-rw-r--r-- | machines/dragon.nix | 2 | ||||
-rw-r--r-- | modules/backup-server.nix | 25 | ||||
-rw-r--r-- | secrets/dragon-borg-repo-key.age | 8 | ||||
-rw-r--r-- | secrets/dragon-borg-ssh-key.age | bin | 0 -> 670 bytes | |||
-rw-r--r-- | secrets/dragon-borg-ssh-key.pub | 1 | ||||
-rw-r--r-- | secrets/secrets.nix | 9 |
6 files changed, 40 insertions, 5 deletions
diff --git a/machines/dragon.nix b/machines/dragon.nix
index bb5a979..f689154 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -12,6 +12,8 @@ in {
 orbekk.monitoring-server.enable = true;
 orbekk.postfix.enable = true;
 orbekk.nextcloud.enable = true;
+ orbekk.backups.enableServer = true;
+ orbekk.backups.enableClient = true;
 environment.systemPackages = with pkgs; [ ipmitool ];
 programs.mosh.enable = true;
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
index 774d71e..fbe9c25 100644
--- a/modules/backup-server.nix
+++ b/modules/backup-server.nix
@@ -16,6 +16,19 @@ let
 startAt = "daily";
 };
+ backups.dragon = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
 backupJob = {
 ${config.networking.hostName} = backups.${config.networking.hostName};
 };
@@ -33,10 +46,18 @@ in
 };
 config = {
- age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
- age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+ age.secrets = lib.mkIf cfg.enableClient {
+ "${config.networking.hostName}-borg-repo-key".file = ../secrets/${config.networking.hostName}-borg-repo-key.age;
+ "${config.networking.hostName}-borg-ssh-key".file = ../secrets/${config.networking.hostName}-borg-ssh-key.age;
+ };
 services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ dragon = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/dragon" ];
+ };
 pincer = {
 authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
 path = [ "/var/lib/borg-pincer" ];
diff --git a/secrets/dragon-borg-repo-key.age b/secrets/dragon-borg-repo-key.age
new file mode 100644
index 0000000..03e7f6c
--- /dev/null
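Review bot: `backups.dragon` in the first modules/backup-server.nix hunk repeats the `backups.pincer` definition above it (whose start is outside the hunk) with only the host name changed inside `passCommand` and `BORG_RSH`, so the two will drift apart on the next edit; a small helper such as `mkBackup = host: paths: { ... passCommand = "cat ${config.age.secrets."${host}-borg-repo-key".path}"; ... }` with `backups.dragon = mkBackup "dragon" [ "/etc/nixos" ];` would keep one definition of the encryption and transport settings. machines/dragon.nix enables both `enableServer` and `enableClient` on the same host, so with `repo = cfg.serverLocation` this job presumably writes into a repository that lives on dragon itself; that protects against accidental edits of /etc/nixos but not against loss of the machine, which deserves a comment on the job, e.g. `# repo is hosted on this machine; does not survive loss of the host`. The `BORG_RSH` value pins the client key but not the server host key, so the job relies on whatever is already in root's known_hosts; if the server is only ever reached from this configuration, an explicit `-o UserKnownHostsFile=...` with a checked-in host key would make that trust explicit.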
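Review bot: The new `dragon` entry under `services.borgbackup.repos` authorizes `../secrets/pincer-borg-ssh-key.pub`, the same key as the `pincer` repo, even though the commit adds `secrets/dragon-borg-ssh-key.pub` and points dragon's `BORG_RSH` at `dragon-borg-ssh-key`; as written the dragon client's own key is not accepted by its repo, and pincer's key is accepted by both repos, so a compromise of pincer can delete or corrupt dragon's archives as well as its own. The line should read `authorizedKeys = [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];`. The repo path `/var/lib/dragon` also departs from the `/var/lib/borg-pincer` naming next to it; `/var/lib/borg-dragon` would keep the convention. The enclosing `config` attribute set continues outside the hunk.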
+++ b/secrets/dragon-borg-repo-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lwHmDQ KwzPoADUC0jPyxvD4MZKti4O9VcMDjtU6U2+fd/K0TM
+csXrTnviH7pX8P6gXyLy99MWLYvT08ExzmReDuqR5iU
+-> 8-grease [9n| M|z_Jur
+GwyaVRIE3Z9JRFO6ne1bahks7WzcdlCPNLG5pPIgevVhFUBRkJCJp1LsP4dqpBJF
+C+wGKtOV1K9nFDDOKOfk/j+f75TsBAUU01KctEl+icFYtaeseTs
+--- 6TRIsu5+78AQdy6yrQqYnXfLbfTECnM0CrmYCtc30CA
+<q#^Ck<Dî8Hą`&BxuҟƗQGCJ2&ǩ[;Z_WƩ=^ýф?T6W5nr d5v/
\ No newline at end of file
diff --git a/secrets/dragon-borg-ssh-key.age b/secrets/dragon-borg-ssh-key.age
Binary files differ
new file mode 100644
index 0000000..5f0c835
--- /dev/null
+++ b/secrets/dragon-borg-ssh-key.age
diff --git a/secrets/dragon-borg-ssh-key.pub b/secrets/dragon-borg-ssh-key.pub
new file mode 100644
index 0000000..0796888
--- /dev/null
+++ b/secrets/dragon-borg-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHwihuH10KLW3zuHGz31f54PXFzspKhIdCKIWR5iBcBq orbekk@pincer
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 186b44c..cb97304 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
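Review bot: The comment on the new public key in secrets/dragon-borg-ssh-key.pub is `orbekk@pincer`, which suggests the dragon client key pair was generated on pincer under the orbekk account rather than on dragon. If so, it is worth confirming that the private half was removed from pincer once it had been encrypted into `dragon-borg-ssh-key.age`, since any copy left there gives pincer the same access to dragon's repository that the key is meant to reserve for dragon. Regenerating with `ssh-keygen -t ed25519 -C root@dragon` would also make the comment name the client it actually authenticates, which helps when reading the server's authorized keys later.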
@@ -1,8 +1,11 @@
 let
 orbekk = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgvHMjYQ5Ty7Em2Seji6dvYhgQUIbyhiHdzRINYpiOUMuVA8wgJOV0ZggmFFTO5zfJ83m7E5nc/zMuBVHwkx1gJz5ic8YdO9eLIhymQn9R+9fyLA+g+h8uwTi7UlFmQp+My7MYYxdA2tet1wwgm39Yu49mxi8lARUgi4awXn5K/ZFy08GyjGia2E/YKx2gXPKhHsWFKWPO5u8ik0v8AFCliY2wXiG4jkZE2zI0gI5FUp66tpxkaOSZqreH+lVJw+S+GAJIqzGI99zqZsAdpr7m4WALZEYwj9D7/lattSG14CAjXxjqcMSsfi6fV0ZsF1O40eoZ9mNQpIvatXtL6HBSN3kuUfraQMeB8o5kbxwyXt2Fr5hMKtEGYlMv5uPqdn+yHcC51F3RkUxFJplOFwZ3Rh/AjLLMKo+vEtL9UjhTuYiSQ0ySunY5JbBVkJY4z3pLT9MOPnq+KIfBMFBI/eYE6yeMNTHxIFMDaNMFOxWc0SoBDhgZJX5eblYidt/YWMOEPbqJNCrWIzQwtDsiYsF9JS/3D5civwTP/oaASaiJWTAvluwbibMFAC1OSBFb20xM5gD0C1q05pxVMN3Ioy1P0CIvJMLWfQR1yrNbnmoGUGHeSA/gwaxqMg7G+P/SBIheDAYEu5fzXXgFgO3sI8JvIdc1NTJMmHktahb/ecG1MQ== cardno:000605483607";
 pincer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5z3Ht/CjNxMfzjRjW35SlwZgwAOUkV3Cr5J0kwehpH root@pincer";
+ dragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcSRisp/LKhG1URVXAqXmqAWmSuNkdk8njR1qDo1AJP root@dragon";
 in {
- "test-secret.age".publicKeys = [ orbekk pincer ];
- "pincer-borg-ssh-key.age".publicKeys = [ orbekk pincer ];
- "pincer-borg-repo-key.age".publicKeys = [ orbekk pincer ];
+ "test-secret.age".publicKeys = [ pincer ];
+ "pincer-borg-ssh-key.age".publicKeys = [ pincer ];
+ "pincer-borg-repo-key.age".publicKeys = [ pincer ];
+ "dragon-borg-ssh-key.age".publicKeys = [ dragon ];
+ "dragon-borg-repo-key.age".publicKeys = [ dragon ];
 } |
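Review bot: Removing `orbekk` from every `publicKeys` list leaves each secret decryptable only by the respective host's SSH key, and the `orbekk` binding at the top of the file is now unused. For `dragon-borg-repo-key.age` that matters more than for the others: it holds the passphrase for a `repokey-blake2` repository (see `encryption.mode` in modules/backup-server.nix), so if dragon's host key is lost or rotated the repository key and with it every archive becomes unrecoverable, and rekeying the secrets with agenix can no longer be done from the admin machine without that host key. If the narrowing is deliberate, consider keeping an offline admin recipient on at least the repo keys, `"dragon-borg-repo-key.age".publicKeys = [ orbekk dragon ];` (and likewise for pincer), or record in a comment where a recovery copy of the passphrase is kept. Otherwise the unused `orbekk` binding should be dropped so the file does not suggest a recipient that no longer exists.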