Add borgmatic config for pi

hosts/odyssey/default.nix

@@ -52,7 +52,7 @@
     };
   };
 
-  age.secrets."odyssey-passphrase" = {
+  age.secrets."passwords/services/borg/odyssey-passphrase" = {
     file = "${inputs.secrets}/passwords/services/borg/odyssey-passphrase.age";
   };
 
@@ -66,7 +66,7 @@
         { label = "borgbase"; path = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"; }
       ];
       storage = {
-        encryption_passcommand = "cat ${config.age.secrets.odyssey-passphrase.path}";
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/odyssey-passphrase".path}";
         ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
       };
       retention = {

hosts/pi/default.nix

@@ -77,6 +77,35 @@
     };
   };
 
+  age.secrets."passwords/services/borg/pi-passphrase" = {
+    file = "${inputs.secrets}/passwords/services/borg/pi-passphrase.age";
+  };
+
+  services.borgmatic = {
+    enable = true;
+    settings = {
+      source_directories = [
+        "/var/lib/mosquitto"
+        "/var/lib/zigbee2mqtt"
+      ];
+      repositories = [
+        { label = "borgbase"; path = "ssh://qcw86s11@qcw86s11.repo.borgbase.com/./repo"; }
+      ];
+      storage = {
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/pi-passphrase".path}";
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      };
+      retention = {
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+  };
+
+  # Without this override, `cat` is unavailable for `encryption_passcommand`
+  systemd.services.borgmatic.confinement.fullUnit = true;
+
   environment.systemPackages = with pkgs; [
     libraspberrypi
     raspberrypi-eeprom