hosts/plover: create separate passwords for different repos

2025-02-07 12:19:07 +00:00 · 2023-01-07 17:15:45 +08:00 · 2023-01-07 17:15:45 +08:00 · 7dc523903c
commit 7dc523903c
parent da827c6e30
2 changed files with 17 additions and 10 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -85,8 +85,9 @@ in
      "gitea/db/password".owner = giteaUserGroup;
      "gitea/smtp/password".owner = giteaUserGroup;
      "vaultwarden/env".owner = vaultwardenUserGroup;
-      "borg/patterns/keys" = { };
-      "borg/password" = { };
+      "borg/repos/host/patterns/keys" = { };
+      "borg/repos/host/password" = { };
+      "borg/repos/services/password" = { };
      "borg/ssh-key" = { };
      "keycloak/db/password".owner = postgresUserGroup;
    };
@ -486,14 +487,14 @@ in
  # production system. However, we're not professionals so we do have backups.
  services.borgbackup.jobs =
    let
-      jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo }: {
+      jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo, passCommand }: {
        inherit paths repo;
        compression = "zstd,11";
        dateFormat = "+%F-%H-%M-%S-%z";
        doInit = true;
        encryption = {
+          inherit passCommand;
          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."plover/borg/password".path}";
        };
        extraCreateArgs =
          let
@ -528,9 +529,10 @@ in
      # acceptable for it to be backed up monthly.
      host-backup = jobCommonSettings {
        patternFiles = [
-          config.sops.secrets."plover/borg/patterns/keys".path
+          config.sops.secrets."plover/borg/repos/host/patterns/keys".path
        ];
        repo = borgRepo "host";
+        passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}";
      };

      # Backups for various services.
@ -547,6 +549,7 @@ in
            config.services.postgresqlBackup.location
          ];
          repo = borgRepo "services";
+          passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
        } // { startAt = "weekly"; };
    };

