diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
new file mode 100644
index 0000000..3ba21b5
--- /dev/null
+++ b/nixos/.sops.yaml
@@ -0,0 +1,15 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ - &thinkman age1t485hyawp2zfddetpa7ss2qn8zjk6fh2rjwjs3mcqq7u9lwh9eaqe9244x
+ - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *admin_felix
+ - *thinkman
+ - *serverle
diff --git a/nixos/secrets/keys/disasm.asc b/nixos/secrets/keys/disasm.asc
new file mode 100644
index 0000000..e69de29
diff --git a/nixos/serverle/backup.nix b/nixos/serverle/backup.nix
index 96cbf74..561f474 100644
--- a/nixos/serverle/backup.nix
+++ b/nixos/serverle/backup.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }: let - cfg = import ./vars-backup.nix; + borgbackupPath = "u181505-sub1@u181505-sub1.your-storagebox.de:serverle/"; borgbackupMonitor = { config, pkgs, lib, ... }: with lib; { key = "borgbackupMonitor"; _file = "borgbackupMonitor";
@@ -28,6 +28,10 @@ in
 borgbackupMonitor ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.borgbackup_password = { }; + sops.secrets.borgbackup_private_ssh_key = { }; + services.borgbackup.jobs.hetzner = { paths = [ "/"
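Review bot: The single creation rule `path_regex: secrets.yaml$` hands every host's secrets file to all three age keys, so a `sops updatekeys` on either `nixos/serverle/secrets.yaml` or `nixos/thinkman/secrets.yaml` would let each host decrypt the other's borg SSH key and passphrase; the two committed files are currently encrypted to only two recipients each, which no longer matches this rule. Scoping the rules per host directory, e.g. `- path_regex: serverle/secrets\.yaml$` with `key_groups: [ { age: [ *admin_felix, *serverle ] } ]` and the mirror rule for thinkman, keeps compromise of one host from exposing the other's backup credentials and makes the rule agree with the files. The new `nixos/secrets/keys/disasm.asc` is an empty blob (`e69de29`) and both secrets files list `pgp: []`, so it looks like an accidental add rather than a recipient key.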
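Review bot: `borgbackupPath` now embeds the storage-box account and host in the Nix expression (and thus in the world-readable Nix store) while `nixos/serverle/secrets.yaml` in this same diff also carries them encrypted as `borgbackup_user`, `borgbackup_host` and `borgbackup_dir`; none of those three is declared under `sops.secrets` anywhere in this diff, so the encrypted copies appear to be dead data and the values are committed in cleartext anyway. The repo location is not a credential, so the pragmatic fix is to drop the three unused entries from the secrets file and state the intent next to the literal: `# Storage-box login and repo path; not secret — the SSH key and passphrase come from sops.` `nixos/thinkman/backup.nix` later in this diff hard-codes its path the same way, although its secrets file does not carry the unused entries. The `let` block opened in this hunk closes outside it.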
@@ -55,10 +59,10 @@ in
 extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat /root/.borg_password";
+ passCommand = "cat ${config.sops.secrets.borgbackup_password.path}";
 };
- environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23";
- repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}";
+ environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i ${config.sops.secrets.borgbackup_private_ssh_key.path} -p 23";
+ repo = borgbackupPath;
 compression = "auto,zstd";
 doInit = false;
 startAt = "daily";
diff --git a/nixos/serverle/configuration.nix b/nixos/serverle/configuration.nix
index 195ba40..e09c692 100644
--- a/nixos/serverle/configuration.nix
+++ b/nixos/serverle/configuration.nix
@@ -24,6 +24,8 @@
 ]; networking.hostName = "serverle"; + sops.defaultSopsFile = ./secrets.yaml; + #environment.noXlibs = true; networking.firewall.allowedTCPPorts = [
diff --git a/nixos/serverle/secrets.yaml b/nixos/serverle/secrets.yaml
new file mode 100644
index 0000000..7c7160f
--- /dev/null
+++ b/nixos/serverle/secrets.yaml
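Review bot: The new `environment.BORG_RSH` line keeps `-o 'StrictHostKeyChecking=no'`, so the now sops-managed SSH key authenticates to whatever host answers on port 23 for that name; a host impersonating the storage box would receive the backup traffic, including the passphrase-protected repokey, and could hand back tampered data on restore. The storage-box host key is static, so pin it: `environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=yes' -i ${config.sops.secrets.borgbackup_private_ssh_key.path} -p 23";` together with an entry under `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=` pointing at a file in the Nix store). The hunk at the same offset in `nixos/thinkman/backup.nix` carries the identical line. The enclosing `services.borgbackup.jobs.hetzner` attribute set starts before this hunk.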
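Review bot: `sops.defaultSopsFile = ./secrets.yaml;` is defined here and again in `nixos/serverle/backup.nix` earlier in this diff; both resolve to the same file so evaluation succeeds, but a different value in either place would fail with a conflicting-definition error, and a reader of `backup.nix` cannot tell which definition is authoritative. Keep it in one place — `configuration.nix` is the natural one — and drop it from `backup.nix`, or record the convention: `# sops.defaultSopsFile is set once here; modules only declare sops.secrets.<name>.` The thinkman pair (`nixos/thinkman/configuration.nix` and `nixos/thinkman/backup.nix`) duplicates it the same way.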
@@ -0,0 +1,34 @@
+borgbackup_user: ENC[AES256_GCM,data:9eCWsSi9U2b4XKKc,iv:PDS8TrbmU5XmefLFdi8XIQeu9Rq0y+yJkdGrND6F3ts=,tag:651RHA5y6all5+2rhdjCdg==,type:str]
+borgbackup_host: ENC[AES256_GCM,data:qYwTGE5kdp/jsKK8scVAUCXfOAi787lwiFB3VlntIg==,iv:sFerbhHMCw1lwm9CzAAW7G1JwuZxvTxMzoKP6U5l7bI=,tag:Mi1QFDUo5rWzKXBQ1fsrZg==,type:str]
+borgbackup_dir: ENC[AES256_GCM,data:14thrxUMOl+2,iv:yjvQMCwcpN/AqbE/oLBNYbk3FpPHHibKZrxnK1gBdTY=,tag:CbEgg3WsNZ9MLw6iAMMW5A==,type:str]
+borgbackup_password: ENC[AES256_GCM,data:+i3uY8b5K558QD86dtuAmaIxHDbh0k8=,iv:dvhqQYKY9ZvZVKs/j3mD3mqF5B6IgSX2RCC14eOMxJc=,tag:X8gJU1iOQGQfjJh4MaRYQg==,type:str]
+borgbackup_private_ssh_key: ENC[AES256_GCM,data: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,iv:4ZS/6PfyUwXlFaCYxpO0VkjBoH9zM9DJvF5I7fLYR+M=,tag:9m6RHNgr9TunQJp1Q5MqJA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5STRaTnBIRFptdlBMenh4
+ UnhKdlQ1bDVzQzJqenRHeERWeU1pRU9vT2tRCitBVFhBbXMvQ0p2YUs0b0d2Q2hW
+ aHVxRWVnMWw2dkNIVVBBN1pTaUZIeWcKLS0tIEZZN3haVkVJL2dnRW05WDhtenJI
+ YlZ5RVdyOFBVVkJmRUFIeGFEbW1XdkUKM0U4vXxIbHx31btXdRVB4oXRiEPbDK2L
+ nY/sf0N9AOnR3n+RaoCF+gM7VlykKECKsbW538Lba6nX46FZc+LcCQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWovR2dKYjNZaFZ1czJ0
+ VFZUMytvb0dKUk5qb3F5ZHpnci9ibUt0QlJjClZ6YUdrZWJLb1d1bEFNNzgwWnRH
+ amVxYldDU21HUk5jUENQV0dSSGtqSE0KLS0tIE12WGFUU1gyM1l5U2ZhM2c1d1JW
+ SkFGQ04yWEhBY3FPSE5RaXZ6N1NmSUkKpLf4gOnPBx1ao5slYIfvK9sShRep2bqO
+ IZvlGcsX1EHP0WB8XT1f9GUjBaEM1ZdIlXfaWRW2DDrDbgs+usQq2A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-03T19:52:20Z"
+ mac: ENC[AES256_GCM,data:0TXzyknsWGQFRx1gEexioarG7UNynpVSV8wLG3wCr7ACDpXARYauj9knaksq+wi7/M3YJarZ9kHkPXUyQLdfpiss3su6DXc6XzJ8vJNUJ5tjUeMRD7SoAOBJyrO8N7/f9Jc79hGJvfyBC3yZBDloMnJ7fqiRCAwcrvja69aCgIQ=,iv:dnogW59lF+ycTRdRDJvOXTgMNhoEUNkKVqWcmMDtFC4=,tag:y3d/awlTl/Fj08SPhF1zgw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixos/serverle/vars-backup.nix b/nixos/serverle/vars-backup.nix
deleted file mode 100644
index 64a39e7..0000000
--- a/nixos/serverle/vars-backup.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- borg = {
- user = "u181505-sub1";
- host = "u181505-sub1.your-storagebox.de";
- dir = "serverle/";
- };
-}
diff --git a/nixos/thinkman/backup.nix b/nixos/thinkman/backup.nix
index 96cbf74..daf4754 100644
--- a/nixos/thinkman/backup.nix
+++ b/nixos/thinkman/backup.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }: let - cfg = import ./vars-backup.nix; + borgbackupPath = "u181505-sub1@u181505-sub1.your-storagebox.de:thinkman/"; borgbackupMonitor = { config, pkgs, lib, ... }: with lib; { key = "borgbackupMonitor"; _file = "borgbackupMonitor";
@@ -28,6 +28,10 @@ in
 borgbackupMonitor ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.borgbackup_password = { }; + sops.secrets.borgbackup_private_ssh_key = { }; + services.borgbackup.jobs.hetzner = { paths = [ "/"
@@ -55,10 +59,10 @@ in
 extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat /root/.borg_password";
+ passCommand = "cat ${config.sops.secrets.borgbackup_password.path}";
 };
- environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23";
- repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}";
+ environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i ${config.sops.secrets.borgbackup_private_ssh_key.path} -p 23";
+ repo = borgbackupPath;
 compression = "auto,zstd";
 doInit = false;
 startAt = "daily";
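Review bot: Of the five entries, only `borgbackup_password` and `borgbackup_private_ssh_key` are consumed (declared under `sops.secrets` in `nixos/serverle/backup.nix` in this diff); `borgbackup_user`, `borgbackup_host` and `borgbackup_dir` are encrypted here while their cleartext is committed in that same file as `borgbackupPath`, so they should be removed to keep the secret file minimal and avoid two diverging sources for the same value. The file is encrypted to `age1hf8m9…` and `age14nt7…` only, which is the right least-privilege set if the `.sops.yaml` anchors are accurate (admin plus serverle), but it disagrees with the creation rule that lists all three keys; aligning the rule prevents a later `sops updatekeys` from quietly adding thinkman's key to serverle's backup credentials.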
diff --git a/nixos/thinkman/configuration.nix b/nixos/thinkman/configuration.nix
index 861abd1..0c75b12 100644
--- a/nixos/thinkman/configuration.nix
+++ b/nixos/thinkman/configuration.nix
@@ -40,6 +40,9 @@
 networking.hostName = "thinkman"; + sops.defaultSopsFile = ./secrets.yaml; + sops.age.sshKeyPaths = [ "/home/felix/.ssh/keys/local_ed25519" ]; + # Use latest kernel boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/nixos/thinkman/secrets.yaml b/nixos/thinkman/secrets.yaml
new file mode 100644
index 0000000..0893cb5
--- /dev/null
+++ b/nixos/thinkman/secrets.yaml
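Review bot: `sops.age.sshKeyPaths = [ "/home/felix/.ssh/keys/local_ed25519" ]` makes host secret decryption depend on a key in a user's home directory: sops-nix decrypts as root during activation, so that path must already be readable then (not on a late-mounted or user-encrypted home), and losing or rotating felix's personal key breaks the host's secrets rather than just his login. The host's own `/etc/ssh/ssh_host_ed25519_key` (the sops-nix default, which `nixos/serverle/configuration.nix` in this diff relies on) is the conventional choice; if the personal key is deliberate, say so next to the option: `# Decrypt host secrets with felix's key instead of the host key; presumably maps to one of the recipients in ./secrets.yaml — confirm with ssh-to-age.` The enclosing attribute set starts before this hunk.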
@@ -0,0 +1,31 @@
+borgbackup_password: ENC[AES256_GCM,data:+LCiZ3ttCR4lsy3vJPPUdhbSKxbghoT3lg==,iv:FaIJoZggZNCRuHyfWUQ+DDSBFzbP8Nh90nn7+gUlRak=,tag:7FysidMti7NBkLyHvoYZtw==,type:str]
+borgbackup_private_ssh_key: ENC[AES256_GCM,data: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,iv:v73n2tYZ2b4NF0xjeBvC3rKijkchb93xZA+Z9LUzBqE=,tag:6yhSJH3UB3Rajr36WdcXfA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRUo1SC9MbkFveEQrczU4
+ OCtoZ1g0MDFjOGp3WHZ6d0gwVjNHcEdsckRBClhHblhwT2xicWJKazZjbm4xeEVU
+ alRBTksxUEloeDJWdC9wU3VmQ2YyWjAKLS0tIEZHNUlNUXNvd2JMTlllcldTeW44
+ T1JrV210WWQ3VTV0dEtidXoyMXQ0UmcKqFDvDdAVDjO23xZYQzmnmf7fbp23RnRC
+ 6Uyi7N5nuJib3GWnMiiPfNI9aeq0IpehuevrvrPhsY42jqx7n+z/ug==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMzUxdEZEaGRuTTlNQ0Fk
+ YXB3TTZLR1BMMW1wd0dWM21JSmtCbVJJU1JNClNrdk9pM3NvaU5xdG1HZ2lqWW9v
+ ZTJqeHJxL1dJbUN4aDZUU3V4QVM3QWMKLS0tIG1tR1A2V3FDMW1lZWJSanpKTGdi
+ V0RYMTRlSmtxQXgxeURDTWoxNW40MEUKsAaewEOrlH3XFXLs4vGt62J3uU9hlbkN
+ a+3MDTcPzwTdT46q7cRp/vLFvEtWj1alwY+wzF8m3H4aLy2pdKz7+g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-03T20:28:28Z"
+ mac: ENC[AES256_GCM,data:a0K63CIODtYkzE/ewcT3mBe9xqY1pOp5VZmlmLiQKo7MtC0FNHdgBA0fyvvhqtDK9qf6CiKOY3UgkZ9kzSBkZh6Cm5wih5d+Ga7NFkhtBCfimaBi5tCjWlOnE4veU501fcieO3rmelj13D33cFfQjVzUHpJcm+3/bZEkbViIMiU=,iv:cZyb56UV370QojhMslbfwPv3Fxqs1hrkmay5bJ/gEr0=,tag:XDTaVUEz10/gBpvzy0ERDA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixos/thinkman/vars-backup.nix b/nixos/thinkman/vars-backup.nix
deleted file mode 100644
index 1eca17c..0000000
--- a/nixos/thinkman/vars-backup.nix
+++ /dev/null
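Review bot: The recipients here are `age14nt7…` and `age1hf8m9…`, which `.sops.yaml` in this diff labels `serverle` and `admin_felix`; the `&thinkman` key `age1t485…` is absent, so if the anchors are accurate thinkman can only decrypt its own file when `/home/felix/.ssh/keys/local_ed25519` corresponds to one of the two listed recipients, while the serverle host can read thinkman's borg SSH key and passphrase. That is either a mislabeled key or a mixed-up recipient set, and either way it crosses a host boundary; re-encrypt with `sops updatekeys` after giving this path its own creation rule limited to `*admin_felix` and `*thinkman`. Each host's backup credentials should be decryptable only by that host and the admin.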
@@ -1,7 +0,0 @@
-{
- borg = {
- user = "u181505-sub1";
- host = "u181505-sub1.your-storagebox.de";
- dir = "thinkman/";
- };
-}