nixos-config/hosts/defiant/backup.nix

{ config, pkgs, lib, ... }:
{
  services.restic.backups = let
    localJob = name: paths: {
      inherit paths;
      repository = "/mnt/feal-syn1/backup/defiant/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        "--keep-daily 3"
        "--keep-weekly 4"
        "--keep-monthly 3"
      ];
    };
    cloudJob = name: paths: {
      inherit paths;
      # "rsyncnet" connection details specified in /root/.ssh/config
      repository = "sftp://rsyncnet/restic/challenger/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        # rsync.net keeps daily snapshots
        "--keep-weekly 4"
        "--keep-monthly 36"
      ];
    };
  in {
    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };
    postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };

    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
    gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);

    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
    matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);

    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
    vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
  };

  # TODO: home-assistant, pihole
  sops.secrets."restic/postgres" = { };
  sops.secrets."restic/gitea" = { };
  sops.secrets."restic/matrix-synapse" = { };
  sops.secrets."restic/vaultwarden" = { };
}