Merge pull request 'cpu-fix' (#30) from cpu-fix into main

Reviewed-on: #30

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689793660,
-        "narHash": "sha256-aPGhep6kAcFFbHQWf4pWZHcxf7osGtznEmyCjgAJ+iY=",
+        "lastModified": 1689943059,
+        "narHash": "sha256-DXBCl0n4yLwY8OmrZDFWD3vxyzs2tSAv+iu1h6vebOA=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "774ce7df25538bd73a8d456e0828907fa6b62572",
+        "rev": "f2248036d2aeb61690903130458b4e7f975b1c78",
         "type": "github"
       },
       "original": {

modules/web01/borgbackup.nix

@@ -3,13 +3,26 @@
 
   # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
   sops.secrets.hetzner-borgbackup-ssh = { };
+  # Also enable ssh support in the storagebox web interface.
+  # By default the storage box is only accessible from the hetzner network.
   # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
+  # $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
   sops.secrets.hetzner-borgbackup-passphrase = { };
 
   systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
     "/var/log/telegraf"
   ];
 
+  # Run this from the hetzner network:
+  # ssh-keyscan -p 23 u359378.your-storagebox.de
+  programs.ssh.knownHosts = {
+    storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
+    storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
+
+    storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
+    storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+  };
+
   services.borgbackup.jobs.clan-lol = {
     paths = [
       "/home"
@@ -37,8 +50,18 @@
       "/var/log"
     ];
     repo = "u359378@u359378.your-storagebox.de:/./borgbackup";
+
+    # Disaster recovery:
+    # get the backup passphrase and ssh key from the sops and store them in /tmp
+    # $ export BORG_PASSCOMMAND='cat /tmp/hetzner-borgbackup-passphrase'
+    # $ export BORG_REPO='u359378@u359378.your-storagebox.de:/./borgbackup'
+    # $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh' 
+    # $ borg list
+    # web01-clan-lol-2023-07-21T14:12:22   Fri, 2023-07-21 14:12:27 [539b1037669ffd0d3f50020f439bbe2881b7234910e405eafc333125383351bc]
+    # $ borg mount u359378@u359378.your-storagebox.de:/./borgbackup::web01-clan-lol-2023-07-21T14:12:22 /tmp/backup
+    doInit = true;
     encryption = {
-      mode = "repokey";
+      mode = "repokey-blake2";
       passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
     };
     compression = "auto,zstd";

targets/web01/secrets.yaml

@@ -1,4 +1,5 @@
 cryptsetup_key: ENC[AES256_GCM,data:79qOTOi4ftTmIWuc/7bFf3NXaa2Fs6mTUfji,iv:xq9HM2uB4rr75qeZEAh2pFvEDAtXdFhsrT/manI7RqM=,tag:iELo+UHSplsQWIK9aQ+uMw==,type:str]
+hetzner-storagebox-password: ENC[AES256_GCM,data:vmH1NlKTuEDGb1F3Ni0PSDk=,iv:0q3vngK4SvjjPVHTGTBmpU+bdBc7IyY90EL3zJsf+BQ=,tag:iWqmuT6IJgVG8yPT6YZzUQ==,type:str]
 hetzner-borgbackup-ssh: ENC[AES256_GCM,data:/x2bRdkv6Q7ymBmiedK0eV+FxKAS3R192KjReIvixLvPLOZFr9ajFy0mHSZiDjjzPn7vaP2/PI9/PWzGrkWeXv4MAbU9S8QvgUFPYbfUSQV2srSh1/UTl7rv0o2tw/LuCIbBivSu5d4xMWtHE4e/x50eWImG6e20q4+5ZF4hSXPGLmSayCGptbSq7JlgtcVNmTHFSdxPesGx7t50553nzU2ZoJxn9GDnhuVbSOmvhDpwaUYCDY/bGhmMpk32inzUxtPFacgz2JSygo3JCyWxervaE2OMd69fGI24F6cbqPV4ORWNymOnGGsFmMiTCyfKZjOVxhnBXAyeP444PE7MeNf6s2fFhAyV1M/mToa/ElYPHeJbY9t4bK0UPBXtral3vqMVNP6sYMzIPl0DBYsPeY71uEo5ctGJMum+AIhSulYzfTPq7IdPqo1NZGIXQbPb+8P+FZxUOEBm6imLdhG1DmL4Ji80yAPJ7w6Qgs7VoJPHdYTOOE+Z/s/1o52VUtGsSVergP8macRGHR432UIZjRvIxjdu7wvs7GLM,iv:af8J70mGekRpNCT15NjrYkgmoBQyTzBR866fRyrSmos=,tag:ZWLvsFQCFz72ih6UCDP2uA==,type:str]
 hetzner-borgbackup-passphrase: ENC[AES256_GCM,data:Stu8kYR+jP9aOjWz16/DhUTpxf4xwK8e7kJo,iv:rU6Gi0yoe7EBxQJ4wczDEjZG4GrB2mPmB1dD143HyeA=,tag:sSR3Do4vepb0vaMRhkj1Vw==,type:str]
 initrd_ssh_key: ENC[AES256_GCM,data:SpSX6RgnpgVkd3sL+mJx0Lk6RnagfxwO1cUKtbj4wxlJHpSsBnI6+tGJjssoCp38jHOPYZ4U0IE960ojjtXyBL/sF37Sw0E8uDGr0rL/wuuQmzhF3AC9VfuDOQNbe0pYTr7HldzIvbDRowIShxqbKfBVizkR1bxZkmHfDpMKE1gGivFLYeHC+gSVgTBtPEgDCx361+I103K2kCczu2VGnfmfc9ExrTO6/7ruj2DRjFLOaVmkXe896KjN+YpTTjT85gjEZJ75AGEUNKCNppQRkM0RpJBJyRunHmKqxh5VnFnlbiklsX2S5ev07G9oqIu0kZI6XduQjj/okB/4SeoY9QE6FOj6dRi2WSBNGpT9fBnV4i6bv2Z612ISXwO0GGfXQeWE4mA8QSaJ9oa/fnVFb7WolU9DISq8sYPc85VXVJGCFZ17DDVGK/capjveGErXnk6lJieBwArN5xEZfr/tPL15Q1DNdyYOJwiL1bODQwxYExpFu32XJ/ZMDiucWDXnEwJJf7WpThh0FiAZFzGAJ0b3SeJpuQvK6xXD,iv:w+YuoZMUswV9sw31PXFLKHbinRit9twPDqofeojVdZo=,tag:eCYSUX5EA/NTD3yIdTC7PA==,type:str]
@@ -52,8 +53,8 @@ sops:
             TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
             Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-19T12:39:56Z"
-    mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str]
+    lastmodified: "2023-07-21T13:58:56Z"
+    mac: ENC[AES256_GCM,data:GD2lZplaOjw2vRYYAIFydFK1NndJRv5MeXNHDCr/H7G5t8jnO2XstOuUYLhzqO1lpL2dRi4vc+B0UuM6jS3mzUkUqfV201qQ4MxDnViYxgNRk+7XuVaM940yw4UwUJQA2IN7C9EOU/xmYRqpvHFWptjrGFkEnBEVChKncqpen4k=,iv:Zn9i3Y7pkz5OsGHeOi2VBuF2Ha0dUDbDJl+BhXKMgaI=,tag:azmGDxfkQ9P49QTQBxdjSQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3