encrypt backups by default

This commit is contained in:
Jörg Thalheim 2024-02-22 14:50:07 +01:00
parent a1e2a4f64a
commit 81fc60eef8
3 changed files with 41 additions and 13 deletions


@ -46,6 +46,25 @@ in
users.users.root.openssh.authorizedKeys.keyFiles = [
../lib/ssh/pubkey
];
systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/borgbackup.ssh" = {
C.argument = "${../lib/ssh/privkey}";
z = {
mode = "0400";
user = "root";
};
};
"/etc/secrets/borgbackup.repokey" = {
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
z = {
mode = "0400";
user = "root";
};
};
};
clanCore.secretStore = "vm";
environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
environment.etc."install-closure".source = "${closureInfo}/store-paths";
nix.settings = {
@ -58,10 +77,7 @@ in
clanCore.state.test-backups.folders = [ "/var/test-backups" ];
clan.borgbackup = {
enable = true;
destinations.test_backup_server = {
repo = "borg@server:.";
rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
};
destinations.test_backup_server.repo = "borg@server:.";
};
};
};
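Review bot: The test repokey at `C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");` is written into the Nix store, which is world-readable, so the `mode = "0400"` on the tmpfiles copy protects nothing; that is fine for a fixed VM fixture, but the line deserves a comment such as `# test-only passphrase; writeText places it in the world-readable store` so the pattern is not copied into a real host configuration. The same block appears verbatim in the borgbackup test (nodes.machine) later in this commit, where the comment applies as well. The second hunk drops the per-destination `rsh` that passed `-o StrictHostKeyChecking=no`; since the checks pass, the module presumably supplies a default rsh now, but that default is outside this diff, so a reader of this test cannot see how the VM reaches `borg@server:.`.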


@ -1,7 +1,7 @@
(import ../lib/test-base.nix) ({ ... }: {
name = "borgbackup";
nodes.machine = { self, ... }: {
nodes.machine = { self, pkgs, ... }: {
imports = [
self.clanModules.borgbackup
self.nixosModules.clanCore
@ -18,21 +18,27 @@
clanCore.clanDir = ./.;
clanCore.state.testState.folders = [ "/etc/state" ];
environment.etc.state.text = "hello world";
systemd.tmpfiles.settings = {
"ssh-key"."/root/.ssh/id_ed25519" = {
systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/borgbackup.ssh" = {
C.argument = "${../lib/ssh/privkey}";
z = {
mode = "0400";
user = "root";
};
};
"/etc/secrets/borgbackup.repokey" = {
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
z = {
mode = "0400";
user = "root";
};
};
};
clanCore.secretStore = "vm";
clan.borgbackup = {
enable = true;
destinations.test = {
repo = "borg@localhost:.";
rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
};
destinations.test.repo = "borg@localhost:.";
};
}
];
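Review bot: The `systemd.tmpfiles.settings."vmsecrets"` block, from `"/etc/secrets/borgbackup.ssh" = {` through its closing `};`, is a byte-for-byte copy of the one added to the other test in this commit; both tests already pull `../lib/test-base.nix` and `../lib/ssh/privkey`, so the fixture could live once under `../lib/` and be imported, e.g. `imports = [ ../lib/vm-secrets.nix ];` (name illustrative). With two copies, the next change to the secret layout, such as the path under `/etc/secrets`, has to be made in both places. The `{ self, pkgs, ... }` change in the first hunk exists only to reach `pkgs.writeText` and would move into the shared module too.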


@ -37,7 +37,6 @@ in
exclude = [ "*.pyc" ];
repo = dest.repo;
environment.BORG_RSH = dest.rsh;
encryption.mode = "none";
compression = "auto,zstd";
startAt = "*-*-* 01:00:00";
persistentTimer = true;
@ -45,6 +44,11 @@ in
set -x
'';
encryption = {
mode = "repokey";
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
};
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
@ -57,10 +61,12 @@ in
clanCore.secrets.borgbackup = {
facts."borgbackup.ssh.pub" = { };
secrets."borgbackup.ssh" = { };
generator.path = [ pkgs.openssh pkgs.coreutils ];
secrets."borgbackup.repokey" = { };
generator.path = [ pkgs.openssh pkgs.coreutils pkgs.xkcdpass ];
generator.script = ''
ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey
'';
};