From 364bd36c24e94cf0affe5f53df0f18ea5e7e1db5 Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Mon, 19 Jan 2026 11:17:32 +0100
Subject: [PATCH] add borg client to nfss

---
 hosts/nixos/nfss/system.nix | 17 +++++++++++++++++
 modules/borg/client.nix | 3 +++
 modules/wireguard.nix | 5 ++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/hosts/nixos/nfss/system.nix b/hosts/nixos/nfss/system.nix
index 70edd64..b203436 100644
--- a/hosts/nixos/nfss/system.nix
+++ b/hosts/nixos/nfss/system.nix
@@ -5,6 +5,7 @@
 ../system-default.nix
 ../../../modules/tailscale.nix
 ../../../modules/podman.nix
+ ../../../modules/borg/client.nix
 ../../../modules/login-display.nix
 ../../../modules/media-server.nix
 ../../../modules/samba.nix
@@ -146,4 +147,20 @@
 user = "yanlin";
 };
+ # Borg backup configuration
+ services.borg-client-custom = {
+ enable = true;
+ repositoryUrl = "ssh://borg-server/./nfss";
+ backupPaths = [
+ "/var/lib/mongodb"
+ ];
+ backupFrequency = "*-*-* 01:00:00";
+ retention = {
+ keepDaily = 7;
+ keepWeekly = 4;
+ keepMonthly = 6;
+ keepYearly = 2;
+ };
+ };
+
 }
diff --git a/modules/borg/client.nix b/modules/borg/client.nix
index 2cb4726..c1d5bc0 100644
--- a/modules/borg/client.nix
+++ b/modules/borg/client.nix
@@ -5,6 +5,9 @@ with lib;
 let
 cfg = config.services.borg-client-custom;
 sshCommand = "ssh -F /home/yanlin/.ssh/config -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=60 -o ServerAliveCountMax=240";
+ # NOTE: Passphrase file: /etc/borg-passphrase
+ # Should contain: BORG_PASSPHRASE=your-passphrase
+ # Place on host with mode 0600
 passphraseFile = "/etc/borg-passphrase";
 excludePatterns = [ "*.tmp" "*.temp" "*/.cache/*" "*/.local/share/Trash/*" "*/tmp/*" "*/temp/*"
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index a22d7b2..151c15b 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
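Review bot: In hosts/nixos/nfss/system.nix, `backupPaths` points at the live data directory `/var/lib/mongodb`, and nothing in this hunk stops or snapshots the database before the 01:00 run, so an archive can capture data files mid-write and may not restore cleanly. Unless the client module already runs a pre-backup step (not visible here), consider backing up a `mongodump` output directory or a filesystem snapshot instead, and record the choice in a comment such as `# MongoDB data files, copied while mongod may be running; restore must be tested`. The `retention` block suggests this host also prunes its own archives; if so, it is worth confirming that the server side limits what this client's key is allowed to delete.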
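Review bot: In modules/borg/client.nix, the new comment gives the mode for `/etc/borg-passphrase` but not the owner, and the unchanged `sshCommand` line just above reads `/home/yanlin/.ssh/config`, so it is not clear from this hunk which account the backup job runs as. I would extend the comment to something like `# Owner: the account the backup unit runs as (root:root if it runs as root), mode 0600; not managed by Nix`. If the job does run as root, an ssh config that a regular user can edit is worth moving to a root-owned path. The same context line uses `StrictHostKeyChecking=accept-new`, which on a freshly enrolled host such as nfss trusts whatever key is presented on first contact; pinning the server key through `programs.ssh.knownHosts` would close that window. The `let` block continues outside the hunk.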
@@ -26,7 +26,10 @@ in
 default = 51820;
 description = "UDP port to listen on (server mode only)";
 };
-
+
+ # NOTE: Private key file: /etc/wireguard/private.key
+ # Generate with: wg genkey > /etc/wireguard/private.key
+ # Place on host with mode 0600 (auto-generated if missing)
 privateKeyFile = mkOption {
 type = types.str;
 default = "/etc/wireguard/private.key";
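Review bot: The documented command `wg genkey > /etc/wireguard/private.key` creates the file under the shell's current umask, so the private key is typically group- and world-readable until someone runs chmod. I would fold the permission into the instruction, `# Generate with: (umask 077 && wg genkey > /etc/wireguard/private.key)`, so the key never exists with wider permissions. The comment also says the key is auto-generated if missing; the code doing that is not in this hunk, so it is worth checking that path applies the same restrictive mode. The `privateKeyFile` option body continues past the end of the hunk.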