sops-nix: use secret storage for backup

This commit is contained in:
Felix Buehler 2022-06-03 23:32:36 +02:00
parent 24b1041da6
commit 165778f672
10 changed files with 101 additions and 22 deletions

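--- /dev/null
+++ b/nixos/.sops.yaml
@@ -0,0 +1,15 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+- &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+- &thinkman age1t485hyawp2zfddetpa7ss2qn8zjk6fh2rjwjs3mcqq7u9lwh9eaqe9244x
+- &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *admin_felix
+- *thinkman
+- *serverle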
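Review bot: The single creation rule `path_regex: secrets.yaml$` has an unescaped dot and no directory component, so every file whose name ends in `secrets.yaml` (anywhere under this directory) is encrypted to all three recipients; `path_regex: secrets\.yaml$` fixes the pattern, but the larger issue is that each host only needs to decrypt its own file. One rule per host directory, e.g. `path_regex: serverle/secrets\.yaml$` listing `*admin_felix` and `*serverle`, and the matching rule for thinkman, keeps one host's borg passphrase and SSH key out of the other host's reach. Note also that the `&thinkman` key declared here does not appear among the `age:` recipients of either encrypted file in this commit, which suggests the rules were not applied (`sops updatekeys`) after being written.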



@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = import ./vars-backup.nix; borgbackupPath = "u181505-sub1@u181505-sub1.your-storagebox.de:serverle/";
borgbackupMonitor = { config, pkgs, lib, ... }: with lib; { borgbackupMonitor = { config, pkgs, lib, ... }: with lib; {
key = "borgbackupMonitor"; key = "borgbackupMonitor";
_file = "borgbackupMonitor"; _file = "borgbackupMonitor";
@ -28,6 +28,10 @@ in
borgbackupMonitor borgbackupMonitor
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.borgbackup_password = { };
sops.secrets.borgbackup_private_ssh_key = { };
services.borgbackup.jobs.hetzner = { services.borgbackup.jobs.hetzner = {
paths = [ paths = [
"/" "/"
@ -55,10 +59,10 @@ in
extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats"; extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat /root/.borg_password"; passCommand = "cat ${config.sops.secrets.borgbackup_password.path}";
}; };
environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23"; environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i ${config.sops.secrets.borgbackup_private_ssh_key.path} -p 23";
repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}"; repo = borgbackupPath;
compression = "auto,zstd"; compression = "auto,zstd";
doInit = false; doInit = false;
startAt = "daily"; startAt = "daily";
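Review bot: `repo = borgbackupPath;` now takes the storage-box account, host and directory from the hard-coded `let` binding, yet serverle's new secrets.yaml in this commit still carries encrypted `borgbackup_user`, `borgbackup_host` and `borgbackup_dir` entries that no `sops.secrets.*` declaration consumes; unless they are read elsewhere they are dead and should be dropped, or a comment such as `# repo target is not secret; only the passphrase and SSH key live in sops` should record the split. The rewritten `environment.BORG_RSH` line keeps `-o 'StrictHostKeyChecking=no'`, so the identity of the backup target is still never verified even though the private key is now properly managed; pinning the storage box's host key with `programs.ssh.knownHosts` and using `StrictHostKeyChecking=yes` would close that gap. The same two points apply to the thinkman backup module hunk later in this commit. The enclosing `services.borgbackup.jobs.hetzner` attribute set continues past the hunk.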


@ -24,6 +24,8 @@
]; ];
networking.hostName = "serverle"; networking.hostName = "serverle";
sops.defaultSopsFile = ./secrets.yaml;
#environment.noXlibs = true; #environment.noXlibs = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
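Review bot: `sops.defaultSopsFile = ./secrets.yaml;` is also defined in the serverle backup module earlier in this commit (and the thinkman pair repeats the same duplication); if both modules sit in the same directory the definitions agree and are merely redundant, but keeping the option in one place avoids a conflicting-definition error the moment one of the files moves. The enclosing attribute set starts and ends outside the hunk.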


@ -0,0 +1,34 @@
borgbackup_user: ENC[AES256_GCM,data:9eCWsSi9U2b4XKKc,iv:PDS8TrbmU5XmefLFdi8XIQeu9Rq0y+yJkdGrND6F3ts=,tag:651RHA5y6all5+2rhdjCdg==,type:str]
borgbackup_host: ENC[AES256_GCM,data:qYwTGE5kdp/jsKK8scVAUCXfOAi787lwiFB3VlntIg==,iv:sFerbhHMCw1lwm9CzAAW7G1JwuZxvTxMzoKP6U5l7bI=,tag:Mi1QFDUo5rWzKXBQ1fsrZg==,type:str]
borgbackup_dir: ENC[AES256_GCM,data:14thrxUMOl+2,iv:yjvQMCwcpN/AqbE/oLBNYbk3FpPHHibKZrxnK1gBdTY=,tag:CbEgg3WsNZ9MLw6iAMMW5A==,type:str]
borgbackup_password: ENC[AES256_GCM,data:+i3uY8b5K558QD86dtuAmaIxHDbh0k8=,iv:dvhqQYKY9ZvZVKs/j3mD3mqF5B6IgSX2RCC14eOMxJc=,tag:X8gJU1iOQGQfjJh4MaRYQg==,type:str]
borgbackup_private_ssh_key: ENC[AES256_GCM,data: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,iv:4ZS/6PfyUwXlFaCYxpO0VkjBoH9zM9DJvF5I7fLYR+M=,tag:9m6RHNgr9TunQJp1Q5MqJA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5STRaTnBIRFptdlBMenh4
UnhKdlQ1bDVzQzJqenRHeERWeU1pRU9vT2tRCitBVFhBbXMvQ0p2YUs0b0d2Q2hW
aHVxRWVnMWw2dkNIVVBBN1pTaUZIeWcKLS0tIEZZN3haVkVJL2dnRW05WDhtenJI
YlZ5RVdyOFBVVkJmRUFIeGFEbW1XdkUKM0U4vXxIbHx31btXdRVB4oXRiEPbDK2L
nY/sf0N9AOnR3n+RaoCF+gM7VlykKECKsbW538Lba6nX46FZc+LcCQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWovR2dKYjNZaFZ1czJ0
VFZUMytvb0dKUk5qb3F5ZHpnci9ibUt0QlJjClZ6YUdrZWJLb1d1bEFNNzgwWnRH
amVxYldDU21HUk5jUENQV0dSSGtqSE0KLS0tIE12WGFUU1gyM1l5U2ZhM2c1d1JW
SkFGQ04yWEhBY3FPSE5RaXZ6N1NmSUkKpLf4gOnPBx1ao5slYIfvK9sShRep2bqO
IZvlGcsX1EHP0WB8XT1f9GUjBaEM1ZdIlXfaWRW2DDrDbgs+usQq2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-03T19:52:20Z"
mac: ENC[AES256_GCM,data:0TXzyknsWGQFRx1gEexioarG7UNynpVSV8wLG3wCr7ACDpXARYauj9knaksq+wi7/M3YJarZ9kHkPXUyQLdfpiss3su6DXc6XzJ8vJNUJ5tjUeMRD7SoAOBJyrO8N7/f9Jc79hGJvfyBC3yZBDloMnJ7fqiRCAwcrvja69aCgIQ=,iv:dnogW59lF+ycTRdRDJvOXTgMNhoEUNkKVqWcmMDtFC4=,tag:y3d/awlTl/Fj08SPhF1zgw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,7 +0,0 @@
{
borg = {
user = "u181505-sub1";
host = "u181505-sub1.your-storagebox.de";
dir = "serverle/";
};
}


@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = import ./vars-backup.nix; borgbackupPath = "u181505-sub1@u181505-sub1.your-storagebox.de:thinkman/";
borgbackupMonitor = { config, pkgs, lib, ... }: with lib; { borgbackupMonitor = { config, pkgs, lib, ... }: with lib; {
key = "borgbackupMonitor"; key = "borgbackupMonitor";
_file = "borgbackupMonitor"; _file = "borgbackupMonitor";
@ -28,6 +28,10 @@ in
borgbackupMonitor borgbackupMonitor
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.borgbackup_password = { };
sops.secrets.borgbackup_private_ssh_key = { };
services.borgbackup.jobs.hetzner = { services.borgbackup.jobs.hetzner = {
paths = [ paths = [
"/" "/"
@ -55,10 +59,10 @@ in
extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats"; extraCreateArgs = "--exclude-caches --keep-exclude-tags --stats";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat /root/.borg_password"; passCommand = "cat ${config.sops.secrets.borgbackup_password.path}";
}; };
environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i /root/.ssh/backup_ed25519 -p 23"; environment.BORG_RSH = "ssh -o 'StrictHostKeyChecking=no' -i ${config.sops.secrets.borgbackup_private_ssh_key.path} -p 23";
repo = "${cfg.borg.user}@${cfg.borg.host}:${cfg.borg.dir}"; repo = borgbackupPath;
compression = "auto,zstd"; compression = "auto,zstd";
doInit = false; doInit = false;
startAt = "daily"; startAt = "daily";


@ -40,6 +40,9 @@
networking.hostName = "thinkman"; networking.hostName = "thinkman";
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/home/felix/.ssh/keys/local_ed25519" ];
# Use latest kernel # Use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
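Review bot: `sops.age.sshKeyPaths = [ "/home/felix/.ssh/keys/local_ed25519" ];` makes root's decryption of every thinkman secret depend on a key file in a user's home directory: activation cannot decrypt if that path is unavailable or the key is moved, and the user owning the key can decrypt all host secrets without root. Deriving the age identity from the host's own ed25519 SSH host key (which sops-nix appears to use by default when openssh is enabled, to be confirmed) would keep host secrets under root's control and match the `&thinkman` recipient declared in nixos/.sops.yaml; if the personal key has to stay, a comment like `# decrypts with felix's personal key, not the host key — see nixos/.sops.yaml` should say why. The enclosing attribute set starts and ends outside the hunk.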


@ -0,0 +1,31 @@
borgbackup_password: ENC[AES256_GCM,data:+LCiZ3ttCR4lsy3vJPPUdhbSKxbghoT3lg==,iv:FaIJoZggZNCRuHyfWUQ+DDSBFzbP8Nh90nn7+gUlRak=,tag:7FysidMti7NBkLyHvoYZtw==,type:str]
borgbackup_private_ssh_key: ENC[AES256_GCM,data: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,iv:v73n2tYZ2b4NF0xjeBvC3rKijkchb93xZA+Z9LUzBqE=,tag:6yhSJH3UB3Rajr36WdcXfA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRUo1SC9MbkFveEQrczU4
OCtoZ1g0MDFjOGp3WHZ6d0gwVjNHcEdsckRBClhHblhwT2xicWJKazZjbm4xeEVU
alRBTksxUEloeDJWdC9wU3VmQ2YyWjAKLS0tIEZHNUlNUXNvd2JMTlllcldTeW44
T1JrV210WWQ3VTV0dEtidXoyMXQ0UmcKqFDvDdAVDjO23xZYQzmnmf7fbp23RnRC
6Uyi7N5nuJib3GWnMiiPfNI9aeq0IpehuevrvrPhsY42jqx7n+z/ug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMzUxdEZEaGRuTTlNQ0Fk
YXB3TTZLR1BMMW1wd0dWM21JSmtCbVJJU1JNClNrdk9pM3NvaU5xdG1HZ2lqWW9v
ZTJqeHJxL1dJbUN4aDZUU3V4QVM3QWMKLS0tIG1tR1A2V3FDMW1lZWJSanpKTGdi
V0RYMTRlSmtxQXgxeURDTWoxNW40MEUKsAaewEOrlH3XFXLs4vGt62J3uU9hlbkN
a+3MDTcPzwTdT46q7cRp/vLFvEtWj1alwY+wzF8m3H4aLy2pdKz7+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-03T20:28:28Z"
mac: ENC[AES256_GCM,data:a0K63CIODtYkzE/ewcT3mBe9xqY1pOp5VZmlmLiQKo7MtC0FNHdgBA0fyvvhqtDK9qf6CiKOY3UgkZ9kzSBkZh6Cm5wih5d+Ga7NFkhtBCfimaBi5tCjWlOnE4veU501fcieO3rmelj13D33cFfQjVzUHpJcm+3/bZEkbViIMiU=,iv:cZyb56UV370QojhMslbfwPv3Fxqs1hrkmay5bJ/gEr0=,tag:XDTaVUEz10/gBpvzy0ERDA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
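Review bot: The `age:` recipients of thinkman's secrets.yaml are `age14nt…`, which nixos/.sops.yaml labels `&serverle`, and `age1hf8…` (`&admin_felix`); the `&thinkman` key `age1t485…` is absent. As encrypted here the serverle machine can read thinkman's borg passphrase and private SSH key, while thinkman itself depends on the personal key configured in its configuration.nix. Re-encrypting for `&admin_felix` and `&thinkman` only (narrow the creation rule, then `sops updatekeys`) restores one host, one key.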


@ -1,7 +0,0 @@
{
borg = {
user = "u181505-sub1";
host = "u181505-sub1.your-storagebox.de";
dir = "thinkman/";
};
}