Encrypt restic secrets

2022-11-04 16:49:46 +01:00 · 2022-11-04 16:49:46 +01:00 · 4f1a2f6b45
parent 89a55f792a
commit 4f1a2f6b45
18 changed files with 121 additions and 39 deletions
--- a/modules/restic-server-client/default.nix
+++ b/modules/restic-server-client/default.nix
@ -1,29 +1,30 @@
-{ custom
-, hostname
-, inputs
-, path ? "/home/${custom.username}"
+{ inputs
+, path
 , tag ? "home-dir"
 , time
-}: { pkgs, ... }:
+}: { config, pkgs, ... }:
 {
  imports = [
    (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
  ];
-  systemd.timers."restic-backups-${custom.username}" = {
+
+  age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
+  systemd.timers."restic-backups" = {
    wantedBy = [ "timers.target" ];
-    partOf = [ "restic-backups-${custom.username}.service" ];
+    partOf = [ "restic-backups.service" ];
    timerConfig = {
      OnCalendar = time;
    };
  };

-  systemd.services."restic-backups-${custom.username}" = {
+  systemd.services."restic-backups" = {
    serviceConfig = {
      User = "root";
      Type = "oneshot";
    };
    environment = {
-      RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+      RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
      RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
    };
    onFailure = [ "unit-status-telegram@%n.service" ];
@ -34,7 +35,7 @@

      ${pkgs.restic}/bin/restic forget \
        --tag home-dir \
-        --host ${hostname} \
+        --host ${config.networking.hostName} \
        --keep-daily 7 \
        --keep-weekly 5 \
        --keep-monthly 12 \
--- a/modules/restic-server-mysql-client/default.nix
+++ b/modules/restic-server-mysql-client/default.nix
@ -1,29 +1,30 @@
-{ custom
-, hostname
-, inputs
-, path ? "/home/${custom.username}"
+{ inputs
+, path
 , tag ? "home-dir"
 , time
-}: { pkgs, ... }:
+}: { config, pkgs, ... }:
 {
  imports = [
    (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
  ];
-  systemd.timers."restic-backups-${custom.username}" = {
+
+  age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
+  systemd.timers."restic-backups" = {
    wantedBy = [ "timers.target" ];
-    partOf = [ "restic-backups-${custom.username}.service" ];
+    partOf = [ "restic-backups.service" ];
    timerConfig = {
      OnCalendar = time;
    };
  };

-  systemd.services."restic-backups-${custom.username}" = {
+  systemd.services."restic-backups" = {
    serviceConfig = {
      User = "root";
      Type = "oneshot";
    };
    environment = {
-      RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+      RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
      RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
    };
    onFailure = [ "unit-status-telegram@%n.service" ];
@ -40,7 +41,7 @@

      ${pkgs.restic}/bin/restic forget \
        --tag home-dir \
-        --host ${hostname} \
+        --host ${config.networking.hostName} \
        --keep-daily 7 \
        --keep-weekly 5 \
        --keep-monthly 12 \
@ -48,7 +49,7 @@

      ${pkgs.restic}/bin/restic forget \
        --tag mariadb \
-        --host ${hostname} \
+        --host ${config.networking.hostName} \
        --keep-daily 7 \
        --keep-weekly 5 \
        --keep-monthly 12 \
--- a/modules/restic-server/default.nix
+++ b/modules/restic-server/default.nix
@ -1,8 +1,10 @@
-{ inputs, custom, pkgs, ... }:
+{ inputs }: { config, pkgs, ... }:
 let
  repository = "/mnt/restic-server";
 in
 {
+  age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
  environment.systemPackages = with pkgs; [
    restic
  ];
@ -27,7 +29,7 @@ in
    script = ''
      ${pkgs.restic}/bin/restic \
      --repo ${repository} \
-      --password-file "/etc/restic/restic.key" \
+      --password-file ${config.age.secrets.resticKey.path} \
      prune \
    '';
  };
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@ -1,7 +1,7 @@
-{ custom, hostname, inputs }: { pkgs, ... }:
+{ custom, inputs }: { config, pkgs, ... }:
 let
  # TODO: encrypt key file with agenix
-  password_file = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+  password_file = config.age.secrets.resticKey.path;
  repository = "rest:http://10.7.89.30:8000";

  restic-mount = pkgs.writeShellScriptBin "restic-mount" ''
@ -9,7 +9,7 @@ let
    ${pkgs.restic}/bin/restic \
      --repo ${repository} \
      --password-file ${password_file} \
-      --host ${hostname} \
+      --host ${config.networking.hostName} \
      mount /tmp/restic'';

  restic-mount-all = pkgs.writeShellScriptBin "restic-mount-all" ''
@ -20,7 +20,7 @@ let
      mount /tmp/restic'';

