diff --git a/configs/nixos/ni/modules/services/backup/default.nix b/configs/nixos/ni/modules/services/backup/default.nix
index aecc7aee..513c3915 100644
--- a/configs/nixos/ni/modules/services/backup/default.nix
+++ b/configs/nixos/ni/modules/services/backup/default.nix
@@ -5,7 +5,11 @@ let
 hostCfg = config.hosts.ni;
 cfg = hostCfg.services.backup;
- borgJobCommonSetting = { patterns ? [ ], passCommand }@args: args // {
+ borgJobCommonSetting = { patterns ? [ ], passCommand, ... }@args:
+ let
+ args' = lib.attrsets.removeAttrs args [ "patterns" "passCommand" ];
+ in
+ {
 compression = "zstd,12";
 dateFormat = "+%F-%H-%M-%S-%z";
 doInit = false;
@@ -35,7 +39,7 @@ let
 yearly = 3;
 };
 };
- };
+ } // args';
 hetzner-boxes-user = "u332477";
 hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";
@@ -51,13 +55,12 @@ in
 ./secrets.yaml
 (foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
 "patterns/home" = { };
- "patterns/etc" = { };
+ "patterns/root" = { };
 "patterns/keys" = { };
- "patterns/remote-backup" = { };
- "repos/archive/password" = { };
- "repos/external-drive/password" = { };
+ "repos/archives/password" = { };
+ "repos/external-hdd/password" = { };
 "repos/hetzner-box/password" = { };
- "ssh-key" = { };
+ "repos/hetzner-box/ssh-key" = { };
 });
 suites.filesystem.setups = {
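Review bot: The merge `} // args';` that closes `borgJobCommonSetting` (second hunk, paired with the `args'` binding in the first) is shallow, so an attribute set passed by a caller replaces the matching default wholesale instead of extending it. The body between the two hunks is not visible here, but it ends in a nested set (`yearly = 3; }; };`), and a job that passes `environment.BORG_RSH` would drop any `environment` default the shared body defines. If nested defaults are meant to survive, `lib.recursiveUpdate { … } args'` keeps them while still letting callers override leaves such as `doInit`. A short comment above the function, e.g. `# Attributes passed by the caller override the defaults below (shallow merge).`, would also record why the operand order matters.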
@@ -72,20 +75,21 @@ in
 secrets."${pathPrefix}/patterns/root".path
 secrets."${pathPrefix}/patterns/keys".path
 ];
- passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/archive/password".path}";
+ passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/archives/password".path}";
 removableDevice = true;
 repo = "/mnt/archives/backups";
 startAt = "04:30";
 };
- local-external-drive = borgJobCommonSetting {
+ local-external-hdd = borgJobCommonSetting {
 patterns = with config.sops; [
 secrets."${pathPrefix}/patterns/home".path
 secrets."${pathPrefix}/patterns/root".path
 secrets."${pathPrefix}/patterns/keys".path
 ];
- passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/external-drive/password".path}";
+ passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/external-hdd/password".path}";
 removableDevice = true;
+ doInit = true;
 repo = "/mnt/external-storage/backups";
 startAt = "04:30";
 };
@@ -93,20 +97,18 @@ in
 remote-backup-hetzner-box = borgJobCommonSetting {
 patterns = with config.sops; [
 secrets."${pathPrefix}/patterns/home".path
- secrets."${pathPrefix}/patterns/root".path
- secrets."${pathPrefix}/patterns/keys".path
 ];
 passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
 doInit = true;
 repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
 startAt = "04:30";
- environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/ssh-key".path}";
 };
 };
 programs.ssh.extraConfig = ''
 Host ${hetzner-boxes-server}
- IdentityFile ${config.sops.secrets."${pathPrefix}/ssh-key".path}
+ IdentityFile ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/ssh-key".path}
 '';
 };
 }
diff --git a/configs/nixos/ni/modules/services/backup/desktop-backup.pub b/configs/nixos/ni/modules/services/backup/desktop-backup.pub
index b780d1f3..0a5de0d7 100644
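Review bot: The added `doInit = true;` on `local-external-hdd` sits directly under `removableDevice = true;`, and the NixOS documentation for `doInit` advises leaving it false for a repository on a drive that may not be mounted. If the init step runs while nothing is mounted at `/mnt/external-storage`, the job may fail or, depending on how the unit treats that path, start a fresh repository on the underlying filesystem, so the backup would appear to succeed without ever reaching the external disk. Initialising the repository once by hand and keeping the inherited `doInit = false;` avoids this. If automatic initialisation is wanted, it should be paired with a check that the mount is present before the job starts.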
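Review bot: Neither the new `environment.BORG_RSH` line nor the `programs.ssh.extraConfig` block pins the storage box's host key, so whether this unattended job verifies the server depends on a known_hosts entry that the diff does not show. Declaring it next to the job, e.g. `programs.ssh.knownHosts.hetzner-box = { hostNames = [ "[${hetzner-boxes-server}]:23" ]; publicKey = "<STORAGE_BOX_HOST_PUBLIC_KEY>"; };`, makes verification reproducible across reinstalls instead of relying on a manual first connection. Adding `-o IdentitiesOnly=yes` to `BORG_RSH` would also keep ssh from offering any other key to the remote. Because `programs.ssh.extraConfig` is system-wide, the `IdentityFile` directive applies to every user who connects to that host, which is worth a comment if only the backup job is meant to use the key.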
--- a/configs/nixos/ni/modules/services/backup/desktop-backup.pub
+++ b/configs/nixos/ni/modules/services/backup/desktop-backup.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCPRzVqx7dE2l6ja62d0iYStQxUHU2bCIoaZ/QTN+38 Desktop backup
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7t+v5lQfX1voEdV6WHmdu5doV7N+B9Rq4auZB4x782 Desktop (ni) backup
diff --git a/configs/nixos/ni/modules/services/backup/secrets.yaml b/configs/nixos/ni/modules/services/backup/secrets.yaml
index f0f6d225..3a868b81 100644
--- a/configs/nixos/ni/modules/services/backup/secrets.yaml
+++ b/configs/nixos/ni/modules/services/backup/secrets.yaml
@@ -1,33 +1,32 @@ -ssh-key: ENC[AES256_GCM,data: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,iv:lXKaTo+TgxLEfdVRVwP64MJZ9DdinIi9LDlzTnN9rGs=,tag:9gH77XGDPBlCKYo6tXL+gg==,type:str] -repos: - archive: - password: ENC[AES256_GCM,data:SDeOjiMuHRNbUIozozzt2gPv1hA4fnhk1WPd9v2Hoj7FQd8G,iv:4EjrKKvFScYf5qc+ild3xxNOj7ueNQZFJRCtXk2PNMk=,tag:gaxzCzs/ZnSHTPwAos4Yow==,type:str] - external-drive: - password: ENC[AES256_GCM,data:BjL6PhkA9GYdSQEyHIrt00vA1JY9kLIqjHC6R2mUPuupbt1E,iv:37l5GTCxLPo3hOENHxZEH5CjcL6lP8sf5BoLA3YMXqM=,tag:LaMsCfaV4eVF0KBKnVlwlA==,type:str] - hetzner-box: - password: ENC[AES256_GCM,data:4rT5C0Qa4eAVk1NYvDJ6jFAcZtjUreaTMvn9,iv:l6q4bjqKxYQAxSVW+FOXvn9waLKa/a2s7exWtFJdDzw=,tag:tHXjc6HbSHnpS8oRWywg0A==,type:str] patterns: - home: ENC[AES256_GCM,data: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,iv:Jb3bHb/nnAe0TKJSmBUJRhkSqCGKzzvUhLERf3AucOU=,tag:PKGN63IZngNn4HrIqeL6Fw==,type:str] - etc: ENC[AES256_GCM,data:e+fAxfJQ7A6DcmejGndxZUHwzszZDZmH7nuqhpwoGgcgKdDmjqlroYgbJvWmQkiQWGxBdU5ZYdAb4392H7mk5StxeZfxl8CLFQAZ,iv:G4Zl4Y9abR39e8Tp3tHAeZ/RV0nXo27ETco+st+VqWc=,tag:hePvY0fhy17fxcWRohUiqw==,type:str] - keys: ENC[AES256_GCM,data:daVoQqMYwhyRZsZoTKcuhy19PQajLwebVbi8SnzsXPGZH2HNweLgUXuILevUw2Pi30Wc0cJkPlf9HlmN7MGk9iN/H3bO99GK8/ixDb1JmkQyIEg5FjCZ4OgfIw9TuAQyINnG6IMZVzjPPkqGdtjIssPp7BT03heQjgxP9gYUMqZ9jMk1UNesJ+MkSDkkrj9FZsO8aAnz7dOTCZpnaWGU/10UjEciegyl08rhCKgfRe9/RY3wCu8psxlqAcfkWEm4ZLy6/D5ph2jJhJ4uybrUyvtZ8t4joFYRvokQrUlMFsxVT2g=,iv:fF1ns69AO860KnX3MibQsV/fhzxeH8FHLEG8JNjLbW0=,tag:R1w/WiNtoLaPrsNws9C8RQ==,type:str] - remote-backup: 
ENC[AES256_GCM,data:0D3xu9bdX0AqtIhsKB/LREo45iJ9YWsEhR7ynBPBVmY5+4eGw2DvlfIbnXPkj5Zl9LstJPJtzHwD5Smo+e/PKFwMjpcpidv/CoV7JXLERQsBjueg+7T4acQ9Oq3NzAW3CHP6Vrk+RMD7du+6yc9JTKsjQJw5+jPR0+fWfK616VtYmaajztgJgE41WZ+0n/4zBc/P4dbK0CTTQ8eH1/EFfAD5+J2p9JYcKqqjRVTg1cKYIhQOfRQeqpGe8xFXrdOKSDCTeGflJnUaBoOIYr5+S37Oq7Zj+bxwwEaxEqoH5Tuezaw6wVOsHzvsURp0lqPtL8WGz41t/A3ljCdhrZ2qAtAXMVZH9ZC9CtoGYxX4G7wadP5hAyG9pig2sZl6ssz/lAMhHXwi9/UY+hHgK9mkncYT2agi8tkpIkIf8EFH6Rul9dvjXyeF30TUauPjocH6+1fww8RS229E62Teal+MgYQuZ7oYYJFs4jMOcmA8Jn1nTAIJcqAMK7PJasRnl0KIiAxKfoD9kUchRFbpk05qnZO8GuevpWZ8oBe9HimwPO+X0BZZFIYASbbdDasd0V2VLhwVgK3/r5DMg+Q9Hx2HFK1Z6Ju8Q52NcFF3fdMOrXF7exjjWlnyAN/dhLaGeIDfW/L9IdoTOcb4rNXgG3ngLPTqSqtSADVNmwuYe5lpdUip00cbcwwiDttX9M2rP2XmOkOlMHkX+jg1nIEvaegEgbWCGWucTflLVnz8YuqLL+nfaPnEmbLTObQjjVC0jK0R9a069XcYb4KykTqDRgRU2WW6TF3TZNS5sVnselETT9Wp3DYuEOnnj4lIGxZwY1/Rcl8z8uMCI/0TbDwoSgaK3cKUxMEiR80X22V372ZcDv5r7WJ/Oe+koVd3JSTkDsYnVMS2jcOMQYCLgnLWqiNsMZn+abDsxevoAqXrl/yBDokSoFGaPvYrbi7M/pgPjVSCP076MqlrkIcNBgp3JqtwOV517EFEs7bLkD/wlKgaYWL08lhjNcxb02h2Cu6gw6lkIUQdb6CJl1QU47XWZulYxPBPnFhKNLziqHTVURouZfWMy4RMWx1APgIpZgpfFSccPd8e77w6WYZrwQqj+Nqo8+nZMZ2gFNzT6S0d/+hu0tWfKSEezNluwqBEnxRTwEuUQDJO8mkmbMjzFdGASY+grdoOA3gHwYc4w7tPQfsZKRZLd/LV+irbj3KmkDvgbn/Tjn5WgN1SbTWf9CJdB721V/hjVia2ds/QG3k3wPmfg6xk/BhQiDhqO1ZR8OoDxUpl7uoBjp9ZDr2vGp93En86JIMD+AZJKPSklF8i8ejb4/QnVBCMJoHdzrxNQModP2XdVJU3yjWVp7+qQ0OYSu/i0iKqkfn3gnN1/tgGkZJBv5TXumH//og3P2k0vDyf4CHJWMYPzKSZf6MSOzN9cR3e/yBqdCTolXoErBQYKsPIAdtvnTRSPLia70kYgRrY20pP7hPBKPQmyWsVqkE8XXV9Z7BHXFFU1Gswv9qH7W6Rij36EHxJyjnvlSQSCTDXwRYGrKkhK+c/TN5OnjmVzDxBJicm/aOvd7lHz6p1KPNHgEamozviQPD0lrANrGoD7Jljp2SwjjwR2EAW7Qcnnj19hrnVCHXWm4mYy0A4XybnRzQvFfRmgKXk6fcKKGgAZ3TYmeR/vgLpIe5CgTX889P0Z/ns8JipNlSu6I0/qKA99tU1kBytR+uItKZ7OZ+ftmD3qV0rlnQwoVULtsExCPmPSjNCcQqS1K/xY0L3yqqf6ghmEE7usW5A0LBSinshNGhbpGydgP4FuswV5/nIWj2v27XDbzd2ObrHeNFH9MQ8f1XdL1Fe8IJqUNgtKU/j00uqRQ1LSHYzQ9Iwbm/1eEQsmv1bLQTfaX03Zaz69BhEVA3i6aIeT9bXgDumxoEKHfYJNSoP8MNJab6hiBu1wIG12VmDx7+8KKQJZx0KgBk12K7jpFLW4UrbTpb8Dkhd
I7fZsw==,iv:OOHvndCVsxdrn/fA1ERlSZBDW8d+x1fNEt33seOgoG4=,tag:2X+j5HwNT2D6NLaCVvAXGg==,type:str] + home: ENC[AES256_GCM,data:FQyVpxe+3MAwoE/d4sb1ZmD/2Y8rBEQEd+qsTAzvY+Hi2ANiHERN4tuwPbHY8zK67yIFlEsnMEDngYzOkH2mas1aJf1hf3w+yEB6IIh+IhYApzWivQADumj6rPVJT2WfItlz2S9Z8+LFzD48xPnN3UboJ1vicMZeSm/Ffp342CQzG6lQlmMpoQCy4Q5bNPk8Kk8YOnFMhMuq+/jgtIMnl27WYiVpYzM6kSrq96J8VxAS4XJMHIWP/bzk+CrE7tsdhNgnS+JzuLRhERwB+sKJ5m2TBNVC31ZOSJeROYXCus0CDyaGEoy7ssDfAfBjePqAGzTMKxayLoMh4GbIPTmqLyfsl9IWXLRFiDBnbPYVgCSdxgINye4mEg==,iv:0+1etWOkvmngX3KPUCxYpIJ5QoUjEw8RtAM8XH6bEu4=,tag:R0e+thbJAro/ZFnFvf13IA==,type:str] + keys: ENC[AES256_GCM,data:xxuamNHPWLpQyERawROxaRdUek6HoDypPK9zw9WGRJthk+7vtCWhyZLLndz0j0ST0H5mU9L9rwDJ4GiyKvPgAyk4iP4=,iv:FclOzefSaDDc+VXq/EMdKX95GfzInPvdKdaBqkNTQRI=,tag:p/0upm4ef/ESx0m9MUPROg==,type:str] + root: ENC[AES256_GCM,data:mHDo6whty2eiz8ZRhM3bpJ2fPNx5KMzkG0+J/E/CfR7EG02yY3y2Xu+fYQ==,iv:iX9tqqR5Qqbk8uyDczLpotOw68Aj2glpp/ZcOvQ+NQo=,tag:Ni2rcy4UK0HUOVuET5AwwQ==,type:str] +repos: + archives: + password: ENC[AES256_GCM,data:FuPW5dgbt20+eOT4ulV653amUocILnSgc2sBYaeusXw=,iv:WZJYpYdWQzs8G23P4Zflhlxe/H1tShPvMjmFEiLHl4A=,tag:lZUC9JBIwhcEiBpPajaKUw==,type:str] + hetzner-box: + password: ENC[AES256_GCM,data:GuNsNiVGHyUPrkVMlUQfAEIs/1bGfp3qYseXi/T+lQ==,iv:qrTs+T89R8wzvCxKzYoJyVzBGMczIDqhqfXB93pyxBU=,tag:KdO2cQjMjkJviBF+/5wzdA==,type:str] + ssh-key: ENC[AES256_GCM,data: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,iv:hV4FupMtLb8lpe3JWlkbFLBu37kae06InNiZTOlppo0=,tag:k1rVBDz4mjD1ovxiTSEtZA==,type:str] + external-hdd: + password: ENC[AES256_GCM,data:P9LNQIs456JBWFJs1ARQHLiNeLWlkhPWaEgX431VYg5YNA==,iv:cN3v9jMZlHRVUHdhvXnDizl0GdpVlw5U70yYlxAv3ek=,tag:mYaq2M8xSBfl5+lAa1NNVQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8 + - recipient: age1jxna9vm7nx4g69s84qgjptxvuzszcypf2rfk4ss2lyhnpe3yxdnqusu6jp enc: | -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSnZFWGxpMTBGNUF3RFhB - UG5SVWRhUDJ2bElnSVdqSHFhcXJYVU1MS3hRCmZEbGZpYlZPTWxZNzJ1UGFQNlF1 - OXIyVUM3RkRCTkY3eGtWSXRpVm4yMTgKLS0tIEs2elQzOGw0T3UydVIyTUYxOUth - T1dFM2lCSGU4Yy9Zd2c4aUQ3YTlRaHMKL8RVIJE4v8aauIo7jmTvveuniwfs9A/W - SvdsKE/HxWplCZDvvW8y5OeT2hDemmn7a+46OrIWduao1qpK9PoCDQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVExxY094cElKaG9KVUVC + R0R1RXd6YjViRnlpM2VKaDY3NlNUZXpoSEcwCithUUhzbERveVlRZm40bzQ0bitH + OEh4MlRLNjdsQjYvNENZMk5DMytoMjAKLS0tIHV6NkdYUGN3d1RpNmFxTWY4YW1s + emJQY1B4UHQvVDJxQlVlUjZXcW5hV2MKAqRYMFGWoXALeUeDoFCYFvCT8pIIRGk4 + xMZwLHvRWuZW+15DYGrfrA9+DOS6SZYEYQeApMFVWUdYMU/Xn6KZig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-04T09:43:43Z" - mac: ENC[AES256_GCM,data:w4VI/9GJ9iIBi7c0aCU9+wsAzZLVhIoZNlif6nPG2R/D7xiuLudizsUrljEujIINFxqaMhhJjl2lGBhBdUsY9Q8TB6WP+NVm0R3vvODhGc1Z3r87lbSL/TpYvFyM7TVsCx4gkiUgwE1i4nxdMeFtyi4P3lhm+k0TlBDhtZLaNtE=,iv:SwEIja9cnYaBtTQty+opkNscAZTOMnPzRzhbI4OJfQI=,tag:E2Ip2SPSnWQuTsPmFpxPKg==,type:str] + lastmodified: "2024-03-11T01:00:45Z" + mac: ENC[AES256_GCM,data:uvK0SmRAF/9xLrc5iF7GJBi0SbNKZ2U2Dudai6owToknCqiU5N0w9JudY7+eTxtD/RZkB2h2Kvq1aMEpbahdl8zZ4F6o7vxs1oeNcXAuB1gHGOfpG8AI+gojUrKZP5SKWsCqUOTjRtxAR9AjG0pR/rhbJjJ8EbQ9UawsaqQHMFk=,iv:VYSmLqDsViLwSJ1qsmjLFmlchJfM7QMmAD6HYC7jaWQ=,tag:hLGh+qdJsRXquXhWbnikUw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1