authorsefidel <contact@sefidel.net>2023-09-14 20:56:34 +0900
committersefidel <contact@sefidel.net>2023-09-14 20:56:34 +0900
commit379980b29e5d1e2f6871dd4c7aa6ec0d6ae02b3f (patch)
tree3d3ff6c2eb50f98f41d99dee0ebcd73a7fbe6f7d /nixos/haruka
parentf05dcbb77e616c59879d503527007d2b8ed8a3db (diff)
feat(home,nixos/haruka): sops secrets setup
Diffstat (limited to 'nixos/haruka')
-rw-r--r--nixos/haruka/configuration.nix88
-rw-r--r--nixos/haruka/secrets/secrets.yaml32
2 files changed, 75 insertions, 45 deletions
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 5f1d715..c6aecdc 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -108,44 +108,44 @@
}
];
- #SOPSsops.secrets.borg-haruka-rolling-pass = { };
- #SOPSservices.borgbackup.jobs.haruka-rolling = {
- #SOPSpaths = [
- #SOPS"/persist"
- #SOPS"/home"
- #SOPS];
-
- #SOPSexclude = [
- #SOPS# Rust build files
- #SOPS"**/target"
- #SOPS];
-
- #SOPSprune.keep = {
- #SOPSwithin = "1d";
- #SOPSdaily = 7;
- #SOPSweekly = 4;
- #SOPSmonthly = 3;
- #SOPS};
-
- #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka";
- #SOPSencryption.mode = "repokey-blake2";
- #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}";
-
- #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
- #SOPS# use borg 1.0+ on rsync.net
- #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
- #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600";
- #SOPScompression = "auto,zstd";
- #SOPSstartAt = "hourly";
- #SOPSpersistentTimer = true;
- #SOPS};
-
- #SOPSsystemd.services.borgbackup-job-haruka-rolling = {
- #SOPSpreStart = lib.mkBefore ''
- #SOPS# Wait until internet is reachable after resuming
- #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
- #SOPS'';
- #SOPS};
+ sops.secrets.borg-haruka-rolling-pass = { };
+ services.borgbackup.jobs.haruka-rolling = {
+ paths = [
+ "/persist"
+ "/home"
+ ];
+
+ exclude = [
+ # Rust build files
+ "**/target"
+ ];
+
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = 3;
+ };
+
+ repo = "20963@hk-s020.rsync.net:rolling/haruka";
+ encryption.mode = "repokey-blake2";
+ encryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass.path}";
+
+ environment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
+ # use borg 1.0+ on rsync.net
+ environment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
+ extraCreateArgs = "--verbose --stats --checkpoint-interval 600";
+ compression = "auto,zstd";
+ startAt = "hourly";
+ persistentTimer = true;
+ };
+
+ systemd.services.borgbackup-job-haruka-rolling = {
+ preStart = lib.mkBefore ''
+ # Wait until internet is reachable after resuming
+ until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
+ '';
+ };
services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
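Review bot: The `preStart` wait at the end of the hunk spins with no pause and no bound: `ping -c1` returns quickly when name resolution fails, so the `until` loop becomes a tight busy-loop for as long as the network is down, and nothing limits how long the unit sits in activating. Add a delay between probes, `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do sleep 5; done`, and consider a `serviceConfig.TimeoutStartSec` so a never-reachable remote fails the job rather than hanging it. Separately, `BORG_RSH` authenticates with haruka's own host key and the job runs `prune` itself, so anyone with root on haruka can delete the remote archives as well as read them; whether that key can be confined to append-only on the rsync.net side is not visible here and is worth confirming before relying on these backups for ransomware recovery. The `.path` suffix on `passCommand` is the correct form — the previously commented-out version referenced the option set, not the decrypted file.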
@@ -268,22 +268,20 @@
];
};
- #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml;
- #SOPSsops.secrets.root-password.neededForUsers = true;
- #SOPSsops.secrets.sefidel-password.neededForUsers = true;
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.secrets.root-password.neededForUsers = true;
+ sops.secrets.sefidel-password.neededForUsers = true;
users.mutableUsers = false;
fileSystems."/persist".neededForBoot = true;
users.users = {
- #SOPSroot.passwordFile = config.sops.secrets.root-password.path;
- root.password = "1111";
+ root.passwordFile = config.sops.secrets.root-password.path;
sefidel = {
isNormalUser = true;
shell = pkgs.zsh;
- #SOPSpasswordFile = config.sops.secrets.sefidel-password.path;
- password = "1111";
+ passwordFile = config.sops.secrets.sefidel-password.path;
extraGroups = [
"wheel"
diff --git a/nixos/haruka/secrets/secrets.yaml b/nixos/haruka/secrets/secrets.yaml
new file mode 100644
index 0000000..a59a2a8
--- /dev/null
+++ b/nixos/haruka/secrets/secrets.yaml
@@ -0,0 +1,32 @@
+root-password: ENC[AES256_GCM,data:5bmLUZ/JqQtelGz1UKmX4MfMAvZehq+K4S7VeujhAVkVOu28qP8uFM7/cAC3rLP3LHMWdF5Ktjd3AxL3BqG7pfsYzP1CJSg47w==,iv:/jIWyTjVro2tJTx3XXipeMVLXRsl2B2/ADXPDDQkttI=,tag:/TMZteWjARWCKufgqU1TiQ==,type:str]
+sefidel-password: ENC[AES256_GCM,data:/LpPSzpABh1y5DIU/0Ki9Rn9PDidAoG0zvus3UZC6wpIjGGjtUoCJnRKDDePw6hL3uM7wo8uGVANs8w5sDkwO33Neu2rNb6adQ==,iv:Bhgpej2yXXnUtwA2g4Yhj98iLzm0U2zHvdJcL/3ZugU=,tag:B+ua2H1xluy2/OH9P+/GJw==,type:str]
+borg-haruka-rolling-pass: ENC[AES256_GCM,data:JqmKd5VvdCq8Y6ks8bspQ2YC4X1gihTpeERs2rvK/w==,iv:+g+ZGraW76PASfht8tNF4c30zYUeiR8tTRqxu+ETdjQ=,tag:leFtuzalVnkWMFz5PSx9Xw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTEVyeU5DemlXcHVGR1Qx
+ dUFnanhpcDl2bEVGNjgwMUQvWG1JVS82YVNBCk9pUlJNUVFiZExFaktiOHN3WXVV
+ QVg4NHlTWUxsOFg3V1RwWHdFNlhyZGcKLS0tIHJsSFllOFg5dDZNaVRQUm41dTRN
+ L2ZDaW1ZSGtTVWxXRzQwcGNHU1k2ak0KEVQI+rUCm+GbJLDvooYJ7XneISszeSoM
+ tqji07emPkVWfz/B6lbB4sTfSf9ZFLk8MssFeqxO5Y7yhWsqaULYCQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQnFJTmtvTUVackVuNXQw
+ TGJXdzhvQVlZbGQ2Wko2bElVeXU2NjV2TWpvCndkNVU2cnpoQnBjaHRPZ1dLbjNq
+ aTJ1eG1FQkhONzFYdWhqSmRQRFdLSEkKLS0tIEZJRzdmWWZTNm9XbGk5R3FKYk0y
+ NEt0ZUdHekFsc1ZPY0NkdkFmSXBicTgKWd6zebmSjrwokehdz3L5x61XNf3Mn1g/
+ II/uRkYH7UXuw7Hji/Maa4JsWmdWtNhqMQPvd0WBGZQpbeWwqwBuFA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-14T11:22:16Z"
+ mac: ENC[AES256_GCM,data:dSNP4IWtyKTshrIBSADR5TdK4edi8NOKqC+/MSgZTnq3jxc5j6rE32vFJAJaezzbbypIcXy6H6IK/YpvBVa6YThDQaG3LVvmmqWzhJtpRLJakNGfbreKnbOWog7XOSOGPUi5f5g+IQZhO7XX1oP6RmmbxHGNRCPMPPalJRuPakI=,iv:wkSp20znSxToZBEHzsTxI7F1eOiSLs/MwQcH52G8D6w=,tag:0okZjKoZZE//906lzOs2FQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
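Review bot: Two age recipients are listed (lines `- recipient: age1jt8…` and `- recipient: age1hn5…`) but nothing in this commit says which key each one is, so a reader cannot tell whether one is haruka's host key (ssh-to-age style) and the other an operator key, or which one to drop on rotation. Record that mapping with comments in the repository's `.sops.yaml` rather than in this file, since comments inside the encrypted document are not reliably preserved across sops edits. Both recipients can decrypt every value, including the borg passphrase and both password hashes; if one key is host-derived, compromise of that host exposes all three secrets, which is expected for a per-host file but should be stated where the keys are documented.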