authorKjetil Orbekk <kj@orbekk.com>2022-01-25 08:01:38 -0500
committerKjetil Orbekk <kj@orbekk.com>2022-01-25 08:40:05 -0500
commita850dad99672223cb453d4185921ced36235771f (patch)
treea1209220c2c82c6df2f98a0b954aedc379f9fe4e
parent3d6a49a5d90a0909fc04e5b70286b4de83aea6f4 (diff)
Add agenix dependency and start working on borg backups
-rw-r--r--flake.lock52
-rw-r--r--flake.nix6
-rw-r--r--machines/x1-pincer.nix6
-rw-r--r--modules/backup-server.nix48
-rw-r--r--modules/common.nix2
-rw-r--r--modules/secrets.nix16
-rw-r--r--secrets/README.md3
-rw-r--r--secrets/pincer-borg-repo-key.age19
-rw-r--r--secrets/pincer-borg-ssh-key.agebin0 -> 1356 bytes
-rw-r--r--secrets/pincer-borg-ssh-key.pub1
-rw-r--r--secrets/secrets.nix8
-rw-r--r--secrets/test-secret.age21
12 files changed, 171 insertions, 11 deletions
diff --git a/flake.lock b/flake.lock
index 46e84ba..6ba3870 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1641576265,
+ "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
"emacs-overlay": {
"locked": {
"lastModified": 1643020612,
@@ -54,32 +72,45 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1642961095,
- "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=",
+ "lastModified": 1618628710,
+ "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+ "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+ "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+ "type": "path"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1642903813,
+ "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
+ "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-21.11",
+ "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
- "nixpkgs-unstable": {
+ "nixpkgs_2": {
"locked": {
- "lastModified": 1642903813,
- "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=",
+ "lastModified": 1642961095,
+ "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87",
+ "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
@@ -109,9 +140,10 @@
},
"root": {
"inputs": {
+ "agenix": "agenix",
"emacs-overlay": "emacs-overlay",
"nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"pms7003": "pms7003"
}
diff --git a/flake.nix b/flake.nix
index 2e81360..d11304d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,9 +5,10 @@
inputs.pms7003.url = "github:orbekk/pms7003/master";
inputs.pms7003.inputs.nixpkgs.follows = "nixpkgs";
inputs.emacs-overlay.url = "github:nix-community/emacs-overlay";
+ inputs.agenix.url = "github:ryantm/agenix";
outputs =
- { self, nixpkgs, nixpkgs-unstable, nixos-hardware, pms7003, emacs-overlay }:
+ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, pms7003, emacs-overlay, agenix }:
let
pkgs-module = { config, ... }:
let
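Review bot: `inputs.agenix.url` is added without a matching `inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";` line like the one pms7003 has two lines above, so agenix is locked against its own nixpkgs. The new flake.lock shows that input locked as `"type": "path"` with a `/nix/store/...-source` path, which only resolves on the machine that wrote the lock and carries a much older lastModified than the rest of the inputs, and it is also why the root `nixpkgs` became `nixpkgs_2`. Adding the follows line and re-locking removes the extra nixpkgs entry and keeps a single pinned nixpkgs for every input.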
@@ -16,6 +17,7 @@
ppp = pms7003;
extra-packages = final: prev: {
pms7003 = ppp.packages.${final.system}.pms7003;
+ agenix = agenix.defaultPackage.${final.system};
};
unstable-overlay = final: prev: rec {
@@ -67,8 +69,10 @@
modules = (lib.attrValues self.nixosModules) ++ [
pkgs-module
+ registry-module
module
nixpkgs.nixosModules.notDetected
+ agenix.nixosModules.age
({ config, pkgs, ... }: {
# Let 'nixos-version --json' know about the Git revision
# of this flake.
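Review bot: `registry-module` is added to the module list, but nothing in this commit defines it; the diffstat's six changed lines for flake.nix are all visible in these hunks. Unless it already exists in the surrounding `let` (outside the hunk), evaluation fails with an undefined-variable error, so either the definition is missing from the commit or this line belongs to a later one. The enclosing `outputs` function starts and ends outside the hunk.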
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index ed13d62..97ae60d 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -3,6 +3,11 @@ let ports = {
minecraft = 25565;
}; in
{
+ age.secrets.test-secret.file = ../secrets/test-secret.age;
+ age.secrets.test-secret.owner = "orbekk";
+ orbekk.backups.enableServer = true;
+ orbekk.backups.enableClient = true;
+
orbekk.gaming.enable = true;
orbekk.desktop.enable = true;
orbekk.thinkpad.enable = true;
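Review bot: The `age.secrets.test-secret` pair wires the test-secret.age fixture into the production host config, owned by orbekk, so the decrypted file is materialised on every activation; if it only exists to verify that agenix works, drop those two lines once the borg secrets are confirmed. Separately, enabling both `enableServer` and `enableClient` here with the module's default `serverLocation = "borg@localhost:."` stores the backup on the same disk it backs up, which is fine as a smoke test but presumably not the intended end state.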
@@ -11,6 +16,7 @@ let ports = {
services.printing.enable = true;
services.printing.drivers = with pkgs; [ gutenprint brlaser ];
+ services.openssh.enable = true;
networking.networkmanager.enable = true;
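Review bot: `services.openssh.enable = true;` turns on sshd with the NixOS defaults, which on the nixos-21.11 release pinned in flake.lock still allow password and challenge-response authentication. Since the daemon is being enabled to serve the borg repository over ssh with a dedicated key, it is worth restricting it at the same time: `services.openssh.passwordAuthentication = false;` and `services.openssh.challengeResponseAuthentication = false;`. The borg repo user's key is already confined by the forced command NixOS installs for `services.borgbackup.repos`, so this only affects the other accounts.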
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
new file mode 100644
index 0000000..774d71e
--- /dev/null
+++ b/modules/backup-server.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.backups;
+
+ backups.pincer = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
+ backupJob = {
+ ${config.networking.hostName} = backups.${config.networking.hostName};
+ };
+in
+{
+ options = {
+ orbekk.backups = {
+ enableServer = lib.mkEnableOption "Enable backup server";
+ enableClient = lib.mkEnableOption "Enable backup client";
+ serverLocation = lib.mkOption {
+ type = lib.types.str;
+ default = "borg@localhost:.";
+ };
+ };
+ };
+
+ config = {
+ age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
+ age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+
+ services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ pincer = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/borg-pincer" ];
+ };
+ };
+
+ services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob;
+ };
+}
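Review bot: The two `age.secrets.pincer-borg-*.file` definitions sit directly in `config` rather than under `lib.mkIf`, so every host that imports this module (presumably all of them, via `self.nixosModules` in flake.nix) asks agenix to decrypt pincer's keys at activation even with both options off, while secrets.nix only lists orbekk's and pincer's keys as recipients. Gating them on the client option, e.g. `age.secrets = lib.mkIf cfg.enableClient { pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; };`, keeps the secrets on the host that runs the job. Likewise `backupJob` indexes `backups` by `config.networking.hostName`, which throws on any client host other than pincer; `lib.optionalAttrs (backups ? ${config.networking.hostName})` would yield an empty job set instead. As far as I recall `services.borgbackup.repos.<name>.path` is a single path option, not a list, so the `path = [ "/var/lib/borg-pincer" ];` line will likely fail the option type check. Finally, `lib.mkEnableOption` prepends "Whether to enable " to its argument, so the "Enable backup server"/"Enable backup client" strings here (and "Enable secrets" in modules/secrets.nix) should be noun phrases such as "the borg backup server".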
diff --git a/modules/common.nix b/modules/common.nix
index 26f96f7..4353ed6 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -3,6 +3,8 @@
programs.zsh.interactiveShellInit = "bindkey -e";
programs.tmux.enable = true;
+ orbekk.secrets.enable = true;
+
nixpkgs.config.packageOverrides = pkgs: {
libsignal-protocol-c = pkgs.callPackage ../pkgs/libsignal-c/default.nix { };
keycloak = pkgs.callPackage ../pkgs/keycloak/default.nix { };
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..d027339
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.secrets;
+in
+{
+ options = {
+ orbekk.secrets = {
+ enable = lib.mkEnableOption "Enable secrets";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.agenix ];
+ };
+}
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..812f206
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,3 @@
+# Encrypted secrets
+
+Add new keys to `secrets.nix`, then use agenix -e to write the actual key.
diff --git a/secrets/pincer-borg-repo-key.age b/secrets/pincer-borg-repo-key.age
new file mode 100644
index 0000000..5ae1ab8
--- /dev/null
+++ b/secrets/pincer-borg-repo-key.age
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 Yx9stw t1Oc7D3qbeobY+yggKoaMmU8tT1ShFdniNplpDyFCwI
+nCAHD6S5FSAdIYr3KoVaDc1UPQA+OhSX89iLu77qzdQ
+-> ssh-rsa xgQQbQ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+-> ,Gj5rN-grease krGDTh `!#Lp<
+Fg+PdtWhVgQCnYCxI0jGy04TRA
+--- rAP3GU3p0KdGOt5zctfl/3XqVWaKv5m1JkqTFNTuJNs
+XR/Ӂ'ڢs.<O\0&ۍyXY[b#¯ (h>R^ H) ?:-Ƒqz'0 \ No newline at end of file
diff --git a/secrets/pincer-borg-ssh-key.age b/secrets/pincer-borg-ssh-key.age
new file mode 100644
index 0000000..fd48aa3
--- /dev/null
+++ b/secrets/pincer-borg-ssh-key.age
Binary files differ
diff --git a/secrets/pincer-borg-ssh-key.pub b/secrets/pincer-borg-ssh-key.pub
new file mode 100644
index 0000000..951aaca
--- /dev/null
+++ b/secrets/pincer-borg-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8z/TLGajs/1ibY9qaafx5wl9BTZXdBnv0YuGP3G7OB orbekk@pincer
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..186b44c
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+ orbekk = "ssh-rsa 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 cardno:000605483607";
+ pincer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5z3Ht/CjNxMfzjRjW35SlwZgwAOUkV3Cr5J0kwehpH root@pincer";
+in {
+ "test-secret.age".publicKeys = [ orbekk pincer ];
+ "pincer-borg-ssh-key.age".publicKeys = [ orbekk pincer ];
+ "pincer-borg-repo-key.age".publicKeys = [ orbekk pincer ];
+}
diff --git a/secrets/test-secret.age b/secrets/test-secret.age
new file mode 100644
index 0000000..bc2d920
--- /dev/null
+++ b/secrets/test-secret.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 Yx9stw NQ894qBMEbMfn+Iqh6oZZYp2Ul8Gh7oovVSekuCa5S0
+xmpoNUcstscI2v91ahRZzQCeY8VKsT3ZKmn/p9NmD1k
+-> ssh-rsa xgQQbQ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+-> k4-grease . r
+bryo+3JU9atXp5HZ7M/FWRWXD6kgw6yV08SR9iRb/QbQ7MT1JbYv0PhRRpnT4MMR
+zaWMOJjw1g
+--- SGG1/hxUHo+zpuNsbwsMrLTtuQin9xgD9fAoEhi1F7g
+]
+t9BO$sxo_@9'v|?S'< 1?*q߼ \ No newline at end of file