From 379980b29e5d1e2f6871dd4c7aa6ec0d6ae02b3f Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 14 Sep 2023 20:56:34 +0900
Subject: feat(home,nixos/haruka): sops secrets setup
---
 home/.sops.yaml | 2 +
 home/secrets/secrets.yaml | 4 +-
 nixos/.sops.yaml | 6 +++
 nixos/haruka/configuration.nix | 88 +++++++++++++++++++--------------------
 nixos/haruka/secrets/secrets.yaml | 32 ++++++++++++++
 5 files changed, 85 insertions(+), 47 deletions(-)
 create mode 100644 nixos/haruka/secrets/secrets.yaml
diff --git a/home/.sops.yaml b/home/.sops.yaml
index 8b7073c..d10a342 100644
--- a/home/.sops.yaml
+++ b/home/.sops.yaml
@@ -2,9 +2,11 @@ keys: - &sefidel age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8 - &sefidel_pgp 8BDFDFB56842239382A0441B9238BC709E05516A - &alpha_sefidel age1k585l9d34j77htwmzk79ms0wcfyltz5d3v87pnjkvrzru85vke4q2q0qjd + - &haruka_sefidel age1070zxj95mava396j5990a6hvpeajcxqgqlxyr8xu2s9p245yfenqkqew6f creation_rules: - path_regex: secrets/[^/]+\.yaml$ key_groups: - age: - *sefidel - *alpha_sefidel + - *haruka_sefidel
diff --git a/home/secrets/secrets.yaml b/home/secrets/secrets.yaml
index 5149b59..60dd583 100644
--- a/home/secrets/secrets.yaml
+++ b/home/secrets/secrets.yaml
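Review bot: Adding `*haruka_sefidel` to the creation rule does not re-encrypt files that already exist, and the companion hunk for home/secrets/secrets.yaml only rewrites `lastmodified` and `mac` (the diffstat shows 2 insertions / 2 deletions and no new `recipient:` stanza), so that file still cannot be decrypted with the new haruka key. Run `sops updatekeys home/secrets/secrets.yaml` and commit the result; the file's `sops.age` list should then gain an entry for `age1070zxj95...`. A short comment on the new key line saying which machine and user it belongs to, e.g. `# presumably sefidel's user key on haruka`, would also help the next person rotating keys.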
@@ -23,8 +23,8 @@ sops: SDl5RTUvUXVSdmc0aEc0aFd2akdkY0UKJFEvPFe2xalBb5Y2fxSbCeB6vHf15OXw LzSmm+8T7kvCUvJG+TEu1qOaR16RSWHSv/A9F4IfmE0V8YTRdgbgrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-09T07:55:37Z" - mac: ENC[AES256_GCM,data:SzuAZEwRy/sziLdHJ+IpjUJRTY6FTv8l5lKWM/Ylhww58/VzoDvPGbcr6npV3uKPy/B+bUFkzrhtF+DnlD44o8aVGfwXOrVNT5+2mxzG3+u22ZYBDOQE/LB84EkV4/0XVJ8pZGBCTQlqI+rmoNdT1tzsdH4oh4bMZp+6+vLGGzU=,iv:WOpM7Rn0s9w+t0kLdSSmWU2EOOqdnylnmNxyYqyfMmk=,tag:3IQ2k0vIVnONSXvUQ0XALA==,type:str] + lastmodified: "2023-09-14T11:26:18Z" + mac: ENC[AES256_GCM,data:ZjrurFQ3O4MM51i6XRnZjq5mf/Yq/cly5cWELafJnEliaoRl568C4EULKqAtO93njU2g/ej4Z7Ypg2t8xMoJJ6gbW1l76s1EzhsH5F1VJ1xr5OQ/hLx1/Zi4zekJCfac8pAH9jA4AaZ9dt4+CQiaz9pNyVumnc0OXLNd7KAvFUo=,iv:KSfResvF+LDAlGAMn5L89cn2Nm98ZD3kiQKQRjcu1oQ=,tag:S1L/w6BuomJsZzuVgJ2ZCA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml index 2afc664..9815b58 100644 --- a/nixos/.sops.yaml +++ b/nixos/.sops.yaml @@ -3,12 +3,18 @@ keys: - &sefidel_pgp 8BDFDFB56842239382A0441B9238BC709E05516A - &host_alpha age100jkyvgl8hqkapw3s4s4uu8jjgfkjn8kyl769x8u4x6tddk6rezshtf6gr - &host_kompakt age180yj8dn9jhjzj9c0y6qr5fa76g0ls3p772dvn60nu67wveqv8pvsahvur6 + - &host_haruka age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7 creation_rules: - path_regex: alpha/secrets/[^/]+\.yaml$ key_groups: - age: - *sefidel - *host_alpha + - path_regex: haruka/secrets/[^/]+\.yaml$ + key_groups: + - age: + - *sefidel + - *host_haruka - path_regex: kompakt/secrets/[^/]+\.yaml$ key_groups: - age: diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix index 5f1d715..c6aecdc 100644 --- a/nixos/haruka/configuration.nix +++ b/nixos/haruka/configuration.nix 
@@ -108,44 +108,44 @@ } ]; - #SOPSsops.secrets.borg-haruka-rolling-pass = { }; - #SOPSservices.borgbackup.jobs.haruka-rolling = { - #SOPSpaths = [ - #SOPS"/persist" - #SOPS"/home" - #SOPS]; - - #SOPSexclude = [ - #SOPS# Rust build files - #SOPS"**/target" - #SOPS]; - - #SOPSprune.keep = { - #SOPSwithin = "1d"; - #SOPSdaily = 7; - #SOPSweekly = 4; - #SOPSmonthly = 3; - #SOPS}; - - #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka"; - #SOPSencryption.mode = "repokey-blake2"; - #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}"; - - #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key"; - #SOPS# use borg 1.0+ on rsync.net - #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1"; - #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600"; - #SOPScompression = "auto,zstd"; - #SOPSstartAt = "hourly"; - #SOPSpersistentTimer = true; - #SOPS}; - - #SOPSsystemd.services.borgbackup-job-haruka-rolling = { - #SOPSpreStart = lib.mkBefore '' - #SOPS# Wait until internet is reachable after resuming - #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done - #SOPS''; - #SOPS}; + sops.secrets.borg-haruka-rolling-pass = { }; + services.borgbackup.jobs.haruka-rolling = { + paths = [ + "/persist" + "/home" + ]; + + exclude = [ + # Rust build files + "**/target" + ]; + + prune.keep = { + within = "1d"; + daily = 7; + weekly = 4; + monthly = 3; + }; + + repo = "20963@hk-s020.rsync.net:rolling/haruka"; + encryption.mode = "repokey-blake2"; + encryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass.path}"; + + environment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key"; + # use borg 1.0+ on rsync.net + environment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1"; + extraCreateArgs = "--verbose --stats --checkpoint-interval 600"; + compression = "auto,zstd"; + startAt = "hourly"; + persistentTimer = true; + }; + + systemd.services.borgbackup-job-haruka-rolling = { + preStart 
= lib.mkBefore '' + # Wait until internet is reachable after resuming + until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done + ''; + }; services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH"; @@ -268,22 +268,20 @@ ]; }; - #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml; - #SOPSsops.secrets.root-password.neededForUsers = true; - #SOPSsops.secrets.sefidel-password.neededForUsers = true; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.root-password.neededForUsers = true; + sops.secrets.sefidel-password.neededForUsers = true; users.mutableUsers = false; fileSystems."/persist".neededForBoot = true; users.users = { - #SOPSroot.passwordFile = config.sops.secrets.root-password.path; - root.password = "1111"; + root.passwordFile = config.sops.secrets.root-password.path; sefidel = { isNormalUser = true; shell = pkgs.zsh; - #SOPSpasswordFile = config.sops.secrets.sefidel-password.path; - password = "1111"; + passwordFile = config.sops.secrets.sefidel-password.path; extraGroups = [ "wheel" diff --git a/nixos/haruka/secrets/secrets.yaml b/nixos/haruka/secrets/secrets.yaml new file mode 100644 index 0000000..a59a2a8 --- /dev/null +++ b/nixos/haruka/secrets/secrets.yaml 
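Review bot: The `preStart` wait loop at the end of this hunk busy-spins: `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done` retries with no delay, so while the network is down after a resume the job burns a core, and nothing bounds how long the unit waits. Change the loop body to `do sleep 5; done`, and consider a `serviceConfig.TimeoutStartSec` so a persistent outage fails the job instead of hanging it. The probe also targets `rsync.net` rather than the repo host `hk-s020.rsync.net`, so it can succeed while the actual endpoint is unreachable. Since `persistentTimer = true` with `startAt = "hourly"` fires a missed run immediately at boot, this wait is most likely to trigger exactly when connectivity is still coming up.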
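Review bot: `root.passwordFile` and `passwordFile` are read as an already-hashed password (the NixOS option expects `chpasswd -e` format), so the `root-password` and `sefidel-password` values in the new secrets.yaml must hold a hash such as `mkpasswd -m sha-512` output, not the cleartext; that cannot be verified from the ciphertext here, and a cleartext value would silently leave both accounts without a working password rather than fail at build time. The removed `"1111"` literals remain in git history, so they should be treated as disclosed regardless of this change. With `neededForUsers = true` the secrets are decrypted before user creation, so the host age key (presumably derived from the SSH host key under `/persist`, given `BORG_RSH` in the earlier hunk) must be readable at that stage; `fileSystems."/persist".neededForBoot = true` covers the mount, but `sops.age.sshKeyPaths` is not in this diff and should be confirmed to point at that key. A one-line comment above `sops.defaultSopsFile`, e.g. `# user password hashes + borg passphrase, decrypted with the haruka host key`, would make the expected contents explicit.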
@@ -0,0 +1,32 @@
+root-password: ENC[AES256_GCM,data:5bmLUZ/JqQtelGz1UKmX4MfMAvZehq+K4S7VeujhAVkVOu28qP8uFM7/cAC3rLP3LHMWdF5Ktjd3AxL3BqG7pfsYzP1CJSg47w==,iv:/jIWyTjVro2tJTx3XXipeMVLXRsl2B2/ADXPDDQkttI=,tag:/TMZteWjARWCKufgqU1TiQ==,type:str]
+sefidel-password: ENC[AES256_GCM,data:/LpPSzpABh1y5DIU/0Ki9Rn9PDidAoG0zvus3UZC6wpIjGGjtUoCJnRKDDePw6hL3uM7wo8uGVANs8w5sDkwO33Neu2rNb6adQ==,iv:Bhgpej2yXXnUtwA2g4Yhj98iLzm0U2zHvdJcL/3ZugU=,tag:B+ua2H1xluy2/OH9P+/GJw==,type:str]
+borg-haruka-rolling-pass: ENC[AES256_GCM,data:JqmKd5VvdCq8Y6ks8bspQ2YC4X1gihTpeERs2rvK/w==,iv:+g+ZGraW76PASfht8tNF4c30zYUeiR8tTRqxu+ETdjQ=,tag:leFtuzalVnkWMFz5PSx9Xw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTEVyeU5DemlXcHVGR1Qx
+ dUFnanhpcDl2bEVGNjgwMUQvWG1JVS82YVNBCk9pUlJNUVFiZExFaktiOHN3WXVV
+ QVg4NHlTWUxsOFg3V1RwWHdFNlhyZGcKLS0tIHJsSFllOFg5dDZNaVRQUm41dTRN
+ L2ZDaW1ZSGtTVWxXRzQwcGNHU1k2ak0KEVQI+rUCm+GbJLDvooYJ7XneISszeSoM
+ tqji07emPkVWfz/B6lbB4sTfSf9ZFLk8MssFeqxO5Y7yhWsqaULYCQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQnFJTmtvTUVackVuNXQw
+ TGJXdzhvQVlZbGQ2Wko2bElVeXU2NjV2TWpvCndkNVU2cnpoQnBjaHRPZ1dLbjNq
+ aTJ1eG1FQkhONzFYdWhqSmRQRFdLSEkKLS0tIEZJRzdmWWZTNm9XbGk5R3FKYk0y
+ NEt0ZUdHekFsc1ZPY0NkdkFmSXBicTgKWd6zebmSjrwokehdz3L5x61XNf3Mn1g/
+ II/uRkYH7UXuw7Hji/Maa4JsWmdWtNhqMQPvd0WBGZQpbeWwqwBuFA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-14T11:22:16Z"
+ mac: ENC[AES256_GCM,data:dSNP4IWtyKTshrIBSADR5TdK4edi8NOKqC+/MSgZTnq3jxc5j6rE32vFJAJaezzbbypIcXy6H6IK/YpvBVa6YThDQaG3LVvmmqWzhJtpRLJakNGfbreKnbOWog7XOSOGPUi5f5g+IQZhO7XX1oP6RmmbxHGNRCPMPPalJRuPakI=,iv:wkSp20znSxToZBEHzsTxI7F1eOiSLs/MwQcH52G8D6w=,tag:0okZjKoZZE//906lzOs2FQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
-- cgit 1.4.1