Setup borg backup on fusion

2022-11-29 00:22:23 -05:00 · 2022-11-29 00:22:23 -05:00 · ff2e176b1b
parent d33096c296
commit ff2e176b1b
3 changed files with 52 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -25,6 +25,11 @@ creation_rules:
      - age:
          - *nathan
          - *levitation
+  - path_regex: secrets/fusion
+    key_groups:
+      - age:
+          - *nathan
+          - *fusion
  - path_regex: secrets/oracles
    key_groups:
      - age:
--- a/machines/fusion/configuration.nix
+++ b/machines/fusion/configuration.nix
@ -2,7 +2,16 @@

 {
  # Sops setup for this machine
-  sops.secrets = { };
+  sops.secrets = {
+    "borg-ssh-key" = {
+      sopsFile = ../../secrets/levitation/borg.yaml;
+      format = "yaml";
+    };
+    "borg-password" = {
+      sopsFile = ../../secrets/levitation/borg.yaml;
+      format = "yaml";
+    };
+  };
  # Setup system configuration
  nathan = {
    services = {
@ -10,6 +19,12 @@
        enable = true;
        acme = true;
      };
+      borg = {
+        enable = true;
+        extraExcludes = [ "/var/log" ];
+        passwordFile = config.sops.secrets."borg-password".path;
+        sshKey = config.sops.secrets."borg-ssh-key".path;
+      };
    };
    config = {
      setupGrub = false;
--- a/secrets/fusion/borg.yaml
+++ b/secrets/fusion/borg.yaml
@ -0,0 +1,31 @@
+borg-ssh-key: ENC[AES256_GCM,data:J7QYJM5TI+m8uuqYU0xoWoEWV+c+QKAgWyXLhmoOZUiWTfiExqSLRlTvGYPKxoU7aGVediVTOfr7vSE3YbD40rxSj386xPTZPNmwlq29fuhNX4PXbDjNVKaVHpcLkC60doxnrM2DojVxuOY1jw9evB0nNhi/2Ex+eF73o3IX9q19ulUeMLS/DxvkuospeVasXnjH1VrWmgIf0C325bmF1yIA7C7IT2uDQFbkl/ch+R3EYE5LY9PiKZ1y0FbPUaGBxYZaPT8LHzRY10PS8Xz9ac3HoyW/7y1roWa5bqDRaSz4B4D4KYcGmHMrvqGdzTzu5/ctUdVMutwYlIYihm6s3AgglbjION1aYUJkJ96Dbhs3dALiGLfS1AVW16KBl648CBNek2Orwr27XmaOZBMED42cZnamANBSyW1peLIuPK0A/PrKw04R2UqZCfSXoclwFcnOi5O95Fx+ZH4kmVgAqH95CkmykfUjwdQdClCQEGEMjXo7fjzTmpc8W68wTvhOppfCnNYRAGHtGFICmEgXReMnzhHJ7d4CM0yY,iv:OtvnfkqCVGjZAnfAAHnfL+nTwccQHY/OsHfs8ILjZy8=,tag:TxZMP4MiED9vdqLy0X5vsQ==,type:str]
+borg-password: ENC[AES256_GCM,data:Mi5s3MakaN+YBUS0hJEgBi/KdftWFec4FucsEnMBrpBXsqYwpqrYelEejR0hyfKdLt2lAkmm,iv:/8Nhr4vv+IVJh5+odXE2e/u0ixRdGvnPh3FO58y9fFA=,tag:vm18v7nOJIr3gU92f7PvKQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3V01sRCtCU2tpdmhYaVQ1
+            SDZkd0RzTk1JSjNKTEo5MHF0aHlxczdlN1JvCnQyYVFiS1l5OXZhU3NFQjZtYkxR
+            UXpCR3czWkdDanpTNjMyd2cwcW8wVE0KLS0tIHZoZUtpTWEveFM5R2J6Y3h5KzI0
+            ZTdWejJIM1BOQ0VlUEU2MTBxQTFkc2sKs5FVtMLLBbC+3IM17xNzEKxrb7+5jO35
+            AeC+fy+ygwfTVTvlfZirE2WlaVtxsOHLHCyO8YUXH76nEJ7BmK0etA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fe57fel46lk5n9t34lh5nl909gk88trwy9ttgxqk3up9d83wxsnsdmuu3a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNjltdHhzeForM1lsVVVs
+            Y0I2TzZJNTRQSjBCT3N1VUhPY3ZoalVSbUMwCmJySmtDUzhXNUhWeGhkNklOOVJq
+            SlpONzBjRzFOWlhmZW94TUYyTE1oMjgKLS0tIDBBSDIyc3pCbEsrTm9sQ3NMSUZt
+            alhxa2lSOG4rdkphR0Jray9qaEpxZjgKXSvvWbMM+vo1giYzXLzJCgLyPiMdolqt
+            MgvmvazUyPsrli5SgjoaqsTc4Lc8Bk3b8dYVDEvhrYcFUOnLWkYc5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-29T05:17:22Z"
+    mac: ENC[AES256_GCM,data:fP8oCY8+tUY2cNWGepiSVmKeRZjfr0GB9H7BKUL+Y5mKW4Wa8Pn1LVfKyVQJXR7aLIQh60HFekIdxOoHzGbfKF4zePvQ/zduuNAIMBtcGMucXdrbbCzG7dxeYORQaT9Ggap+r8rsHRYNWMDuygiVJS+dD5CazWRzpK4PHGbXSZw=,iv:lbFzydL3BbgXGuYh0fYqQlJfOvB9zkMbosUwO3QF7yY=,tag:RSNnNmUvYpfteLBDtls8LQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3