-rw-r--r--machines/dragon.nix2
-rw-r--r--modules/backup-server.nix25
-rw-r--r--secrets/dragon-borg-repo-key.age8
-rw-r--r--secrets/dragon-borg-ssh-key.agebin0 -> 670 bytes
-rw-r--r--secrets/dragon-borg-ssh-key.pub1
-rw-r--r--secrets/secrets.nix9
6 files changed, 40 insertions, 5 deletions
diff --git a/machines/dragon.nix b/machines/dragon.nix
index bb5a979..f689154 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -12,6 +12,8 @@ in {
orbekk.monitoring-server.enable = true;
orbekk.postfix.enable = true;
orbekk.nextcloud.enable = true;
+ orbekk.backups.enableServer = true;
+ orbekk.backups.enableClient = true;
environment.systemPackages = with pkgs; [ ipmitool ];
programs.mosh.enable = true;
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
index 774d71e..fbe9c25 100644
--- a/modules/backup-server.nix
+++ b/modules/backup-server.nix
@@ -16,6 +16,19 @@ let
startAt = "daily";
};
+ backups.dragon = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
backupJob = {
${config.networking.hostName} = backups.${config.networking.hostName};
};
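Review bot: `repo = cfg.serverLocation` in `backups.dragon` may make dragon back up to itself, because machines/dragon.nix in this commit sets both `orbekk.backups.enableServer` and `orbekk.backups.enableClient` on that host. The value of `cfg.serverLocation` is defined outside the hunk, so this is inferred. If it does resolve to dragon, the only copy of `/etc/nixos` sits on the same disk and shares the same compromise as its source. Either point this job at a repo on another host or record the limitation with a comment such as `# dragon is also the backup server: this job is same-host until an off-host repo exists`. The enclosing `let` block starts before the hunk.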
@@ -33,10 +46,18 @@ in
};
config = {
- age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
- age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+ age.secrets = lib.mkIf cfg.enableClient {
+ "${config.networking.hostName}-borg-repo-key".file =
+ ../secrets/${config.networking.hostName}-borg-repo-key.age;
+ "${config.networking.hostName}-borg-ssh-key".file =
+ ../secrets/${config.networking.hostName}-borg-ssh-key.age;
+ };
services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ dragon = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/dragon" ];
+ };
pincer = {
authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
path = [ "/var/lib/borg-pincer" ];
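Review bot: The new `dragon` repo authorizes `../secrets/pincer-borg-ssh-key.pub` instead of the `dragon-borg-ssh-key.pub` file this commit adds. As written, the key dragon's client job uses via `BORG_RSH` is not accepted for its own repo, while pincer's key gains access to dragon's repo. The line should probably read `authorizedKeys = [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];`. The repo path `/var/lib/dragon` also departs from the `/var/lib/borg-pincer` naming, and `path = [ "/var/lib/borg-dragon" ];` would keep the two consistent. The `repos` attribute set continues past the end of the hunk.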
diff --git a/secrets/dragon-borg-repo-key.age b/secrets/dragon-borg-repo-key.age
new file mode 100644
index 0000000..03e7f6c
--- /dev/null
+++ b/secrets/dragon-borg-repo-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lwHmDQ KwzPoADUC0jPyxvD4MZKti4O9VcMDjtU6U2+fd/K0TM
+csXrTnviH7pX8P6gXyLy99MWLYvT08ExzmReDuqR5iU
+-> 8-grease [9n| M|z_Jur
+GwyaVRIE3Z9JRFO6ne1bahks7WzcdlCPNLG5pPIgevVhFUBRkJCJp1LsP4dqpBJF
+C+wGKtOV1K9nFDDOKOfk/j+f75TsBAUU01KctEl+icFYtaeseTs
+--- 6TRIsu5+78AQdy6yrQqYnXfLbfTECnM0CrmYCtc30CA
+<q#^Ck<Dî8Hą`&BxuҟƗQGCJ2&ǩ[;Z_WƩ=^ýф?T6W5nr d5v/ \ No newline at end of file
diff --git a/secrets/dragon-borg-ssh-key.age b/secrets/dragon-borg-ssh-key.age
new file mode 100644
index 0000000..5f0c835
--- /dev/null
+++ b/secrets/dragon-borg-ssh-key.age
Binary files differ
diff --git a/secrets/dragon-borg-ssh-key.pub b/secrets/dragon-borg-ssh-key.pub
new file mode 100644
index 0000000..0796888
--- /dev/null
+++ b/secrets/dragon-borg-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHwihuH10KLW3zuHGz31f54PXFzspKhIdCKIWR5iBcBq orbekk@pincer
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 186b44c..cb97304 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,8 +1,11 @@
let
orbekk = "ssh-rsa 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 cardno:000605483607";
pincer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5z3Ht/CjNxMfzjRjW35SlwZgwAOUkV3Cr5J0kwehpH root@pincer";
+ dragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcSRisp/LKhG1URVXAqXmqAWmSuNkdk8njR1qDo1AJP root@dragon";
in {
- "test-secret.age".publicKeys = [ orbekk pincer ];
- "pincer-borg-ssh-key.age".publicKeys = [ orbekk pincer ];
- "pincer-borg-repo-key.age".publicKeys = [ orbekk pincer ];
+ "test-secret.age".publicKeys = [ pincer ];
+ "pincer-borg-ssh-key.age".publicKeys = [ pincer ];
+ "pincer-borg-repo-key.age".publicKeys = [ pincer ];
+ "dragon-borg-ssh-key.age".publicKeys = [ dragon ];
+ "dragon-borg-repo-key.age".publicKeys = [ dragon ];
}
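Review bot: Dropping `orbekk` from every `publicKeys` list leaves each secret decryptable by a single host key only. For `dragon-borg-repo-key.age` that means the borg passphrase is lost together with dragon's host key, which is exactly the failure a backup is meant to survive. If removing the admin key is intentional, keep an offline recovery recipient or an escrowed copy of the passphrase, and say so with a comment such as `# recipients are host keys only; borg passphrases are escrowed offline`. The diffstat shows no change to the existing pincer `.age` files, so they presumably stay encrypted to `orbekk` until they are rekeyed. Editing `publicKeys` alone does not revoke access to ciphertext already in the repository history.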