tasks/backup-archive: organize secrets and update remote backup

Gabriel Arazas 2022-07-20 12:00:51 +08:00
parent 9ba543d2fc
commit 01bf630a9d
2 changed files with 24 additions and 19 deletions
modules/nixos/tasks/backup-archive
secrets


@ -10,7 +10,7 @@ let
doInit = true;
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-password.path}";
passCommand = "cat ${config.sops.secrets."borg-backup/password".path}";
};
extraCreateArgs = lib.concatStringsSep " "
(builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
@ -45,12 +45,14 @@ in {
getKey = key: {
inherit key;
sopsFile = lib.getSecret "backup-archive.yaml";
name = "borg-backup/${key}";
}; in {
borg-patterns-home = getKey "borg-patterns/home";
borg-patterns-etc = getKey "borg-patterns/etc";
borg-patterns-keys = getKey "borg-patterns/keys";
borg-ssh-key = getKey "ssh-key";
borg-password = getKey "password";
"borg-backup/patterns/home" = getKey "borg-patterns/home";
"borg-backup/patterns/etc" = getKey "borg-patterns/etc";
"borg-backup/patterns/keys" = getKey "borg-patterns/keys";
"borg-backup/patterns/remote-backup" = getKey "borg-patterns/remote-backup";
"borg-backup/ssh-key" = getKey "ssh-key";
"borg-backup/password" = getKey "password";
};
fileSystems."/mnt/external-storage" = {
@ -97,10 +99,10 @@ in {
services.borgbackup.jobs = {
local-archive = borgJobCommonSetting {
patterns = [
config.sops.secrets.borg-patterns-home.path
config.sops.secrets.borg-patterns-etc.path
config.sops.secrets.borg-patterns-keys.path
patterns = with config.sops; [
secrets."borg-backup/patterns/home".path
secrets."borg-backup/patterns/etc".path
secrets."borg-backup/patterns/keys".path
];
} // {
doInit = false;
@ -110,10 +112,10 @@ in {
};
local-external-drive = borgJobCommonSetting {
patterns = [
config.sops.secrets.borg-patterns-home.path
config.sops.secrets.borg-patterns-etc.path
config.sops.secrets.borg-patterns-keys.path
patterns = with config.sops; [
secrets."borg-backup/patterns/home".path
secrets."borg-backup/patterns/etc".path
secrets."borg-backup/patterns/keys".path
];
} // {
doInit = false;
@ -123,17 +125,19 @@ in {
};
remote-borgbase = borgJobCommonSetting {
patterns = [ config.sops.secrets.borg-patterns-home.path ];
patterns = with config.sops; [
secrets."borg-backup/patterns/remote-backup".path
];
} // {
repo = "r6o30viv@r6o30viv.repo.borgbase.com:repo";
startAt = "daily";
environment.BORG_RSH = "ssh -i ${config.sops.secrets.borg-ssh-key.path}";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-backup/ssh-key".path}";
};
};
programs.ssh.extraConfig = ''
Host *.repo.borgbase.com
IdentityFile ${config.sops.secrets.borg-ssh-key.path}
IdentityFile ${config.sops.secrets."borg-backup/ssh-key".path}
'';
};
}
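Review bot: In `getKey`, the added `name = "borg-backup/${key}";` builds the on-disk secret name from the sops key rather than from the attribute name, so the entry declared as `"borg-backup/patterns/home"` would be materialized as `borg-backup/borg-patterns/home` (assuming sops-nix derives the default `path` from `name`). Every consumer visible in this section goes through `.path`, so the borg jobs, `BORG_RSH` and the `IdentityFile` line still resolve, but a literal path written from the attribute name would point at a file that does not exist. Either document this next to the helper, e.g. `# file name under the secrets dir is borg-backup/<sops key>; always reference it via .path`, or keep a single scheme by passing the file name to `getKey` explicitly. The `let` binding that holds `getKey` starts outside the hunk.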


@ -4,6 +4,7 @@ borg-patterns:
home: ENC[AES256_GCM,data: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,iv:gg7vbrzukPJj5WEL55gzX+EghZps5+rSJbWiCzJFE28=,tag:HYxQlwGM0de8lht9w+iiWA==,type:str]
etc: ENC[AES256_GCM,data:RUpVlNFuEVbhtfXio2N3XpDiYZPjNE1mqladh7iMB7gJX2HSivh5hqt4KkD3Bpl3zSClYqbS6GwxkQ46i5mXqJWl/vCNSFuWPg3qiw==,iv:QJnXrAHfJQJ7Gj4kTIh1RSAFfpBQCIkLIlgeYDsrHko=,tag:NzDm2lamC6YXVH9oBxet5A==,type:str]
keys: ENC[AES256_GCM,data:qrnNqEhStnsuCHjFgCC1fNUDLmIvHbXUzCFXK9PGudQtj5W6DJX6him1rkMNW5VltoFilHo4flRk6ebB+eWNq4eN4h/7/1a7IfoaIQDmpjl4/skbVpPA9wriEgFunY3dWyiH4Qu3MCBiDSIOKJrkD11o2FKnvudTSxavNkvccQI9Z5ALrHKc1t3I0NDt4sE4gfocAq1l6cfnRJ8CTs8ZcWtLTQ==,iv:4/CUrq/oq0qvEbGUS2udLiBLZeGuQZ/KiSueBCqAoV0=,tag:tPiRZW/0y1BqHdwR3KNuyQ==,type:str]
remote-backup: ENC[AES256_GCM,data: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,iv:woThiW9LNEBi1//3kUrmeoP0tynLGpXcJ5hRUNuvjdg=,tag:tAJ+GZtuI349Sen6zfSkIQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +29,8 @@ sops:
QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco
+7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-18T13:40:36Z"
mac: ENC[AES256_GCM,data:gcobfyFJyKLfde3HlNXUsUdBakISwUCeWVCudn9/sMn6ABNYAlkvOa3PDnYERfp8G8q3QKouyqw43qpWPm+NLIRJs7Db7dR0w4DZOklWuElTumiGFLOSWHafuSNDrSEQS4QZNtaZ4CzobtIKsR9nZ9Admwyf2Jywew2bWxyXV/E=,iv:tEm62tvWmnsdIaRoQNcc6k6mOOG/6CzJv960SLdU0EA=,tag:vVmRjyNlZbxZDds+po93kQ==,type:str]
lastmodified: "2022-07-20T03:15:04Z"
mac: ENC[AES256_GCM,data:R0ylA7RQg1SaD5+1qJTkc3/uoZHibbbMIA7z18eb3mTqiwWIChWbN4ikEBoin8k6CSkD37B3U6VTRxZVdpsz11BaZ2/JZM1hziccPOk229bFAfk+meTzIy2FAq7RoXPAe8dO69Iulm63tUemc3U9PQao1WEeZxG+TdVZ/Cu4AGY=,iv:XwSIDDs/N5AeFqvHHf52GIPDovbpfPkZTVJjaKgywKg=,tag:XlQTGGTQsHXsRJDFOfjhMA==,type:str]
pgp:
- created_at: "2022-07-18T13:19:32Z"
enc: |