  # TODO: encrypt key file with agenix
-  infomaniak-env = "/home/${custom.username}/.nixos/secrets/passwords/infomaniak-env";
+  infomaniak-env = config.age.secrets.infomaniakEnv.path;
  infomaniak-repo = "swift:default:/";
  infomaniak-auth-url = "https://swiss-backup02.infomaniak.com/identity/v3";

@ -49,6 +49,19 @@ in
    (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
  ];

+  age.secrets.infomaniakEnv = {
+    file = "${inputs.self}/scrts/infomaniak_env.age";
+    mode = "600";
+    owner = custom.username;
+    group = "users";
+  };
+  age.secrets.resticKey = {
+    file = "${inputs.self}/scrts/restic.key.age";
+    mode = "600";
+    owner = custom.username;
+    group = "users";
+  };
+
  systemd.timers."restic-backups-${custom.username}" = {
    wantedBy = [ "timers.target" ];
    partOf = [ "restic-backups-${custom.username}.service" ];
@ -77,7 +90,7 @@ in

      ${pkgs.restic}/bin/restic \
      forget \
-        --host ${hostname} \
+        --host ${config.networking.hostName} \
        --tag home-dir \
        --keep-hourly 25 \
        --keep-daily 7 \
@ -92,7 +105,7 @@ in
      ${pkgs.restic}/bin/restic \
        --repo ${repository} \
        --password-file ${password_file} \
-        snapshots --host ${hostname}'';
+        snapshots --host ${config.networking.hostName}'';
    restic-unlock = ''
      ${pkgs.restic}/bin/restic \
        --repo ${repository} \
--- a/scrts/infomaniak_env.age
+++ b/scrts/infomaniak_env.age
--- a/scrts/restic.key.age
+++ b/scrts/restic.key.age
@ -0,0 +1,50 @@
+age-encryption.org/v1
+-> ssh-rsa 7S8lxw
+OzFzBC1L014yJHeHbcprvvHFrSGGVvDYbSGL0zhz9zU9QVdavrF1Vjiau8uqKw89
+BWgGsxkgdalzb99kds21tpX2dW9oVUCC5Utb4WSsOzTD6YvbW8D+XlsNsTPTb9iG
+LQAvfe3W7xGCVn1vk87e1lKk21VngsvivaAU1ZUfZLRGTAs16ES9aOQoPN5nmV8x
+DqnoApkbxUa3MhM45ZTl6mFXzEJxyBdX6wTs8e2A2BKsdTKTFFSuOamMN1v2b/Et
+rnYFSxVNaH/2/lVYcOm4cY9K3IY2T/pgeJXXehg02w0kaaULNh8IqNcLnRygj/XD
+tyQdJ3Xgg3bgVAYo8YTeG9+e9CYgLvyxGN4sJ5pa1QE5qAebpy9okCzATxI4quVt
+QF//zYPnnLxIw4Vd66a2avySt0JcytjFCuhluOcEpyUb5Nsycieto0tX9bVMRwDb
+DQtjDKRafYquLVExVrjfvR1x7MBBtLwVqdIhgAYYFTPGyOEPINAOZgIGub5Q1cZF
+
+-> ssh-rsa Ws+JZA
+r6k1X2MNk2nqjyYCjgn1H0C470BNkqJ6m+q4tNtYSmG7jPI/5xXZ6hCOi0eGMypT
+ysleDwgW/BuM5o7SKfrx9URVAUe435IO/FTYqO7qOh2hU2nE01TFcjEp3qE47YA7
+lzCAlwN5YcMn9ELRbhFmjWt8p8XjSjcRyma1urHQjKa0ggls5VUyGhdn2Sko8ed6
+52lwy6bNj/CnrsLycMj1ib1QvrG0o7VqbY/l9I4+x2kqryPgOTqH4Uy/pD1/XFVc
+JAUQeAJMdUCPFczGmDQojtPXRgBjACNBDffLL9GB0MPf7rpC5Das/YkoU+b0yzsM
+veWeIxovtJLbcNyIbmSQgap4gGT0+6Wb3FKsYDm3cgHft0o31sTQHHe00LV5kpc1
+AXz2EANCPMxtauKDzu+v1uOmnckjBH3i7MQKMDV1C5oqhbd7zussHsd9l9S3hu2J
+xCJWSY9Os1KlGhkJvJyjeegOr34LGI65dWJQO+QbjQESXmIPOw7aoEz3J8HLDdr0
+
+-> ssh-ed25519 p9NsdQ WL1/YPZGXNiL4fq1q0NQjZSNPGLSDLMlpyOp9Qv82kk
+XF8E3iG2x2xn2fYl/QWDkBtUnUSqC3Df9IRZ8ScTMEk
+-> ssh-ed25519 skmU/w lL8if8HD/7QHG5rTmrAuZ/Mvlf5ugWy6mMMdN1znOBY
+0ne2zhnCV0BJ9gh7E4gRgonRM5IGT8iDXCf3fFsEaSM
+-> ssh-ed25519 L7IrhA tMYUDRPI5jUaUk2v2/cJ2PfF9vFZLR3lxUosLPx6z38
+TvZsKBkb1ss3KmkFqL3YXzEeADtKMbrbanUFkZRCedY
+-> ssh-ed25519 ASE6tQ dWh338rCCoy90kGWAuzAXApaQSUnX5mc0faa1pQPKRw
