From b52f0ea460efab6a329baa5909f661e5c0387db8 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Fri, 10 Jun 2022 18:58:36 -0400 Subject: [PATCH] Setup borg on levitation --- machines/levitation.nix | 68 ++++++++++++++++++++++++++++++++++++++--- secrets/borg.yaml | 67 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 130 insertions(+), 5 deletions(-) create mode 100644 secrets/borg.yaml diff --git a/machines/levitation.nix b/machines/levitation.nix index 00d24d2..7983af9 100644 --- a/machines/levitation.nix +++ b/machines/levitation.nix @@ -1,20 +1,25 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, config, ... }: { - # Define the hostname, enable dhcp + ### + ## Define the hostname, enable dhcp + ### networking = { hostName = "levitation"; domain = "mccarty.io"; useDHCP = false; interfaces.enp5s0.useDHCP = true; }; - - # Enable programs we don't want on every machine + ### + ## Enable programs we don't want on every machine + ### programs = { steam.enable = true; adb.enable = true; }; - # Firewall ports + ### + ## Firewall ports + ### # 61377 - SoulSeek # Enable firewall and pass some ports networking.firewall = { @@ -23,7 +28,9 @@ allowedUDPPorts = [ 61377 ]; }; + ### ## Machine specific home-manager + ### home-manager.users.nathan = { # Sway outputs wayland.windowManager.sway.config = { 
@@ -57,4 +64,55 @@
 output = "DP-3";
 };
 };
+
+ ###
+ ## Borg Backups
+ ###
+
+ # Install borg
+ environment.systemPackages = with pkgs; [
+ borgbackup
+ ];
+ # Setup sops
+ sops.secrets."borg-sshKey" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ sops.secrets."borg-levitationPassword" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ # Setup the job
+ services.borgbackup.jobs = {
+ remote_backup = {
+ paths = [
+ "/home"
+ "/var"
+ "/etc"
+ ];
+ exclude = [
+ "*/.cache"
+ "*/.tmp"
+ "/home/nathan/Projects/*/target"
+ "/home/nathan/Work/*/target"
+ "/home/nathan/.local/share/Steam"
+ "/home/nathan/Downloads"
+ "/home/nathan/Music"
+ ];
+ repo = "de1955@de1955.rsync.net:computers/levitation";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg-levitationPassword".path}";
+ };
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
+ compression = "auto,zstd";
+ startAt = "hourly";
+ prune.keep = {
+ within = "7d"; # Keep all archives for the past week
+ daily = 1; # Keep 1 snapshot a day for 2 weeks
+ weekly = 4; # Keep 1 snapshot a week for 4 weeks
+ monthly = -1; # Keep unlimited monthly backups
+ };
+ };
+ };
 }
diff --git a/secrets/borg.yaml b/secrets/borg.yaml
new file mode 100644
index 0000000..50cc9f9
--- /dev/null
+++ b/secrets/borg.yaml
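Review bot: In `prune.keep`, `daily = 1;` contradicts its own comment ("Keep 1 snapshot a day for 2 weeks"): that value keeps a single daily archive, so two weeks of dailies needs `daily = 14;`, or the comment should be corrected to say what is actually retained. `environment.BORG_RSH = "ssh -i …"` supplies only the identity file and nothing in this hunk pins the rsync.net host key; unless that is declared elsewhere in the configuration, the hourly unattended job either fails host-key verification or depends on a trust-on-first-use entry in the job user's known_hosts, so a `programs.ssh.knownHosts` entry for the host (and `-o IdentitiesOnly=yes` in `BORG_RSH`) is worth adding. The same key and passphrase that create archives also prune them, so it is worth confirming that the repository is protected on the remote side (provider snapshots or an append-only arrangement) against deletion from a compromised levitation.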
@@ -0,0 +1,67 @@ +borg-sshKey: ENC[AES256_GCM,data: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,iv:gHr+vtcY99MgSy9IiMmxy3mlOjcOJ4oN5NS3doNAXwo=,tag:AOaE2qHv5NalE7J/NVXQjw==,type:str] +borg-levitationPassword: ENC[AES256_GCM,data:nAtAlhmv6NAE88f81BeroMnMd/lr7ZnUTmLlAMtn4/ML8TuiZjijCJ4LiUSg5FLeWmDEALUN5g/T,iv:2qoF4mw/sbitLmticTsKndcYdV2B+6YjXjKHJr591nk=,tag:ENPk7gm3tmVOSgzfrn7Vag==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajVrQjRjemFTNTdBOTFn + bTN4TjVoT0hpd3RvUFRwSkdPZzhzNWJ4dWtVCkFSd2lvSE5BLzlGVmhYb3BFMXM1 + dlZiOFdCUnZ5UExZMkpqSDFPemRITFkKLS0tIFdLZU96YjNZN1FiRTBpN3R6c0RJ + Z3JBZWM3RTdqcG44M0RBYXJDci9MUG8KKzI86Y2gYYyhKHK+H5U3aoJuU2a+RiRz + pulu06DWlL6R3e4HUDTpe0m1/RHwYxE8ap+WgVlq7jvG0STZV2a6pg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b0M2WkNPRzI3YW15cHYz + TUcwUGt0bldSV3REKzF4dkk2anVLTjFCbGdvCnNJbWpONjJXU3dBaG1Za0tQS0Uw + engwS0RWRnVCRmdDaGx1UElsNVdZWjQKLS0tIGp2K1BsL0RlaFFzWTdKQmV3NnVa + c1ZONlRic2xBUzhTVVZYMWpGRWJ3bncK829TyEoxOAjmbdAJEZpmt+sW66bpVUgY + njlFpVrwAjLe49RezMelWbfI+ZIlL5+eKvoMzaG3te9daTxPjRoaVQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQkRtS3lyUG9xK3laNndP + V2hOVXMvSmpRKzBqeW43Y01vS2VBRWFQK2xJCk9zQXgzSUFEd1BkcjhicXFpQ3hI + KzhYMXlZaFcrcGx0VG05ZEl4eWttY0kKLS0tIE1saUV4WHNKVC9ocHIzV2JTWENs + M0FqdDF2TU5JY3RwM2lXZEg4SVlscG8KoPu3vxd5watGkeKBPcwnfY79n27RKtre + zZDkeCldJNaIsvX2PPjm3NKUdUjVG1m8m8bQrvq0e4IAWkBwOFjUrA== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTTJ4Mm9rZklxWlcraW5C + TUl5UVp1eUxkd0Mxamh5YVpQN0ZxMU83TVRvCmlvMWd0MFc2c3htWllySVRZcWYz + UjNLQkUwVG1Kb0tMb1J0ZHpSMnJDU1kKLS0tIHVIR1cxTXRoSUJtRllsYlk5c3FS + dzNxQzl0VGVsZExhL05vcWJiSzk2c0kKsU5nsgBcKh8EdrTYco6FvVRkk+8tUVtu + gltw8yhYC3TmbdsW185KIDMCxaX8btWmtBKoQk7RiSlHNgcNn+ebbg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QTl5blVHUjZYdGdLY00w + aCtYalhVNzFsYlJSZmRPTVpGSmRoSkg5YnhnCmVlbCtka2lUck42MmZIRGkyQ2RC + NWQ5OW5Wc1liOWplbGtXbWxDZHlQQUUKLS0tIG1nOEpjcHpaZjRpM3ZEa3hlSDZL + K2JPTDBMemdyZU9RU0JzRDZFQ2hLZ1EKJrV5DVDw/zqvZ3fzDPc2xcQjGzFy+2pn + Y5yO+fQJC6mrrIQiQG1Jhl6RZNXPgI02f/iJKodDZ33QTc1e9/916w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeUttdmhEalQ4R0EwbXVH + azZrMmx0Q1p5K2ZTTXM3RTQzWWZlNUV6cmhRCmppdGExTmU0aGF3Rk9lS3hnOHd4 + cStBejlrZU42OHJJbEVKblppUUgvdmsKLS0tIGo5YkJGdkdFUGxta3k5aGVGRGRk + WmhzcngwekJ1UzJQNzBwNU9Kb3FLNzQKgWC/Pruek+lfMtyj8M1s88l46emKVqV/ + nO3VxonQywOz1QaNEBODNTwly48MzNREwV1bUZy4DBAeraG4O3fRFg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-06-10T22:53:54Z" + mac: ENC[AES256_GCM,data:ZCTwUX3m4BPjJxMzaTmG1FNFmxJ+rO/5aKe8AB/Fca2Ut5V6GccrpnjVx43ccNSTibDEgdxvUPtAZRLZ0nZXsAFE1tI5KoCk5XxzhCddmG0gkrMDpt2bgnv+eNgwU5fpMNu1+IdwnUf9ut4LaJBtpojDQjM9wWpcVMAJKTfh83Y=,iv:M5SWFxX2anu7yoUd3S3HZ98LfzQrr20CHtX3KR9GI1U=,tag:/BXJkqtLT83AnuA6fZWQVg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3