services (borgmatic): Add borgmatic service

I used to try to control Ansible's bootstrapping of home-manager by
recording the current git hash of the home-manager repo, but I haven't
allowed ansible to touch home-manager after initial setup for a while
now, so remove the hash code.

flake.nix

@@ -61,7 +61,7 @@
           pkgs = import nixpkgs {
             inherit system;
             config.allowUnfree = true;
-            overlays = [ nur.overlays.default ];
+            overlays = [ nur.overlays.default agenix.overlays.default ];
           };
           pkgs-unstable = import nixpkgs-unstable {
             inherit system;
@@ -105,12 +105,6 @@
 
         "tchristensen@beocat" = mkHomeConfiguration { hostname = "beocat"; };
 
-        "millironx@harmony" = mkHomeConfiguration {
-          hostname = "harmony";
-          arch = "aarch64";
-          desktop = true;
-        };
-
         "millironx@odyssey" = mkHomeConfiguration {
           hostname = "odyssey";
           desktop = true;

homes/common.nix

@@ -31,6 +31,7 @@ in {
       };
     };
     packages = with pkgs; [
+      agenix
       btop
       cowsay
       figlet
@@ -86,14 +87,6 @@ in {
     };
     sessionPath = [ "$HOME/.local/bin" ];
     activation = {
-      recordHmGitHash = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-        cd "$HOME/.config/home-manager" || exit 1
-        if [ -z "$(${pkgs.git}/bin/git status --porcelain --untracked-files=no)" ]; then
-          run echo "$(${pkgs.git}/bin/git rev-parse HEAD)" | tee $HOME/.cache/hm-git-hash
-        else
-          run echo '*' | tee $HOME/.cache/hm-git-hash
-        fi
-      '';
       installRunic = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
         run ${pkgs.julia-bin}/bin/julia --project=@runic --startup-file=no -e 'using Pkg; Pkg.add(name="Runic", version="${runic_version}")'
       '';

homes/harmony.nix

@@ -1,95 +0,0 @@
-{ config, lib, pkgs, pkgs-unstable, ... }: {
-  # harmony is an Asahi Fedora box
-  # I don't use NixOS, so there are some programs that don't interact well with
-  # the base system (or won't even install) when installed from Nix.
-  # There is no uniform way to trigger dnf package installs from Nix, so I'm
-  # just going to list my packages here. I hope to create a custom script that
-  # mimics the ideas of a Brewfile someday
-  # TODO: Create a Brewfile equivalent for dnf
-
-  # dnf repos:
-  # https://github.com/terrapkg/packages?tab=readme-ov-file
-  # https://pkgs.tailscale.com/stable/fedora/tailscale.repo
-  # https://packagecloud.io/filips/FirefoxPWA
-
-  # copr repos:
-  # iucar/rstudio
-
-  # dnf packages:
-  # apptainer
-  # chromium
-  # firefoxpwa - The nix version installs an "immutable" runtime, which simply launches extra browser windows on non-NixOS
-  # inkscape
-  # kate
-  # kdiff3
-  # krita
-  # lutris
-  # musescore
-  # nextcloud-client
-  # nextcloud-client-dolphin
-  # obs-studio
-  # podman-compose
-  # podman-docker
-  # qownnotes
-  # qt
-  # rssguard
-  # rstudio-desktop
-  # steam
-  # supertuxkart
-  # tailscale
-  # thunderbird
-  # vlc
-  # vorta - The vorta package is aarch64 compatible, but you cannot see any icons, and it cannot access local ssh keys, so we have to use the dnf package instead
-  # yakuake
-  # zed
-  # zsh
-  # R
-  # https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
-  home = {
-    username = "millironx";
-    homeDirectory = "/home/millironx";
-    # Signal desktop is not available in any other package repository for aarch64 linux
-    # Similarly, Bitwarden is non-functional in all other forms using a 16k page size
-    packages = with pkgs; [
-      trayscale
-      veracrypt
-      pkgs-unstable.signal-desktop
-      pkgs.bitwarden-desktop
-    ];
-  };
-  programs = {
-    git = {
-      signing = {
-        key = "0x37A3041D1C8C4524!";
-        signByDefault = true;
-      };
-    };
-  };
-  services = {
-    gpg-agent = { sshKeys = [ "207D13371E19752A67AA2686C16354D9963821DB" ]; };
-  };
-  xdg = {
-    configFile = {
-      "nextflow.config".text = ''
-        params {
-            config_profile_description = 'harmony Asahi Linux local profile'
-            config_profile_contact     = 'Thomas A. Christensen II <25492070+MillironX@users.noreply.github.com>'
-            config_profile_url         = null
-
-            max_memory = 12.GB
-            max_cpus   = 12
-            max_time   = 7.d
-        }
-
-        apptainer {
-            enabled    = true
-            autoMounts = true
-        }
-
-        process {
-            executor = 'local'
-        }
-      '';
-    };
-  };
-}

