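{ config, pkgs, secrets, ... }:
{
  # rclone configuration, decrypted by agenix. It is passed to every rclone
  # call below via --config, so it carries the remote definitions the job
  # depends on. Owner and group are root, with no world access.
  age.secrets.roam-rclone-conf = {
    file = secrets.roam."rclone-conf.age";
    mode = "440";
    owner = "root";
    group = "root";
  };

  systemd = {
    # Daily trigger. Persistent = true runs a missed backup at the next boot.
    timers."backup-rclone" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        Unit = "backup-rclone.service";
      };
    };

    services."backup-rclone" =
      let
        conf = config.age.secrets.roam-rclone-conf.path;
        forgejo-repos = config.services.forgejo.repositoryRoot;
      in
      {
        # Backs up git repos (bare /git/* and forgejo) to an rclone crypt remote
        # as bundles to avoid crypt path-length limits. Documents are synced to
        # OneDrive directly (not odc) since syncthing already encrypts them via
        # receiveEncrypted.
        script = ''
          # The staging directories hold unencrypted bundles of every repo.
          # A single EXIT handler removes both of them. Installing a second
          # "trap ... EXIT" would replace the first one and leave the /git
          # bundles behind in the temp directory after every run.
          tmpdir=
          tmpdir_forgejo=
          cleanup() {
            [ -z "$tmpdir" ] || rm -rf -- "$tmpdir"
            [ -z "$tmpdir_forgejo" ] || rm -rf -- "$tmpdir_forgejo"
          }
          trap cleanup EXIT

          ${pkgs.rclone}/bin/rclone --config ${conf} copy /data/sync/documents-hd onedrive:sync

          tmpdir=$(mktemp -d)
          for repo in /git/*/; do
            # Skip anything that is not a bare repo, and repos without refs
            # (git bundle create fails on an empty bundle).
            [ -f "$repo/HEAD" ] || continue
            ${pkgs.git}/bin/git -c safe.directory="$repo" -C "$repo" show-ref --quiet || continue
            name=$(basename "$repo")
            ${pkgs.git}/bin/git -c safe.directory="$repo" -C "$repo" bundle create "$tmpdir/$name.bundle" --all
          done
          ${pkgs.rclone}/bin/rclone --config ${conf} sync "$tmpdir" odc:git

          tmpdir_forgejo=$(mktemp -d)
          for owner in ${forgejo-repos}/*/; do
            for repo in "$owner"*/; do
              [ -f "$repo/HEAD" ] || continue
              ${pkgs.git}/bin/git -c safe.directory="$repo" -C "$repo" show-ref --quiet || continue
              owner_name=$(basename "$owner")
              repo_name=$(basename "$repo")
              # Flatten owner/repo into one file name so the remote stays a
              # single directory of bundles.
              ${pkgs.git}/bin/git -c safe.directory="$repo" -C "$repo" bundle create "$tmpdir_forgejo/''${owner_name}__''${repo_name}.bundle" --all
            done
          done
          ${pkgs.rclone}/bin/rclone --config ${conf} sync "$tmpdir_forgejo" odc:forgejo-git
        '';
        path = [ pkgs.rclone pkgs.git ];
        serviceConfig = {
          Type = "oneshot";
          User = "root";
          # Private /tmp for the job: staged bundles are invisible to other
          # processes and are discarded by systemd when the unit stops, even
          # if the script is killed before its EXIT handler runs.
          PrivateTmp = true;
        };
      };
  };
}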