add borg client to nfss

hosts/nixos/nfss/system.nix

@@ -5,6 +5,7 @@
     ../system-default.nix
     ../../../modules/tailscale.nix
     ../../../modules/podman.nix
+    ../../../modules/borg/client.nix
     ../../../modules/login-display.nix
     ../../../modules/media-server.nix
     ../../../modules/samba.nix
@@ -146,4 +147,20 @@
     user = "yanlin";
   };
 
+  # Borg backup configuration
+  services.borg-client-custom = {
+    enable = true;
+    repositoryUrl = "ssh://borg-server/./nfss";
+    backupPaths = [
+      "/var/lib/mongodb"
+    ];
+    backupFrequency = "*-*-* 01:00:00";
+    retention = {
+      keepDaily = 7;
+      keepWeekly = 4;
+      keepMonthly = 6;
+      keepYearly = 2;
+    };
+  };
+
 }

modules/borg/client.nix

@@ -5,6 +5,9 @@ with lib;
 let
   cfg = config.services.borg-client-custom;
   sshCommand = "ssh -F /home/yanlin/.ssh/config -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=60 -o ServerAliveCountMax=240";
+  # NOTE: Passphrase file: /etc/borg-passphrase
+  # Should contain: BORG_PASSPHRASE=your-passphrase
+  # Place on host with mode 0600
   passphraseFile = "/etc/borg-passphrase";
   excludePatterns = [
     "*.tmp" "*.temp" "*/.cache/*" "*/.local/share/Trash/*" "*/tmp/*" "*/temp/*"

modules/wireguard.nix

@@ -26,7 +26,10 @@ in
       default = 51820;
       description = "UDP port to listen on (server mode only)";
     };
-    
+
+    # NOTE: Private key file: /etc/wireguard/private.key
+    # Generate with: wg genkey > /etc/wireguard/private.key
+    # Place on host with mode 0600 (auto-generated if missing)
     privateKeyFile = mkOption {
       type = types.str;
       default = "/etc/wireguard/private.key";