hosts/clerie-backup: Replicate backups with restic instead of borgbackup

hosts/clerie-backup/configuration.nix

@@ -5,6 +5,7 @@
     [
       ./hardware-configuration.nix
 
+      ./replication.nix
       ./restic-server.nix
     ];
 
@@ -36,30 +37,6 @@
     };
   };
 
-  # fix borgbackup primary grouping
-  users.users.borg.group = "borg";
-
-  services.borgbackup.jobs = {
-    backup-replication-hetzner = {
-      paths = [
-        "/mnt/clerie-backup"
-      ];
-      doInit = true;
-      repo = "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/";
-      encryption = {
-        mode = "none";
-      };
-      environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
-      compression = "auto,lzma";
-      startAt = "*-*-* 04:07:00";
-
-      readWritePaths = [ "/var/lib/prometheus-node-exporter/textfiles" ];
-      postPrune = ''
-        echo "backup_replication_hetzner_last_successful_run_time $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/backup-replication-hetzner.prom
-      '';
-    };
-  };
-
   clerie.monitoring = {
     enable = true;
     id = "204";

hosts/clerie-backup/replication.nix

@@ -0,0 +1,23 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  clerie.backup = {
+    enable = true;
+    targets = mkForce {
+      hetzner-storage-box = {
+        serverUrl = "sftp://u275370-sub2@u275370.your-storagebox.de:23";
+        sshKeyFile = "/var/src/secrets/ssh/borg-backup-replication-hetzner";
+      };
+    };
+    jobs.replication = {
+      paths = [
+        "/mnt/clerie-backup/cyan"
+      ];
+      exclude = [
+        "/mnt/clerie-backup/cyan/.htpasswd"
+      ];
+    };
+  };
+}

hosts/clerie-backup/secrets.json

@@ -1,19 +1,16 @@
 {
+	"clerie-backup-job-replication": "ENC[AES256_GCM,data:J9zWkW1xGUiK73M=,iv:0PCJW1qrOMlX0Twy2HXGmqFzyXknE4dVdpJnnEbW36U=,tag:yxIdsqMHZgHLUIN+JCcZ6A==,type:str]",
 	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-02-16T18:13:34Z",
-		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
+		"lastmodified": "2025-11-16T16:13:47Z",
+		"mac": "ENC[AES256_GCM,data:ksW2wq/EWTi9dKppGhEheVQ74G6riy1asiDmdsC78bfeAJHTbXqlni5u11DIbo67sdpZE+xXJiB1woLEcG0B4wS92r5MIWhQrul+ot95UnwVFceYLkO4KLxgOjlJzgHKuWq/ccOoKnucd/vmagQ5E/4ubBXMOHvHVLL4dNYOsDo=,iv:unLO6F/b1mAIefWfvD0PW840pTWUULgwJSl6mh637q4=,tag:0dlOFTAmLZc7oXJ25SeH1A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-05T12:12:27Z",
@@ -22,6 +19,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.11.0"
 	}
-}
+}

modules/backup/default.nix

@@ -60,16 +60,19 @@ let
         config.sops.secrets."clerie-backup-job-${jobName}".path;
       repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
       targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
-        config.sops.secrets."clerie-backup-target-${targetName}".path;
+        config.sops.secrets."clerie-backup-target-${targetName}".path or null;
       targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
     in {
       "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
       "clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
       "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
-      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
       "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
       "clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
-    }
+    } // (if targetPasswordFile == null then {} else {
+      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
+    }) // (if targetOptions.sshKeyFile == null then {} else {
+      "clerie-backup/${jobName}-${targetName}/ssh_key".source = targetOptions.sshKeyFile;
+    })
   ) jobTargetPairs);
 
   targetOptions = { ... }: {
@@ -85,6 +88,10 @@ let
       serverUrl = mkOption {
         type = types.str;
       };
+      sshKeyFile = mkOption {
+        type = with types; nullOr str;
+        default = null;
+      };
     };
   };
 

pkgs/clerie-backup/clerie-backup.sh

@@ -45,30 +45,39 @@ if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
 	echo "File ${CONFIG_DIR}/auth_username not found"
 	ISSUE_EXIST=1
 fi
-if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
-	echo "File ${CONFIG_DIR}/auth_password not found"
-	ISSUE_EXIST=1
-fi
 if [[ -n "${ISSUE_EXIST}" ]]; then
 	exit 1
 fi
 
 RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
 export RESTIC_PASSWORD_FILE
-RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")"
+REPO_URL="$(cat "${CONFIG_DIR}/repo_url")"
+if [[ "${REPO_URL}" == http* ]]; then
+	RESTIC_REPOSITORY="rest:${REPO_URL}"
+else
+	RESTIC_REPOSITORY="${REPO_URL}"
+fi
 export RESTIC_REPOSITORY
 RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
 export RESTIC_REST_USERNAME
-RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
-export RESTIC_REST_PASSWORD
+if [[ -e "${CONFIG_DIR}/auth_password" ]]; then
+	RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
+	export RESTIC_REST_PASSWORD
+fi
 RESTIC_PROGRESS_FPS="0.1"
 export RESTIC_PROGRESS_FPS
 RESTIC_CACHE_DIR="/var/cache/restic"
 export RESTIC_CACHE_DIR
 
+EXTRA_OPTIONS=()
+
+if [[ -e "${CONFIG_DIR}/ssh_key" ]]; then
+	EXTRA_OPTIONS+=("-o" "sftp.args='-o IdentityFile=${CONFIG_DIR}/ssh_key'")
+fi
+
 case "${ACTION}" in
 restic)
-	restic "$@"
+	restic "${EXTRA_OPTIONS[@]}" "$@"
 	;;
 backup)
 	ISSUE_EXIST=
@@ -84,9 +93,9 @@ backup)
 		exit 1
 	fi
 
-        restic snapshots --latest 1 || restic init
+        restic "${EXTRA_OPTIONS[@]}" snapshots --latest 1 || restic "${EXTRA_OPTIONS[@]}" init
 
-        restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
+        restic "${EXTRA_OPTIONS[@]}" backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
 	;;
 *)
 	echo "Unsupported ACTION: ${ACTION}"