From 2945f5d00d6223562c750550ebff04833ea8b977 Mon Sep 17 00:00:00 2001
From: buffet
Date: Mon, 22 Aug 2022 18:32:26 +0000
Subject: [PATCH] Add agenix and borg
---
fanya.nix | 3 ++-
flake.lock | 21 +++++++++++++++++++++
flake.nix | 5 +++++
impermanence.nix | 3 +++
programs/borg.nix | 25 +++++++++++++++++++++++++
programs/default.nix | 1 +
secrets.nix | 5 +++++
secrets/borgpassword.age | 17 +++++++++++++++++
8 files changed, 79 insertions(+), 1 deletion(-)
create mode 100644 programs/borg.nix
create mode 100644 secrets.nix
create mode 100644 secrets/borgpassword.age
diff --git a/fanya.nix b/fanya.nix
index 8ca7f12..e57b27a 100644
--- a/fanya.nix
+++ b/fanya.nix
@@ -1,11 +1,13 @@
 {
 pkgs,
+ agenix,
 home-manager,
 ...
 }: let
 password = "$6$FHwMlUwmRdAsPqS4$4XND0L0EEVf2Mhc/tvo6y3ZLIrMTOlsIZrG3w69EeXvtVZhdeNyoDOkPNIe.GBB8.PrchuUKDacqbvcvyuPkt0";
 in {
 imports = [
+ agenix.nixosModule
 home-manager.nixosModule
 ./impermanence.nix
 ./programs
@@ -76,7 +78,6 @@ in {
 users.users.root.hashedPassword = password;
- # TODO: borgbackup
 hardware.bluetooth.enable = true;
 virtualisation.libvirtd.enable = true;
 systemd.coredump.enable = true;
diff --git a/flake.lock b/flake.lock
index 4cfea90..e39e439 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1652712410,
+ "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -70,6 +90,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "home-manager": "home-manager",
 "impermanence": "impermanence",
 "lsp-trouble": "lsp-trouble",
diff --git a/flake.nix b/flake.nix
index e753134..7dea385 100644
--- a/flake.nix
+++ b/flake.nix
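Review bot: root's hashed password is still a literal in this module (the `password = "$6$…"` binding in the `let`), and now that `agenix.nixosModule` is imported it can live in an encrypted secret instead of the flake's git history, where a `$6$` sha512-crypt hash sits exposed to offline cracking for as long as the repository exists. Declare it the same way as the borg passphrase and read it from the secret's path, e.g. `users.users.root.passwordFile = config.age.secrets.rootpw.path;`, adding `config` to this module's arguments; confirm the option name against the pinned nixos-22.05 (newer releases call it `hashedPasswordFile`). The assignment that would change is the `users.users.root.hashedPassword = password;` context line in this file's second hunk.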
@@ -3,6 +3,11 @@
 impermanence.url = "github:nix-community/impermanence";
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 home-manager = {
 url = "github:nix-community/home-manager/release-22.05";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/impermanence.nix b/impermanence.nix
index 54d1ff4..cc9622f 100644
--- a/impermanence.nix
+++ b/impermanence.nix
@@ -68,4 +68,7 @@
 umount /mnt
 '';
 };
+
+ # workaround for agenix running before /etc impermanence gets set up
+ age.identityPaths = ["/persist/buffet/ssh/.ssh/id_rsa"];
 }
diff --git a/programs/borg.nix b/programs/borg.nix
new file mode 100644
index 0000000..714f1dc
--- /dev/null
+++ b/programs/borg.nix
@@ -0,0 +1,25 @@
+{config, ...}: let
+ host = "11967@prio.ch-s011.rsync.net";
+in {
+ age.secrets.borgpassword.file = ../secrets/borgpassword.age;
+
+ services.borgbackup = {
+ jobs.backup = {
+ paths = ["/persist"];
+ repo = "${host}:${config.networking.hostName}";
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.age.secrets.borgpassword.path}";
+ };
+ startAt = "daily";
+ environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg";
+ extraArgs = "--remote-path borg1";
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = -1;
+ };
+ };
+ };
+}
diff --git a/programs/default.nix b/programs/default.nix
index 0a34af6..0a9ec67 100644
--- a/programs/default.nix
+++ b/programs/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./alacritty.nix
 ./bash.nix
+ ./borg.nix
 ./chromium.nix
 ./git.nix
 ./gpg.nix
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..d2c8e9f
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,5 @@
+let
+ buffet = "ssh-rsa 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";
+in {
+ "secrets/borgpassword.age".publicKeys = [buffet];
+}
diff --git a/secrets/borgpassword.age b/secrets/borgpassword.age
new file mode 100644
index 0000000..2089e31
--- /dev/null
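Review bot: `age.identityPaths` makes buffet's personal SSH key (`/persist/buffet/ssh/.ssh/id_rsa`) the host's agenix decryption identity, so a user login key and the host's secret-unwrapping key are now the same material and have to be rotated or revoked together. The comment gives the reason (agenix runs before the `/etc` impermanence setup), but that is answered equally well by pointing at a persisted copy of the host key, e.g. `age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];` with that file kept under the persisted paths, and by encrypting secrets to the host's public key rather than the user's. The enclosing attribute set starts outside the hunk.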
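Review bot: the job, which the borgbackup module runs as root unless `user` is set, connects over SSH with nothing pinning the remote's host key: `environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg"` relies on whatever root's `known_hosts` happens to contain, which on an impermanent root presumably does not survive a reboot, so the daily unit either fails non-interactively or, if someone later relaxes the check to make it run, trusts whichever key the remote presents. Pin rsync.net's key declaratively through `programs.ssh.knownHosts` and make the policy explicit in the command, `environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg -o StrictHostKeyChecking=yes";`. Separately, `mode = "repokey"` stores the passphrase-wrapped repository key on the remote next to the data, so the passphrase in `borgpassword.age` is the only thing between the storage provider and the plaintext; `keyfile` mode keeps that key off the remote if that trade-off is preferred.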
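Review bot: the borg passphrase is encrypted to exactly one recipient, the `buffet` SSH key in `publicKeys`, so losing or rotating that key leaves `borgpassword.age` undecryptable and, because the repository uses `repokey`, makes the backups unrecoverable along with it. Add a second, independent recipient — an age key kept offline, or the host key if agenix is switched to it — `"secrets/borgpassword.age".publicKeys = [buffet recovery];`, and keep the plaintext passphrase somewhere that does not depend on this host or this key.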
+++ b/secrets/borgpassword.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa 3ONyjg +UTq4McHWeqEvIq7nTAaPLC6EUp+UzuihSfNEroimDaM46dINxRxPmltikpQldbzA +ACgHOutO0oIG5VKNrb8AwBwjUp6daO7UhhVYPOByxy6Y4jVZOnPkY/+U0Btv5/M+ +iezYoPBwp7P6ATYiujfe7+JZWecpq18ArCmmOUsjYAyaS7lrFkgPDnAjPZLuP1ow +rL4lkGOnSeKq812PBFoeHtXLEAOOoUoSrCKM/pnFJVMOwoY0aXTwiUg09VBjbE2m +FXM1rWpElK+3mU+TtNLtlY+i4/PZ0M611mm1WoE6gKvWwAX7rQFg+LMbKxircM7o +yH6PwRM82qKvG79bMqtRviOkkkosRneAJs0a0CNWP5hAUebbGPM803yXVY5ahOEg +TlHN5SeDfAeC8E1ZgKNGn4StMqJaHgs1obBqqf7AhfpA6A54Vr8dVtCLlQrNmK5k +BfIzOs+AruRLsn0G3CsLl4xtFXriiqo1YL2otgfnNRRUI4cE+NDLxpLKhqxQoBA4 +b+j2zObfOBGyYyxvC5AXUEU/NTH5ZI9MT0+q5ZPM3oJc/LBqHxZLMT08LAbrjMew +9tx/B7kIwDKdWbXQnMWLc1R4biBcCLci0JNnqayTXDX9sFuE/ZtlynkEQNnblot8 +7kTUr7xS6z3DrYZ13UaFLykHgG6RG0akPLfQCceAMwI +-> nK-grease K Li~\Elx DV6kZ" +Wz3P +--- 5u5c2AnSqsdte7OH1t+7BGld7cLWv3KFCZqVyMsAtkk + A*?I1XP?23 D`x.P5r{B |J#jvׁ"5|JF&UN1U~wʁݗM2WYpȨƴ v5% 9W;wЯrf)O$vw$6 \ No newline at end of file