+IEptFLmlBQOh8F6QpI/kx4Fjsbd+RZ0r+ZPVnZpkN90
+-> ssh-ed25519 MpFwoA 2LxQdhrQwahXu8sPByC7Iat1UDW2HTCrBy99E3WU5Fw
+x3hU+nNhdOeCwB/vDfJuOtv/Ku1wdasvw5ITCVvUL2g
+-> ssh-ed25519 aGyD+A DrG2z4JqXFC70cDXoHSKKvO+5jH0HSQ1E6AF6o12JEc
+SXuuFi6z8ukei4GZpdcVKasZJzjqXVJCf6LKBsu1J9E
+-> ssh-ed25519 KXqA9w vzLJx/+kTAIiuKDN/I4WJ0dNgr1C4gsMEvz77wRI/yg
+jEqXDIBVcOhVZERxynTQzQ5EQUTLFafNLG6jQT+2zag
+-> ssh-ed25519 f6vWeA oijUvlyY9l6cXr2eXuEqV+cUr4EF32rGsEd7ewa1hQs
+NcuR16Msc8GxavitVBSVYXTzg51F/U+J82UE1V3kpSI
+-> ssh-ed25519 6EZJNg 84hGgnr/Qwshnnyq9I9uj1onQG7lJ3KTQsBxNbB3slg
+4sf6zyReKAsOE82dpJplxPV2Pqygbe3AGbvMwd+dQMg
+-> ssh-ed25519 6TvZbg D0bfdLAmX+E7/kRXHCtkLTAaY004cynq1LLuMu0dcks
+rVOArYhUaF4+RgAh28BrS2wWetskLFUOKrihZpG3Un0
+-> ssh-ed25519 BycpnQ 5MwWmzm0lNRGBrwz3dSQ/bYdn3zVc87aouCifCTnTQU
+7PXd9CuMyex61PTrHnTgULJj2Y7iV366K4pQ0KjtxSA
+-> ssh-ed25519 pCmz5A o2ZYdBuAfGG5VDRwB11Q5CjCLT4hBUQ6Q59zKIf513E
+PYz4Gf9Np1kkc8qG2J6YM7w3+E/raD1q+310aI1xdys
+-> D,C-grease #P3fP{ [,?%}
+tbwJ6/FEVeNe9AYCNCYRxfbcaAm1qeNNLFNI6aY6C7gmU9403oSmdEWBm0WLt0KP
+JYs
+--- WBUozPqy+aDm4mj36Q9N4y3uNSZiVZDdwGIyEsvH1Ho
+žÕÈÏþOÃ-BA<0B>ª.ÃŠÈIò¸ó÷²$Mÿi[DÿI
ÓWªÛÿë 2„÷í;öW+¼Óþ!ˆW
--- a/scrts/secrets.nix
+++ b/scrts/secrets.nix
@ -34,8 +34,10 @@ let
 in
 {
  "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
+  "infomaniak_env.age".publicKeys = all;
  "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
  "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
+  "restic.key.age".publicKeys = all;
  "telegram_notify_env.age".publicKeys = all;
  "ttrss_env.age".publicKeys = defaultKeys ++ [ ttrss ];
 }
--- a/systems/git/default.nix
+++ b/systems/git/default.nix
@ -9,7 +9,8 @@ in
      inherit hostname inputs;
    })
    (import "${inputs.self}/modules/restic-server-mysql-client" {
-      time = "03:00"; inherit custom hostname inputs;
+      path = "/home/andreas";
+      time = "03:00"; inherit inputs;
    })
    (import "${inputs.self}/modules/nginx-proxy" {
      inherit domain inputs;
--- a/systems/gwyn/default.nix
+++ b/systems/gwyn/default.nix
@ -20,7 +20,7 @@
    "${inputs.self}/modules/scripts"
    "${inputs.self}/modules/tlp"
    "${inputs.self}/modules/tmux"
-    (import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
+    (import "${inputs.self}/modules/restic" { inherit custom inputs; })
  ];
  boot.initrd.availableKernelModules = [
    "aesni_intel"
--- a/systems/mail/default.nix
+++ b/systems/mail/default.nix
@ -6,7 +6,9 @@
      inherit hostname inputs;
    })
    (import "${inputs.self}/modules/restic-server-client" {
-      time = "04:30"; inherit custom hostname inputs;
+      path = "/home/andreas";
+      time = "04:30";
+      inherit inputs;
    })
    (import "${inputs.self}/modules/nginx-proxy" {
      domain = "mail.zweili.org"; inherit inputs;
--- a/systems/management/default.nix
+++ b/systems/management/default.nix
@ -10,6 +10,12 @@ in
    })
    (import "${inputs.self}/modules/docker" { inherit custom; })
    "${inputs.self}/modules/logs-share"
+    (import "${inputs.self}/modules/restic-server-client" {
