encrypt backups by default
This commit is contained in:
parent
a1e2a4f64a
commit
81fc60eef8
@ -46,6 +46,25 @@ in
|
|||||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||||
../lib/ssh/pubkey
|
../lib/ssh/pubkey
|
||||||
];
|
];
|
||||||
|
|
||||||
|
systemd.tmpfiles.settings."vmsecrets" = {
|
||||||
|
"/etc/secrets/borgbackup.ssh" = {
|
||||||
|
C.argument = "${../lib/ssh/privkey}";
|
||||||
|
z = {
|
||||||
|
mode = "0400";
|
||||||
|
user = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"/etc/secrets/borgbackup.repokey" = {
|
||||||
|
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
|
||||||
|
z = {
|
||||||
|
mode = "0400";
|
||||||
|
user = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
clanCore.secretStore = "vm";
|
||||||
|
|
||||||
environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
|
environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
|
||||||
environment.etc."install-closure".source = "${closureInfo}/store-paths";
|
environment.etc."install-closure".source = "${closureInfo}/store-paths";
|
||||||
nix.settings = {
|
nix.settings = {
|
||||||
@ -58,10 +77,7 @@ in
|
|||||||
clanCore.state.test-backups.folders = [ "/var/test-backups" ];
|
clanCore.state.test-backups.folders = [ "/var/test-backups" ];
|
||||||
clan.borgbackup = {
|
clan.borgbackup = {
|
||||||
enable = true;
|
enable = true;
|
||||||
destinations.test_backup_server = {
|
destinations.test_backup_server.repo = "borg@server:.";
|
||||||
repo = "borg@server:.";
|
|
||||||
rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
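Review bot: The fixture at `C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");` writes the passphrase into the Nix store, which is world-readable, so the `mode = "0400"` on the tmpfiles copy does not restrict who can read the key on this machine; that is acceptable for a VM test but deserves a comment such as `# test fixture only: writeText places the key in the world-readable store` so the pattern is not copied into a real machine configuration. The same fixture is repeated in the borgbackup test section below, and the same remark applies there. In the second hunk the explicit `rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";` is dropped, which presumably leaves the module's default rsh (not visible in this diff) to point at `/etc/secrets/borgbackup.ssh` and to handle the unknown host key of the test server; worth confirming before merging. The enclosing module attribute set starts and ends outside the hunks.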
@ -1,7 +1,7 @@
|
|||||||
(import ../lib/test-base.nix) ({ ... }: {
|
(import ../lib/test-base.nix) ({ ... }: {
|
||||||
name = "borgbackup";
|
name = "borgbackup";
|
||||||
|
|
||||||
nodes.machine = { self, ... }: {
|
nodes.machine = { self, pkgs, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
self.clanModules.borgbackup
|
self.clanModules.borgbackup
|
||||||
self.nixosModules.clanCore
|
self.nixosModules.clanCore
|
||||||
@ -18,21 +18,27 @@
|
|||||||
clanCore.clanDir = ./.;
|
clanCore.clanDir = ./.;
|
||||||
clanCore.state.testState.folders = [ "/etc/state" ];
|
clanCore.state.testState.folders = [ "/etc/state" ];
|
||||||
environment.etc.state.text = "hello world";
|
environment.etc.state.text = "hello world";
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings."vmsecrets" = {
|
||||||
"ssh-key"."/root/.ssh/id_ed25519" = {
|
"/etc/secrets/borgbackup.ssh" = {
|
||||||
C.argument = "${../lib/ssh/privkey}";
|
C.argument = "${../lib/ssh/privkey}";
|
||||||
z = {
|
z = {
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
user = "root";
|
user = "root";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
"/etc/secrets/borgbackup.repokey" = {
|
||||||
|
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
|
||||||
|
z = {
|
||||||
|
mode = "0400";
|
||||||
|
user = "root";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
clanCore.secretStore = "vm";
|
||||||
|
|
||||||
clan.borgbackup = {
|
clan.borgbackup = {
|
||||||
enable = true;
|
enable = true;
|
||||||
destinations.test = {
|
destinations.test.repo = "borg@localhost:.";
|
||||||
repo = "borg@localhost:.";
|
|
||||||
rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
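Review bot: Nothing in this test section verifies that the repository is actually encrypted after the change; the hunks only wire the `borgbackup.repokey` secret into `/etc/secrets` and rename the tmpfiles group, so a regression back to an unencrypted default would still pass. The test script is outside this diff so I cannot see what it asserts, but a check that `borg info` on the repository reports repokey encryption would pin the commit's intent. The removed `rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";` line leaves host-key handling for `borg@localhost` to the module default, which is not visible here; worth confirming the first connection still succeeds non-interactively. The `nodes.machine` module continues outside the hunks.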
@ -37,7 +37,6 @@ in
|
|||||||
exclude = [ "*.pyc" ];
|
exclude = [ "*.pyc" ];
|
||||||
repo = dest.repo;
|
repo = dest.repo;
|
||||||
environment.BORG_RSH = dest.rsh;
|
environment.BORG_RSH = dest.rsh;
|
||||||
encryption.mode = "none";
|
|
||||||
compression = "auto,zstd";
|
compression = "auto,zstd";
|
||||||
startAt = "*-*-* 01:00:00";
|
startAt = "*-*-* 01:00:00";
|
||||||
persistentTimer = true;
|
persistentTimer = true;
|
||||||
@ -45,6 +44,11 @@ in
|
|||||||
set -x
|
set -x
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
encryption = {
|
||||||
|
mode = "repokey";
|
||||||
|
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
|
||||||
|
};
|
||||||
|
|
||||||
prune.keep = {
|
prune.keep = {
|
||||||
within = "1d"; # Keep all archives from the last day
|
within = "1d"; # Keep all archives from the last day
|
||||||
daily = 7;
|
daily = 7;
|
||||||
@ -57,10 +61,12 @@ in
|
|||||||
clanCore.secrets.borgbackup = {
|
clanCore.secrets.borgbackup = {
|
||||||
facts."borgbackup.ssh.pub" = { };
|
facts."borgbackup.ssh.pub" = { };
|
||||||
secrets."borgbackup.ssh" = { };
|
secrets."borgbackup.ssh" = { };
|
||||||
generator.path = [ pkgs.openssh pkgs.coreutils ];
|
secrets."borgbackup.repokey" = { };
|
||||||
|
generator.path = [ pkgs.openssh pkgs.coreutils pkgs.xkcdpass ];
|
||||||
generator.script = ''
|
generator.script = ''
|
||||||
ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
|
ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
|
||||||
mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
|
mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
|
||||||
|
xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
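Review bot: The generator line `xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey` yields a four-word passphrase, roughly 50 bits with the default word list, which is on the short side for `repokey` mode where the key lives inside the repository and the passphrase is the only barrier for whoever holds the repository (including the backup server); consider `xkcdpass -n 6 -d -` or a comment recording the chosen tradeoff. Changing the default from `encryption.mode = "none"` to `repokey` in the earlier hunks does not re-encrypt repositories that were already initialised without encryption, so existing deployments presumably need a migration; the commit message should say so. A comment next to `passCommand`, e.g. `# losing this secret makes every backup unreadable; keep a copy outside the backup host`, would warn operators that the key material is unrecoverable without it. The enclosing attribute sets in all three hunks start and end outside the diff.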