-rw-r--r--home/.sops.yaml2
-rw-r--r--home/secrets/secrets.yaml4
-rw-r--r--nixos/.sops.yaml6
-rw-r--r--nixos/haruka/configuration.nix88
-rw-r--r--nixos/haruka/secrets/secrets.yaml32
5 files changed, 85 insertions, 47 deletions
diff --git a/home/.sops.yaml b/home/.sops.yaml
index 8b7073c..d10a342 100644
--- a/home/.sops.yaml
+++ b/home/.sops.yaml
@@ -2,9 +2,11 @@ keys:
- &sefidel age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
- &sefidel_pgp 8BDFDFB56842239382A0441B9238BC709E05516A
- &alpha_sefidel age1k585l9d34j77htwmzk79ms0wcfyltz5d3v87pnjkvrzru85vke4q2q0qjd
+ - &haruka_sefidel age1070zxj95mava396j5990a6hvpeajcxqgqlxyr8xu2s9p245yfenqkqew6f
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *sefidel
- *alpha_sefidel
+ - *haruka_sefidel
diff --git a/home/secrets/secrets.yaml b/home/secrets/secrets.yaml
index 5149b59..60dd583 100644
--- a/home/secrets/secrets.yaml
+++ b/home/secrets/secrets.yaml
@@ -23,8 +23,8 @@ sops:
SDl5RTUvUXVSdmc0aEc0aFd2akdkY0UKJFEvPFe2xalBb5Y2fxSbCeB6vHf15OXw
LzSmm+8T7kvCUvJG+TEu1qOaR16RSWHSv/A9F4IfmE0V8YTRdgbgrQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-09T07:55:37Z"
- mac: ENC[AES256_GCM,data:SzuAZEwRy/sziLdHJ+IpjUJRTY6FTv8l5lKWM/Ylhww58/VzoDvPGbcr6npV3uKPy/B+bUFkzrhtF+DnlD44o8aVGfwXOrVNT5+2mxzG3+u22ZYBDOQE/LB84EkV4/0XVJ8pZGBCTQlqI+rmoNdT1tzsdH4oh4bMZp+6+vLGGzU=,iv:WOpM7Rn0s9w+t0kLdSSmWU2EOOqdnylnmNxyYqyfMmk=,tag:3IQ2k0vIVnONSXvUQ0XALA==,type:str]
+ lastmodified: "2023-09-14T11:26:18Z"
+ mac: ENC[AES256_GCM,data:ZjrurFQ3O4MM51i6XRnZjq5mf/Yq/cly5cWELafJnEliaoRl568C4EULKqAtO93njU2g/ej4Z7Ypg2t8xMoJJ6gbW1l76s1EzhsH5F1VJ1xr5OQ/hLx1/Zi4zekJCfac8pAH9jA4AaZ9dt4+CQiaz9pNyVumnc0OXLNd7KAvFUo=,iv:KSfResvF+LDAlGAMn5L89cn2Nm98ZD3kiQKQRjcu1oQ=,tag:S1L/w6BuomJsZzuVgJ2ZCA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
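Review bot: Only the lastmodified and mac lines change in this hunk, and the diffstat for home/secrets/secrets.yaml (4 lines) leaves no room for a new `- recipient:` stanza, so the file does not appear to have been re-encrypted to the haruka_sefidel key that the preceding home/.sops.yaml hunk adds to its creation rule; on haruka the home secrets would then fail to decrypt with that key. Re-keying the file (`sops updatekeys home/secrets/secrets.yaml`) would add the new recipient block next to the existing ones. Compare nixos/haruka/secrets/secrets.yaml later in this commit, whose age recipients do match its rule.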
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index 2afc664..9815b58 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -3,12 +3,18 @@ keys:
- &sefidel_pgp 8BDFDFB56842239382A0441B9238BC709E05516A
- &host_alpha age100jkyvgl8hqkapw3s4s4uu8jjgfkjn8kyl769x8u4x6tddk6rezshtf6gr
- &host_kompakt age180yj8dn9jhjzj9c0y6qr5fa76g0ls3p772dvn60nu67wveqv8pvsahvur6
+ - &host_haruka age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7
creation_rules:
- path_regex: alpha/secrets/[^/]+\.yaml$
key_groups:
- age:
- *sefidel
- *host_alpha
+ - path_regex: haruka/secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *sefidel
+ - *host_haruka
- path_regex: kompakt/secrets/[^/]+\.yaml$
key_groups:
- age:
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 5f1d715..c6aecdc 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -108,44 +108,44 @@
}
];
- #SOPSsops.secrets.borg-haruka-rolling-pass = { };
- #SOPSservices.borgbackup.jobs.haruka-rolling = {
- #SOPSpaths = [
- #SOPS"/persist"
- #SOPS"/home"
- #SOPS];
-
- #SOPSexclude = [
- #SOPS# Rust build files
- #SOPS"**/target"
- #SOPS];
-
- #SOPSprune.keep = {
- #SOPSwithin = "1d";
- #SOPSdaily = 7;
- #SOPSweekly = 4;
- #SOPSmonthly = 3;
- #SOPS};
-
- #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka";
- #SOPSencryption.mode = "repokey-blake2";
- #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}";
-
- #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
- #SOPS# use borg 1.0+ on rsync.net
- #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
- #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600";
- #SOPScompression = "auto,zstd";
- #SOPSstartAt = "hourly";
- #SOPSpersistentTimer = true;
- #SOPS};
-
- #SOPSsystemd.services.borgbackup-job-haruka-rolling = {
- #SOPSpreStart = lib.mkBefore ''
- #SOPS# Wait until internet is reachable after resuming
- #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
- #SOPS'';
- #SOPS};
+ sops.secrets.borg-haruka-rolling-pass = { };
+ services.borgbackup.jobs.haruka-rolling = {
+ paths = [
+ "/persist"
+ "/home"
+ ];
+
+ exclude = [
+ # Rust build files
+ "**/target"
+ ];
+
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = 3;
+ };
+
+ repo = "20963@hk-s020.rsync.net:rolling/haruka";
+ encryption.mode = "repokey-blake2";
+ encryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass.path}";
+
+ environment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key";
+ # use borg 1.0+ on rsync.net
+ environment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1";
+ extraCreateArgs = "--verbose --stats --checkpoint-interval 600";
+ compression = "auto,zstd";
+ startAt = "hourly";
+ persistentTimer = true;
+ };
+
+ systemd.services.borgbackup-job-haruka-rolling = {
+ preStart = lib.mkBefore ''
+ # Wait until internet is reachable after resuming
+ until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done
+ '';
+ };
services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH";
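Review bot: The readiness loop in preStart, `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done`, spins with no delay, so while the network is down after resume it relaunches ping back to back, and it never gives up, leaving the backup unit blocked in preStart for as long as the outage lasts. A short pause between attempts and a bound would be enough: `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do sleep 5; done` with a counter that exits non-zero after some number of tries so systemd can record the failure. The enclosing module attribute set starts outside the hunk.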
@@ -268,22 +268,20 @@
];
};
- #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml;
- #SOPSsops.secrets.root-password.neededForUsers = true;
- #SOPSsops.secrets.sefidel-password.neededForUsers = true;
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.secrets.root-password.neededForUsers = true;
+ sops.secrets.sefidel-password.neededForUsers = true;
users.mutableUsers = false;
fileSystems."/persist".neededForBoot = true;
users.users = {
- #SOPSroot.passwordFile = config.sops.secrets.root-password.path;
- root.password = "1111";
+ root.passwordFile = config.sops.secrets.root-password.path;
sefidel = {
isNormalUser = true;
shell = pkgs.zsh;
- #SOPSpasswordFile = config.sops.secrets.sefidel-password.path;
- password = "1111";
+ passwordFile = config.sops.secrets.sefidel-password.path;
extraGroups = [
"wheel"
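Review bot: `root.passwordFile` and `passwordFile`, which replace the removed `password = "1111"` lines, take a file whose contents are a crypt-format password hash, not the plaintext value the old option held; nothing in the hunk says so, and the next editor of secrets.yaml could store a plaintext password there and lock the account. A one-line comment next to the `neededForUsers` lines would prevent that, e.g. `# *-password secrets hold crypt(3) hashes (mkpasswd output), not plaintext`. The users.users set continues outside the hunk.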
diff --git a/nixos/haruka/secrets/secrets.yaml b/nixos/haruka/secrets/secrets.yaml
new file mode 100644
index 0000000..a59a2a8
--- /dev/null
+++ b/nixos/haruka/secrets/secrets.yaml
@@ -0,0 +1,32 @@
+root-password: ENC[AES256_GCM,data:5bmLUZ/JqQtelGz1UKmX4MfMAvZehq+K4S7VeujhAVkVOu28qP8uFM7/cAC3rLP3LHMWdF5Ktjd3AxL3BqG7pfsYzP1CJSg47w==,iv:/jIWyTjVro2tJTx3XXipeMVLXRsl2B2/ADXPDDQkttI=,tag:/TMZteWjARWCKufgqU1TiQ==,type:str]
+sefidel-password: ENC[AES256_GCM,data:/LpPSzpABh1y5DIU/0Ki9Rn9PDidAoG0zvus3UZC6wpIjGGjtUoCJnRKDDePw6hL3uM7wo8uGVANs8w5sDkwO33Neu2rNb6adQ==,iv:Bhgpej2yXXnUtwA2g4Yhj98iLzm0U2zHvdJcL/3ZugU=,tag:B+ua2H1xluy2/OH9P+/GJw==,type:str]
+borg-haruka-rolling-pass: ENC[AES256_GCM,data:JqmKd5VvdCq8Y6ks8bspQ2YC4X1gihTpeERs2rvK/w==,iv:+g+ZGraW76PASfht8tNF4c30zYUeiR8tTRqxu+ETdjQ=,tag:leFtuzalVnkWMFz5PSx9Xw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTEVyeU5DemlXcHVGR1Qx
+ dUFnanhpcDl2bEVGNjgwMUQvWG1JVS82YVNBCk9pUlJNUVFiZExFaktiOHN3WXVV
+ QVg4NHlTWUxsOFg3V1RwWHdFNlhyZGcKLS0tIHJsSFllOFg5dDZNaVRQUm41dTRN
+ L2ZDaW1ZSGtTVWxXRzQwcGNHU1k2ak0KEVQI+rUCm+GbJLDvooYJ7XneISszeSoM
+ tqji07emPkVWfz/B6lbB4sTfSf9ZFLk8MssFeqxO5Y7yhWsqaULYCQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQnFJTmtvTUVackVuNXQw
+ TGJXdzhvQVlZbGQ2Wko2bElVeXU2NjV2TWpvCndkNVU2cnpoQnBjaHRPZ1dLbjNq
+ aTJ1eG1FQkhONzFYdWhqSmRQRFdLSEkKLS0tIEZJRzdmWWZTNm9XbGk5R3FKYk0y
+ NEt0ZUdHekFsc1ZPY0NkdkFmSXBicTgKWd6zebmSjrwokehdz3L5x61XNf3Mn1g/
+ II/uRkYH7UXuw7Hji/Maa4JsWmdWtNhqMQPvd0WBGZQpbeWwqwBuFA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-14T11:22:16Z"
+ mac: ENC[AES256_GCM,data:dSNP4IWtyKTshrIBSADR5TdK4edi8NOKqC+/MSgZTnq3jxc5j6rE32vFJAJaezzbbypIcXy6H6IK/YpvBVa6YThDQaG3LVvmmqWzhJtpRLJakNGfbreKnbOWog7XOSOGPUi5f5g+IQZhO7XX1oP6RmmbxHGNRCPMPPalJRuPakI=,iv:wkSp20znSxToZBEHzsTxI7F1eOiSLs/MwQcH52G8D6w=,tag:0okZjKoZZE//906lzOs2FQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3