diff --git a/flake.lock b/flake.lock index 934be91..501d90e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1689793660, - "narHash": "sha256-aPGhep6kAcFFbHQWf4pWZHcxf7osGtznEmyCjgAJ+iY=", + "lastModified": 1689943059, + "narHash": "sha256-DXBCl0n4yLwY8OmrZDFWD3vxyzs2tSAv+iu1h6vebOA=", "owner": "nix-community", "repo": "disko", - "rev": "774ce7df25538bd73a8d456e0828907fa6b62572", + "rev": "f2248036d2aeb61690903130458b4e7f975b1c78", "type": "github" }, "original": { diff --git a/modules/web01/borgbackup.nix b/modules/web01/borgbackup.nix index 1fdf820..2d1358f 100644 --- a/modules/web01/borgbackup.nix +++ b/modules/web01/borgbackup.nix 
@@ -3,13 +3,26 @@
 # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
 sops.secrets.hetzner-borgbackup-ssh = { };
+ # Also enable ssh support in the storagebox web interface.
+ # By default the storage box is only accessible from the hetzner network.
 # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
+ # $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
 sops.secrets.hetzner-borgbackup-passphrase = { };
 systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+ # Run this from the hetzner network:
+ # ssh-keyscan -p 23 u359378.your-storagebox.de
+ programs.ssh.knownHosts = {
+ storagebox-ecdsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
+ storagebox-ecdsa.publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
+
+ storagebox-rsa.hostNames = [ "[u359378.your-storagebox.de]:23" ];
+ storagebox-rsa.publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+ };
+
 services.borgbackup.jobs.clan-lol = {
 paths = [
 "/home"
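Review bot: The host keys pinned in the new `programs.ssh.knownHosts` block were obtained with `ssh-keyscan`, as the comment directly above it says, which is trust-on-first-use: the scan only records whatever key the host presented at that moment and does not establish that it was the provider's box. Cross-check the two fingerprints against the host-key fingerprints the provider publishes for the storage box before relying on them, and record that in the comment, e.g. `# Fingerprints cross-checked against the provider's published storage box host keys on <DATE>.` Only `storagebox-ecdsa` and `storagebox-rsa` are pinned; if the box also serves an ed25519 key (not verifiable from this diff), pinning it too avoids depending on which host-key algorithm the client ends up negotiating. The enclosing module attribute set starts before this hunk.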
@@ -37,8 +50,18 @@
 "/var/log"
 ];
 repo = "u359378@u359378.your-storagebox.de:/./borgbackup";
+
+ # Disaster recovery:
+ # get the backup passphrase and ssh key from the sops and store them in /tmp
+ # $ export BORG_PASSCOMMAND='cat /tmp/hetzner-borgbackup-passphrase'
+ # $ export BORG_REPO='u359378@u359378.your-storagebox.de:/./borgbackup'
+ # $ export BORG_RSH='ssh -oPort=23 -i /tmp/hetzner-borgbackup-ssh'
+ # $ borg list
+ # web01-clan-lol-2023-07-21T14:12:22 Fri, 2023-07-21 14:12:27 [539b1037669ffd0d3f50020f439bbe2881b7234910e405eafc333125383351bc]
+ # $ borg mount u359378@u359378.your-storagebox.de:/./borgbackup::web01-clan-lol-2023-07-21T14:12:22 /tmp/backup
+ doInit = true;
 encryption = {
- mode = "repokey";
+ mode = "repokey-blake2";
 passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
 };
 compression = "auto,zstd";
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
index 77b86a0..e3da316 100644
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
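Review bot: `mode = "repokey-blake2"` replaces `repokey` on a job whose repository, judging by the `borg list` output quoted in the recovery comment above it, is already initialized; borg fixes the encryption mode at `borg init`, and the newly added `doInit = true` only initializes a repository that does not exist yet (if I read the NixOS module correctly), so for the existing repo this change is a silent no-op unless the repo was re-created. If it was re-initialized, say so in the commit; otherwise document the limit in place: `# NOTE: mode applies only at borg init; an existing repo keeps its original mode.` The recovery recipe also writes the decrypted ssh key and passphrase to `/tmp`, where files land with the default umask next to every other local user's files; a private directory (`mktemp -d` with mode 0700, or a memory-backed path) is the cheaper place, and the comment could say so. The enclosing `services.borgbackup.jobs.clan-lol` attribute set starts before this hunk.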
@@ -1,4 +1,5 @@
 cryptsetup_key: ENC[AES256_GCM,data:79qOTOi4ftTmIWuc/7bFf3NXaa2Fs6mTUfji,iv:xq9HM2uB4rr75qeZEAh2pFvEDAtXdFhsrT/manI7RqM=,tag:iELo+UHSplsQWIK9aQ+uMw==,type:str]
+hetzner-storagebox-password: ENC[AES256_GCM,data:vmH1NlKTuEDGb1F3Ni0PSDk=,iv:0q3vngK4SvjjPVHTGTBmpU+bdBc7IyY90EL3zJsf+BQ=,tag:iWqmuT6IJgVG8yPT6YZzUQ==,type:str]
 hetzner-borgbackup-ssh: ENC[AES256_GCM,data:/x2bRdkv6Q7ymBmiedK0eV+FxKAS3R192KjReIvixLvPLOZFr9ajFy0mHSZiDjjzPn7vaP2/PI9/PWzGrkWeXv4MAbU9S8QvgUFPYbfUSQV2srSh1/UTl7rv0o2tw/LuCIbBivSu5d4xMWtHE4e/x50eWImG6e20q4+5ZF4hSXPGLmSayCGptbSq7JlgtcVNmTHFSdxPesGx7t50553nzU2ZoJxn9GDnhuVbSOmvhDpwaUYCDY/bGhmMpk32inzUxtPFacgz2JSygo3JCyWxervaE2OMd69fGI24F6cbqPV4ORWNymOnGGsFmMiTCyfKZjOVxhnBXAyeP444PE7MeNf6s2fFhAyV1M/mToa/ElYPHeJbY9t4bK0UPBXtral3vqMVNP6sYMzIPl0DBYsPeY71uEo5ctGJMum+AIhSulYzfTPq7IdPqo1NZGIXQbPb+8P+FZxUOEBm6imLdhG1DmL4Ji80yAPJ7w6Qgs7VoJPHdYTOOE+Z/s/1o52VUtGsSVergP8macRGHR432UIZjRvIxjdu7wvs7GLM,iv:af8J70mGekRpNCT15NjrYkgmoBQyTzBR866fRyrSmos=,tag:ZWLvsFQCFz72ih6UCDP2uA==,type:str]
 hetzner-borgbackup-passphrase: ENC[AES256_GCM,data:Stu8kYR+jP9aOjWz16/DhUTpxf4xwK8e7kJo,iv:rU6Gi0yoe7EBxQJ4wczDEjZG4GrB2mPmB1dD143HyeA=,tag:sSR3Do4vepb0vaMRhkj1Vw==,type:str]
 initrd_ssh_key: ENC[AES256_GCM,data:SpSX6RgnpgVkd3sL+mJx0Lk6RnagfxwO1cUKtbj4wxlJHpSsBnI6+tGJjssoCp38jHOPYZ4U0IE960ojjtXyBL/sF37Sw0E8uDGr0rL/wuuQmzhF3AC9VfuDOQNbe0pYTr7HldzIvbDRowIShxqbKfBVizkR1bxZkmHfDpMKE1gGivFLYeHC+gSVgTBtPEgDCx361+I103K2kCczu2VGnfmfc9ExrTO6/7ruj2DRjFLOaVmkXe896KjN+YpTTjT85gjEZJ75AGEUNKCNppQRkM0RpJBJyRunHmKqxh5VnFnlbiklsX2S5ev07G9oqIu0kZI6XduQjj/okB/4SeoY9QE6FOj6dRi2WSBNGpT9fBnV4i6bv2Z612ISXwO0GGfXQeWE4mA8QSaJ9oa/fnVFb7WolU9DISq8sYPc85VXVJGCFZ17DDVGK/capjveGErXnk6lJieBwArN5xEZfr/tPL15Q1DNdyYOJwiL1bODQwxYExpFu32XJ/ZMDiucWDXnEwJJf7WpThh0FiAZFzGAJ0b3SeJpuQvK6xXD,iv:w+YuoZMUswV9sw31PXFLKHbinRit9twPDqofeojVdZo=,tag:eCYSUX5EA/NTD3yIdTC7PA==,type:str]
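Review bot: `hetzner-storagebox-password` is added to the sops file, but nothing in this diff declares a matching `sops.secrets.hetzner-storagebox-password`, so unless a file outside the diff does, the secret is stored yet never deployed to the host. If it exists only for the one-off `install-ssh-key` bootstrap described in the borgbackup.nix comments, a line there such as `# The storagebox web password is kept as sops secret hetzner-storagebox-password (manual bootstrap only, not deployed).` would make that intent clear; otherwise the declaration is missing.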
@@ -52,8 +53,8 @@ sops: TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-19T12:39:56Z" - mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str] + lastmodified: "2023-07-21T13:58:56Z" + mac: ENC[AES256_GCM,data:GD2lZplaOjw2vRYYAIFydFK1NndJRv5MeXNHDCr/H7G5t8jnO2XstOuUYLhzqO1lpL2dRi4vc+B0UuM6jS3mzUkUqfV201qQ4MxDnViYxgNRk+7XuVaM940yw4UwUJQA2IN7C9EOU/xmYRqpvHFWptjrGFkEnBEVChKncqpen4k=,iv:Zn9i3Y7pkz5OsGHeOi2VBuF2Ha0dUDbDJl+BhXKMgaI=,tag:azmGDxfkQ9P49QTQBxdjSQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3