foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 10:58:02 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

tasks/backup-archive: assign different passwords for different repos

Browse Source
This commit is contained in:
Gabriel Arazas 2023-01-11 13:16:02 +08:00
parent 10fe6c33af
commit e7bcce4ef6
2 changed files with 29 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
modules/nixos/tasks/backup-archive/default.nix
View File

@ -4,13 +4,13 @@
let let
cfg = config.tasks.backup-archive; cfg = config.tasks.backup-archive;
borgJobCommonSetting = { patterns ? [ ] }: { borgJobCommonSetting = { patterns ? [ ], passCommand }: {
compression = "zstd,12"; compression = "zstd,12";
dateFormat = "+%F-%H-%M-%S-%z"; dateFormat = "+%F-%H-%M-%S-%z";
doInit = false; doInit = false;
encryption = { encryption = {
inherit passCommand;
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg-backup/password".path}";
}; };
extraCreateArgs = lib.concatStringsSep " " extraCreateArgs = lib.concatStringsSep " "
(builtins.map (patternFile: "--patterns-from ${patternFile}") patterns); (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
@ -50,22 +50,24 @@ in
inherit key; inherit key;
sopsFile = lib.getSecret "backup-archive.yaml"; sopsFile = lib.getSecret "backup-archive.yaml";
}; };
getSecrets = keys: getSecrets = secrets:
lib.listToAttrs (lib.lists.map lib.mapAttrs'
(key: (key: config:
lib.nameValuePair lib.nameValuePair
"borg-backup/${key}" "borg-backup/${key}"
(getKey key)) ((getKey key) // config))
keys); secrets;
in in
getSecrets [ getSecrets {
"borg-patterns/home" "borg-patterns/home" = { };
"borg-patterns/etc" "borg-patterns/etc" = { };
"borg-patterns/keys" "borg-patterns/keys" = { };
"borg-patterns/remote-backup" "borg-patterns/remote-backup" = { };
"ssh-key" "borg-repos/archive/password" = { };
"password" "borg-repos/external-drive/password" = { };
]; "borg-repos/hetzner-box/password" = { };
"ssh-key" = { };
};
profiles.filesystem = { profiles.filesystem = {
archive.enable = true; archive.enable = true;
@ -80,6 +82,7 @@ in
secrets."borg-backup/borg-patterns/etc".path secrets."borg-backup/borg-patterns/etc".path
secrets."borg-backup/borg-patterns/keys".path secrets."borg-backup/borg-patterns/keys".path
]; ];
passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/archive/password".path}";
} // { } // {
removableDevice = true; removableDevice = true;
repo = "/mnt/archives/backups"; repo = "/mnt/archives/backups";
@ -93,6 +96,7 @@ in
secrets."borg-backup/borg-patterns/etc".path secrets."borg-backup/borg-patterns/etc".path
secrets."borg-backup/borg-patterns/keys".path secrets."borg-backup/borg-patterns/keys".path
]; ];
passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/external-drive/password".path}";
} // { } // {
removableDevice = true; removableDevice = true;
repo = "/mnt/external-storage/backups"; repo = "/mnt/external-storage/backups";
@ -104,6 +108,7 @@ in
patterns = with config.sops; [ patterns = with config.sops; [
secrets."borg-backup/borg-patterns/remote-backup".path secrets."borg-backup/borg-patterns/remote-backup".path
]; ];
passCommand = "cat ${config.sops.secrets."borg-backup/borg-repos/hetzner-box/password".path}";
} // { } // {
doInit = true; doInit = true;
repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni"; repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";

12
secrets/backup-archive.yaml
View File

@ -1,5 +1,11 @@
password: ENC[AES256_GCM,data:rXMyW38rKCKJcrRkLFkc8PJDdLnn4Xow6RqY,iv:Qu11ghsC2TMEGLOVAkoWgWkImx4IKLi0RaP0T+avHUg=,tag:Ntyyfchy6db1AAeBW4JZrQ==,type:str]
ssh-key: ENC[AES256_GCM,data:MDKZC4QMcfoXLtmTQYUXmz7vAFVKhcLACiQp3DzyeIle3FykNuvD/i5TLmqDclMHAcIfBb7yOCTPL/+hIvXRbU25btqWTc/i48RjYTvbpkVKQyyb7lBCmgeMHPoFNpSeu+NluelUpicQv2zOhIgG+LInQsDSy6uZuEnAEDh/MkCrch9G5DOQ1fGFcmRnpReKPNShkFaEnwiT0iYfQ/ksAvJlRS+szphWCcP6phwGWINETXyIQVekvnPp4pcioFtQ2sIZoLEkcOnhloNoSXs/hrqDaxgbEc7biITy+FCDU0M/qMVHiS8pE9Sb443MpmCSx84pm+kcgRpKPLqhhcf/PB0wLLGDvBD4Wv+0cmgGdKEKaZxvoTcYuCplvMKfRCzOGCDliBUGEy9gU/E8QCNNxC1OokhJFPs0b6YiHTAv+n+z48lRMojaKfmA5sRhiAh2mbiQerga8Tf3pEhtDW2myR3zrXYsJH2201F1j8O4TSQrXjvwC4ZeaIrzC1zYHXbTlNykdopv++M9U5BxRptBrAG5MgoQablsV3cH,iv:mIXPJIZ1z9xnoja+zQcHvVLLCWn3YMdVFKkhadbWCjY=,tag:Z/c2LB/mTaY8MzDfLjLrDQ==,type:str] ssh-key: ENC[AES256_GCM,data:MDKZC4QMcfoXLtmTQYUXmz7vAFVKhcLACiQp3DzyeIle3FykNuvD/i5TLmqDclMHAcIfBb7yOCTPL/+hIvXRbU25btqWTc/i48RjYTvbpkVKQyyb7lBCmgeMHPoFNpSeu+NluelUpicQv2zOhIgG+LInQsDSy6uZuEnAEDh/MkCrch9G5DOQ1fGFcmRnpReKPNShkFaEnwiT0iYfQ/ksAvJlRS+szphWCcP6phwGWINETXyIQVekvnPp4pcioFtQ2sIZoLEkcOnhloNoSXs/hrqDaxgbEc7biITy+FCDU0M/qMVHiS8pE9Sb443MpmCSx84pm+kcgRpKPLqhhcf/PB0wLLGDvBD4Wv+0cmgGdKEKaZxvoTcYuCplvMKfRCzOGCDliBUGEy9gU/E8QCNNxC1OokhJFPs0b6YiHTAv+n+z48lRMojaKfmA5sRhiAh2mbiQerga8Tf3pEhtDW2myR3zrXYsJH2201F1j8O4TSQrXjvwC4ZeaIrzC1zYHXbTlNykdopv++M9U5BxRptBrAG5MgoQablsV3cH,iv:mIXPJIZ1z9xnoja+zQcHvVLLCWn3YMdVFKkhadbWCjY=,tag:Z/c2LB/mTaY8MzDfLjLrDQ==,type:str]