--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
@ -16,9 +16,13 @@ gitea:
 vaultwarden:
    env: ENC[AES256_GCM,data:9RebpDWaKhPHpUzWDOuOYSDDtJ/pAvL30ipZuZz5OxUsUKoepHHLeBhjQzxyvwIDd2lT1Jx3UdLVSoKmh2qxGboFdBt9XF+grEzsQoP18wiSopiPjlAyaRgZ2f/6d46G+NYy13J4+N6zbPSHS3W76vpa6Vy8Fn7MWy3bXVoE4m9vORagPT/OZO+tcbJGjjVWUbz6JwNv0o+VvVPAHtXB9esnkqYMK1LvvDKLoT6eBtbu0MUmcnQ=,iv:UxbyYnNJPV+tznBBf3wFsu5eNayuJHuMfn6QfFi52ss=,tag:FMIhzv6UrR6rkqlOZ56oVg==,type:str]
 borg:
-    password: ENC[AES256_GCM,data:yvAtGsdJDYFRSUoq09iBh+snFWsJMrED++H3O/U=,iv:5N/OsIIEQr/c2ge23QznSPD88Jsccf8EdzlpG0c6zRs=,tag:896/9Z3LK1VFM4100ga8Qw==,type:str]
-    patterns:
-        keys: ENC[AES256_GCM,data:rv1I75M+3Y4vR65aloXyPgD594n2U9zcOFg4853yeA/+jUpDUC+Is9SaKVo1AB90LgnPl5yhGNzQbM5q9INaq9SL,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:sgkrWI/PtxZjw70lQfD8Jg==,type:str]
+    repos:
+        host:
+            password: ENC[AES256_GCM,data:EEHtGBASOY1t1hGmtNZ7/Edc01v4yNZgpcycT04=,iv:pgQ43gqx9iYk+SfGkPQfknTixn0MLkeTJzhUhOzjw6A=,tag:ihuKeJnY/L5iBfx/pvBRYw==,type:str]
+            patterns:
+                keys: ENC[AES256_GCM,data:u+oNQAUoPVIZHAtjNhjg+P/n2XGLpFZGPKxgxwbkaCGXvTg5femyjPTghFKypeANfK13AuPu7RjjG68S/5+HfiB3,iv:zlicZvzURkhY2XIYLO1QFavV4gikZWRyL5BXZ7Oax7E=,tag:QWhMGYgUKkoocAFJW0GICQ==,type:str]
+        services:
+            password: ENC[AES256_GCM,data:FDzK9Iv1iAhbRoSOiW1c0G5lW39BcivDAp0QzaW/XT2y,iv:VD/coWjhdsYAi8R03AqSH2kcqHHdqiXuxGINuWAwVek=,tag:mBLwdJGdOEEHO82rsvCYiw==,type:str]
    ssh-key: ENC[AES256_GCM,data:Sue8+VkfMHDbIx5dZps9G7iEALOf3Wvm2FcXdGr8dCURytIUaSszTGfjSRRXnmjNS1bymt1SBGo+2HSBHug8N56EC7gUFsRqfBEM+wBFPmYkR1LdtHLBEoC/4cpupvQLjNadmNplELjYBJCmURhTnrIdDIsHe8xCcGzarewlfiE9PuAa/hAjikUvqQyq2oljd0udINXC3wmGRK9m9SpnxW0YUPAL5A8GaXmn3eLSSLhDLbJJZK8/CMuBRnSYGbcmKessIiMetT7CR4pn7OHN2Naxg09uhquKWieeK9LXbMBIlgOZ004IdX1R+eNb9bI3+G4yN+VDv69xIDrtkTzksSePuaII+Vb6jTofB/DWWZ0b8cN7hPTC1JEKdaktd6pVTVqZ78dNAr4hi5sdELfHtgO6LZAajsN3TKviMoB1YUzHpt4+Ws12iR8B7njJKawh6ls8XvBpnYu8LpZmbo+IpN3yflpxGvlYThetdVSDB+gvzzyXqUmp4nlBiiwZdQXibHjkau2s1y1Es2+uy/NnkNR9VdNe9FGFpwFAsOyBOWmtOfucIE65KqyIskq2mXrW,iv:R9Se6PNqKZ61NQxY2J7p9W+Ougnaycl70Q24WCe4qG4=,tag:rEdbBnSs+Ix4p/W9Rpi0WA==,type:str]
 keycloak:
    db:
@ -38,8 +42,8 @@ sops:
            ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
            miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-06T15:49:16Z"
-    mac: ENC[AES256_GCM,data:2hp92GQOeixM7F3sl5MjaJ676S5ah0a6aaHf3QXJc/ibSvvfmJunoAJiHZmjFYZ56x36jb5NWYJjMIMUhUoqcbEpTYvNkY9T5N6Qs0DAAbIASm3RG9KGdsjBQYFpU7Y5f4i3GOG76Dg1kex1JeFms25mIalcxA8ZAkbjnI0ifeo=,iv:6m6nDZBkgcK3l8Ezy4/mB4+3tWFueWNVNNBXenZ1ExI=,tag:c2klGi+T+9qV3VZ3FH2taQ==,type:str]
+    lastmodified: "2023-01-07T09:17:12Z"
+    mac: ENC[AES256_GCM,data:YPV7nJeLwMzuR/xRzDCgBKICfahOw+P2pF9LQJ/1pQHVor+tPFHdDxe79rmqvrwred+LW/YLECwuxAGMnxds5GIQ1SFB8jwTYwV7pR2Pum7mHmJNP+5Z3x/hYso2UHMRpi4INyrnw5jbsGI05yEyjM41ySctrD1cploLLgr5hEk=,iv:WJ/8lDu+0w40fLDsUmFD2TITnCNRJpulHvSzOo3veh4=,tag:NvWGBDtNM6S8/htWzeeAAQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3