inventory.yaml

@@ -3,20 +3,13 @@ ungrouped:
   hosts:
     localhost:
       ansible_connection: local
-    harmony:
-      ansible_connection: local
     odyssey:
       ansible_connection: local
 
-asahi:
-  hosts:
-    harmony:
-
 amd64:
   hosts:
     odyssey:
 
 fedora:
   hosts:
-    harmony:
     odyssey:

playbooks/config.yaml

@@ -11,7 +11,7 @@
         mode: "755"
     - name: Create Firefox DNS policy
       ansible.builtin.template:
-        src: "{{ playbook_dir }}/../templates/policies.json"
+        src: "policies.json"
         dest: /etc/firefox/policies/policies.json
         mode: "644"
 

playbooks/nix.yaml

@@ -45,7 +45,8 @@
       register: home_manager_exists
     - name: Init home-manager
       ansible.builtin.shell: |
-        /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
+        /nix/var/nix/profiles/default/bin/nix run home-manager -- switch \
+        --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
       when: not home_manager_exists.stat.exists
       register: home_manager_init
       changed_when: home_manager_init.rc == 0

playbooks/packages.yaml

@@ -1,55 +1,9 @@
 ---
-# These are repos and packages that are useless or unavailable on Asahi Linux,
-# or have completely separate install procedures.
-- name: Configure amd64-specific dnf packages
-  hosts: amd64
-  become: true
-  tasks:
-    - name: Install x86-specific dnf packages
-      ansible.builtin.dnf:
-        name:
-          - libdvdcss
-          - mkvtoolnix
-          - mpv
-          - protontricks
-          - x264
-          - x264-libs
-        state: present
-    - name: Install VeraCrypt
-      ansible.builtin.dnf:
-        name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
-        state: present
-        disable_gpg_check: true
-
-- name: Configure amd64-specific Flatpaks
-  hosts: amd64
-  become: false
-  tasks:
-    - name: Install x86-specific Flatpaks
-      community.general.flatpak:
-        name:
-          - com.bitwarden.desktop
-          - com.slack.Slack
-          - dev.deedles.Trayscale
-          - org.signal.Signal
-        state: latest
-        method: user
-        remote: flathub
-
-- name: Configure Asahi Linux-specific dnf packages
-  hosts: asahi
-  become: true
-  tasks:
-    - name: Install aarch64-specific dnf packages
-      ansible.builtin.dnf:
-        name:
-          - veracrypt
-
-- name: Configure common (all arch) dnf packages
+- name: Configure dnf packages
   hosts: fedora
   become: true
   tasks:
-    - name: Install common (all arch) dnf packages
+    - name: Install dnf packages
       ansible.builtin.dnf:
         name:
           - chromium
@@ -64,15 +18,19 @@
           - kdenlive
           - kdiff3
           - krita
+          - libdvdcss
           - libjpeg-devel
           - libpng-devel
           - libtiff-devel
           - libwebp-devel
+          - mkvtoolnix
+          - mpv
           - musescore
           - nextcloud-client
           - nextcloud-client-dolphin
           - obs-studio
           - onedrive
+          - protontricks
           - qownnotes
           - qt
           - rssguard
@@ -82,6 +40,8 @@
           - thunderbird
           - vlc
           - vorta
+          - x264
+          - x264-libs
           - yakuake
           - zed
           - zsh
@@ -92,6 +52,11 @@
         name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
         state: present
         disable_gpg_check: true
+    - name: Install VeraCrypt
+      ansible.builtin.dnf:
+        name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
+        state: present
+        disable_gpg_check: true
     - name: Install rig (R installation manager)
       ansible.builtin.dnf:
         name: https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.{{ ansible_architecture }}.rpm
@@ -109,19 +74,23 @@
         name: "*"
         state: latest # noqa: package-latest
 
