nix/nixos/common/services/btrbk.nix

{ hostname, pkgs, ... }: {

  sops.secrets."btrbk/ssh_key" = {
    sopsFile = ../../../secrets/secrets.yaml;
    owner = "btrbk";
    group = "btrbk";
  };

  security.sudo = {
    enable = true;
    extraRules = [
      {
        commands = [
          {
            command = "${pkgs.coreutils-full}/bin/test";
            options = [ "NOPASSWD" ];
          }
          {
            command = "${pkgs.coreutils-full}/bin/readlink";
            options = [ "NOPASSWD" ];
          }
          {
            command = "${pkgs.btrfs-progs}/bin/btrfs";
            options = [ "NOPASSWD" ];
          }
        ];
        users = [ "btrbk" ];
      }
    ];
  };

  # Ensure the btrbk snapshot folders are created since btrbk won't do it automatically:
  systemd.tmpfiles.rules = [
    "d /.snapshots/btrbk     0755 btrbk btrbk"
    "d /nix/.snapshots/btrbk 0755 btrbk btrbk"
  ];

  # More info:  https://github.com/digint/btrbk/blob/master/btrbk.conf.example
  # More info:  https://digint.ch/btrbk/doc/btrbk.conf.5.html#_btrfs_specific_options
  services.btrbk = {
    instances."synology" = {
      onCalendar = "daily"; 
      settings = {
        snapshot_create = "ondemand";
        incremental_resolve = "directory";
        snapshot_preserve_min = "7d";
        snapshot_preserve = "7d 4w 6m";
        target_preserve_min = "7d";
        target_preserve   = "7d 4w 6m";
        ssh_identity = "/run/secrets/btrbk/ssh_key";
        ssh_user = "root"; 
        stream_compress = "gzip";
        volume."/" = {
          target = "ssh://synology/volume1/btrbk/hosts/${hostname}";
          subvolume = {
            "/"    = { snapshot_dir = "/.snapshots/btrbk";     };
            "/nix" = { snapshot_dir = "/nix/.snapshots/btrbk"; };
          };
        };
      };
    };
  };
}