diff options
Diffstat (limited to 'nix-conf/machines/edrahil')
| -rw-r--r-- | nix-conf/machines/edrahil/configuration.nix | 117 | ||||
| -rw-r--r-- | nix-conf/machines/edrahil/network-configuration.nix | 2 | ||||
| -rw-r--r-- | nix-conf/machines/edrahil/secrets.yaml | 31 |
3 files changed, 144 insertions, 6 deletions
diff --git a/nix-conf/machines/edrahil/configuration.nix b/nix-conf/machines/edrahil/configuration.nix index d78c2a8..a1bc8e3 100644 --- a/nix-conf/machines/edrahil/configuration.nix +++ b/nix-conf/machines/edrahil/configuration.nix @@ -3,6 +3,7 @@ imports = [ ./hardware-configuration.nix ./network-configuration.nix + <sops-nix/modules/sops> ]; boot.tmp.cleanOnBoot = true; @@ -17,6 +18,16 @@ ]; }; + sops = { + defaultSopsFile = builtins.path { + path = /etc/nixos/secrets.yaml; + name = "edrahil-secrets.yaml"; + }; + secrets.restic_password = { + owner = config.users.users.djm.name; + }; + }; + services.openssh = { enable = true; ports = [ 2222 ]; @@ -38,10 +49,95 @@ services.sshguard.enable = true; services.oidentd.enable = true; - services.locate = { - enable = true; - package = pkgs.plocate; - localuser = null; + services.locate.enable = true; + + services.restic = { + backups = { + hb = { + paths = [ "${config.users.users.djm.home}" ]; + repository = "sftp:djm@hb-backup:/home/djm/backup/edrahil"; + initialize = true; + user = "djm"; + environmentFile = "/etc/restic-environment"; + passwordFile = config.sops.secrets.restic_password.path; + timerConfig = { + OnCalendar = "02:25"; + RandomizedDelaySec = "20min"; + }; + exclude = [ + "irclogs" + ".cache" + ".config" + ".directory_history" + ".local" + "nixpkgs" + ]; + extraBackupArgs = [ + "--compression=max" + ]; + pruneOpts = [ + "--keep-daily 5" + "--keep-weekly 2" + "--keep-monthly 3" + ]; + }; + bs = { + paths = [ "${config.users.users.djm.home}" ]; + repository = "sftp:djm@bs-backup:/home/djm/backup/edrahil"; + initialize = true; + user = "djm"; + environmentFile = "/etc/restic-environment"; + passwordFile = config.sops.secrets.restic_password.path; + timerConfig = { + OnCalendar = "03:15"; + RandomizedDelaySec = "20min"; + }; + exclude = [ + "irclogs" + ".cache" + ".config" + ".directory_history" + ".local" + "nixpkgs" + ]; + extraBackupArgs = [ + "--compression=max" + ]; + pruneOpts = [ + "--keep-daily 5" + "--keep-weekly 2" + "--keep-monthly 3" + ]; + }; + tt = { + paths = [ "${config.users.users.djm.home}" ]; + repository = "sftp:djm@tt-backup:/home/djm/backup/edrahil"; + initialize = true; + user = "djm"; + environmentFile = "/etc/restic-environment"; + passwordFile = config.sops.secrets.restic_password.path; + timerConfig = { + OnCalendar = "04:05"; + RandomizedDelaySec = "20min"; + }; + exclude = [ + "irclogs" + ".cache" + ".config" + ".directory_history" + ".local" + "nixpkgs" + ]; + extraBackupArgs = [ + "--compression=max" + ]; + pruneOpts = [ + "--keep-daily 5" + "--keep-weekly 2" + "--keep-monthly 3" + ]; + }; + }; }; time.timeZone = "Europe/London"; @@ -77,7 +173,18 @@ programs.zsh.enable = true; - programs.vim.defaultEditor = true; + programs.vim = { + enable = true; + defaultEditor = true; + }; + + environment.etc = { + "restic-environment" = { + text = '' + RESTIC_COMPRESSION=max + ''; + }; + }; environment.systemPackages = with pkgs; [ #procmail diff --git a/nix-conf/machines/edrahil/network-configuration.nix b/nix-conf/machines/edrahil/network-configuration.nix index b8ce55f..4b85912 100644 --- a/nix-conf/machines/edrahil/network-configuration.nix +++ b/nix-conf/machines/edrahil/network-configuration.nix @@ -6,7 +6,7 @@ # Emulate nix-sops. Technically an anti-pattern, but IP addresses aren't real secrets, and this has to be embedded here, # as we cannot set a file path to read it from. # Populate/update with: - # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["ipv6_address"]' secrets/edrahil.yaml | doas tee /root/.config/secrets/ipv6_address + # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["ipv6_address"]' machines/edrahil/secrets.yaml | doas tee /root/.config/secrets/ipv6_address address = builtins.readFile "/root/.config/secrets/ipv6_address"; prefixLength = 64; } diff --git a/nix-conf/machines/edrahil/secrets.yaml b/nix-conf/machines/edrahil/secrets.yaml new file mode 100644 index 0000000..1f4c31e --- /dev/null +++ b/nix-conf/machines/edrahil/secrets.yaml @@ -0,0 +1,31 @@ +ipv6_address: ENC[AES256_GCM,data:CGQWUSuwmucIEwtlLK0FodXOWjM=,iv:ZLPiACwjOmes+FbezZKjjwUETujhTbT++4zCuoptpkY=,tag:VjMtetJhRDlJXdKAmJlOxQ==,type:str] +restic_password: ENC[AES256_GCM,data:2sxeUDRdh9cPv0ACY9EIP7JcmPFo/w==,iv:bkA/FW82l5gSEOZPtVhSNoATmoJf07kC0FJLAcXFkZU=,tag:PbDY039oBas7CvK8RaFRkA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvUGNnbm1Jemc5dVZYM01h + R0h4RlRpVnU1ZGxyL3V2TXdYS2JUSHFNTm1BCjJxdlFFbURjdXBaNjNUdldXNkJy + blZYRkhkZUgxR0lST2MxM3hENUhiQkEKLS0tIDhvYjhpRnpIVnVmV0VoTDFNOXIx + RlB1dXVsdEhETTNUdTRIbGxIMGNFSEkKqeafOyRg3F9dtENNnH5DhJzJU+AEEqrV + nfndOlVQe0G/e8SUzUYjVtD6V6Hj/x8OxN6FSOfZnNFNFHQgJ42jFg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSGIvTjdEZGdGWm9ldnow + RGxnZ3RhMmthQXFhOCtaNUk1UGhYSytQdkFnCmY3UUxWVFJKeDE5eG9GNktobndz + UjBLOFBNWmFXSmJ2akRDYitsZm9TcmMKLS0tIDZoTGFxSWpwWmFTNjN6b2Q2T2Y3 + Qm1PWnAvZGcxWGZjcnE4QWJZaDE2cGMKOAfTIipI68eJnOnvpQyLCOyH1KAWd/d/ + SLnJQ+rmh9onA/znahB7Pn3LQtfKLNBADVtwLIuPID0FcgUW7nlOiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-17T13:43:53Z" + mac: ENC[AES256_GCM,data:lVMbjnDvwlw72CiixJkEXCO7a20DYi4zKA8JTf0kSVQR/xjr9WbLpyllNq9Ex+eca/X0yaHBYjyOnBBpgz1h5o4i5iq738VXOEqD9v5BMdOrVmmDNnVcTAXqmWZGE7/pGmkiKef/iXOyJT2vsrrYR0vhgrvo/0WXce1YLUA4NTs=,iv:Y1w/llSNDry+PWz4oA/0MBJ+Ra6ceC1ZHMKb+CPCvE0=,tag:r2RR6ZfGL9TYwHtV9auL3A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 |