authorsefidel <contact@sefidel.net>2023-09-14 20:56:34 +0900
committersefidel <contact@sefidel.net>2023-09-14 20:56:34 +0900
commit379980b29e5d1e2f6871dd4c7aa6ec0d6ae02b3f (patch)
tree3d3ff6c2eb50f98f41d99dee0ebcd73a7fbe6f7d /nixos/haruka/configuration.nix
parentf05dcbb77e616c59879d503527007d2b8ed8a3db (diff)
feat(home,nixos/haruka): sops secrets setup
Diffstat (limited to 'nixos/haruka/configuration.nix')
-rw-r--r--nixos/haruka/configuration.nix88
1 files changed, 43 insertions, 45 deletions
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 5f1d715..c6aecdc 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -108,44 +108,44 @@
     }
   ];
 
-  #SOPSsops.secrets.borg-haruka-rolling-pass = { };
-  #SOPSservices.borgbackup.jobs.haruka-rolling = {
-    #SOPSpaths = [
-      #SOPS"/persist"
-      #SOPS"/home"
-    #SOPS];
-
-    #SOPSexclude = [
-      #SOPS# Rust build files
-      #SOPS"**/target"
-    #SOPS];
-
-    #SOPSprune.keep = {
-      #SOPSwithin = "1d";
-      #SOPSdaily = 7;
-      #SOPSweekly = 4;
-      #SOPSmonthly = 3;
-    #SOPS};
-
-    #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka";
-    #SOPSencryption.mode = "repokey-blake2";
-    #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}";
-
-    #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
-    #SOPS# use borg 1.0+ on rsync.net
-    #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
-    #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600";
-    #SOPScompression = "auto,zstd";
-    #SOPSstartAt = "hourly";
-    #SOPSpersistentTimer = true;
-  #SOPS};
-
-  #SOPSsystemd.services.borgbackup-job-haruka-rolling = {
-    #SOPSpreStart = lib.mkBefore ''
-      #SOPS# Wait until internet is reachable after resuming
-      #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
-    #SOPS'';
-  #SOPS};
+  sops.secrets.borg-haruka-rolling-pass = { };
+  services.borgbackup.jobs.haruka-rolling = {
+    paths = [
+      "/persist"
+      "/home"
+    ];
+
+    exclude = [
+      # Rust build files
+      "**/target"
+    ];
+
+    prune.keep = {
+      within = "1d";
+      daily = 7;
+      weekly = 4;
+      monthly = 3;
+    };
+
+    repo = "20963@hk-s020.rsync.net:rolling/haruka";
+    encryption.mode = "repokey-blake2";
+    encryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass.path}";
+
+    environment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
+    # use borg 1.0+ on rsync.net
+    environment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
+    extraCreateArgs = "--verbose --stats --checkpoint-interval 600";
+    compression = "auto,zstd";
+    startAt = "hourly";
+    persistentTimer = true;
+  };
+
+  systemd.services.borgbackup-job-haruka-rolling = {
+    preStart = lib.mkBefore ''
+      # Wait until internet is reachable after resuming
+      until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
+    '';
+  };
 
   services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
 
@@ -268,22 +268,20 @@
     ];
   };
 
-  #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml;
-  #SOPSsops.secrets.root-password.neededForUsers = true;
-  #SOPSsops.secrets.sefidel-password.neededForUsers = true;
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.sefidel-password.neededForUsers = true;
 
   users.mutableUsers = false;
 
   fileSystems."/persist".neededForBoot = true;
 
   users.users = {
-    #SOPSroot.passwordFile = config.sops.secrets.root-password.path;
-    root.password = "1111";
+    root.passwordFile = config.sops.secrets.root-password.path;
     sefidel = {
       isNormalUser = true;
       shell = pkgs.zsh;
-      #SOPSpasswordFile = config.sops.secrets.sefidel-password.path;
-      password = "1111";
+      passwordFile = config.sops.secrets.sefidel-password.path;
 
       extraGroups = [
         "wheel"
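Review bot: The files wired into `root.passwordFile` and `sefidel.passwordFile` must contain a crypt(3)-style hash, not the plaintext the removed `password = "1111"` lines used; nothing in the hunk makes that visible, so I would add `# sops values must be hashes (mkpasswd -m sha-512), not plaintext passwords` above the `users.users` block to stop someone pasting a plaintext into secrets.yaml. Note that the literal `1111` remains in git history and in any earlier system generation still in the Nix store, so those passwords should be treated as burned and the new secrets should not reuse them. Later NixOS releases rename this option to `hashedPasswordFile`, I believe, which makes the hashed requirement explicit and is worth adopting when the channel allows. The `users.users` attribute set continues past the end of the hunk.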