-- name: Configure common (all arch) Flatpaks
+- name: Configure Flatpaks
   hosts: fedora
   become: false
   tasks:
-    - name: Install common (all arch) Flatpaks
+    - name: Install Flatpaks
       community.general.flatpak:
         name:
+          - com.bitwarden.desktop
           - com.github.tchx84.Flatseal
           - com.logseq.Logseq
+          - com.slack.Slack
+          - dev.deedles.Trayscale
           - io.freetubeapp.FreeTube
           - io.github.alainm23.planify
           - io.github.dweymouth.supersonic
           - io.openrct2.OpenRCT2
+          - org.signal.Signal
           - org.zulip.Zulip
           - net.ankiweb.Anki
         state: latest

playbooks/repos.yaml

@@ -1,6 +1,6 @@
 ---
-- name: Configure amd64-specific package repositories
-  hosts: amd64
+- name: Configure dnf package repositories
+  hosts: fedora
   become: true
   tasks:
     - name: Install RPM Fusion free repository
@@ -20,31 +20,6 @@
     - name: Install Zotero COPR repository
       community.general.copr:
         name: "mozes/zotero7"
-
-# Asahi Linux comes with its own strange version of RPMFusion installed, so
-# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
-# Zotero *are* available via COPR, but from different repos than their amd64
-# counterparts.
-# Also, Asahi has its own version string, so we have to manually specify the
-# chroot for COPR repos added via Ansible. This is handled automatically when
-# using `dnf copr enable ...`, but not via Ansible.
-- name: Configure Asahi Linux-specific package repositories
-  hosts: asahi
-  become: true
-  tasks:
-    - name: Install Zotero COPR repository
-      community.general.copr:
-        name: "isaksamsten/Zotero"
-        chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
-    - name: Install VeraCrypt COPR repository
-      community.general.copr:
-        name: "architektapx/veracrypt"
-        chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
-
-- name: Configure common (all arch) package repositories
-  hosts: fedora
-  become: true
-  tasks:
     - name: Install Tailscale repo
       ansible.builtin.yum_repository:
         name: tailscale-stable
@@ -110,7 +85,7 @@
       register: terra_priority
       changed_when: terra_priority.rc != 0
 
-- name: Configure Flathub remote
+- name: Configure Flatpack remotes
   hosts: fedora
   become: false
   tasks:

secrets.nix

@@ -6,28 +6,30 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
   bosephus-millironx =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
-  odyssey-millironx =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
   corianne-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKKkucebeb1GcerOZAAs5GQsgTS8kXw5W41b9Fy9+hp root@corianne.local";
   corianne-millironx =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgL2lO9RJBdQYANoxGyWXcNKi5/NZkRHHo/rNqaYMc/ millironx@corianne";
-  harmony-millironx =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBYxsCkw+ObDzIvU8z/rSlYcQx0JIt1bCVxKcDxeNNZ millironx@harmony";
-
+  mcentire-host =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT51tQgsKzTIQc9WSQj01h/gPRvAD3k9jRhXppY7xmd root@nixos";
+  odyssey-millironx =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
   system-administrators = [
     anderson-millironx
     bosephus-millironx
     odyssey-millironx
     corianne-millironx
-    harmony-millironx
   ];
 
 in {
+  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
+  "secrets/borgmatic-passphrase.age".publicKeys = system-administrators
+    ++ [ mcentire-host ];
+  "secrets/borgmatic-ssh-config.age".publicKeys = system-administrators
+    ++ [ mcentire-host ];
+  "secrets/darwin-policies-json.age".publicKeys = system-administrators
+    ++ [ corianne-host ];
   "secrets/network-information.age".publicKeys = system-administrators
     ++ [ bosephus-host ];
   "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
-  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
-  "secrets/darwin-policies-json.age".publicKeys = system-administrators
-    ++ [ corianne-host ];
 }

