From 379980b29e5d1e2f6871dd4c7aa6ec0d6ae02b3f Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 14 Sep 2023 20:56:34 +0900
Subject: feat(home,nixos/haruka): sops secrets setup

---
 nixos/haruka/configuration.nix | 88 +++++++++++++++++++--------------------
 nixos/haruka/secrets/secrets.yaml | 32 ++++++++++++++
 2 files changed, 75 insertions(+), 45 deletions(-)
 create mode 100644 nixos/haruka/secrets/secrets.yaml
(limited to 'nixos/haruka')
diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix
index 5f1d715..c6aecdc 100644
--- a/nixos/haruka/configuration.nix
+++ b/nixos/haruka/configuration.nix
@@ -108,44 +108,44 @@ } ]; - #SOPSsops.secrets.borg-haruka-rolling-pass = { }; - #SOPSservices.borgbackup.jobs.haruka-rolling = { - #SOPSpaths = [ - #SOPS"/persist" - #SOPS"/home" - #SOPS]; - - #SOPSexclude = [ - #SOPS# Rust build files - #SOPS"**/target" - #SOPS]; - - #SOPSprune.keep = { - #SOPSwithin = "1d"; - #SOPSdaily = 7; - #SOPSweekly = 4; - #SOPSmonthly = 3; - #SOPS}; - - #SOPSrepo = "20963@hk-s020.rsync.net:rolling/haruka"; - #SOPSencryption.mode = "repokey-blake2"; - #SOPSencryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass}"; - - #SOPSenvironment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key"; - #SOPS# use borg 1.0+ on rsync.net - #SOPSenvironment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1"; - #SOPSextraCreateArgs = "--verbose --stats --checkpoint-interval 600"; - #SOPScompression = "auto,zstd"; - #SOPSstartAt = "hourly"; - #SOPSpersistentTimer = true; - #SOPS}; - - #SOPSsystemd.services.borgbackup-job-haruka-rolling = { - #SOPSpreStart = lib.mkBefore '' - #SOPS# Wait until internet is reachable after resuming - #SOPSuntil /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done - #SOPS''; - #SOPS}; + sops.secrets.borg-haruka-rolling-pass = { }; + services.borgbackup.jobs.haruka-rolling = { + paths = [ + "/persist" + "/home" + ]; + + exclude = [ + # Rust build files + "**/target" + ]; + + prune.keep = { + within = "1d"; + daily = 7; + weekly = 4; + monthly = 3; + }; + + repo = "20963@hk-s020.rsync.net:rolling/haruka"; + encryption.mode = "repokey-blake2"; + encryption.passCommand = "cat ${config.sops.secrets.borg-haruka-rolling-pass.path}"; + + environment.BORG_RSH = "ssh -i /persist/ssh/ssh_host_ed25519_key"; + # use borg 1.0+ on rsync.net + environment.BORG_REMOTE_PATH = "/usr/local/bin/borg1/borg1"; + extraCreateArgs = "--verbose --stats --checkpoint-interval 600"; + compression = "auto,zstd"; + startAt = "hourly"; + persistentTimer = true; + }; + + systemd.services.borgbackup-job-haruka-rolling = { + preStart 
= lib.mkBefore '' + # Wait until internet is reachable after resuming + until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done + ''; + }; services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH"; @@ -268,22 +268,20 @@ ]; }; - #SOPSsops.defaultSopsFile = ./secrets/secrets.yaml; - #SOPSsops.secrets.root-password.neededForUsers = true; - #SOPSsops.secrets.sefidel-password.neededForUsers = true; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.root-password.neededForUsers = true; + sops.secrets.sefidel-password.neededForUsers = true; users.mutableUsers = false; fileSystems."/persist".neededForBoot = true; users.users = { - #SOPSroot.passwordFile = config.sops.secrets.root-password.path; - root.password = "1111"; + root.passwordFile = config.sops.secrets.root-password.path; sefidel = { isNormalUser = true; shell = pkgs.zsh; - #SOPSpasswordFile = config.sops.secrets.sefidel-password.path; - password = "1111"; + passwordFile = config.sops.secrets.sefidel-password.path; extraGroups = [ "wheel" diff --git a/nixos/haruka/secrets/secrets.yaml b/nixos/haruka/secrets/secrets.yaml new file mode 100644 index 0000000..a59a2a8 --- /dev/null +++ b/nixos/haruka/secrets/secrets.yaml 
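Review bot: The `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do :; done` loop in the new preStart has no delay and no bound, so a host whose uplink never comes back after resume spins a core indefinitely while the unit sits in activating; `until /run/wrappers/bin/ping rsync.net -c1 -q >/dev/null; do sleep 5; done` keeps the intent without the busy-wait, and a start timeout on the unit (or a retry counter in the loop) would turn a lasting outage into a failed run that the hourly timer simply retries. Separately, `environment.BORG_RSH` hands the host's own SSH key to the backup job, so the machine's SSH identity doubles as the credential for the rsync.net account; if that reuse is deliberate a comment on that line should say so, otherwise a dedicated key for the backup account would keep the two from sharing a compromise. The attribute set these lines belong to opens and closes outside the hunk.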
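Review bot: `root.passwordFile` and `sefidel.passwordFile` now read the sops secrets, but the option expects an already-hashed password (the `$6$…`/`$y$…` form mkpasswd produces), not the plaintext `"1111"` these lines replace, and nothing in the diff shows which form the encrypted values hold; a comment such as `# values must be password hashes (mkpasswd output), not plaintext` next to the two `neededForUsers` lines would save the next editor a lockout, since `users.mutableUsers = false` leaves no fallback. If either secret fails to decrypt during early activation the account ends up with no usable password, so the decryption key must be reachable at that point; the `fileSystems."/persist".neededForBoot = true` context line presumably serves that purpose if the age key is derived from the host key under /persist — confirm and note it. On NixOS releases after this commit `passwordFile` is deprecated in favour of `hashedPasswordFile`, which these two lines will eventually need. The users block continues outside the hunk.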
@@ -0,0 +1,32 @@ +root-password: ENC[AES256_GCM,data:5bmLUZ/JqQtelGz1UKmX4MfMAvZehq+K4S7VeujhAVkVOu28qP8uFM7/cAC3rLP3LHMWdF5Ktjd3AxL3BqG7pfsYzP1CJSg47w==,iv:/jIWyTjVro2tJTx3XXipeMVLXRsl2B2/ADXPDDQkttI=,tag:/TMZteWjARWCKufgqU1TiQ==,type:str] +sefidel-password: ENC[AES256_GCM,data:/LpPSzpABh1y5DIU/0Ki9Rn9PDidAoG0zvus3UZC6wpIjGGjtUoCJnRKDDePw6hL3uM7wo8uGVANs8w5sDkwO33Neu2rNb6adQ==,iv:Bhgpej2yXXnUtwA2g4Yhj98iLzm0U2zHvdJcL/3ZugU=,tag:B+ua2H1xluy2/OH9P+/GJw==,type:str] +borg-haruka-rolling-pass: ENC[AES256_GCM,data:JqmKd5VvdCq8Y6ks8bspQ2YC4X1gihTpeERs2rvK/w==,iv:+g+ZGraW76PASfht8tNF4c30zYUeiR8tTRqxu+ETdjQ=,tag:leFtuzalVnkWMFz5PSx9Xw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTEVyeU5DemlXcHVGR1Qx + dUFnanhpcDl2bEVGNjgwMUQvWG1JVS82YVNBCk9pUlJNUVFiZExFaktiOHN3WXVV + QVg4NHlTWUxsOFg3V1RwWHdFNlhyZGcKLS0tIHJsSFllOFg5dDZNaVRQUm41dTRN + L2ZDaW1ZSGtTVWxXRzQwcGNHU1k2ak0KEVQI+rUCm+GbJLDvooYJ7XneISszeSoM + tqji07emPkVWfz/B6lbB4sTfSf9ZFLk8MssFeqxO5Y7yhWsqaULYCQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hn509x2uuk0nrvfkaexwrengdtngh8uwx6fxldfgn8f4hhhsqdwsgnprr7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQnFJTmtvTUVackVuNXQw + TGJXdzhvQVlZbGQ2Wko2bElVeXU2NjV2TWpvCndkNVU2cnpoQnBjaHRPZ1dLbjNq + aTJ1eG1FQkhONzFYdWhqSmRQRFdLSEkKLS0tIEZJRzdmWWZTNm9XbGk5R3FKYk0y + NEt0ZUdHekFsc1ZPY0NkdkFmSXBicTgKWd6zebmSjrwokehdz3L5x61XNf3Mn1g/ + II/uRkYH7UXuw7Hji/Maa4JsWmdWtNhqMQPvd0WBGZQpbeWwqwBuFA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-14T11:22:16Z" + mac: 
ENC[AES256_GCM,data:dSNP4IWtyKTshrIBSADR5TdK4edi8NOKqC+/MSgZTnq3jxc5j6rE32vFJAJaezzbbypIcXy6H6IK/YpvBVa6YThDQaG3LVvmmqWzhJtpRLJakNGfbreKnbOWog7XOSOGPUi5f5g+IQZhO7XX1oP6RmmbxHGNRCPMPPalJRuPakI=,iv:wkSp20znSxToZBEHzsTxI7F1eOiSLs/MwQcH52G8D6w=,tag:0okZjKoZZE//906lzOs2FQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 -- cgit 1.4.1
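Review bot: The two age recipients in this file are not identified anywhere in the diff, so a reader cannot tell which key belongs to the haruka host and which to the operator, and neither can whoever has to rotate one of them later; presumably a `.sops.yaml` creation rule outside `nixos/haruka` names them — confirm, and if sops preserves comments for this file a `# recipient: <who>` line per entry would help. Note also that `unencrypted_suffix: _unencrypted` means any key later added with that suffix is committed in cleartext; none of the three keys here uses it.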