From ff2e176b1b34d5f5dbd108b566f80ce561786d9f Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Tue, 29 Nov 2022 00:22:23 -0500 Subject: [PATCH] Setup borg backup on fusion --- .sops.yaml | 5 +++++ machines/fusion/configuration.nix | 17 ++++++++++++++++- secrets/fusion/borg.yaml | 31 +++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 secrets/fusion/borg.yaml diff --git a/.sops.yaml b/.sops.yaml index 2fa8313..84c46fb 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -25,6 +25,11 @@ creation_rules: - age: - *nathan - *levitation + - path_regex: secrets/fusion + key_groups: + - age: + - *nathan + - *fusion - path_regex: secrets/oracles key_groups: - age: diff --git a/machines/fusion/configuration.nix b/machines/fusion/configuration.nix index b24dc8f..62eba83 100644 --- a/machines/fusion/configuration.nix +++ b/machines/fusion/configuration.nix @@ -2,7 +2,16 @@ { # Sops setup for this machine - sops.secrets = { }; + sops.secrets = { + "borg-ssh-key" = { + sopsFile = ../../secrets/levitation/borg.yaml; + format = "yaml"; + }; + "borg-password" = { + sopsFile = ../../secrets/levitation/borg.yaml; + format = "yaml"; + }; + }; # Setup system configuration nathan = { services = { @@ -10,6 +19,12 @@ enable = true; acme = true; }; + borg = { + enable = true; + extraExcludes = [ "/var/log" ]; + passwordFile = config.sops.secrets."borg-password".path; + sshKey = config.sops.secrets."borg-ssh-key".path; + }; }; config = { setupGrub = false; diff --git a/secrets/fusion/borg.yaml b/secrets/fusion/borg.yaml new file mode 100644 index 0000000..b730a7d --- /dev/null +++ b/secrets/fusion/borg.yaml 
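Review bot: The new rule's `path_regex: secrets/fusion` has no trailing slash and no anchor, so it matches any path that merely contains that string (a later `secrets/fusion-old/...`, for example). Files there would be encrypted to the fusion host key without anyone having decided that. Writing it as `path_regex: secrets/fusion/` narrows it to the directory; the `secrets/oracles` rule visible in the context has the same shape. The `*fusion` alias relies on an anchor defined above this hunk, which the diff does not show.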
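Review bot: Both new entries in `sops.secrets` on fusion set `sopsFile = ../../secrets/levitation/borg.yaml;`, while this commit creates `secrets/fusion/borg.yaml` and never references it. The rule just above the new one in `.sops.yaml` lists only `*nathan` and `*levitation` as recipients, presumably for the levitation secrets, so fusion's key would not be able to decrypt that file at activation. If it could, fusion would be reusing levitation's borg SSH key and passphrase, and a compromise of either host would expose the other's backup credentials. Both entries should read `sopsFile = ../../secrets/fusion/borg.yaml;`. The enclosing attribute set continues past the end of the hunk.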
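Review bot: `extraExcludes = [ "/var/log" ];` leaves this host's logs out of the backup with no comment saying why. Assuming the module passes these paths to borg as excludes (its definition is not in this diff), there is no borg copy of the logs to investigate from after a disk loss or after local logs are wiped. If that is deliberate, record it next to the line, e.g. `# /var/log is intentionally not backed up; logs cannot be restored from borg`, and otherwise drop the exclude. The `borg` attribute set sits inside `nathan.services`, which opens above this hunk.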
@@ -0,0 +1,31 @@ +borg-ssh-key: ENC[AES256_GCM,data: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,iv:OtvnfkqCVGjZAnfAAHnfL+nTwccQHY/OsHfs8ILjZy8=,tag:TxZMP4MiED9vdqLy0X5vsQ==,type:str] +borg-password: ENC[AES256_GCM,data:Mi5s3MakaN+YBUS0hJEgBi/KdftWFec4FucsEnMBrpBXsqYwpqrYelEejR0hyfKdLt2lAkmm,iv:/8Nhr4vv+IVJh5+odXE2e/u0ixRdGvnPh3FO58y9fFA=,tag:vm18v7nOJIr3gU92f7PvKQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3V01sRCtCU2tpdmhYaVQ1 + SDZkd0RzTk1JSjNKTEo5MHF0aHlxczdlN1JvCnQyYVFiS1l5OXZhU3NFQjZtYkxR + UXpCR3czWkdDanpTNjMyd2cwcW8wVE0KLS0tIHZoZUtpTWEveFM5R2J6Y3h5KzI0 + ZTdWejJIM1BOQ0VlUEU2MTBxQTFkc2sKs5FVtMLLBbC+3IM17xNzEKxrb7+5jO35 + AeC+fy+ygwfTVTvlfZirE2WlaVtxsOHLHCyO8YUXH76nEJ7BmK0etA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fe57fel46lk5n9t34lh5nl909gk88trwy9ttgxqk3up9d83wxsnsdmuu3a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNjltdHhzeForM1lsVVVs + Y0I2TzZJNTRQSjBCT3N1VUhPY3ZoalVSbUMwCmJySmtDUzhXNUhWeGhkNklOOVJq + SlpONzBjRzFOWlhmZW94TUYyTE1oMjgKLS0tIDBBSDIyc3pCbEsrTm9sQ3NMSUZt + alhxa2lSOG4rdkphR0Jray9qaEpxZjgKXSvvWbMM+vo1giYzXLzJCgLyPiMdolqt + MgvmvazUyPsrli5SgjoaqsTc4Lc8Bk3b8dYVDEvhrYcFUOnLWkYc5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-29T05:17:22Z" + mac: ENC[AES256_GCM,data:fP8oCY8+tUY2cNWGepiSVmKeRZjfr0GB9H7BKUL+Y5mKW4Wa8Pn1LVfKyVQJXR7aLIQh60HFekIdxOoHzGbfKF4zePvQ/zduuNAIMBtcGMucXdrbbCzG7dxeYORQaT9Ggap+r8rsHRYNWMDuygiVJS+dD5CazWRzpK4PHGbXSZw=,iv:lbFzydL3BbgXGuYh0fYqQlJfOvB9zkMbosUwO3QF7yY=,tag:RSNnNmUvYpfteLBDtls8LQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3