diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 1e1d644c..2ebfc7e7 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -46,6 +46,8 @@ in
 "gitea/db/password".owner = giteaUserGroup;
 "gitea/smtp/password".owner = giteaUserGroup;
 "vaultwarden/env".owner = vaultwardenUserGroup;
+ "borg/patterns/keys" = {};
+ "borg/password" = {};
 });
 # All of the keys required to deploy the secrets. Don't know how to make the
@@ -254,5 +256,46 @@ in
 };
 };
+ # Of course, what is a server without a backup? A professionally-handled
+ production system so we can act like one.
+ services.borgbackup.jobs.host-backup = let patterns = [ config.sops.secrets."plover/borg/patterns/keys".path ]; in { compression = "zstd,11"; dateFormat = "+%F-%H-%M-%S-%z"; doInit = true; encryption = { mode = "repokey-blake2"; passCommand = "cat ${config.sops.secrets."plover/borg/password".path}"; }; extraCreateArgs = lib.concatStringsSep " " (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns); extraInitArgs = "--make-parent-dirs"; # We're setting it since it is required plus we're replacing all of them # with patterns anyways. paths = []; persistentTimer = true; preHook = '' extraCreateArgs="$extraCreateArgs --stats" ''; prune = { keep = { weekly = 4; monthly = 12; yearly = 6; }; }; repo = "cr6pf13r@cr6pf13r.repo.borgbase.com:repo"; startAt = "monthly"; environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/ssh-key".path}"; }; programs.ssh.extraConfig = '' Host *.repo.borgbase.com IdentityFile ${config.sops.secrets."plover/ssh-key".path} ''; system.stateVersion = "22.11"; }
diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml
index 4c2d6189..30c590a7 100644
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
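Review bot: The SSH connection to the BorgBase repository has no pinned host key: `environment.BORG_RSH` only passes `-i <key>` and the `programs.ssh.extraConfig` block only sets `IdentityFile`, so unless a known_hosts entry is provisioned elsewhere in this config, the first non-interactive run under systemd fails host-key verification, and the tempting workaround (`StrictHostKeyChecking=no`) would let anyone on the path impersonate the repo, tamper with or destroy archives, and take the passphrase-protected repokey away for offline guessing. Pin the host instead, e.g. `programs.ssh.knownHosts."*.repo.borgbase.com".publicKey = "ssh-ed25519 <key published by BorgBase>";`, and keep the identity in one place (the `-i` in `BORG_RSH` and the `IdentityFile` in `extraConfig` currently duplicate each other). Separately, `startAt = "monthly"` is a one-month recovery-point window for what appears (from the gitea/vaultwarden secrets) to be the host's application data, and `prune.keep.weekly = 4` can never retain four weekly archives from monthly runs — consider `startAt = "daily"` and state the intended RPO in the comment above the job. The `plover/ssh-key` secret and the module attrset that this hunk's final `}` closes are both defined outside the hunk.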
@@ -13,6 +13,10 @@ gitea:
 password: ENC[AES256_GCM,data:rk8GPBLof4D9mJnDCzKtbjJcQqeS5W8kyNuqOzYbr9rNjOlBNN2y/qVGb/MmOd9TMzRpKJYe70Gk87DgCvlm8/JoxsoQ,iv:TdVDi71s8HDyCeWadubYBjgDvBZdfZhlFf8qArGgpdk=,tag:mptPQ8AScuG+1skTu7ooxw==,type:str]
 vaultwarden:
 env: ENC[AES256_GCM,data:C0advtRXZSRrm3D9iguxfYXTbK2XPMnsqHegN5JcNtxojQuGRry4hyM+PytB5t0rkaPrxffLGJkBsJo/oaYgXlkEBvoEVejMsVNsV2BBU/UrjkhvtjzS1q2BsnSW3rwy6K1IW1CCKHeknWiiT/qH/w0UvGSm3JxbkKnMShxy+mXkNeL99oPJS+5x4bcmCExaJ+EYlMiK1o/BjeBgk/sq/5TcguVpfZvIN0/PhSwqXGn0mwHR+GGApCQxSbB6kO9kKd8e+7zkbfWbK1cRsnZ6UpQl+ElVyQ==,iv:27TdCZYTYazXvi8gjNUkEvYDSRCzUE2IhbvT8k5Mqro=,tag:B+agm4rueu5B6jMkBd3FVQ==,type:str]
+borg:
+ password: ENC[AES256_GCM,data:jj5DARwujL3qMyOZ5jegFuWqAWKeEPbGihV2WZ45,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:Nz6iEf02N6UZTbNxP/vh/A==,type:str]
+ patterns:
+ keys: ENC[AES256_GCM,data:0CDCFSvqUeGD6JOAuptnke6z3eSD+SgT3AhZYTPujR+6Q42IWXs5Oq+YZeI1CEASFbV7+DhXSNc08zsR/Uuu2xym,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:VXC/b3HDdmwwiZlcqX/C9g==,type:str]
 sops:
 kms: []
 gcp_kms:
@@ -31,8 +35,8 @@ sops:
 YTZnVWJBdkVKTDIyN0JjNUVkNU84bmsKVEvYry/jpwScC0wtDqbvE4WtYVm+bBss
 /uTld6ObaI92LLVwdkcApVSzt8AD/vCRD/Kf084oi+fRDFn2JiYChQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-02T14:09:22Z"
- mac: ENC[AES256_GCM,data:zj0iVqEqi756+6IRhi4My7zds3ttP+FYPfCC2zSSCk/Sx5ONMlZtxD8v3LWZ0D+X0amgwFUi8+FYp0C4tj6GDcPU3Ila98eCvPOoCWh35vHUojO/8PwRsKY1jzx51o6mwHahksWBIHeH7+hGWnKFwjYO7Bpt1D9m2cLD4GXiUOM=,iv:o7fx9PuC0sUnIlpjS3dSr4YpcW9CMS/SdQjfhNd/K1s=,tag:190liNbTq7J/Lg5VMa6PEw==,type:str]
+ lastmodified: "2022-12-02T23:39:58Z"
+ mac: ENC[AES256_GCM,data:9g4mwaqH6+P1gxYlAOT1VVzbGAW7pC2A6MuAzEM5n3ooNemIMnj9GG5WMR9g4d3BYx6Ne8FLWuT2Xi1T1JTtY6vaFuUOMoCt5Lucl4twLeS1zP4wjx5vwGqSgwC2ZB1Gjd3gN1TCoKxhbAy74AClPJZeFuVLvFiDbxmD8AyA3xg=,iv:rssJX9hQL0FX2hlrNQRLDikU2YNwJAL3AjnJASqS/Rc=,tag:yx95SM15geHUMd51uZYTSg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3