+      path = "/home/andreas";
+      tag = "management";
+      time = "23:30";
+      inherit inputs;
+    })
    "${inputs.self}/modules/tmux"
  ];
  services.nginx.virtualHosts."${domain}".locations = {
--- a/systems/nextcloud/default.nix
+++ b/systems/nextcloud/default.nix
@ -6,7 +6,8 @@
      inherit hostname inputs;
    })
    (import "${inputs.self}/modules/restic-server-mysql-client" {
-      time = "04:00"; inherit custom hostname inputs;
+      path = "/home/andreas";
+      time = "04:00"; inherit inputs;
    })
    (import "${inputs.self}/modules/docker" { inherit custom; })
    "${inputs.self}/modules/mariadb"
--- a/systems/pihole/default.nix
+++ b/systems/pihole/default.nix
@ -8,7 +8,7 @@
    (import "${inputs.self}/modules/restic-server-client" {
      path = "/var/lib/pihole";
      tag = "pihole";
-      time = "05:00"; inherit custom hostname inputs;
+      time = "05:00"; inherit inputs;
    })
    (import "${inputs.self}/modules/docker" { inherit custom; })
    (import "${inputs.self}/modules/pihole" { inherit inputs; })
--- a/systems/plex/default.nix
+++ b/systems/plex/default.nix
@ -8,7 +8,8 @@
    (import "${inputs.self}/modules/restic-server-client" {
      path = "/var/lib/plex";
      tag = "plex";
-      time = "03:30"; inherit custom hostname inputs;
+      time = "03:30";
+      inherit inputs;
    })
    (import "${inputs.self}/modules/docker" { inherit custom; })
    "${inputs.self}/modules/media-share"
--- a/systems/proxy/default.nix
+++ b/systems/proxy/default.nix
@ -6,7 +6,9 @@
      inherit hostname inputs;
    })
    (import "${inputs.self}/modules/restic-server-client" {
-      time = "00:00"; inherit custom hostname inputs;
+      path = "/home/andreas";
+      time = "00:00";
+      inherit inputs;
    })
    "${inputs.self}/modules/nginx-acme-base"
    (import "${inputs.self}/modules/docker" { inherit custom; })
--- a/systems/restic-server/default.nix
+++ b/systems/restic-server/default.nix
@ -5,6 +5,6 @@
      ip = "10.7.89.30";
      inherit hostname inputs;
    })
-    "${inputs.self}/modules/restic-server"
+    (import "${inputs.self}/modules/restic-server" { inherit inputs; })
  ];
 }
--- a/systems/staubfinger/default.nix
+++ b/systems/staubfinger/default.nix
@ -10,7 +10,7 @@
    (import "${inputs.self}/modules/droidcam" { inherit custom; })
    (import "${inputs.self}/modules/espanso" { inherit custom; })
    "${inputs.self}/modules/lockscreen"
-    (import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
+    (import "${inputs.self}/modules/restic" { inherit custom inputs; })
    "${inputs.self}/modules/tlp"
    "${inputs.self}/modules/tmux"
  ];
--- a/systems/ttrss/default.nix
+++ b/systems/ttrss/default.nix
@ -14,7 +14,7 @@ in
    (import "${inputs.self}/modules/restic-server-mysql-client" {
      path = "/var/lib/ttrss";
      tag = "ttrss";
-      time = "23:00"; inherit custom hostname inputs;
+      time = "23:00"; inherit inputs;
    })
    (import "${inputs.self}/modules/ttrss" {
      inherit domain inputs;