diff --git a/modules/restic-server-client/default.nix b/modules/restic-server-client/default.nix
index 92506a1..45d0ddf 100644
--- a/modules/restic-server-client/default.nix
+++ b/modules/restic-server-client/default.nix
@@ -1,29 +1,30 @@
-{ custom
-, hostname
-, inputs
-, path ? "/home/${custom.username}"
+{ inputs
+, path
 , tag ? "home-dir"
 , time
-}: { pkgs, ... }:
+}: { config, pkgs, ... }:
 {
 imports = [
 (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
 ];
- systemd.timers."restic-backups-${custom.username}" = {
+
+ age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
+ systemd.timers."restic-backups" = {
 wantedBy = [ "timers.target" ];
- partOf = [ "restic-backups-${custom.username}.service" ];
+ partOf = [ "restic-backups.service" ];
 timerConfig = {
 OnCalendar = time;
 };
 };
- systemd.services."restic-backups-${custom.username}" = {
+ systemd.services."restic-backups" = {
 serviceConfig = {
 User = "root";
 Type = "oneshot";
 };
 environment = {
- RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+ RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
 RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
 };
 onFailure = [ "unit-status-telegram@%n.service" ];
@@ -34,7 +35,7 @@
 ${pkgs.restic}/bin/restic forget \
 --tag home-dir \
- --host ${hostname} \
+ --host ${config.networking.hostName} \
 --keep-daily 7 \
 --keep-weekly 5 \
 --keep-monthly 12 \
diff --git a/modules/restic-server-mysql-client/default.nix b/modules/restic-server-mysql-client/default.nix
index 2bbfb59..ee3d276 100644
--- a/modules/restic-server-mysql-client/default.nix
+++ b/modules/restic-server-mysql-client/default.nix
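Review bot: The forget invocation in the second hunk still hard-codes `--tag home-dir \` although the module takes `tag` as a parameter (`, tag ? "home-dir"`), so snapshots written under another tag (pihole, plex, ttrss and the management client this commit adds) are presumably never expired by this retention policy; the backup command itself is outside the hunk, so confirm which tag it applies before changing the line to `--tag ${tag} \`. The same hard-coded tag survives in the first forget hunk of modules/restic-server-mysql-client. The new `age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";` relies on agenix's default owner and mode, which is what a `User = "root"` oneshot needs, but a comment such as `# root-only by default; the backup unit runs as root` would make that dependency explicit for whoever later changes the service user. The first hunk is byte-for-byte identical to the one in restic-server-mysql-client, which suggests the timer/service definition could be shared rather than duplicated.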
@@ -1,29 +1,30 @@
-{ custom
-, hostname
-, inputs
-, path ? "/home/${custom.username}"
+{ inputs
+, path
 , tag ? "home-dir"
 , time
-}: { pkgs, ... }:
+}: { config, pkgs, ... }:
 {
 imports = [
 (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
 ];
- systemd.timers."restic-backups-${custom.username}" = {
+
+ age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
+ systemd.timers."restic-backups" = {
 wantedBy = [ "timers.target" ];
- partOf = [ "restic-backups-${custom.username}.service" ];
+ partOf = [ "restic-backups.service" ];
 timerConfig = {
 OnCalendar = time;
 };
 };
- systemd.services."restic-backups-${custom.username}" = {
+ systemd.services."restic-backups" = {
 serviceConfig = {
 User = "root";
 Type = "oneshot";
 };
 environment = {
- RESTIC_PASSWORD_FILE = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+ RESTIC_PASSWORD_FILE = config.age.secrets.resticKey.path;
 RESTIC_REPOSITORY = "rest:http://10.7.89.30:8000";
 };
 onFailure = [ "unit-status-telegram@%n.service" ];
@@ -40,7 +41,7 @@
 ${pkgs.restic}/bin/restic forget \
 --tag home-dir \
- --host ${hostname} \
+ --host ${config.networking.hostName} \
 --keep-daily 7 \
 --keep-weekly 5 \
 --keep-monthly 12 \
@@ -48,7 +49,7 @@
 ${pkgs.restic}/bin/restic forget \
 --tag mariadb \
- --host ${hostname} \
+ --host ${config.networking.hostName} \
 --keep-daily 7 \
 --keep-weekly 5 \
 --keep-monthly 12 \
diff --git a/modules/restic-server/default.nix b/modules/restic-server/default.nix
index 0a88ff1..6c88074 100644
--- a/modules/restic-server/default.nix
+++ b/modules/restic-server/default.nix
@@ -1,8 +1,10 @@
-{ inputs, custom, pkgs, ... }:
+{ inputs }: { config, pkgs, ... }:
 let
 repository = "/mnt/restic-server";
 in
 {
+ age.secrets.resticKey.file = "${inputs.self}/scrts/restic.key.age";
+
 environment.systemPackages = with pkgs; [ restic ];
@@ -27,7 +29,7 @@ in
 script = ''
 ${pkgs.restic}/bin/restic \
 --repo ${repository} \
- --password-file "/etc/restic/restic.key" \
+ --password-file ${config.age.secrets.resticKey.path} \
 prune \
 '';
 };
diff --git a/modules/restic/default.nix b/modules/restic/default.nix
index 242085a..71ccdbd 100644
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@@ -1,7 +1,7 @@
-{ custom, hostname, inputs }: { pkgs, ... }:
+{ custom, inputs }: { config, pkgs, ... }:
 let
 # TODO: encrypt key file with agenix
- password_file = "/home/${custom.username}/.nixos/secrets/passwords/restic.key";
+ password_file = config.age.secrets.resticKey.path;
 repository = "rest:http://10.7.89.30:8000";
 restic-mount = pkgs.writeShellScriptBin "restic-mount" ''
@@ -9,7 +9,7 @@ let
 ${pkgs.restic}/bin/restic \
 --repo ${repository} \
 --password-file ${password_file} \
- --host ${hostname} \
+ --host ${config.networking.hostName} \
 mount /tmp/restic'';
 restic-mount-all = pkgs.writeShellScriptBin "restic-mount-all" ''
@@ -20,7 +20,7 @@ let
 mount /tmp/restic'';
 # TODO: encrypt key file with agenix
- infomaniak-env = "/home/${custom.username}/.nixos/secrets/passwords/infomaniak-env";
+ infomaniak-env = config.age.secrets.infomaniakEnv.path;
 infomaniak-repo = "swift:default:/";
 infomaniak-auth-url = "https://swiss-backup02.infomaniak.com/identity/v3";
@@ -49,6 +49,19 @@ in
 (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
 ];
+ age.secrets.infomaniakEnv = {
+ file = "${inputs.self}/scrts/infomaniak_env.age";
+ mode = "600";
+ owner = custom.username;
+ group = "users";
+ };
+ age.secrets.resticKey = {
+ file = "${inputs.self}/scrts/restic.key.age";
+ mode = "600";
+ owner = custom.username;
+ group = "users";
+ };
+
 systemd.timers."restic-backups-${custom.username}" = {
 wantedBy = [ "timers.target" ];
 partOf = [ "restic-backups-${custom.username}.service" ];
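Review bot: The rewritten `--password-file ${config.age.secrets.resticKey.path} \` in the prune script drops the double quotes the replaced line had around the path. The agenix path contains no whitespace today, so this is a point of style rather than a bug, but `--password-file "${config.age.secrets.resticKey.path}" \` keeps the line consistent with the one it replaces and with the other quoted arguments in this file. The `script = ''` block continues outside the hunk.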
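Review bot: The context line `# TODO: encrypt key file with agenix` above the new `password_file = config.age.secrets.resticKey.path;` is now stale, since this commit does exactly what it asks for; the same comment survives above `infomaniak-env = config.age.secrets.infomaniakEnv.path;` in the third hunk of modules/restic. Both should be deleted, or replaced with a comment pointing at the source of the path, e.g. `# decrypted path provided by the age.secrets declaration below`. The `let` block they sit in extends past the hunk.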
@@ -77,7 +90,7 @@ in
 ${pkgs.restic}/bin/restic \
 forget \
- --host ${hostname} \
+ --host ${config.networking.hostName} \
 --tag home-dir \
 --keep-hourly 25 \
 --keep-daily 7 \
@@ -92,7 +105,7 @@ in
 ${pkgs.restic}/bin/restic \
 --repo ${repository} \
 --password-file ${password_file} \
- snapshots --host ${hostname}'';
+ snapshots --host ${config.networking.hostName}'';
 restic-unlock = ''
 ${pkgs.restic}/bin/restic \
 --repo ${repository} \
diff --git a/scrts/infomaniak_env.age b/scrts/infomaniak_env.age
new file mode 100644
index 0000000..858f77d
Binary files /dev/null and b/scrts/infomaniak_env.age differ
diff --git a/scrts/restic.key.age b/scrts/restic.key.age
new file mode 100644
index 0000000..5fc5bd0
--- /dev/null
+++ b/scrts/restic.key.age
@@ -0,0 +1,50 @@ +age-encryption.org/v1 +-> ssh-rsa 7S8lxw +OzFzBC1L014yJHeHbcprvvHFrSGGVvDYbSGL0zhz9zU9QVdavrF1Vjiau8uqKw89 +BWgGsxkgdalzb99kds21tpX2dW9oVUCC5Utb4WSsOzTD6YvbW8D+XlsNsTPTb9iG +LQAvfe3W7xGCVn1vk87e1lKk21VngsvivaAU1ZUfZLRGTAs16ES9aOQoPN5nmV8x +DqnoApkbxUa3MhM45ZTl6mFXzEJxyBdX6wTs8e2A2BKsdTKTFFSuOamMN1v2b/Et +rnYFSxVNaH/2/lVYcOm4cY9K3IY2T/pgeJXXehg02w0kaaULNh8IqNcLnRygj/XD +tyQdJ3Xgg3bgVAYo8YTeG9+e9CYgLvyxGN4sJ5pa1QE5qAebpy9okCzATxI4quVt +QF//zYPnnLxIw4Vd66a2avySt0JcytjFCuhluOcEpyUb5Nsycieto0tX9bVMRwDb +DQtjDKRafYquLVExVrjfvR1x7MBBtLwVqdIhgAYYFTPGyOEPINAOZgIGub5Q1cZF + +-> ssh-rsa Ws+JZA +r6k1X2MNk2nqjyYCjgn1H0C470BNkqJ6m+q4tNtYSmG7jPI/5xXZ6hCOi0eGMypT +ysleDwgW/BuM5o7SKfrx9URVAUe435IO/FTYqO7qOh2hU2nE01TFcjEp3qE47YA7 +lzCAlwN5YcMn9ELRbhFmjWt8p8XjSjcRyma1urHQjKa0ggls5VUyGhdn2Sko8ed6 +52lwy6bNj/CnrsLycMj1ib1QvrG0o7VqbY/l9I4+x2kqryPgOTqH4Uy/pD1/XFVc +JAUQeAJMdUCPFczGmDQojtPXRgBjACNBDffLL9GB0MPf7rpC5Das/YkoU+b0yzsM +veWeIxovtJLbcNyIbmSQgap4gGT0+6Wb3FKsYDm3cgHft0o31sTQHHe00LV5kpc1 +AXz2EANCPMxtauKDzu+v1uOmnckjBH3i7MQKMDV1C5oqhbd7zussHsd9l9S3hu2J +xCJWSY9Os1KlGhkJvJyjeegOr34LGI65dWJQO+QbjQESXmIPOw7aoEz3J8HLDdr0 + +-> ssh-ed25519 p9NsdQ WL1/YPZGXNiL4fq1q0NQjZSNPGLSDLMlpyOp9Qv82kk +XF8E3iG2x2xn2fYl/QWDkBtUnUSqC3Df9IRZ8ScTMEk +-> ssh-ed25519 skmU/w lL8if8HD/7QHG5rTmrAuZ/Mvlf5ugWy6mMMdN1znOBY +0ne2zhnCV0BJ9gh7E4gRgonRM5IGT8iDXCf3fFsEaSM +-> ssh-ed25519 L7IrhA tMYUDRPI5jUaUk2v2/cJ2PfF9vFZLR3lxUosLPx6z38 +TvZsKBkb1ss3KmkFqL3YXzEeADtKMbrbanUFkZRCedY +-> ssh-ed25519 ASE6tQ dWh338rCCoy90kGWAuzAXApaQSUnX5mc0faa1pQPKRw +IEptFLmlBQOh8F6QpI/kx4Fjsbd+RZ0r+ZPVnZpkN90 +-> ssh-ed25519 MpFwoA 2LxQdhrQwahXu8sPByC7Iat1UDW2HTCrBy99E3WU5Fw +x3hU+nNhdOeCwB/vDfJuOtv/Ku1wdasvw5ITCVvUL2g +-> ssh-ed25519 aGyD+A DrG2z4JqXFC70cDXoHSKKvO+5jH0HSQ1E6AF6o12JEc +SXuuFi6z8ukei4GZpdcVKasZJzjqXVJCf6LKBsu1J9E +-> ssh-ed25519 KXqA9w vzLJx/+kTAIiuKDN/I4WJ0dNgr1C4gsMEvz77wRI/yg +jEqXDIBVcOhVZERxynTQzQ5EQUTLFafNLG6jQT+2zag +-> ssh-ed25519 f6vWeA oijUvlyY9l6cXr2eXuEqV+cUr4EF32rGsEd7ewa1hQs 
+NcuR16Msc8GxavitVBSVYXTzg51F/U+J82UE1V3kpSI +-> ssh-ed25519 6EZJNg 84hGgnr/Qwshnnyq9I9uj1onQG7lJ3KTQsBxNbB3slg +4sf6zyReKAsOE82dpJplxPV2Pqygbe3AGbvMwd+dQMg +-> ssh-ed25519 6TvZbg D0bfdLAmX+E7/kRXHCtkLTAaY004cynq1LLuMu0dcks +rVOArYhUaF4+RgAh28BrS2wWetskLFUOKrihZpG3Un0 +-> ssh-ed25519 BycpnQ 5MwWmzm0lNRGBrwz3dSQ/bYdn3zVc87aouCifCTnTQU +7PXd9CuMyex61PTrHnTgULJj2Y7iV366K4pQ0KjtxSA +-> ssh-ed25519 pCmz5A o2ZYdBuAfGG5VDRwB11Q5CjCLT4hBUQ6Q59zKIf513E +PYz4Gf9Np1kkc8qG2J6YM7w3+E/raD1q+310aI1xdys +-> D,C-grease #P3fP{ [,?%} +tbwJ6/FEVeNe9AYCNCYRxfbcaAm1qeNNLFNI6aY6C7gmU9403oSmdEWBm0WLt0KP +JYs +--- WBUozPqy+aDm4mj36Q9N4y3uNSZiVZDdwGIyEsvH1Ho +O-BA .ÊI$Mi[DI W2;W+!W \ No newline at end of file diff --git a/scrts/secrets.nix b/scrts/secrets.nix index 76ee628..df891cf 100644 --- a/scrts/secrets.nix +++ b/scrts/secrets.nix @@ -34,8 +34,10 @@ let in { "gitea_env.age".publicKeys = defaultKeys ++ [ git ]; + "infomaniak_env.age".publicKeys = all; "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ]; "plex_claim.age".publicKeys = defaultKeys ++ [ plex ]; + "restic.key.age".publicKeys = all; "telegram_notify_env.age".publicKeys = all; "ttrss_env.age".publicKeys = defaultKeys ++ [ ttrss ]; } diff --git a/systems/git/default.nix b/systems/git/default.nix index 9b43aa3..e5bb5ad 100644 --- a/systems/git/default.nix +++ b/systems/git/default.nix @@ -9,7 +9,8 @@ in inherit hostname inputs; }) (import "${inputs.self}/modules/restic-server-mysql-client" { - time = "03:00"; inherit custom hostname inputs; + path = "/home/andreas"; + time = "03:00"; inherit inputs; }) (import "${inputs.self}/modules/nginx-proxy" { inherit domain inputs; diff --git a/systems/gwyn/default.nix b/systems/gwyn/default.nix index f99e4ac..ca27726 100644 --- a/systems/gwyn/default.nix +++ b/systems/gwyn/default.nix 
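Review bot: `"infomaniak_env.age".publicKeys = all;` in the scrts/secrets.nix hunk lets every host key decrypt the Infomaniak credentials, although the only consumer visible in this commit is modules/restic, which is imported by gwyn and staubfinger alone. The neighbouring entries use the narrower `defaultKeys ++ [ host ]` shape; the same shape here, e.g. `"infomaniak_env.age".publicKeys = defaultKeys ++ [ gwyn staubfinger ];` (assuming keys of those names exist in the `let` block above the hunk), would keep a compromised server from exposing the off-site backup account. `"restic.key.age".publicKeys = all;` is defensible, since nearly every host touched by this commit imports a restic client module or the server.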
@@ -20,7 +20,7 @@
 "${inputs.self}/modules/scripts"
 "${inputs.self}/modules/tlp"
 "${inputs.self}/modules/tmux"
- (import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
+ (import "${inputs.self}/modules/restic" { inherit custom inputs; })
 ];
 boot.initrd.availableKernelModules = [
 "aesni_intel"
diff --git a/systems/mail/default.nix b/systems/mail/default.nix
index a110e1d..1122f0d 100644
--- a/systems/mail/default.nix
+++ b/systems/mail/default.nix
@@ -6,7 +6,9 @@
 inherit hostname inputs;
 })
 (import "${inputs.self}/modules/restic-server-client" {
- time = "04:30"; inherit custom hostname inputs;
+ path = "/home/andreas";
+ time = "04:30";
+ inherit inputs;
 })
 (import "${inputs.self}/modules/nginx-proxy" {
 domain = "mail.zweili.org"; inherit inputs;
diff --git a/systems/management/default.nix b/systems/management/default.nix
index a95cd35..64093e2 100644
--- a/systems/management/default.nix
+++ b/systems/management/default.nix
@@ -10,6 +10,12 @@ in
 })
 (import "${inputs.self}/modules/docker" { inherit custom; })
 "${inputs.self}/modules/logs-share"
+ (import "${inputs.self}/modules/restic-server-client" {
+ path = "/home/andreas";
+ tag = "management";
+ time = "23:30";
+ inherit inputs;
+ })
 "${inputs.self}/modules/tmux"
 ];
 services.nginx.virtualHosts."${domain}".locations = {
diff --git a/systems/nextcloud/default.nix b/systems/nextcloud/default.nix
index e958c8d..f46701b 100644
--- a/systems/nextcloud/default.nix
+++ b/systems/nextcloud/default.nix
@@ -6,7 +6,8 @@
 inherit hostname inputs;
 })
 (import "${inputs.self}/modules/restic-server-mysql-client" {
- time = "04:00"; inherit custom hostname inputs;
+ path = "/home/andreas";
+ time = "04:00"; inherit inputs;
 })
 (import "${inputs.self}/modules/docker" { inherit custom; })
 "${inputs.self}/modules/mariadb"
diff --git a/systems/pihole/default.nix b/systems/pihole/default.nix
index 7dc2381..098589a 100644
--- a/systems/pihole/default.nix
+++ b/systems/pihole/default.nix
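Review bot: The new `path = "/home/andreas";` in the systems/management hunk hard-codes the home directory as a literal, where the module's removed default derived it from `custom.username`; the same literal is repeated in the mail and nextcloud hunks here and in the proxy and git hunks elsewhere in this commit. Since `custom` is already in scope on the neighbouring `(import "${inputs.self}/modules/docker" { inherit custom; })` line, `path = "/home/${custom.username}";` would keep the value tied to the one place the user name is defined. The `imports` list these entries sit in starts outside the hunk.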
@@ -8,7 +8,7 @@
 (import "${inputs.self}/modules/restic-server-client" {
 path = "/var/lib/pihole";
 tag = "pihole";
- time = "05:00"; inherit custom hostname inputs;
+ time = "05:00"; inherit inputs;
 })
 (import "${inputs.self}/modules/docker" { inherit custom; })
 (import "${inputs.self}/modules/pihole" { inherit inputs; })
diff --git a/systems/plex/default.nix b/systems/plex/default.nix
index a761aa8..d854b61 100644
--- a/systems/plex/default.nix
+++ b/systems/plex/default.nix
@@ -8,7 +8,8 @@
 (import "${inputs.self}/modules/restic-server-client" {
 path = "/var/lib/plex";
 tag = "plex";
- time = "03:30"; inherit custom hostname inputs;
+ time = "03:30";
+ inherit inputs;
 })
 (import "${inputs.self}/modules/docker" { inherit custom; })
 "${inputs.self}/modules/media-share"
diff --git a/systems/proxy/default.nix b/systems/proxy/default.nix
index d4b0ab9..e99ccbf 100644
--- a/systems/proxy/default.nix
+++ b/systems/proxy/default.nix
@@ -6,7 +6,9 @@
 inherit hostname inputs;
 })
 (import "${inputs.self}/modules/restic-server-client" {
- time = "00:00"; inherit custom hostname inputs;
+ path = "/home/andreas";
+ time = "00:00";
+ inherit inputs;
 })
 "${inputs.self}/modules/nginx-acme-base"
 (import "${inputs.self}/modules/docker" { inherit custom; })
diff --git a/systems/restic-server/default.nix b/systems/restic-server/default.nix
index f0d86c4..4e95b1d 100644
--- a/systems/restic-server/default.nix
+++ b/systems/restic-server/default.nix
@@ -5,6 +5,6 @@
 ip = "10.7.89.30";
 inherit hostname inputs;
 })
- "${inputs.self}/modules/restic-server"
+ (import "${inputs.self}/modules/restic-server" { inherit inputs; })
 ];
 }
diff --git a/systems/staubfinger/default.nix b/systems/staubfinger/default.nix
index f49d85d..db5e028 100644
--- a/systems/staubfinger/default.nix
+++ b/systems/staubfinger/default.nix
@@ -10,7 +10,7 @@
 (import "${inputs.self}/modules/droidcam" { inherit custom; })
 (import "${inputs.self}/modules/espanso" { inherit custom; })
 "${inputs.self}/modules/lockscreen"
- (import "${inputs.self}/modules/restic" { inherit custom hostname inputs; })
+ (import "${inputs.self}/modules/restic" { inherit custom inputs; })
 "${inputs.self}/modules/tlp"
 "${inputs.self}/modules/tmux"
 ];
diff --git a/systems/ttrss/default.nix b/systems/ttrss/default.nix
index 806070b..d920dda 100644
--- a/systems/ttrss/default.nix
+++ b/systems/ttrss/default.nix
@@ -14,7 +14,7 @@ in
 (import "${inputs.self}/modules/restic-server-mysql-client" {
 path = "/var/lib/ttrss";
 tag = "ttrss";
- time = "23:00"; inherit custom hostname inputs;
+ time = "23:00"; inherit inputs;
 })
 (import "${inputs.self}/modules/ttrss" {
 inherit domain inputs;