Add agenix and borg

fanya.nix

@@ -1,11 +1,13 @@
 {
   pkgs,
+  agenix,
   home-manager,
   ...
 }: let
   password = "$6$FHwMlUwmRdAsPqS4$4XND0L0EEVf2Mhc/tvo6y3ZLIrMTOlsIZrG3w69EeXvtVZhdeNyoDOkPNIe.GBB8.PrchuUKDacqbvcvyuPkt0";
 in {
   imports = [
+    agenix.nixosModule
     home-manager.nixosModule
     ./impermanence.nix
     ./programs
@@ -76,7 +78,6 @@ in {
 
   users.users.root.hashedPassword = password;
 
-  # TODO: borgbackup
   hardware.bluetooth.enable = true;
   virtualisation.libvirtd.enable = true;
   systemd.coredump.enable = true;

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1652712410,
+        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -70,6 +90,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "lsp-trouble": "lsp-trouble",

flake.nix

@@ -3,6 +3,11 @@
     impermanence.url = "github:nix-community/impermanence";
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
 
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
       url = "github:nix-community/home-manager/release-22.05";
       inputs.nixpkgs.follows = "nixpkgs";

impermanence.nix

@@ -68,4 +68,7 @@
       umount /mnt
     '';
   };
+
+  # workaround for agenix running before /etc impermanence gets set up
+  age.identityPaths = ["/persist/buffet/ssh/.ssh/id_rsa"];
 }

programs/borg.nix

@@ -0,0 +1,25 @@
+{config, ...}: let
+  host = "11967@prio.ch-s011.rsync.net";
+in {
+  age.secrets.borgpassword.file = ../secrets/borgpassword.age;
+
+  services.borgbackup = {
+    jobs.backup = {
+      paths = ["/persist"];
+      repo = "${host}:${config.networking.hostName}";
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat ${config.age.secrets.borgpassword.path}";
+      };
+      startAt = "daily";
+      environment.BORG_RSH = "ssh -i /home/buffet/.ssh/id_borg";
+      extraArgs = "--remote-path borg1";
+      prune.keep = {
+        within = "1d";
+        daily = 7;
+        weekly = 4;
+        monthly = -1;
+      };
+    };
+  };
+}

programs/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./alacritty.nix
     ./bash.nix
+    ./borg.nix
     ./chromium.nix
     ./git.nix
     ./gpg.nix

secrets.nix

@@ -0,0 +1,5 @@
+let
+  buffet = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDci73LlPFhg9Z26jnuGMzGEh0jO192alsLhSVUE+CIOkRfkeRonJ69WxwY9kBFAa5PyY9zrAr2XueLWaQAaHJdmHyWbXmMJGtqsx0oB5KU4aFL8stJGkr8u6Bv5HPpkGr4PyqGkzKEPirUBYOMxXW3KSuP5LCTTx+UVoEFhIRS+j6w67ZIjyEHalwZAVJP8sp1GJkk9eQkmoJjdBt4qxAoBRaZp8kTzdKJezJY1g0f+JBI+0ZUDPS2IdAAXroVho/ea31gGFRsqazbP17Tpbiy1H4dQwTc19YkyOYu7R4klRrOVjzh/CBYgTUmIV1czUISG6KEGfgW4IciYSc6R5IGo+GCf3OsNVDKjjgxCvCLLx03KsBZJXoQJlZ/grfoQ0aulUR/hDeAyOU/bE2XjpzkNiYKhlMd7gEN3AC1iCjsYNL+6Nr82GVpn5XE0UsDYFJyZ//6zI4ldNnCcuYPNgyE9VabaUh0WuemkhdTe/SKIBOQfHSLFlEAZVWVGUQV/dvi5HY9Ie4nIHtUU1IdeNiCa+OB+KxIE5a9+2h5KJB2NPCyPt1TImqS/OiXaQlihEPsNOyKqbBiN/4LUPtixAGbnbdzBwmdP8Pt32Y1ehOyBoDxLv36R1hHP9Xn4C+KUX35lhpfToSRVvWvVUcDDZVq3kUnxPV22BTs3kgLG3rJ6Q==";
+in {
+  "secrets/borgpassword.age".publicKeys = [buffet];
+}

secrets/borgpassword.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-rsa 3ONyjg
+UTq4McHWeqEvIq7nTAaPLC6EUp+UzuihSfNEroimDaM46dINxRxPmltikpQldbzA
+ACgHOutO0oIG5VKNrb8AwBwjUp6daO7UhhVYPOByxy6Y4jVZOnPkY/+U0Btv5/M+
+iezYoPBwp7P6ATYiujfe7+JZWecpq18ArCmmOUsjYAyaS7lrFkgPDnAjPZLuP1ow
+rL4lkGOnSeKq812PBFoeHtXLEAOOoUoSrCKM/pnFJVMOwoY0aXTwiUg09VBjbE2m
+FXM1rWpElK+3mU+TtNLtlY+i4/PZ0M611mm1WoE6gKvWwAX7rQFg+LMbKxircM7o
+yH6PwRM82qKvG79bMqtRviOkkkosRneAJs0a0CNWP5hAUebbGPM803yXVY5ahOEg
+TlHN5SeDfAeC8E1ZgKNGn4StMqJaHgs1obBqqf7AhfpA6A54Vr8dVtCLlQrNmK5k
+BfIzOs+AruRLsn0G3CsLl4xtFXriiqo1YL2otgfnNRRUI4cE+NDLxpLKhqxQoBA4
+b+j2zObfOBGyYyxvC5AXUEU/NTH5ZI9MT0+q5ZPM3oJc/LBqHxZLMT08LAbrjMew
+9tx/B7kIwDKdWbXQnMWLc1R4biBcCLci0JNnqayTXDX9sFuE/ZtlynkEQNnblot8
+7kTUr7xS6z3DrYZ13UaFLykHgG6RG0akPLfQCceAMwI
+-> nK-grease K Li~\Elx DV6kZ"
+Wz3P
+--- 5u5c2AnSqsdte7OH1t+7BGld7cLWv3KFCZqVyMsAtkk
+ªÎ ÃA*?<3F>IËè1ùŽÓÜXP?23	çŒÞD““`¥™x.P£5;r¤{•²›BÐÀ	|JÕ#jvùšâ ù×<C3B9>à‡"5­®|JF†&¸þU­Š´N1Uð~ºÀwÊ<>ÇòÝ—¦–M2W»åY³ÛpÑãýËȨջƴç
v­5%öê€
˜<>9W;w„Яrf)²Oë$°vw$6