borg-repos:
archive:
password: ENC[AES256_GCM,data:XCWvZIYgxUYApn2hni7gtPkOiiv6Fc5WAyBjIhIbboGP1TPJ,iv:FfWqVC9KpDa+XBXFWgvzJDZL2gqAYPHtUT6mROheU68=,tag:xGE2zyYKMFO8x6aJELLAgw==,type:str]
external-drive:
password: ENC[AES256_GCM,data:5qbA4HRzStX0rJ4fQv9KwfenUeE5PbKoIT3wCZ87M4YzVbQ+,iv:Odrgkb9FAZOOHU3R2CVRf7UdkqmGpZgCoz3ci/lgKjg=,tag:hyRu0OwlmM6nroqq0Yjj0A==,type:str]
hetzner-box:
password: ENC[AES256_GCM,data:me5czGtTEoiIr1qKh+GpNTLBRhG+3BVyj87t,iv:4ew7vTK38xEGXPIPm9I2BxsFwMqRHGJ5mtpN91Cfghg=,tag:HbI8jxQNbUz37L8H3T56+Q==,type:str]
borg-patterns: borg-patterns:
home: ENC[AES256_GCM,data:NXW0QN4sFTmbPB08Ww4J3pzn5RrOroqD2l/EyK3cHNcT9P6nz32j6nB3Qzx0Ik1CfuVFt38xQV/yUGkszCdj8GcLoOHi4Bu6xgBCmPqmNh8CaDg9jRdVBxUpf3UVfTJx9oVw0IL1qN2Rk28OqKqGhrxHQCMqzICRKrNaobTV0tOJq50B/8Hz5DzuBKO7fpf2VyNIqkM5B2VCKvYALgB7cpnq//Oz6BNsMiQe429axOcRWOyxSl/RSpCAmF74vCT9SRRB1Stb0xH0aiXxm5HXmSuQBjjERSfdFmlGsyaSD/9OscNA0amwHOmmeg7CuD+5cPaxgUlbDEgMwsXwyThKVw9LHWh5DPrjV627UZyJNVVYnTmApIW9DDJqX7rkP8pGRsoQZV/Fc2tQ5uSmDE4dOxxDh/60as8FVfR4+lhURhfAfZuuSrVd84SJFWvdYNRgqtYO2s2NER4/Syj/7/qCBsujpRTidIzjSaECSDAqwjL0JVNyIwAyaqvK4jDQHiK9aZ5Zv9Xu/7cfRVaEnHoe0/Dy/ZRVpZlELC7PlbpFHEY0vQ21quPpsSJPPj1i4RMAk5QHkJb8JxV1N/Qdv+3//bk9Hr3Hr+h/RmMygmQ1Q5Pin/dIgfpzo24ITRwDU7KXo4SP0EvdjhcIDo8AAopX7hFcKh5tluvZpTSgPP9ETlhoIuwQoqtqsVzKROcM88LPnEltticEDACejVo41zuszY4sLuLfkn+x7f6tfRTGansoaxLL6Xoxs6OZWzHQ/rCHONLFg67smjbdBpEKkwGH/8yh5VzIkkGjWlui0WHCn6AYhXw6neR0WWUqGkVMw/LFd9N6Ss8PlFjAWYbpMn3DFBO/Hl3yaPz7RRqVkuT7auSrj6MB+iRN6o5INL3JW4ZdHV/7tGQHm8B+WEjq3YYw3x8U6RrIANWrXjqZEK+tU1fLNZ80oZwTz7WkaiNQuO3oYWgoUMnvOSM+aM6aVjIm5itEjmfbWuHgR4lljl2XKJb25Gp7FEbn0XGjLy+wfgNKP/ZAAlhJVD1oWwvjYJ2o,iv:JhM40qLFXoJqA/BeUjMVYL/eWdoJrPhrRyiIR3acVwM=,tag:KGtAGSOcpvS9yCO2LyKFsA==,type:str] home: