From bbe464d73bb8a14b5464ac631ed017a48a5eda3b Mon Sep 17 00:00:00 2001
From: jasmine <its.jassy@pm.me>
Date: Tue, 14 Oct 2025 20:29:37 +0800
Subject: [PATCH] fix(borgbackup): add unencrypted repo access and refactor
 environment blocks

Fixes cache initialization failures on unencrypted repositories and
standardizes environment variable configuration across all backup jobs.

Changes:
- Add BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK to unencrypted repos
  (fuchsia/viridian onsite) to bypass interactive confirmation prompt
- Refactor all environment.BORG_RSH to multiline attribute set format
  for consistency and future extensibility

The cache initialization error occurred after removing persistent timers
(commit d21b36a), causing borg to treat existing repos as "previously
unknown". The bypass flag allows automated jobs to proceed without
interactive confirmation for unencrypted repositories.
---
 nixos/fuchsia/services/borgbackup/offsite.nix  | 4 +++-
 nixos/fuchsia/services/borgbackup/onsite.nix   | 5 ++++-
 nixos/viridian/services/borgbackup/offsite.nix | 5 ++++-
 nixos/viridian/services/borgbackup/onsite.nix  | 4 ++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/nixos/fuchsia/services/borgbackup/offsite.nix b/nixos/fuchsia/services/borgbackup/offsite.nix
index 519b655..52ff0d0 100644
--- a/nixos/fuchsia/services/borgbackup/offsite.nix
+++ b/nixos/fuchsia/services/borgbackup/offsite.nix
@@ -81,7 +81,9 @@
       passCommand = "cat ${config.age.secrets.borgbackup.path}";
     };
 
-    environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    environment = {
+      BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    };
 
     compression = "zstd,9";
     startAt = "14:00"; # Daily at 2pm when system is reliably awake
diff --git a/nixos/fuchsia/services/borgbackup/onsite.nix b/nixos/fuchsia/services/borgbackup/onsite.nix
index ed17648..4a1e8d5 100644
--- a/nixos/fuchsia/services/borgbackup/onsite.nix
+++ b/nixos/fuchsia/services/borgbackup/onsite.nix
@@ -75,7 +75,10 @@ in {
     # No encryption for onsite backups (physical security assumed)
     encryption.mode = "none";
 
-    environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    environment = {
+      BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+    };
 
     compression = "zstd,9";
     startAt = "hourly";
diff --git a/nixos/viridian/services/borgbackup/offsite.nix b/nixos/viridian/services/borgbackup/offsite.nix
index df766b4..3ea5790 100644
--- a/nixos/viridian/services/borgbackup/offsite.nix
+++ b/nixos/viridian/services/borgbackup/offsite.nix
@@ -100,7 +100,10 @@
       passCommand = "cat ${config.age.secrets.borgbackup.path}";
     };
 
-    environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    environment = {
+      BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+    };
+
     compression = "zstd,9";
     startAt = "daily"; # Daily at midnight
 
diff --git a/nixos/viridian/services/borgbackup/onsite.nix b/nixos/viridian/services/borgbackup/onsite.nix
index 2108e84..51cc50e 100644
--- a/nixos/viridian/services/borgbackup/onsite.nix
+++ b/nixos/viridian/services/borgbackup/onsite.nix
@@ -103,6 +103,10 @@ in {
     # No encryption for local backups (physical security assumed)
     encryption.mode = "none";
 
+    environment = {
+      BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+    };
+
     compression = "zstd,9";
     startAt = "hourly";