From e7bcce4ef6c79cd7c2d4cec4e1bd85ceeeefaa5b Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Wed, 11 Jan 2023 13:16:02 +0800
Subject: [PATCH] tasks/backup-archive: assign different passwords for different repos
---
 .../nixos/tasks/backup-archive/default.nix | 35 +++++++++++--------
 secrets/backup-archive.yaml | 12 +++++--
 2 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/modules/nixos/tasks/backup-archive/default.nix b/modules/nixos/tasks/backup-archive/default.nix
index 75bd22bd..d0136668 100644
--- a/modules/nixos/tasks/backup-archive/default.nix
+++ b/modules/nixos/tasks/backup-archive/default.nix
@@ -4,13 +4,13 @@ let
 cfg = config.tasks.backup-archive;
- borgJobCommonSetting = { patterns ? [ ] }: {
+ borgJobCommonSetting = { patterns ? [ ], passCommand }: {
 compression = "zstd,12";
 dateFormat = "+%F-%H-%M-%S-%z";
 doInit = false;
 encryption = {
+ inherit passCommand;
 mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets."borg-backup/password".path}";
 };
 extraCreateArgs = lib.concatStringsSep " " (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
@@ -50,22 +50,24 @@ in
 inherit key;
 sopsFile = lib.getSecret "backup-archive.yaml";
 };
- getSecrets = keys:
- lib.listToAttrs (lib.lists.map
- (key:
+ getSecrets = secrets:
+ lib.mapAttrs'
+ (key: config:
 lib.nameValuePair "borg-backup/${key}"
- (getKey key))
- keys);
+ ((getKey key) // config))
+ secrets;
 in
- getSecrets [
- "borg-patterns/home"
- "borg-patterns/etc"
- "borg-patterns/keys"
- "borg-patterns/remote-backup"
- "ssh-key"
- "password"
- ];
+ getSecrets {
+ "borg-patterns/home" = { };
+ "borg-patterns/etc" = { };
+ "borg-patterns/keys" = { };
+ "borg-patterns/remote-backup" = { };
+ "borg-repos/archive/password" = { };
+ "borg-repos/external-drive/password" = { };
+ "borg-repos/hetzner-box/password" = { };
+ "ssh-key" = { };
+ };
 profiles.filesystem = {
 archive.enable = true;
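Review bot: `passCommand` becomes a required attribute of `borgJobCommonSetting` with no default, so a job that omits it fails at evaluation with Nix's generic missing-argument error rather than anything pointing at this module; a short comment above the function would make the contract explicit, e.g. `# passCommand: command that prints this repo's passphrase; required so every repo is tied to its own secret rather than a shared one.` The body of `borgJobCommonSetting` continues past the end of the hunk.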
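Review bot: The lambda parameter `config` in `(key: config: ...)` shadows the module's `config` argument for the body of `getSecrets`, which is easy to misread in a file that otherwise uses `config.sops.secrets` for the NixOS configuration; renaming it avoids the trap, e.g. `(key: extra: lib.nameValuePair "borg-backup/${key}" ((getKey key) // extra))`. Because the per-secret attrset sits on the right of `//`, it can override `key` and `sopsFile` from `getKey` as well as add sops-nix options such as `owner` or `mode`; that is presumably intended for the now all-empty `{ }` entries, but a one-line comment on `getSecrets` saying so would help the next reader. The `let` that defines `getKey` and `getSecrets` starts outside the hunk.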
@@ -80,6 +82,7 @@ in
 secrets."borg-backup/borg-patterns/etc".path
 secrets."borg-backup/borg-patterns/keys".path
 ];
+ passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/archive/password".path}";
 } // {
 removableDevice = true;
 repo = "/mnt/archives/backups";
@@ -93,6 +96,7 @@ in
 secrets."borg-backup/borg-patterns/etc".path
 secrets."borg-backup/borg-patterns/keys".path
 ];
+ passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/external-drive/password".path}";
 } // {
 removableDevice = true;
 repo = "/mnt/external-storage/backups";
@@ -104,6 +108,7 @@ in
 patterns = with config.sops; [
 secrets."borg-backup/borg-patterns/remote-backup".path
 ];
+ passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/hetzner-box/password".path}";
 } // {
 doInit = true;
 repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
diff --git a/secrets/backup-archive.yaml b/secrets/backup-archive.yaml
index c8cf13ab..bf04c95d 100644
--- a/secrets/backup-archive.yaml
+++ b/secrets/backup-archive.yaml
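Review bot: The three new `passCommand` lines (this hunk and the two that follow for `external-drive` and `hetzner-box`) each build the same `cat ${config.sops.secrets."borg-backup/borg-repos/<name>/password".path}` string by hand, so the repo name is spelled twice per job and a mismatch between the secret declared in `getSecrets` and the path used here would only surface when borg fails to open the repo at run time. A small helper beside `borgJobCommonSetting`, e.g. `passCommandFor = name: "cat ${config.sops.secrets."borg-backup/borg-repos/${name}/password".path}";`, used as `passCommand = passCommandFor "archive";`, keeps the secret key and the job in one place. Reading the sops path with `cat` also assumes the borg job runs as a user permitted to read that secret (sops-nix secrets are root-only by default); if any of these jobs runs unprivileged, the per-secret attrset introduced in `getSecrets` is where `owner`/`mode` would be set. Each job definition starts and ends outside its hunk.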
@@ -1,5 +1,11 @@
-password: ENC[AES256_GCM,data:rXMyW38rKCKJcrRkLFkc8PJDdLnn4Xow6RqY,iv:Qu11ghsC2TMEGLOVAkoWgWkImx4IKLi0RaP0T+avHUg=,tag:Ntyyfchy6db1AAeBW4JZrQ==,type:str]
 ssh-key: ENC[AES256_GCM,data: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,iv:mIXPJIZ1z9xnoja+zQcHvVLLCWn3YMdVFKkhadbWCjY=,tag:Z/c2LB/mTaY8MzDfLjLrDQ==,type:str]
+borg-repos:
+ archive:
+ password: ENC[AES256_GCM,data:XCWvZIYgxUYApn2hni7gtPkOiiv6Fc5WAyBjIhIbboGP1TPJ,iv:FfWqVC9KpDa+XBXFWgvzJDZL2gqAYPHtUT6mROheU68=,tag:xGE2zyYKMFO8x6aJELLAgw==,type:str]
+ external-drive:
+ password: ENC[AES256_GCM,data:5qbA4HRzStX0rJ4fQv9KwfenUeE5PbKoIT3wCZ87M4YzVbQ+,iv:Odrgkb9FAZOOHU3R2CVRf7UdkqmGpZgCoz3ci/lgKjg=,tag:hyRu0OwlmM6nroqq0Yjj0A==,type:str]
+ hetzner-box:
+ password: ENC[AES256_GCM,data:me5czGtTEoiIr1qKh+GpNTLBRhG+3BVyj87t,iv:4ew7vTK38xEGXPIPm9I2BxsFwMqRHGJ5mtpN91Cfghg=,tag:HbI8jxQNbUz37L8H3T56+Q==,type:str]
 borg-patterns:
 home: ENC[AES256_GCM,data:NXW0QN4sFTmbPB08Ww4J3pzn5RrOroqD2l/EyK3cHNcT9P6nz32j6nB3Qzx0Ik1CfuVFt38xQV/yUGkszCdj8GcLoOHi4Bu6xgBCmPqmNh8CaDg9jRdVBxUpf3UVfTJx9oVw0IL1qN2Rk28OqKqGhrxHQCMqzICRKrNaobTV0tOJq50B/8Hz5DzuBKO7fpf2VyNIqkM5B2VCKvYALgB7cpnq//Oz6BNsMiQe429axOcRWOyxSl/RSpCAmF74vCT9SRRB1Stb0xH0aiXxm5HXmSuQBjjERSfdFmlGsyaSD/9OscNA0amwHOmmeg7CuD+5cPaxgUlbDEgMwsXwyThKVw9LHWh5DPrjV627UZyJNVVYnTmApIW9DDJqX7rkP8pGRsoQZV/Fc2tQ5uSmDE4dOxxDh/60as8FVfR4+lhURhfAfZuuSrVd84SJFWvdYNRgqtYO2s2NER4/Syj/7/qCBsujpRTidIzjSaECSDAqwjL0JVNyIwAyaqvK4jDQHiK9aZ5Zv9Xu/7cfRVaEnHoe0/Dy/ZRVpZlELC7PlbpFHEY0vQ21quPpsSJPPj1i4RMAk5QHkJb8JxV1N/Qdv+3//bk9Hr3Hr+h/RmMygmQ1Q5Pin/dIgfpzo24ITRwDU7KXo4SP0EvdjhcIDo8AAopX7hFcKh5tluvZpTSgPP9ETlhoIuwQoqtqsVzKROcM88LPnEltticEDACejVo41zuszY4sLuLfkn+x7f6tfRTGansoaxLL6Xoxs6OZWzHQ/rCHONLFg67smjbdBpEKkwGH/8yh5VzIkkGjWlui0WHCn6AYhXw6neR0WWUqGkVMw/LFd9N6Ss8PlFjAWYbpMn3DFBO/Hl3yaPz7RRqVkuT7auSrj6MB+iRN6o5INL3JW4ZdHV/7tGQHm8B+WEjq3YYw3x8U6RrIANWrXjqZEK+tU1fLNZ80oZwTz7WkaiNQuO3oYWgoUMnvOSM+aM6aVjIm5itEjmfbWuHgR4lljl2XKJb25Gp7FEbn0XGjLy+wfgNKP/ZAAlhJVD1oWwvjYJ2o,iv:JhM40qLFXoJqA/BeUjMV
YL/eWdoJrPhrRyiIR3acVwM=,tag:KGtAGSOcpvS9yCO2LyKFsA==,type:str]
 etc: ENC[AES256_GCM,data:8Bq1/YP4XndDv5H4SS/wT8WLQyY5JPp5oErU+RpTqgSJqlSs8Q9aCZHHzd/zhmazgGZfCiTl5xLOgSw8lB7cqRfeasE64ffiafM7,iv:6wM1510XdECx9B/EEyICQxRj8fqZ8Tv6oFMoGMynmog=,tag:0uNmZtNGs6Z7QE4dbJZegg==,type:str]
@@ -29,8 +35,8 @@ sops:
 QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco
 +7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-01-07T08:58:15Z"
- mac: ENC[AES256_GCM,data:5rwm+xuliaQJZb6iPc/S0zz/K6+n5iD/3UkCmDDmNXBtIakS0VRMAmzHjod/uEUxD0tf2zYuRI1K8dKcChbPwgvxJ8AVtSn//4pjLsOoikz7Cu24O049sjl0O1kRBj4BcDPopKDo0pWLV1vpputQEiSd8bYp/WXZMmfyx7SV4Ug=,iv:lsYTDf52QdPKt1miOyJkNtqyxGEttySZZM9euyB7mf8=,tag:vgRX88smognAG/rT3nUnrg==,type:str]
+ lastmodified: "2023-01-11T04:39:58Z"
+ mac: ENC[AES256_GCM,data:QUg/3MW3a7vlunhj1sTCzY2L5vLjOY9ZhTSwVujHCrN3SMcQWgyOK+m5vbdjqNwezyLKmTg8av6nTAqHwSZIKyJZLfkxKFSIzizR0IJEkf4bYrCXeQ6z/M7EaTtMbfXOEk2eNpqFuPjpErJL4vHz0e5ZYtdKvLDLUK2XvWZRKXg=,iv:1x6fim8dxMAAfmCVN7UpjqudHUpxUE3YQQLABccnXA4=,tag:Se707Qcr6ON68ymdVbLXpg==,type:str]
 pgp:
 - created_at: "2022-07-18T13:19:32Z"
 enc: |