Diffstat (limited to 'modules')
-rw-r--r-- | modules/backup-server.nix | 48 | ||||
-rw-r--r-- | modules/common.nix | 2 | ||||
-rw-r--r-- | modules/secrets.nix | 16 |
3 files changed, 66 insertions, 0 deletions
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
new file mode 100644
index 0000000..774d71e
--- /dev/null
+++ b/modules/backup-server.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.backups;
+
+ backups.pincer = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
+ backupJob = {
+ ${config.networking.hostName} = backups.${config.networking.hostName};
+ };
+in
+{
+ options = {
+ orbekk.backups = {
+ enableServer = lib.mkEnableOption "Enable backup server";
+ enableClient = lib.mkEnableOption "Enable backup client";
+ serverLocation = lib.mkOption {
+ type = lib.types.str;
+ default = "borg@localhost:.";
+ };
+ };
+ };
+
+ config = {
+ age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
+ age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+
+ services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ pincer = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/borg-pincer" ];
+ };
+ };
+
+ services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob;
+ };
+}
diff --git a/modules/common.nix b/modules/common.nix
index 26f96f7..4353ed6 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -3,6 +3,8 @@
 programs.zsh.interactiveShellInit = "bindkey -e";
 programs.tmux.enable = true;
+ orbekk.secrets.enable = true;
+
 nixpkgs.config.packageOverrides = pkgs: {
 libsignal-protocol-c = pkgs.callPackage ../pkgs/libsignal-c/default.nix { };
 keycloak = pkgs.callPackage ../pkgs/keycloak/default.nix { };
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..d027339
--- /dev/null
+++ b/modules/secrets.nix
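Review bot: The two `age.secrets.pincer-borg-*` declarations in the `config` block of backup-server.nix are unconditional, so every host that imports this module — including one that sets only `enableServer` — has pincer's borg passphrase and SSH private key deployed (and must be able to decrypt them) although only the client job reads them; scope them to the client with `age.secrets = lib.mkIf cfg.enableClient { pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; };`. `backupJob` indexes `backups.${config.networking.hostName}` but only `backups.pincer` is defined, so enabling the client on any other host presumably fails evaluation with a missing-attribute error rather than a clear message; a `lib.optionalAttrs (backups ? ${config.networking.hostName})` guard or an assertion naming the host would make that explicit. `repos.pincer.path` is written as a one-element list where the NixOS option takes a single path and appears to work only because the list coerces to a string; `path = "/var/lib/borg-pincer";` is the intended form. The `mkEnableOption` descriptions here and in secrets.nix already get "Whether to enable" prepended, so "Enable backup server" renders as "Whether to enable Enable backup server."; drop the leading "Enable" in all three.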
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.secrets;
+in
+{
+ options = {
+ orbekk.secrets = {
+ enable = lib.mkEnableOption "Enable secrets";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.agenix ];
+ };
+}