secrets/ansible-vault-password.age

@@ -1,13 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 il3lzQ 8BY+QUEGqILKLs6ROw7llEOhx0GgrfFeKDcEgHePUFw
-SPiG48tkp5ewFc6/uNj+541B6YJODGmDFEbET2BfoZ0
--> ssh-ed25519 1g/xww HyUG/jNJgHCceV/9vaaoSHc681x6Gg/uY+RIfQxIBxU
-6XVufQ4A9r8HPU9QLZ/idx3NjDf+UeKVMhtk9+Awy4E
--> ssh-ed25519 +kBihw XjhEk6TF6M5OalqVQNpAemlmgMIJnfuH6M600DnJql0
-3zQPJZcsfnbUqRf5XWTJNbyqMb/rsSBIkS7YlYsyMcs
--> ssh-ed25519 dbKeHw nIG5Z+XdJ3dyMxFOxyFMHw5sUkRJ2dsooJbIScNwlxM
-brJoiOSQcwgs3vNSk8eK6dzH3zfQGFNdEWj3jjMM5e0
--> ssh-ed25519 Svnssw +VFbKj457mYT3GXQSacQ13J8MSkYe6A26ssNbqh8LAQ
-rJzIG170BcRlsLERhnfaqgRFeAL4Yw7zvtb1gGvUkCU
---- ebIxmIBuNqNgfVWvOJc/0OpFBf3Q7pmApGgHYjrtJI8
-¹ì¤AòeO:(7_ãŽx¦‹¹0œ‘×·“°	Âj¹ f°V Û/D.8â¿€µÌ1ß <EFBFBD>©¯[Ñq°¾f!7ht0Y
+-> ssh-ed25519 il3lzQ WthM+rK9ntTt0GkP6Z7kuFeOCMkYdY5OkoxtIY8xnk8
+howoRiqpwVW+K4ybhHngRfqobGOqSlye6da6+QJg2xU
+-> ssh-ed25519 1g/xww 7iNs/T1MXDvZTtbz3s9Dx8CERfL4TBpn4fwhSv8j+yQ
+cHXWpo3FEmkD2867IhdCpG4Pkq+LRkvi54OvTeSQA8s
+-> ssh-ed25519 +kBihw HXgixNdqoB102vJDQ74UhC2wUIpYNv21ZvfFRgPmyX4
+09wYp8mUSl0ixLbtbK3E+u/7KVx8bYXTAwbzWN9TX/k
+-> ssh-ed25519 dbKeHw PhePJgvp9fRMEJdtYwq3MV+CfNbEs1xJrQefJPQtl3Y
+muMZYzYC8aHJBq96Z12pvxA32Cs4KFcG/0YHVT6tX8o
+--- lunvYfBDg4+g00hMQJc6ZHQiBQ9k/qubJBYQ+p6aXhc
+çÏš:V¬nÎß›ÎTFW=–òrÌÇTvMö_=!³ÕŸ’Ǧ’~N³<0E>0
I»P©em·®Ì®¡.ê’3Ã÷/T[

secrets/borgmatic-passphrase.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 il3lzQ NZt+Qn166/k1xA8H+0i40Nf0QUcNoo/mPB4xEsbc52g
+WDnvHlN0EAM3kcH4P0w9Fl6LaPYFLK9uhbL2C/asXkQ
+-> ssh-ed25519 1g/xww 607VONmCuvQWVfbXOwtW36OrLDSmC1b3FJfcXG8coVk
+aKmWBrjrk3cUfGJuEwmuzgiMfeqaDM4sFA9lSEyXb2A
+-> ssh-ed25519 +kBihw mUCQloe1iMe4TupQmQRV/SsvDl7GYAy9qNgd/9QuRVs
+pl5NvOjZpOmslTm34qhyIY8ihbGfvi5TUMNIN+KftQA
+-> ssh-ed25519 dbKeHw mDRPmYMHU/U39xGm+cPt/DDX1VFwJR9q7Ej393eygjc
+sneArlOp/HU1N9aXQjGunmcL2lSJ+uUfnLUKJrfuwWY
+-> ssh-ed25519 +C0WRg +swZ49g3n/MdCXcaVVN+oJppbhVOeYyVhJBA/0O+zFI
+PleOEzaPcOWCQKSULfZ1V8MIcuzS7W0J6KoqSQWuM44
+--- RtNvvt/RSfurXkC29xKp02PWD5+8Ikrdh3JJHzcUECM
+r»
+Ç”<EFBFBD>j‹	µ&õúý‘(ÝÑöF-WlEÏ®Å3~K@BóO,Úh…J®-ÌéŽ^‡,#»ÝèÁy¶ü<C2B6>ù¡Ú¦B²½Ân#ñ×ÞqÖ´r3æ9PjsgîdiÆ…õвìÏ?‰¦Šo>ˆ<^Ó+E4ˆ
<ÿü)K7;š/«œÀèx‡èùߎ–Ø”…ý‘”Œ
+bï…hØ

