author | Kjetil Orbekk <kj@orbekk.com> | 2022-01-25 08:01:38 -0500 |
---|---|---|
committer | Kjetil Orbekk <kj@orbekk.com> | 2022-01-25 08:40:05 -0500 |
commit | a850dad99672223cb453d4185921ced36235771f (patch) | |
tree | a1209220c2c82c6df2f98a0b954aedc379f9fe4e | |
parent | 3d6a49a5d90a0909fc04e5b70286b4de83aea6f4 (diff) |
Add agenix dependency and start working on borg backups
-rw-r--r-- | flake.lock | 52 | ||||
-rw-r--r-- | flake.nix | 6 | ||||
-rw-r--r-- | machines/x1-pincer.nix | 6 | ||||
-rw-r--r-- | modules/backup-server.nix | 48 | ||||
-rw-r--r-- | modules/common.nix | 2 | ||||
-rw-r--r-- | modules/secrets.nix | 16 | ||||
-rw-r--r-- | secrets/README.md | 3 | ||||
-rw-r--r-- | secrets/pincer-borg-repo-key.age | 19 | ||||
-rw-r--r-- | secrets/pincer-borg-ssh-key.age | bin | 0 -> 1356 bytes | |||
-rw-r--r-- | secrets/pincer-borg-ssh-key.pub | 1 | ||||
-rw-r--r-- | secrets/secrets.nix | 8 | ||||
-rw-r--r-- | secrets/test-secret.age | 21 |
12 files changed, 171 insertions, 11 deletions
@@ -1,5 +1,23 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1641576265, + "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "08b9c96878b2f9974fc8bde048273265ad632357", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "emacs-overlay": { "locked": { "lastModified": 1643020612, @@ -54,32 +72,45 @@ }, "nixpkgs": { "locked": { - "lastModified": 1642961095, - "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=", + "lastModified": 1618628710, + "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=", + "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source", + "rev": "7919518f0235106d050c77837df5e338fb94de5d", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1642903813, + "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c", + "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-21.11", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-unstable": { + "nixpkgs_2": { "locked": { - "lastModified": 1642903813, - "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=", + "lastModified": 1642961095, + "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87", + "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-21.11", "repo": "nixpkgs", "type": "github" } 
@@ -109,9 +140,10 @@ }, "root": { "inputs": { + "agenix": "agenix", "emacs-overlay": "emacs-overlay", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "pms7003": "pms7003" } @@ -5,9 +5,10 @@ inputs.pms7003.url = "github:orbekk/pms7003/master"; inputs.pms7003.inputs.nixpkgs.follows = "nixpkgs"; inputs.emacs-overlay.url = "github:nix-community/emacs-overlay"; + inputs.agenix.url = "github:ryantm/agenix"; outputs = - { self, nixpkgs, nixpkgs-unstable, nixos-hardware, pms7003, emacs-overlay }: + { self, nixpkgs, nixpkgs-unstable, nixos-hardware, pms7003, emacs-overlay, agenix }: let pkgs-module = { config, ... }: let @@ -16,6 +17,7 @@ ppp = pms7003; extra-packages = final: prev: { pms7003 = ppp.packages.${final.system}.pms7003; + agenix = agenix.defaultPackage.${final.system}; }; unstable-overlay = final: prev: rec { @@ -67,8 +69,10 @@ modules = (lib.attrValues self.nixosModules) ++ [ pkgs-module + registry-module module nixpkgs.nixosModules.notDetected + agenix.nixosModules.age ({ config, pkgs, ... }: { # Let 'nixos-version --json' know about the Git revision # of this flake. diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix index ed13d62..97ae60d 100644 --- a/machines/x1-pincer.nix +++ b/machines/x1-pincer.nix @@ -3,6 +3,11 @@ let ports = { minecraft = 25565; }; in { + age.secrets.test-secret.file = ../secrets/test-secret.age; + age.secrets.test-secret.owner = "orbekk"; + orbekk.backups.enableServer = true; + orbekk.backups.enableClient = true; + orbekk.gaming.enable = true; orbekk.desktop.enable = true; orbekk.thinkpad.enable = true; @@ -11,6 +16,7 @@ let ports = { services.printing.enable = true; services.printing.drivers = with pkgs; [ gutenprint brlaser ]; + services.openssh.enable = true; networking.networkmanager.enable = true; diff --git a/modules/backup-server.nix b/modules/backup-server.nix new file mode 100644 index 0000000..774d71e --- /dev/null 
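Review bot: `inputs.agenix.url = "github:ryantm/agenix";` is added without a matching `inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";`, unlike the pms7003 input two lines above it. The flake.lock hunk on this page shows the effect: agenix now carries its own `nixpkgs` node, the root's nixpkgs was renamed to `nixpkgs_2`, and the `pkgs.agenix` overlay entry is therefore built from a second nixpkgs revision that is not the one the hosts run, which doubles what has to be audited and updated. Adding the follows line restores a single pinned nixpkgs. Separately, `registry-module` is appended to the module list but no visible hunk defines it; presumably it lives in a part of flake.nix outside this page, worth confirming.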
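Review bot: `services.openssh.enable = true;` starts sshd for the loopback borg transport with the module defaults and nothing in this hunk narrows it, so password authentication stays enabled unless it is set elsewhere in the configuration. The only intended client is the borg key, which `services.borgbackup.repos` already confines to `borg serve`, so add `services.openssh.passwordAuthentication = false;` beside it, or restrict sshd to 127.0.0.1 through `services.openssh.listenAddresses` if nothing remote needs to reach the machine. The enclosing attribute set continues outside the hunk.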
+++ b/modules/backup-server.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.orbekk.backups; + + backups.pincer = { + paths = [ "/etc/nixos" ]; + doInit = true; + repo = cfg.serverLocation; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}"; + }; + environment = { BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}"; }; + compression = "auto,lzma"; + startAt = "daily"; + }; + + backupJob = { + ${config.networking.hostName} = backups.${config.networking.hostName}; + }; +in +{ + options = { + orbekk.backups = { + enableServer = lib.mkEnableOption "Enable backup server"; + enableClient = lib.mkEnableOption "Enable backup client"; + serverLocation = lib.mkOption { + type = lib.types.str; + default = "borg@localhost:."; + }; + }; + }; + + config = { + age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; + age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; + + services.borgbackup.repos = lib.mkIf cfg.enableServer { + pincer = { + authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ]; + path = [ "/var/lib/borg-pincer" ]; + }; + }; + + services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob; + }; +} diff --git a/modules/common.nix b/modules/common.nix index 26f96f7..4353ed6 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -3,6 +3,8 @@ programs.zsh.interactiveShellInit = "bindkey -e"; programs.tmux.enable = true; + orbekk.secrets.enable = true; + nixpkgs.config.packageOverrides = pkgs: { libsignal-protocol-c = pkgs.callPackage ../pkgs/libsignal-c/default.nix { }; keycloak = pkgs.callPackage ../pkgs/keycloak/default.nix { }; diff --git a/modules/secrets.nix b/modules/secrets.nix new file mode 100644 index 0000000..d027339 --- /dev/null +++ b/modules/secrets.nix 
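Review bot: The two `age.secrets.pincer-borg-*.file` lines sit directly in `config = { ... }`, outside both `lib.mkIf` guards, so every host importing this module asks agenix to decrypt pincer's key material at activation even with both backup options off; per `secrets/secrets.nix` only the orbekk and pincer recipients can decrypt them, so activation on any other host will presumably fail. Both secrets are consumed only by the client job (`passCommand` and `BORG_RSH`), so gate them as `age.secrets = lib.mkIf cfg.enableClient { pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; };`. In the NixOS module as I know it `services.borgbackup.repos.<name>.path` is a single path, not a list, so `[ "/var/lib/borg-pincer" ]` would fail evaluation; confirm against the module version in use. Because the job runs non-interactively under systemd, the server's host key must already be in root's known_hosts, or pinned through a `-o UserKnownHostsFile=` argument in `BORG_RSH`, rather than relaxing host-key checking.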
@@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.orbekk.secrets; +in +{ + options = { + orbekk.secrets = { + enable = lib.mkEnableOption "Enable secrets"; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.agenix ]; + }; +} diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..812f206 --- /dev/null +++ b/secrets/README.md @@ -0,0 +1,3 @@ +# Encrypted secrets + +Add new keys to `secrets.nix`, then use agenix -e to write the actual key. diff --git a/secrets/pincer-borg-repo-key.age b/secrets/pincer-borg-repo-key.age new file mode 100644 index 0000000..5ae1ab8 --- /dev/null +++ b/secrets/pincer-borg-repo-key.age @@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 Yx9stw t1Oc7D3qbeobY+yggKoaMmU8tT1ShFdniNplpDyFCwI +nCAHD6S5FSAdIYr3KoVaDc1UPQA+OhSX89iLu77qzdQ +-> ssh-rsa xgQQbQ +Ox6Ye5y7nmmYv2FWmhBT0SgzNsp7L3ft5ZAhzK6S12Mx9TOZstKx5ZkimPjAxJLp +KWJHyXs5abrsaC386ux6h/d8OZcBrPGxHLULxDG23JEGBfnLkhV++j98y3Tt2jsq +ptwF011h2+mMvxm+ZePQqhtZMJCi+Bb/zdN+ixqSXnTY+LyUJtyhQUFn0Grkulh/ +KX5PtaFG7EBoFox48ul/ImrO3scSHc1pqZnw4Dqi/Z/RyJ+kWynlUVbhWAFpzbuF +zO0Xl+y4B0lQ7XD0mNW+lGYM1UhZDfjZ9ZHeeF5tEd11yRNYgghdK3zYOr6tsMrk +7pupTbo6hqMHnv/hZe+PwM9U46aQ7JDI3dT7gZDDed1Wgnq148Va6iqIGm7A4Ngu +XR1GhWaOo9zvF0AW23rPiLaLlBxztSH9Q64iIoTDPYmAPpodrkOU23hlceWkBwcD +XWILOaPqHqh5+ibx2jTDFE5p4nO0Xg7UKYU2vD2Shc1ZszSIXvovbYl8KOIG89G6 +kCGJdwBDrE95tp5SJejcmOCSsO/keLr81F3+z0Fo0HUHRaUG5UH8Fzi8UbH79l1s +MPJ6k5gGI63FskxkWyfN/NRogDUo6DzsfqCHu7A2dMWwv0OygBnwRU2TYmFKl2fa +KiMsxm86CV99ZaAvGVJJA1gz6bgtWzCfAaWgJaPz3+o +-> ,Gj5rN-grease krGDTh `!#Lp< +Fg+PdtWhVgQCnYCxI0jGy04TRA +--- rAP3GU3p0KdGOt5zctfl/3XqVWaKv5m1JkqTFNTuJNs +XR/Ӂ'ڢs.<O\0&ۍyXY[b#¯ (h>R^H)?:-Ƒqz'0
\ No newline at end of file diff --git a/secrets/pincer-borg-ssh-key.age b/secrets/pincer-borg-ssh-key.age Binary files differnew file mode 100644 index 0000000..fd48aa3 --- /dev/null +++ b/secrets/pincer-borg-ssh-key.age diff --git a/secrets/pincer-borg-ssh-key.pub b/secrets/pincer-borg-ssh-key.pub new file mode 100644 index 0000000..951aaca --- /dev/null +++ b/secrets/pincer-borg-ssh-key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8z/TLGajs/1ibY9qaafx5wl9BTZXdBnv0YuGP3G7OB orbekk@pincer diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..186b44c --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + orbekk = "ssh-rsa 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 cardno:000605483607"; + pincer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5z3Ht/CjNxMfzjRjW35SlwZgwAOUkV3Cr5J0kwehpH root@pincer"; +in { + "test-secret.age".publicKeys = [ orbekk pincer ]; + "pincer-borg-ssh-key.age".publicKeys = [ orbekk pincer ]; + "pincer-borg-repo-key.age".publicKeys = [ orbekk pincer ]; +} diff --git a/secrets/test-secret.age b/secrets/test-secret.age new file mode 100644 index 0000000..bc2d920 --- /dev/null +++ b/secrets/test-secret.age 
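Review bot: The two recipients in `secrets/secrets.nix` are identified only by the comment field of their public keys, which does not record which private key is expected to decrypt where. Add a comment above each binding, e.g. `# orbekk: user key on a hardware token (cardno), used interactively with agenix -e` and `# pincer: identity agenix uses at activation on pincer — confirm this is the /etc/ssh host key rather than root's user key`. If `pincer` is the host key, every secret listed here is readable by root on that machine, which matches the single-host use in this commit but should be stated so later additions to the list are deliberate.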
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 Yx9stw NQ894qBMEbMfn+Iqh6oZZYp2Ul8Gh7oovVSekuCa5S0 +xmpoNUcstscI2v91ahRZzQCeY8VKsT3ZKmn/p9NmD1k +-> ssh-rsa xgQQbQ +chqe0rwVbHYsEHpzC7RDeQDUYGV6poI6FvXkWNOdmtLrsZ+DWBgDX8tkufcdsHYn +t9D2kQ1F135ucifxXcHCT4rUypDIngzu5LXNy0TqdUAnU15fUFXvb5C36EUbS8Ft +nNEIqh9SctXCkNEg30FupmfHfTmxVhjPpdBO1ai7tPCqLGnIhfMVBqdAeNA57Nmo +vxGdqXuCsV6gP47H/eGRcTBzycBqHFJ+tpi7U8LPOs0RB8V3ivYvJguC8PkHmm6O +bsP8tFqyw5FW9Xl2ZKymAH8m9hMG94MsCBX7Ly27ADewPM8kMK2DQAWohNt1T4uO +7B+SyHCZx1u1e1FCKvRjBnucMWM8koqMO6SDJgwHazOX/VwJvTFpUWdfsG52MjBA +QL4O4gdCSLI1KnKiJfJEBeiV98kddM5WUbqWyMcFGVPDDVzz4kQmUvwESUoAgNHl +yLw2K/8D5xud/vSSMUGjM/igpwhH/UVApLZ1keZakIXrGvnen5ErBWb4DIfLLRHF +IAuZucTpTeBBuqN6VmO0uWOeKYVlGys8xBdxwKTzTr66/s08pKetd0Xk/AQuQO89 +uAjvoPMkmJsh+vv2uFqtI3bjpk4jePc9QbkIS5OAYzMSx7CVUpeMd3E/7k+kW2Ek +LWPgkZ29BWFR6bLyPqB9RCsxUxrhC/Ln6deVBj4SzOk +-> k4-grease . r +bryo+3JU9atXp5HZ7M/FWRWXD6kgw6yV08SR9iRb/QbQ7MT1JbYv0PhRRpnT4MMR +zaWMOJjw1g +--- SGG1/hxUHo+zpuNsbwsMrLTtuQin9xgD9fAoEhi1F7g +] +t9BO$sxo_@9'v|?S'<
1?*q
\ No newline at end of file |