ENC[AES256_GCM,data:NXW0QN4sFTmbPB08Ww4J3pzn5RrOroqD2l/EyK3cHNcT9P6nz32j6nB3Qzx0Ik1CfuVFt38xQV/yUGkszCdj8GcLoOHi4Bu6xgBCmPqmNh8CaDg9jRdVBxUpf3UVfTJx9oVw0IL1qN2Rk28OqKqGhrxHQCMqzICRKrNaobTV0tOJq50B/8Hz5DzuBKO7fpf2VyNIqkM5B2VCKvYALgB7cpnq//Oz6BNsMiQe429axOcRWOyxSl/RSpCAmF74vCT9SRRB1Stb0xH0aiXxm5HXmSuQBjjERSfdFmlGsyaSD/9OscNA0amwHOmmeg7CuD+5cPaxgUlbDEgMwsXwyThKVw9LHWh5DPrjV627UZyJNVVYnTmApIW9DDJqX7rkP8pGRsoQZV/Fc2tQ5uSmDE4dOxxDh/60as8FVfR4+lhURhfAfZuuSrVd84SJFWvdYNRgqtYO2s2NER4/Syj/7/qCBsujpRTidIzjSaECSDAqwjL0JVNyIwAyaqvK4jDQHiK9aZ5Zv9Xu/7cfRVaEnHoe0/Dy/ZRVpZlELC7PlbpFHEY0vQ21quPpsSJPPj1i4RMAk5QHkJb8JxV1N/Qdv+3//bk9Hr3Hr+h/RmMygmQ1Q5Pin/dIgfpzo24ITRwDU7KXo4SP0EvdjhcIDo8AAopX7hFcKh5tluvZpTSgPP9ETlhoIuwQoqtqsVzKROcM88LPnEltticEDACejVo41zuszY4sLuLfkn+x7f6tfRTGansoaxLL6Xoxs6OZWzHQ/rCHONLFg67smjbdBpEKkwGH/8yh5VzIkkGjWlui0WHCn6AYhXw6neR0WWUqGkVMw/LFd9N6Ss8PlFjAWYbpMn3DFBO/Hl3yaPz7RRqVkuT7auSrj6MB+iRN6o5INL3JW4ZdHV/7tGQHm8B+WEjq3YYw3x8U6RrIANWrXjqZEK+tU1fLNZ80oZwTz7WkaiNQuO3oYWgoUMnvOSM+aM6aVjIm5itEjmfbWuHgR4lljl2XKJb25Gp7FEbn0XGjLy+wfgNKP/ZAAlhJVD1oWwvjYJ2o,iv:JhM40qLFXoJqA/BeUjMVYL/eWdoJrPhrRyiIR3acVwM=,tag:KGtAGSOcpvS9yCO2LyKFsA==,type:str]
etc: ENC[AES256_GCM,data:8Bq1/YP4XndDv5H4SS/wT8WLQyY5JPp5oErU+RpTqgSJqlSs8Q9aCZHHzd/zhmazgGZfCiTl5xLOgSw8lB7cqRfeasE64ffiafM7,iv:6wM1510XdECx9B/EEyICQxRj8fqZ8Tv6oFMoGMynmog=,tag:0uNmZtNGs6Z7QE4dbJZegg==,type:str] etc: ENC[AES256_GCM,data:8Bq1/YP4XndDv5H4SS/wT8WLQyY5JPp5oErU+RpTqgSJqlSs8Q9aCZHHzd/zhmazgGZfCiTl5xLOgSw8lB7cqRfeasE64ffiafM7,iv:6wM1510XdECx9B/EEyICQxRj8fqZ8Tv6oFMoGMynmog=,tag:0uNmZtNGs6Z7QE4dbJZegg==,type:str]
@ -29,8 +35,8 @@ sops:
QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco
+7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A== +7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-07T08:58:15Z" lastmodified: "2023-01-11T04:39:58Z"
mac: ENC[AES256_GCM,data:5rwm+xuliaQJZb6iPc/S0zz/K6+n5iD/3UkCmDDmNXBtIakS0VRMAmzHjod/uEUxD0tf2zYuRI1K8dKcChbPwgvxJ8AVtSn//4pjLsOoikz7Cu24O049sjl0O1kRBj4BcDPopKDo0pWLV1vpputQEiSd8bYp/WXZMmfyx7SV4Ug=,iv:lsYTDf52QdPKt1miOyJkNtqyxGEttySZZM9euyB7mf8=,tag:vgRX88smognAG/rT3nUnrg==,type:str] mac: ENC[AES256_GCM,data:QUg/3MW3a7vlunhj1sTCzY2L5vLjOY9ZhTSwVujHCrN3SMcQWgyOK+m5vbdjqNwezyLKmTg8av6nTAqHwSZIKyJZLfkxKFSIzizR0IJEkf4bYrCXeQ6z/M7EaTtMbfXOEk2eNpqFuPjpErJL4vHz0e5ZYtdKvLDLUK2XvWZRKXg=,iv:1x6fim8dxMAAfmCVN7UpjqudHUpxUE3YQQLABccnXA4=,tag:Se707Qcr6ON68ymdVbLXpg==,type:str]
pgp: pgp:
- created_at: "2022-07-18T13:19:32Z" - created_at: "2022-07-18T13:19:32Z"
enc: | enc: |