secrets/borgmatic-ssh-config.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 il3lzQ +g4/yAloij23EO70Lwv3NHdzUlI3yM17V+GZVet+DB4
+KoJqTEeF5ol4q+ZwcO+bWsP+hKszCMAUrok0yU+L6WU
+-> ssh-ed25519 1g/xww aGc6VKpwoGQyjsPxc4hFPqc5sTzpOx/p7AJL2otF3QE
+u5gZXqSUKLMxKsekgixy5h57GZVmIXChnxOTq5iFv9o
+-> ssh-ed25519 +kBihw FESLL/bEja1rrQm4V2VIFM9pEuP8ydNSiHgatiEqWDk
+Y5D1RoMCKuX3HxUpebwNUgJFQJnJR0GILNeg2DOPaDs
+-> ssh-ed25519 dbKeHw EiccNUjhFewzAI+OWDrZnGNZbY1uoP99EJhvDn3AKyw
+QQohrq0jZJIwXGkycvn7Q4JFJmkhUwxXZEB5HN217Tg
+-> ssh-ed25519 +C0WRg rbfEQSHbKDIvm6p2o9CiJIMNRFWlKaQE7TALCdgauzs
+6NWlDEKfWnYHFwleqOF6fSOzjxNkjdBFeFRl1Cj1L9A
+--- E6T4y6crIEiWxE3G9OOQDrRky4919i7FM0zDnPiqUH4
+d¿…ÆbtÃ=p(Wwxé9rðÁ }&l
+èg`úÁe‘p~§Úkø©¦ô¸æP$vU‘—ûýH¯"…-ò±“Æôï,æ4&šNhü<15>›#%‰8]æŸ
@(ÏI¯
ÔBJìY Ž€¢˜4õ×ežÛQ¤<51>½ÎÒsÅ"‚wN’úð²r-¸CŸ½ˆmq¬xîÙ­Åà<C385>±…
+‚<>!q

