From e679c76e6b39e365b004c321a05d3c3af8907ed8 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Mon, 29 Sep 2025 22:46:32 +1000
Subject: [PATCH] feat: create reusable backup utility function
---
 modules/nixos/backup.nix | 75 +++++++++++++++++++++++++++++++
 modules/templates/web-feature.nix | 3 ++
 2 files changed, 78 insertions(+)
 create mode 100644 modules/nixos/backup.nix
diff --git a/modules/nixos/backup.nix b/modules/nixos/backup.nix
new file mode 100644
index 0000000..f262da5
--- /dev/null
+++ b/modules/nixos/backup.nix
@@ -0,0 +1,75 @@
+service: servicecfg:
+{
+ # keep-sorted start
+ pkgs,
+ config,
+ lib,
+# keep-sorted end
+}:
+let
+ notify =
+ {
+ tag,
+ msg,
+ location,
+ }:
+ ''
+ ${pkgs.curl}/bin/curl \
+ -H "X-Tags: ${tag},BorgBackup,Server,${location}" \
+ -d "${msg}" \
+ ${config.services.ntfy-sh.settings.base-url}/backups
+ '';
+ notifySuccess =
+ context:
+ notify {
+ tag = "tada";
+ msg = "Backup succeeded";
+ location = "${context}/${service}";
+ };
+ notifyFailure =
+ context:
+ notify {
+ tag = "rotating_light";
+ msg = "Backup failed, check logs";
+ location = "${context}/${service}";
+ };
+ job =
+ context: contextcfg:
+ lib.nameValuePair "${context}-${service}" (
+ {
+ compression = "auto,zstd";
+ startAt = "*-*-* 04:00:00 Australia/Melbourne";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ postHook = ''
+ if [ $exitStatus -eq 0 ]; then
+ ${notifySuccess context}
+ else
+ ${notifyFailure context}
+ fi
+ '';
+ }
+ // contextcfg
+ // servicecfg
+ );
+in
+builtins.listToAttrs [
+ (job "onsite" {
+ repo = "/backup/repo";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.borgbackup-server-onsite.path}";
+ };
+ })
+ (job "offsite" {
+ repo = "vuc5c3xq@vuc5c3xq.repo.borgbase.com:repo";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.borgbackup-server-offsite.path}";
+ };
+ environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
+ })
+]
diff --git a/modules/templates/web-feature.nix b/modules/templates/web-feature.nix
index d101877..77245e2 100644
--- a/modules/templates/web-feature.nix
+++ b/modules/templates/web-feature.nix
@@ -15,6 +15,9 @@ in enable = true; }; + # backup + borgbackup.jobs = feature { }; + # reverse proxy nginx.virtualHosts."${feature}.fi33.buzz" = { forceSSL = true;
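Review bot: The merge at the end of `job` (`// contextcfg // servicecfg`) is shallow and puts the caller last, so a `servicecfg` that sets any key under `encryption` or `environment` replaces the whole attrset, silently dropping `passCommand` or the offsite `BORG_RSH`. Merging the nested defaults with `lib.recursiveUpdate (lib.recursiveUpdate defaults contextcfg) servicecfg`, or applying the `encryption` block after `servicecfg`, would stop a per-service override from weakening the repository settings by accident. Every job this function builds also targets the same two repositories at the same `startAt`, so once several services use it the jobs will likely contend for Borg's repository lock and report failures; staggering the timers or passing `--lock-wait` through `extraArgs` would avoid that. The offsite `BORG_RSH` points at a key under `/home/srv/.ssh` that is managed outside the agenix secrets used for the passphrases; provisioning it the same way and adding `-o IdentitiesOnly=yes` would keep its ownership and permissions declared alongside the other secrets.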
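Review bot: `feature` is applied as a function in `borgbackup.jobs = feature { };` but interpolated as a string a few lines below in `"${feature}.fi33.buzz"`, and a single Nix value cannot normally serve both uses; the binding sits outside this hunk, so confirm what the template substitutes here. backup.nix as added in this patch takes `service`, then `servicecfg`, then the module arguments, so the call presumably needs the shape `import ../nixos/backup.nix "feature" { paths = [ … ]; } { inherit pkgs config lib; }`. An empty `{ }` also leaves both generated jobs without `paths`, so a service created from the template has nothing selected for backup until that is filled in; a comment such as `# TODO: set paths for this service` on the added line would make that explicit.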