From ad6090aaa358c2d2ce99c50bdfd09ae6ae96a6cd Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Tue, 25 Jan 2022 08:38:38 -0500
Subject: Add dragon borg repo

---
 machines/dragon.nix | 2 ++
 modules/backup-server.nix | 25 +++++++++++++++++++++++--
 secrets/dragon-borg-repo-key.age | 8 ++++++++
 secrets/dragon-borg-ssh-key.age | Bin 0 -> 670 bytes
 secrets/dragon-borg-ssh-key.pub | 1 +
 secrets/secrets.nix | 9 ++++++---
 6 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 secrets/dragon-borg-repo-key.age
 create mode 100644 secrets/dragon-borg-ssh-key.age
 create mode 100644 secrets/dragon-borg-ssh-key.pub

diff --git a/machines/dragon.nix b/machines/dragon.nix
index bb5a979..f689154 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -12,6 +12,8 @@ in {
 orbekk.monitoring-server.enable = true;
 orbekk.postfix.enable = true;
 orbekk.nextcloud.enable = true;
+ orbekk.backups.enableServer = true;
+ orbekk.backups.enableClient = true;
 environment.systemPackages = with pkgs; [ ipmitool ];
 programs.mosh.enable = true;
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
index 774d71e..fbe9c25 100644
--- a/modules/backup-server.nix
+++ b/modules/backup-server.nix
@@ -16,6 +16,19 @@ let
 startAt = "daily";
 };
+ backups.dragon = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
 backupJob = {
 ${config.networking.hostName} = backups.${config.networking.hostName};
 };
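Review bot: `backups.dragon` pushes its archives to `cfg.serverLocation` over the host's own `BORG_RSH` key, and the first hunk of this commit enables `enableServer` on dragon too, so if `serverLocation` resolves to dragon itself the only copy of `/etc/nixos` lives on the machine being backed up and is lost with it on disk failure or compromise; `serverLocation` is defined outside this hunk, so this is inferred. If that is intentional, say so on the job: `# dragon hosts the repo itself: this is a local snapshot, not an off-host backup`. The block also hardcodes `dragon-borg-repo-key` and `dragon-borg-ssh-key` while the later hunk derives the same secret names from `config.networking.hostName`; a small `mkBackup hostName paths` helper in this `let` would keep the two in step and remove the duplication with the pincer job above. The enclosing `let` block starts and ends outside the hunk.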
@@ -33,10 +46,18 @@ in
 };
 config = {
- age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
- age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+ age.secrets = lib.mkIf cfg.enableClient {
+ "${config.networking.hostName}-borg-repo-key".file =
+ ../secrets/${config.networking.hostName}-borg-repo-key.age;
+ "${config.networking.hostName}-borg-ssh-key".file =
+ ../secrets/${config.networking.hostName}-borg-ssh-key.age;
+ };
 services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ dragon = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/dragon" ];
+ };
 pincer = {
 authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
 path = [ "/var/lib/borg-pincer" ];
diff --git a/secrets/dragon-borg-repo-key.age b/secrets/dragon-borg-repo-key.age
new file mode 100644
index 0000000..03e7f6c
--- /dev/null
+++ b/secrets/dragon-borg-repo-key.age
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 lwHmDQ KwzPoADUC0jPyxvD4MZKti4O9VcMDjtU6U2+fd/K0TM +csXrTnviH7pX8P6gXyLy99MWLYvT08ExzmReDuqR5iU +-> 8-grease [9n| M|z_Jur +GwyaVRIE3Z9JRFO6ne1bahks7WzcdlCPNLG5pPIgevVhFUBRkJCJp1LsP4dqpBJF +C+wGKtOV1K9nFDDOKOfk/j+f75TsBAUU01KctEl+icFYtaeseTs +--- 6TRIsu5+78AQdy6yrQqYnXfLbfTECnM0CrmYCtc30CA +Àì
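Review bot: The new `dragon` repo authorizes `pincer-borg-ssh-key.pub` instead of the `secrets/dragon-borg-ssh-key.pub` this commit adds, so the dragon client job (which authenticates with `dragon-borg-ssh-key` in the earlier hunk) cannot log in, while pincer's key is now accepted for both repos and a compromise of pincer would expose dragon's archives as well. Change it to `authorizedKeys = [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];`. Consider setting `authorizedKeysAppendOnly` on both repos so a compromised client key can add archives but not prune or delete existing history. The repo path `/var/lib/dragon` also departs from the `/var/lib/borg-<host>` naming used for pincer; `/var/lib/borg-dragon` would keep them parallel. The `config = {` block this hunk edits continues outside the hunk.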