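# Nightly BorgBackup job: archives a filesystem snapshot mounted at
# /backup/snapshot to a remote repository over SSH. The repository
# passphrase is provisioned by sops-nix.
{ config, pkgs, ... }:

let
  name = "hetzner_nixos";
  hostname = config.networking.hostName;
  remotehost = "u555679-sub2@u555679-sub2.your-storagebox.de";
  backuppath = "/backup/snapshot";

  # toString keeps the literal path, so the script is NOT copied into the Nix
  # store: it is executed from /etc/nixos/scripts at run time by the backup
  # unit. Keep the file and its parent directories owned by root and not
  # writable by anyone else, since whoever can edit it controls what the
  # backup job executes.
  borgHook = toString /etc/nixos/scripts/borgHook.sh;

  # Single definition of the sops secret name, shared by the declaration and
  # by passCommand so the two cannot drift apart.
  secretName = "borg/hetzner/mcserver/${hostname}";
in
{
  # Declared with defaults; sops-nix decides where the decrypted file lives.
  sops.secrets."${secretName}" = { };

  services.borgbackup.jobs."${name}" = {
    paths = [
      "${backuppath}/etc"
      "${backuppath}/home"
      "${backuppath}/root"
      "${backuppath}/var"
    ];

    exclude = [
      # No "/" between the prefix and "*": with borg's default fnmatch style
      # "*" also matches "/", so this covers .cache directories at any depth.
      "${backuppath}*/.cache"
      "${backuppath}/home/*/build"
      # NOTE(review): logs are left out of the backup; confirm they are
      # shipped elsewhere if they are needed for incident investigation.
      "${backuppath}/var/log"
      "${backuppath}/var/lib/nextcloud/data/appdata_ocnc33s4dl6i/preview"
      # NOTE(review): live database directories are excluded; confirm that
      # PostgreSQL/MySQL dumps land in a path that IS backed up, otherwise
      # the databases are not recoverable from this repository.
      "${backuppath}/var/lib/postgresql/*/"
      "${backuppath}/var/lib/mysql/*"
      "${backuppath}/var/lib/containers"
      "${backuppath}/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots"
    ];

    #repo = "borg@nasty:.";
    repo = "ssh://${remotehost}:23/./${hostname}";
    compression = "zstd,10";

    # repokey stores the (passphrase-encrypted) key inside the repository, so
    # the passphrase is the only thing protecting the data from anyone who can
    # read the remote storage. Keep an offline copy of the passphrase and an
    # exported key; without them the archives cannot be restored.
    encryption.mode = "repokey";
    # Read the passphrase from the path sops-nix reports instead of a
    # hard-coded /run/secrets/... string.
    encryption.passCommand = "cat ${config.sops.secrets."${secretName}".path}";

    # Dedicated SSH identity for the backup target.
    # NOTE(review): the remote host key is not pinned in this file; confirm it
    # is provisioned (e.g. programs.ssh.knownHosts) rather than accepted on
    # first use, and that the private key file is readable by root only.
    environment.BORG_RSH = "ssh -i /root/.ssh/id_hetzner_nixos";

    extraCreateArgs = "--verbose --stats";
    extraArgs = [ "--remote-path=borg-1.4" ];
    startAt = "00:10";

    preHook = "${borgHook} pre ${backuppath}"; #create snapshot for consistent filesystem
    # NOTE(review): postCreate is part of the normal script flow, so it is
    # presumably skipped when `borg create` fails, which would leave the
    # snapshot mounted. Check whether cleanup belongs in postHook instead.
    postCreate = "${borgHook} post ${backuppath}"; #delete snapshot again

    # NOTE(review): no prune.keep policy is set here, so archives accumulate
    # until removed by other means. If pruning is added, consider what a
    # compromised client could delete from the repository with this key.
  };

  systemd.services."borgbackup-job-${name}" = {
    environment = {
      # Suppresses borg's confirmation when the repository location differs
      # from the one recorded in the local cache. That check is what makes a
      # moved or substituted repository noticeable.
      # NOTE(review): confirm this is still required and not a leftover from
      # a one-time migration.
      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
    };

    # Tools made available on the unit's PATH, presumably for borgHook.sh.
    path = [
      pkgs.btrfs-progs
      pkgs.mount
      pkgs.umount
      pkgs.lvm2
      pkgs.bash
    ];

    serviceConfig = {
      # Extra writable locations for the unit, presumably so the hook can
      # create and mount the snapshot and take LVM locks. Keep this list as
      # short as the hook allows.
      ReadWritePaths = [
        "/backup"
        "/var/lock/lvm"
        "/etc/lvm"
      ];
    };
  };
}

# vim: set et ts=2 sw=2 ai: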