secrets/network-information.age

@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 il3lzQ X/F7G7EJbo6QTCGBSp2irApe2qkFUmj2OytrpOVVQ2w
-yjitkwkxhNJLxSK4zF25o2lhZO6drBkjwHYykcPnoIw
--> ssh-ed25519 1g/xww HriK0yZF3EEh2mB8RpVWBGzuPiK1DB80BeXZAt5Runo
-8ke05EDxykN/tu5wEzL3RvRnleBeWKpblm/iXb0pJ8U
--> ssh-ed25519 +kBihw bG3XH77yhvMR+HsJMwi1WsXo4aSm5ez80gRlgkTosSo
-/WhUI2gKt94naWkeDrXvxnc2fsJvqmcARJnnhrU9sjw
--> ssh-ed25519 dbKeHw Bugbp/ovWaODwR6msKnGB3D/dT/ZMmFyr6Za0VAJqBQ
-+FfFa1w5/Ok8rIhp+NOBxfqoGFFlGwt8hPhxzibAVf8
--> ssh-ed25519 Svnssw xpuVCV4OJi8G8R5vuSMio9hoRWmufOsCaEyhLMKarh0
-/82i3ZFwQtMonTj4wfa9KPig9qUIJomVYk3QlpB4rJk
--> ssh-ed25519 jb0ALQ cbnyjqANs0f/CsiD/peCuJuMJfuaNKIIzbd/87OEV2Y
-iQmJxEOQuharrlkiaOdQXnTSUcsq+b7BzSo+G35QJIw
---- eDJuMw4WC33Ihy5OBr2gkeewAFBpCa3gO3CYehr5bOo
-VR@ÓX[6g›ÞÈ£îlœèÊ‘mê.ºüÍP4ÇMããiè‘YtìÚ
ƒÌ¾~
þèîx\ƒ<>YÒã’ŠUM¡GdÜ<64>{ƒ¤Í'mÛBîÔ,@Ùø[eÖà“ü‹]{çN¥bN]¸
Òa·!›*ͬçýÕÁ¬`–ïüñYQn9åÐó¹ÂÑã5	'…–ºq5­Þ]„—Â<E28094>úé›-—6:F<>YL¶¾©$}êï
+-> ssh-ed25519 il3lzQ DhOVslXJ/kZmHvfCLw3rPiRrR1NxTC6zV6Di9WOUY1o
+i+OTfk7LWc3rT+T8yFGlPabsgVkddPAr3D6oc5hpe/Y
+-> ssh-ed25519 1g/xww xiWVbXWJXtgPLnPWC5bRCvdgceKuY/7wrAbWGlBmZWA
+C7rwIOD0xGzTpGRgAycHlspsGaLLwFG6j+6/vPkVtkI
+-> ssh-ed25519 +kBihw E2rOacH/0J3YWuplB01z51r/MW3jF36l1C+QeqY6zls
+162dh2KpWV71727zPZ2fpS7btQsQ/IL43kuViypZwWc
+-> ssh-ed25519 dbKeHw k4ZekrotAzMlC6+RifphXj108iEra0AH4DrCxOSI/gg
++9eibvHzF88lm9Qi/FCfW87D9BW25+zkzQbnhe/F3Rw
+-> ssh-ed25519 jb0ALQ Z8WYL7/D990/IWBHGKZInn3Rffol0jnraGQyQbqCdWE
+LQa3mmMrA6Qx8wChzlWmB3M2OAtjVep5ryOZH3oZOMA
+--- avI87pf1OwXk3BW8w9jW95NK4U/vfUg0pJoqjQ6eCS4
+7
5l7gϹ<C38F>ï<EFBFBD>Nú©ÔU%³Ø*—à-°Œ’^Ð$z1<7A>,”<>4G²Ô°@:~›,SeõŠ@7põÀ
+=‚
Ï>H¿0ÄÍã­…öm
7þm²‚UW
+W-äy¹
<01>îµûè
EÀŸÃŽ8¸+¢<>gM/û-z펈5%lå0l صÓÓΙ |ÃJEz•å‰ yÊ=øaþÎø1ÏjpÇØIÚQæf®Ü<C2AE>Î3

secrets_harmony.enc

@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38383539613238613864336630316433666436623334313334393762396536663530336264306661
-3338616565316138616666343862366638643134343931320a633366363539326461346636373738
-66393138653463663536313065623332383166386332303564323939336630333163623637386434
-6538393966633731660a616437356233643234363562366433663437383439326161353330356331
-63346432663036353332303266343361346266396437396131376531303265356233

services/borgmatic.nix

@@ -0,0 +1,37 @@
+{ pkgs, config, ... }: {
+
+  # We don't want to expose the location where borg backups are going, so we
+  # will setup an encrypted ssh config that references the host/username
+  # combo as simply 'borgserver'
+  age.secrets = {
+    borgmatic-ssh-config = { file = ./../secrets/borgmatic-ssh-config.age; };
+    borgmatic-passphrase = { file = ./../secrets/borgmatic-passphrase.age; };
+  };
+
+  services.borgmatic = {
+    enable = true;
+
+    # This is the bare-bones way to get Borgmatic up and running. Other services
+    # are expected to declare their stateful directories by adding to
+    # `services.borgmatic.configurations."${config.networking.hostName}".source_directories`
+    # and to add their databases to
+    # `services.borgmatic.configurations."${config.networking.hostName}".[mariadb|postgresql|etc]_databases`
+
+    configurations."${config.networking.hostName}" = {
+      source_directories = [ "/home" "/root" ];
+      repositories = [{
+        label = "${config.networking.hostName}-default";
+        path = "ssh://borgserver/./repo";
+      }];
+      ssh_command =
+        "${pkgs.openssh}/bin/ssh -F ${config.age.secrets.borgmatic-ssh-config.path}";
+      encryption_passcommand =
+        "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmatic-passphrase.path}";
+      retention = {
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+  };
+}

systems/linux/mcentire.nix

@@ -4,6 +4,7 @@
   imports = [ # Include the results of the hardware scan.
     ./hardware-configuration/mcentire.nix
     ./../../services/nixos-update.nix
+    ./../../services/borgmatic.nix
     ./../../services/crowdsec.nix
   ];