Encrypt restic secrets
parent
89a55f792a
commit
4f1a2f6b45
|
@ -1,29 +1,30 @@
|
|||
{ custom
|
||||
, hostname
|
||||
, inputs
|
||||
, path ? "/home/${custom.username}"
|
||||
{ inputs
|
||||
, path
|
||||
, tag ? "home-dir"
|
||||
, time
|
||||
}: { pkgs, ... }:
|
||||
}: { config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
(import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
|
||||
];
|
||||
systemd.timers."restic-backups-${custom.username}" = {
|
||||
|
||||
age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
|
||||
|
||||
systemd.timers."restic-backups" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "restic-backups-${custom.username}.service" ];
|
||||
partOf = [ "restic-backups.service" ];
|
||||
timerConfig = {
|
||||
OnCalendar = time;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."restic-backups-${custom.username}" = {
|
||||
systemd.services."restic-backups" = {
|
||||
serviceConfig = {
|
||||
User = "root";
|
||||
Type = "oneshot";
|
||||
};
|
||||
environment = {
|
||||
RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
|
||||
RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
|
||||
RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
|
||||
};
|
||||
onFailure = [ "unit-status-telegram@%n.service" ];
|
||||
|
@ -34,7 +35,7 @@
|
|||
|
||||
${pkgs.restic}/bin/restic forget \
|
||||
--tag home-dir \
|
||||
--host ${hostname} \
|
||||
--host ${config.networking.hostName} \
|
||||
--keep-daily 7 \
|
||||
--keep-weekly 5 \
|
||||
--keep-monthly 12 \
|
||||
|
|
|
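Review bot: The added `age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";` sets no owner or mode, so the decrypted password file gets agenix's defaults (root-owned, 0400 as far as I recall); that is only correct because `serviceConfig.User = "root"` is still set further down, and nothing records that coupling, so a later switch to an unprivileged backup user would silently break `RESTIC_PASSWORD_FILE`. Suggest a comment on the declaration: `# owner/mode left at agenix defaults (root-only): restic-backups runs as root, see serviceConfig.User`. Worth noting too that `RESTIC_REPOSITORY` stays on `rest:http://…` — unchanged here, but now that the same key is distributed to every host, a REST endpoint without authentication or append-only mode would let any one host prune the others' snapshots; confirm how the server is run.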
@ -1,29 +1,30 @@
|
|||
{ custom
|
||||
, hostname
|
||||
, inputs
|
||||
, path ? "/home/${custom.username}"
|
||||
{ inputs
|
||||
, path
|
||||
, tag ? "home-dir"
|
||||
, time
|
||||
}: { pkgs, ... }:
|
||||
}: { config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
(import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
|
||||
];
|
||||
systemd.timers."restic-backups-${custom.username}" = {
|
||||
|
||||
age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
|
||||
|
||||
systemd.timers."restic-backups" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "restic-backups-${custom.username}.service" ];
|
||||
partOf = [ "restic-backups.service" ];
|
||||
timerConfig = {
|
||||
OnCalendar = time;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."restic-backups-${custom.username}" = {
|
||||
systemd.services."restic-backups" = {
|
||||
serviceConfig = {
|
||||
User = "root";
|
||||
Type = "oneshot";
|
||||
};
|
||||
environment = {
|
||||
RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
|
||||
RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
|
||||
RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
|
||||
};
|
||||
onFailure = [ "unit-status-telegram@%n.service" ];
|
||||
|
@ -40,7 +41,7 @@
|
|||
|
||||
${pkgs.restic}/bin/restic forget \
|
||||
--tag home-dir \
|
||||
--host ${hostname} \
|
||||
--host ${config.networking.hostName} \
|
||||
--keep-daily 7 \
|
||||
--keep-weekly 5 \
|
||||
--keep-monthly 12 \
|
||||
|
@ -48,7 +49,7 @@
|
|||
|
||||
${pkgs.restic}/bin/restic forget \
|
||||
--tag mariadb \
|
||||
--host ${hostname} \
|
||||
--host ${config.networking.hostName} \
|
||||
--keep-daily 7 \
|
||||
--keep-weekly 5 \
|
||||
--keep-monthly 12 \
|
||||
|
|
|
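Review bot: The added `age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";` is the third verbatim copy of this declaration in the commit (restic-server-client and restic-server carry the same line), each relying on default ownership, while `modules/restic` declares the same secret with a different owner and mode. Factoring it into one small shared module that the three server-side modules import would keep path, owner and mode in exactly one place and prevent the copies from drifting. The `script` containing the `forget` calls belongs to a service whose definition starts outside the hunk.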
@ -1,8 +1,10 @@
|
|||
{ inputs, custom, pkgs, ... }:
|
||||
{ inputs }: { config, pkgs, ... }:
|
||||
let
|
||||
repository = "/mnt/restic-server";
|
||||
in
|
||||
{
|
||||
age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
restic
|
||||
];
|
||||
|
@ -27,7 +29,7 @@ in
|
|||
script = ''
|
||||
${pkgs.restic}/bin/restic \
|
||||
--repo ${repository} \
|
||||
--password-file "/etc/restic/restic.key" \
|
||||
--password-file ${config.age.secrets.resticKey.path} \
|
||||
prune \
|
||||
'';
|
||||
};
|
||||
|
|
|
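Review bot: The prune job now reads the repository password from `config.age.secrets.resticKey.path`, which makes the storage host a recipient of `restic.key.age`; a restic REST server does not need the repository password to serve clients, so this becomes the one machine whose compromise exposes both the encrypted data and the key to it. If prune can run from a client or a dedicated maintenance host, the server key could be dropped from the recipient list; if it must stay here, a comment above `age.secrets.resticKey.file` saying why the server holds the password would help the next reader, e.g. `# server needs the repo password only for the scheduled prune below`. The `script` block is part of a service whose definition starts outside the hunk.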
@ -1,7 +1,7 @@
|
|||
{ custom, hostname, inputs }: { pkgs, ... }:
|
||||
{ custom, inputs }: { config, pkgs, ... }:
|
||||
let
|
||||
# TODO: encrypt key file with agenix
|
||||
password_file = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
|
||||
password_file = config.age.secrets.resticKey.path;
|
||||
repository = "rest:http://10.7.89.30:8000";
|
||||
|
||||
restic-mount = pkgs.writeShellScriptBin "restic-mount" ''
|
||||
|
@ -9,7 +9,7 @@ let
|
|||
${pkgs.restic}/bin/restic \
|
||||
--repo ${repository} \
|
||||
--password-file ${password_file} \
|
||||
--host ${hostname} \
|
||||
--host ${config.networking.hostName} \
|
||||
mount /tmp/restic'';
|
||||
|
||||
restic-mount-all = pkgs.writeShellScriptBin "restic-mount-all" ''
|
||||
|
@ -20,7 +20,7 @@ let
|
|||
mount /tmp/restic'';
|
||||
|
||||
# TODO: encrypt key file with agenix
|
||||
infomaniak-env = "/home/${custom.username}/.nixos/secrets/passwords/infomaniak-env";
|
||||
infomaniak-env = config.age.secrets.infomaniakEnv.path;
|
||||
infomaniak-repo = "swift:default:/";
|
||||
infomaniak-auth-url = "https://swiss-backup02.infomaniak.com/identity/v3";
|
||||
|
||||
|
@ -49,6 +49,19 @@ in
|
|||
(import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
|
||||
];
|
||||
|
||||
age.secrets.infomaniakEnv = {
|
||||
file = "${inputs.self}/scrts/infomaniak_env.age";
|
||||
mode = "600";
|
||||
owner = custom.username;
|
||||
group = "users";
|
||||
};
|
||||
age.secrets.resticKey = {
|
||||
file = "${inputs.self}/scrts/restic.key.age";
|
||||
mode = "600";
|
||||
owner = custom.username;
|
||||
group = "users";
|
||||
};
|
||||
|
||||
systemd.timers."restic-backups-${custom.username}" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "restic-backups-${custom.username}.service" ];
|
||||
|
@ -77,7 +90,7 @@ in
|
|||
|
||||
${pkgs.restic}/bin/restic \
|
||||
forget \
|
||||
--host ${hostname} \
|
||||
--host ${config.networking.hostName} \
|
||||
--tag home-dir \
|
||||
--keep-hourly 25 \
|
||||
--keep-daily 7 \
|
||||
|
@ -92,7 +105,7 @@ in
|
|||
${pkgs.restic}/bin/restic \
|
||||
--repo ${repository} \
|
||||
--password-file ${password_file} \
|
||||
snapshots --host ${hostname}'';
|
||||
snapshots --host ${config.networking.hostName}'';
|
||||
restic-unlock = ''
|
||||
${pkgs.restic}/bin/restic \
|
||||
--repo ${repository} \
|
||||
|
|
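Review bot: `age.secrets.resticKey` and `age.secrets.infomaniakEnv` are decrypted with `owner = custom.username` and `mode = "600"`, unlike the server-client modules where the same key stays root-only; the reason appears to be that `restic-mount`/`restic-mount-all` are user-invoked `writeShellScriptBin` wrappers, but this is not written down. Suggest a comment on the block: `# user-owned on purpose: the restic-* wrapper scripts above run as ${custom.username}, not root`. With mode 600 the `group = "users"` attribute has no effect and could be dropped so it does not suggest group access is intended. `infomaniakEnv` presumably holds the Swift credentials used with `infomaniak-auth-url` below, so the same comment should make clear those are deliberately readable by the interactive user.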
Binary file not shown.
|
@ -0,0 +1,50 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa 7S8lxw
|
||||
OzFzBC1L014yJHeHbcprvvHFrSGGVvDYbSGL0zhz9zU9QVdavrF1Vjiau8uqKw89
|
||||
BWgGsxkgdalzb99kds21tpX2dW9oVUCC5Utb4WSsOzTD6YvbW8D+XlsNsTPTb9iG
|
||||
LQAvfe3W7xGCVn1vk87e1lKk21VngsvivaAU1ZUfZLRGTAs16ES9aOQoPN5nmV8x
|
||||
DqnoApkbxUa3MhM45ZTl6mFXzEJxyBdX6wTs8e2A2BKsdTKTFFSuOamMN1v2b/Et
|
||||
rnYFSxVNaH/2/lVYcOm4cY9K3IY2T/pgeJXXehg02w0kaaULNh8IqNcLnRygj/XD
|
||||
tyQdJ3Xgg3bgVAYo8YTeG9+e9CYgLvyxGN4sJ5pa1QE5qAebpy9okCzATxI4quVt
|
||||
QF//zYPnnLxIw4Vd66a2avySt0JcytjFCuhluOcEpyUb5Nsycieto0tX9bVMRwDb
|
||||
DQtjDKRafYquLVExVrjfvR1x7MBBtLwVqdIhgAYYFTPGyOEPINAOZgIGub5Q1cZF
|
||||
|
||||
-> ssh-rsa Ws+JZA
|
||||
r6k1X2MNk2nqjyYCjgn1H0C470BNkqJ6m+q4tNtYSmG7jPI/5xXZ6hCOi0eGMypT
|
||||
ysleDwgW/BuM5o7SKfrx9URVAUe435IO/FTYqO7qOh2hU2nE01TFcjEp3qE47YA7
|
||||
lzCAlwN5YcMn9ELRbhFmjWt8p8XjSjcRyma1urHQjKa0ggls5VUyGhdn2Sko8ed6
|
||||
52lwy6bNj/CnrsLycMj1ib1QvrG0o7VqbY/l9I4+x2kqryPgOTqH4Uy/pD1/XFVc
|
||||
JAUQeAJMdUCPFczGmDQojtPXRgBjACNBDffLL9GB0MPf7rpC5Das/YkoU+b0yzsM
|
||||
veWeIxovtJLbcNyIbmSQgap4gGT0+6Wb3FKsYDm3cgHft0o31sTQHHe00LV5kpc1
|
||||
AXz2EANCPMxtauKDzu+v1uOmnckjBH3i7MQKMDV1C5oqhbd7zussHsd9l9S3hu2J
|
||||
xCJWSY9Os1KlGhkJvJyjeegOr34LGI65dWJQO+QbjQESXmIPOw7aoEz3J8HLDdr0
|
||||
|
||||
-> ssh-ed25519 p9NsdQ WL1/YPZGXNiL4fq1q0NQjZSNPGLSDLMlpyOp9Qv82kk
|
||||
XF8E3iG2x2xn2fYl/QWDkBtUnUSqC3Df9IRZ8ScTMEk
|
||||
-> ssh-ed25519 skmU/w lL8if8HD/7QHG5rTmrAuZ/Mvlf5ugWy6mMMdN1znOBY
|
||||
0ne2zhnCV0BJ9gh7E4gRgonRM5IGT8iDXCf3fFsEaSM
|
||||
-> ssh-ed25519 L7IrhA tMYUDRPI5jUaUk2v2/cJ2PfF9vFZLR3lxUosLPx6z38
|
||||
TvZsKBkb1ss3KmkFqL3YXzEeADtKMbrbanUFkZRCedY
|
||||
-> ssh-ed25519 ASE6tQ dWh338rCCoy90kGWAuzAXApaQSUnX5mc0faa1pQPKRw
|
||||
IEptFLmlBQOh8F6QpI/kx4Fjsbd+RZ0r+ZPVnZpkN90
|
||||
-> ssh-ed25519 MpFwoA 2LxQdhrQwahXu8sPByC7Iat1UDW2HTCrBy99E3WU5Fw
|
||||
x3hU+nNhdOeCwB/vDfJuOtv/Ku1wdasvw5ITCVvUL2g
|
||||
-> ssh-ed25519 aGyD+A DrG2z4JqXFC70cDXoHSKKvO+5jH0HSQ1E6AF6o12JEc
|
||||
SXuuFi6z8ukei4GZpdcVKasZJzjqXVJCf6LKBsu1J9E
|
||||
-> ssh-ed25519 KXqA9w vzLJx/+kTAIiuKDN/I4WJ0dNgr1C4gsMEvz77wRI/yg
|
||||
jEqXDIBVcOhVZERxynTQzQ5EQUTLFafNLG6jQT+2zag
|
||||
-> ssh-ed25519 f6vWeA oijUvlyY9l6cXr2eXuEqV+cUr4EF32rGsEd7ewa1hQs
|
||||
NcuR16Msc8GxavitVBSVYXTzg51F/U+J82UE1V3kpSI
|
||||
-> ssh-ed25519 6EZJNg 84hGgnr/Qwshnnyq9I9uj1onQG7lJ3KTQsBxNbB3slg
|
||||
4sf6zyReKAsOE82dpJplxPV2Pqygbe3AGbvMwd+dQMg
|
||||
-> ssh-ed25519 6TvZbg D0bfdLAmX+E7/kRXHCtkLTAaY004cynq1LLuMu0dcks
|
||||
rVOArYhUaF4+RgAh28BrS2wWetskLFUOKrihZpG3Un0
|
||||
-> ssh-ed25519 BycpnQ 5MwWmzm0lNRGBrwz3dSQ/bYdn3zVc87aouCifCTnTQU
|
||||
7PXd9CuMyex61PTrHnTgULJj2Y7iV366K4pQ0KjtxSA
|
||||
-> ssh-ed25519 pCmz5A o2ZYdBuAfGG5VDRwB11Q5CjCLT4hBUQ6Q59zKIf513E
|
||||
PYz4Gf9Np1kkc8qG2J6YM7w3+E/raD1q+310aI1xdys
|
||||
-> D,C-grease #P3fP{ [,?%}
|
||||
tbwJ6/FEVeNe9AYCNCYRxfbcaAm1qeNNLFNI6aY6C7gmU9403oSmdEWBm0WLt0KP
|
||||
JYs
|
||||
--- WBUozPqy+aDm4mj36Q9N4y3uNSZiVZDdwGIyEsvH1Ho
|
||||
žÕÈÏþOÃ-BA<0B>ª.ÊÈIò¸ó÷²$Mÿi[DÿI
ÓWªÛÿë 2„÷í;öW+¼Óþ!ˆW
|
|
@ -34,8 +34,10 @@ let
|
|||
in
|
||||
{
|
||||
"gitea_env.age".publicKeys = defaultKeys ++ [ git ];
|
||||
"infomaniak_env.age".publicKeys = all;
|
||||
"pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
|
||||
"plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
|
||||
"restic.key.age".publicKeys = all;
|
||||
"telegram_notify_env.age".publicKeys = all;
|
||||
"ttrss_env.age".publicKeys = defaultKeys ++ [ ttrss ];
|
||||
}
|
||||
|
|
|
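Review bot: `"infomaniak_env.age".publicKeys = all;` and `"restic.key.age".publicKeys = all;` encrypt both secrets to every host key, yet in this commit only `modules/restic` (the workstations) reads `infomaniakEnv`, and the restic password is only needed by hosts that import a restic module. Each extra recipient is another machine whose SSH host key compromise yields the backup password or the cloud credentials; the rest of this file already scopes per-service secrets with `defaultKeys ++ [ host ]`, so following that pattern here — e.g. `"infomaniak_env.age".publicKeys = defaultKeys ++ workstations;` and a `resticHosts` list for the key — would keep the blast radius in line with the other entries. The `let` defining `all` and `defaultKeys` begins outside the hunk.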
@ -9,7 +9,8 @@ in
|
|||
inherit hostname inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/restic-server-mysql-client" {
|
||||
time = "03:00"; inherit custom hostname inputs;
|
||||
path = "/home/andreas";
|
||||
time = "03:00"; inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/nginx-proxy" {
|
||||
inherit domain inputs;
|
||||
|
|
|
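Review bot: `path = "/home/andreas";` hard-codes a home directory that the module previously derived as `/home/${custom.username}`; `custom` was in scope on this host (the removed line inherits it), so `path = "/home/${custom.username}";` would keep the account name in one place and avoid silently backing up a stale directory if it ever changes. The same applies to every host in this commit that sets `path = "/home/andreas"`. The surrounding `imports` list starts outside the hunk.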
@ -20,7 +20,7 @@
|
|||
"${inputs.self}/modules/scripts"
|
||||
"${inputs.self}/modules/tlp"
|
||||
"${inputs.self}/modules/tmux"
|
||||
(import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
|
||||
(import "${inputs.self}/modules/restic" { inherit custom inputs; })
|
||||
];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"aesni_intel"
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
inherit hostname inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/restic-server-client" {
|
||||
time = "04:30"; inherit custom hostname inputs;
|
||||
path = "/home/andreas";
|
||||
time = "04:30";
|
||||
inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/nginx-proxy" {
|
||||
domain = "mail.zweili.org"; inherit inputs;
|
||||
|
|
|
@ -10,6 +10,12 @@ in
|
|||
})
|
||||
(import "${inputs.self}/modules/docker" { inherit custom; })
|
||||
"${inputs.self}/modules/logs-share"
|
||||
(import "${inputs.self}/modules/restic-server-client" {
|
||||
path = "/home/andreas";
|
||||
tag = "management";
|
||||
time = "23:30";
|
||||
inherit inputs;
|
||||
})
|
||||
"${inputs.self}/modules/tmux"
|
||||
];
|
||||
services.nginx.virtualHosts."${domain}".locations = {
|
||||
|
|
|
@ -6,7 +6,8 @@
|
|||
inherit hostname inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/restic-server-mysql-client" {
|
||||
time = "04:00"; inherit custom hostname inputs;
|
||||
path = "/home/andreas";
|
||||
time = "04:00"; inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/docker" { inherit custom; })
|
||||
"${inputs.self}/modules/mariadb"
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
(import "${inputs.self}/modules/restic-server-client" {
|
||||
path = "/var/lib/pihole";
|
||||
tag = "pihole";
|
||||
time = "05:00"; inherit custom hostname inputs;
|
||||
time = "05:00"; inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/docker" { inherit custom; })
|
||||
(import "${inputs.self}/modules/pihole" { inherit inputs; })
|
||||
|
|
|
@ -8,7 +8,8 @@
|
|||
(import "${inputs.self}/modules/restic-server-client" {
|
||||
path = "/var/lib/plex";
|
||||
tag = "plex";
|
||||
time = "03:30"; inherit custom hostname inputs;
|
||||
time = "03:30";
|
||||
inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/docker" { inherit custom; })
|
||||
"${inputs.self}/modules/media-share"
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
inherit hostname inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/restic-server-client" {
|
||||
time = "00:00"; inherit custom hostname inputs;
|
||||
path = "/home/andreas";
|
||||
time = "00:00";
|
||||
inherit inputs;
|
||||
})
|
||||
"${inputs.self}/modules/nginx-acme-base"
|
||||
(import "${inputs.self}/modules/docker" { inherit custom; })
|
||||
|
|
|
@ -5,6 +5,6 @@
|
|||
ip = "10.7.89.30";
|
||||
inherit hostname inputs;
|
||||
})
|
||||
"${inputs.self}/modules/restic-server"
|
||||
(import "${inputs.self}/modules/restic-server" { inherit inputs; })
|
||||
];
|
||||
}
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
(import "${inputs.self}/modules/droidcam" { inherit custom; })
|
||||
(import "${inputs.self}/modules/espanso" { inherit custom; })
|
||||
"${inputs.self}/modules/lockscreen"
|
||||
(import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
|
||||
(import "${inputs.self}/modules/restic" { inherit custom inputs; })
|
||||
"${inputs.self}/modules/tlp"
|
||||
"${inputs.self}/modules/tmux"
|
||||
];
|
||||
|
|
|
@ -14,7 +14,7 @@ in
|
|||
(import "${inputs.self}/modules/restic-server-mysql-client" {
|
||||
path = "/var/lib/ttrss";
|
||||
tag = "ttrss";
|
||||
time = "23:00"; inherit custom hostname inputs;
|
||||
time = "23:00"; inherit inputs;
|
||||
})
|
||||
(import "${inputs.self}/modules/ttrss" {
|
||||
inherit domain inputs;
|
||||
|
|