From 0f1eba14b6c8998babc08c3d0fd4fbe6da645e58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20R=C3=B6ger?= Date: Sun, 6 Apr 2025 22:18:16 +0200 Subject: [PATCH] add borg-server --- hosts/harbor/configuration.nix | 3 ++ modules/services/borg-server.nix | 55 +++++++++++++++++++++ static/keys/borg-jonas@comfy-station.pub | 1 + static/keys/passgit-jonas@comfy-station.pub | 1 + 4 files changed, 60 insertions(+) create mode 100644 modules/services/borg-server.nix create mode 100644 static/keys/borg-jonas@comfy-station.pub create mode 100644 static/keys/passgit-jonas@comfy-station.pub diff --git a/hosts/harbor/configuration.nix b/hosts/harbor/configuration.nix index 851139f..13a9d41 100644 --- a/hosts/harbor/configuration.nix +++ b/hosts/harbor/configuration.nix @@ -52,6 +52,9 @@ services.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path; services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de"; + services.borg-server.enable = true; + services.borg-server.repositories.comfy-station.ssh_public_key = builtins.readFile (../../static/keys/ + "borg-jonas@comfy-station.pub"); + # Allow unfree packages nixpkgs.config.allowUnfree = true; diff --git a/modules/services/borg-server.nix b/modules/services/borg-server.nix new file mode 100644 index 0000000..146840f --- /dev/null +++ b/modules/services/borg-server.nix 
@@ -0,0 +1,55 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.borg-server;
+in {
+ options.services.borg-server = {
+ enable = lib.mkEnableOption "Enable the borg server";
+ borg_user = lib.mkOption {
+ type = lib.types.str;
+ example = "borg";
+ default = "borg";
+ description = "The user for the borg repository home.";
+ };
+ repositories_path = lib.mkOption {
+ type = lib.types.path;
+ example = "/var/lib/borg-repositories";
+ default = "/var/lib/borg-repositories";
+ description = "The user for the borg repository home.";
+ };
+ repositories = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.nullOr (lib.types.strMatching "^[a-zA-Z0-9._-]+$");
+ example = "borg-repo";
+ description = "The name of the borg repository. If null, use key of attrset";
+ };
+ ssh_public_key = lib.mkOption {
+ type = lib.types.singleLineStr;
+ example = "ssh-rsa AAAA...";
+ description = "The path to the public key for the borg repository.";
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.${cfg.borg_user} = {
+ isNormalUser = true;
+ description = "Borg user";
+ home = cfg.repositories_path;
+ createHome = true;
+ extraGroups = ["borg"];
+ openSSH.authorizedKeys.keys = builtins.attrValues (
+ builtins.mapAttrs
+ (key: repo: "command=\"${pkgs.borg}/bin/borg serve --restrict-to-path=${cfg.repositories_path}/${repo.name or key}\", restrict ${repo.ssh_public_key}")
+ cfg.repositories
+ );
+ };
+ };
+}
diff --git a/static/keys/borg-jonas@comfy-station.pub b/static/keys/borg-jonas@comfy-station.pub
new file mode 100644
index 0000000..e286cb7
--- /dev/null
+++ b/static/keys/borg-jonas@comfy-station.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNYmQ4HspLsunLyryI/ZbX4tTuRI6cRv0n/ai6+DNCc borg@jroeger.de
diff --git a/static/keys/passgit-jonas@comfy-station.pub b/static/keys/passgit-jonas@comfy-station.pub
new file mode 100644
index 0000000..a16c7c6
--- /dev/null
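Review bot: In modules/services/borg-server.nix the authorized_keys entry built under `users.users.${cfg.borg_user}` will most likely not take effect as written, for three reasons on the `openSSH.authorizedKeys.keys` lines. The NixOS user option is spelled `openssh.authorizedKeys.keys`, so `openSSH` should fail evaluation as an unknown option. sshd(8) permits no spaces between key options outside double quotes, so `\", restrict ` ends option parsing at the comma and the line is probably rejected rather than read with `restrict`; write `\",restrict ${repo.ssh_public_key}`. `repo.name or key` does not give the documented fallback, because `or` only covers a missing attribute while `name` is a declared option without a default (and a `null` value cannot be interpolated); add `default = null;` to `name`, use `${if repo.name != null then repo.name else key}`, and assert that the attrset key also matches the `strMatching` pattern, since it ends up inside the forced command. Because a client holding this key can otherwise delete its archives, consider `borg serve --append-only`, and correct the copy-pasted descriptions of `repositories_path` (it is a path, not a user) and `ssh_public_key` (it holds the key text, not a path).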
+++ b/static/keys/passgit-jonas@comfy-station.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBodNTvEGT2J+w6qpJNvmwZuHCshzq2nwU92+VqRcyn4 jonas@comfy-station