borg: use new ssh keys and add -x flag

hosts/chunk/borg.nix

@@ -31,13 +31,13 @@
         passCommand = "cat ${config.sops.secrets."borg/rsyncnet".path}";
       };
       environment = {
-        BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+        BORG_RSH = ''ssh -i ${config.sops.secrets."rsyncnet/id_ed25519"}'';
         BORG_REMOTE_PATH = "borg1";
         BORG_EXIT_CODES = "modern";
       };
       compression = "auto,zstd";
       startAt = "hourly";
-      extraCreateArgs = [ "--stats" ];
+      extraCreateArgs = [ "--stats" "-x" ];
       # warnings are often not that serious
       failOnWarnings = false;
       postHook = ''

hosts/chunk/default.nix

@@ -79,6 +79,9 @@
       sopsFile = ../../secrets/services/gitlab.yaml;
       owner = config.users.users.git.name;
     };
+    "rsyncnet/id_ed25519" = {
+      sopsFile = ../../secrets/de3911/chunk.yaml;
+    };
   };
 
   boot.loader.grub.enable = true;

hosts/ytnix/default.nix

@@ -23,6 +23,9 @@
     "wireguard/psk" = {
       sopsFile = ../../secrets/wireguard/yt.yaml;
     };
+    "rsyncnet/id_ed25519" = {
+      sopsFile = ../../secrets/de3911/yt.yaml;
+    };
   };
 
   boot = {
@@ -207,13 +210,13 @@
       passCommand = ''cat ${config.sops.secrets."borg/rsyncnet".path}'';
     };
     environment = {
-      BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+      BORG_RSH = ''ssh -i ${config.sops.secrets."rsyncnet/id_ed25519".path}'';
       BORG_REMOTE_PATH = "borg1";
       BORG_EXIT_CODES = "modern";
     };
     compression = "auto,zstd";
     startAt = "daily";
-    extraCreateArgs = [ "--stats" ];
+    extraCreateArgs = [ "--stats" "-x" ];
     # warnings are often not that serious
     failOnWarnings = false;
     postHook = ''