hosts/hel-01: add config and credentials for borg backups

2025-10-19 11:36:44 -07:00
parent 4af5feb6c8
commit 35eac0db2e
3 changed files with 67 additions and 0 deletions


@@ -8,6 +8,7 @@ keys:
- &db-mdb11 age16hzcrlm978x5g2frhgr8sm9hjf8f9l9ez5g8adkw2uj4m3h89d5qmzggk2
- &fs-01 age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt
- &gms-01 age10lgzwck6lapvsvl7ycg3acp7hgjlt45z5x68qkx95d9jv653443s0pwxhg
- &hel-01 age1u3h4r85rnffdm3ydfhz67gxuqnkxmafy9pju7saaz0j25k4j43ksmh9792
- &lax-01 age1whehwala9q7hp8dx6tn27mtuzerxhvwz6wf3f4m54ln6gggzcsns7ax87l
- &log-01 age1j6t53w5dzxhpm9mp6nuu698p7j5txg5r6zgnfqlfcjpdg454fcsquqswya
- &nbg-01 age1n2j7c5s98y60j7cvaa8sf85rfpkkhk2s3mfmc22l8yq2uqsedgnswacwq6
@@ -48,6 +49,13 @@ creation_rules:
- *mac
- *gms-01
- path_regex: hel-01[\w_]*.(env|yml)$
key_groups:
- age:
- *xenon
- *mac
- *hel-01
- path_regex: lax-01[\w_]*.(env|yml)$
key_groups:
- age:
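Review bot: The hel-01 rule's `path_regex: hel-01[\w_]*.(env|yml)$` leaves the dot before the extension unescaped and has no anchor on the left, so it also matches names such as `hel-01xenv` and any longer path that merely ends in a matching name. sops picks the first creation rule whose regex matches, so a loose pattern can encrypt a file to a recipient set nobody intended. I would write `path_regex: hel-01\w*\.(env|yml)$` (`\w` already covers `_`) and consider a left anchor on the directory as well. The lax-01 rule visible in the same hunk has the same shape and would want the same change. The creation_rules list continues outside the hunk, so rule order could not be checked from here.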


@@ -29,10 +29,31 @@
qemu.enable = true;
spice.enable = true;
sops.secrets = {
#"crowdsec/lapiKey" = {
# owner = "traefik";
# mode = "0400";
#};
"borgmatic_pass/local" = { };
"borgmatic_pass/remote" = { };
};
crowdsec-firewall-bouncer = {
enable = true;
};
#borg-config = {
# enable = true;
# backupLabel = "hel-01";
# localRepoPath = "ssh://borg@borg-01.tail755c5.ts.net/./";
# remoteRepoPath = "ssh://fm1833@fm1833.rsync.net/./hosts/hel-01";
# sourceDirectories = [
# ];
# hcPingUrlLocal = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-hel-01";
# hcPingUrlRemote = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-hel-01-remote";
#};
base.userSSHKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3oNF68M+TaN8LB+jQH9hFaW3vpR3i54UiVRPqJxyAN etorres@xenon"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISjU0h15s29Ir6ANHNujlOO0/7+bGvkpbpN6WzVhgW6 etorres@radon"
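Review bot: The commented `borg-config` block commits the two healthcheck ping URLs (`hcPingUrlLocal`, `hcPingUrlRemote`) in cleartext, although the borg passphrases declared just above go through sops. Such a URL works as a bearer value: anyone who has it can report a run as successful, so a failed backup could go unnoticed. Before the block is enabled, I would move the URLs into `secrets/hel-01.yml` and declare them beside the passphrases, e.g. `"borgmatic_hc/local" = { };` (name made up for illustration), assuming the borg-config module, which is not visible here, can read the URL from a file. Because the value stays in history once committed, rotating the ping key is worth considering. The enclosing attribute set starts and ends outside the hunk.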

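--- /dev/null
+++ b/secrets/hel-01.yml
@@ -0,0 +1,38 @@
+borgmatic_pass:
+local: ENC[AES256_GCM,data:o7nCLKlA5auaLuJ3NnOABM6VXps=,iv:q/mluFtXtQcaGGzRK02HLIne5WyuKEUxOufVQ+bENs8=,tag:oeZfqMlGRaKbXujDhymsxA==,type:str]
+remote: ENC[AES256_GCM,data:pCegNxQk4L1fGO9dWoZgQFR3Lu8=,iv:gklAf5QmNLKA6wZvzBmoqhpcUUA8UQPRgoDNfJ3wAE4=,tag:zgoCbyQ/Ogzh1KI+hWxf1A==,type:str]
+crowdsec:
+lapiKey: ENC[AES256_GCM,data:YO7AX28ZSidNPmnRjxdHmnLtTgzTEbrw42cyHAk+1hjX0KswKOwdTlaRHQ==,iv:FUeie4P/ddsMeblSIPJm6dlZDui5bdu7+gHrc+80vRA=,tag:SzFOhlTDASg5zTtvCTVEVw==,type:str]
+sops:
+age:
+- recipient: age1jmsrfddctahhznfv7jv77tgw5crmhjhe0e0kzc967hvax4sulv3s6hp2su
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQkozODNMWFZRQVM3UGF5
+WkZDTEtjWkJaaVNzb1VKRlNVNHR2d3JLbFEwCjlDdnMxLy9UNUNGWDZZeDFJKzVD
+TklGTFpGdzIzWjA1WXRoeFY5T1dnK3cKLS0tIEF5MkxnQlNCaTE5RDM0S09odGoz
+ZlY0cDlVelBFSzNFb0NBUlRxN1Y0dEkKpxwIS6D74U6oJTOtkCb3NbyFVkjOJ16c
+IRC/dwVwQCExQeHH8B1cBqc8jDkGb8v18Sz8u4QGtIjlibejbHAfnQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1g0vx0dgpzy3et6kuejf4xn4n0acr3666p8j4ygaulefh5mq3vyxs7mgjat
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdElJb05Za1kyZFpOL0lX
+UDdMY01PY3VKZUlpd3ROKzMvcTZBellSYTJrClU1YkprTm1nMW5mU0taMVF1RTM3
+K0hSa2hKc1h1amtaVTdKM0QvMFFPWUkKLS0tIFIxMUZTK1BRSkk5RVJIWlA4NlFI
+bGswVndoQUUzOWZYcTdCOXlkK1pVc0kKZEbEELwyk2s2uCslBrRsWBWL5GfUZIvj
+TJVJIY5C0sE9RG2hnUyvQT1+RrQwK3sKW/Zc4l5VTktGqhOpvs+n9Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1u3h4r85rnffdm3ydfhz67gxuqnkxmafy9pju7saaz0j25k4j43ksmh9792
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQlUybW5BQ2F3YjVMWVRk
+cEdKNDZhQ3krTC9tQ3drVUtmQW5CYUdpOTNNCmJGcUJjaERrMk81bThVUVBCOGM5
+cllsQ3B5cWFnRG13MmJhUElBcmM3Zm8KLS0tIC9KdWtmNFVpR0grVVdFTE5VeUJX
+Yit0WlZjODBSd0ZTMU01N1FDNnZ5ZEEKa6gtn0XlGSzPaliO5ndYSturZcudgTY4
+1Gg6Tg67V/A7YsNva4tT5HLH2HZpREI7K8RsvZxCkP6369nKlk0cuQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-10-19T18:36:33Z"
+mac: ENC[AES256_GCM,data:K2ZG4+nMG3EoQ9GVgjn3q8i5St7DC/nBqK1dHiRMZys71sc03OstC+NssGIhtUlR+NWGiJ1/jcL/lAzCMdGkWpCIw5cs+WLJcfrcF8ATc7/siZeSzvy2Eep1LzmY5jA4Ywebt5cFFVhz7mpQN5oGtp/2w/VBxWxgdQfF4HzGqSA=,iv:htwgLG7rgyxycPVZUvisclYBCgT/bVnthdJFZEQoTZ8=,tag:zwynws26QE0PvI8OoNRlPQ==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0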