From 35eac0db2efeb9fe32a918d8b90813e6e77d4a60 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Sun, 19 Oct 2025 11:36:44 -0700 Subject: [PATCH] hosts/hel-01: add config and credentials for borg backups --- .sops.yaml | 8 ++++++++ hosts/hel-01/default.nix | 21 +++++++++++++++++++++ secrets/hel-01.yml | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 secrets/hel-01.yml diff --git a/.sops.yaml b/.sops.yaml index 8a33c8e..00a92d8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,6 +8,7 @@ keys: - &db-mdb11 age16hzcrlm978x5g2frhgr8sm9hjf8f9l9ez5g8adkw2uj4m3h89d5qmzggk2 - &fs-01 age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt - &gms-01 age10lgzwck6lapvsvl7ycg3acp7hgjlt45z5x68qkx95d9jv653443s0pwxhg + - &hel-01 age1u3h4r85rnffdm3ydfhz67gxuqnkxmafy9pju7saaz0j25k4j43ksmh9792 - &lax-01 age1whehwala9q7hp8dx6tn27mtuzerxhvwz6wf3f4m54ln6gggzcsns7ax87l - &log-01 age1j6t53w5dzxhpm9mp6nuu698p7j5txg5r6zgnfqlfcjpdg454fcsquqswya - &nbg-01 age1n2j7c5s98y60j7cvaa8sf85rfpkkhk2s3mfmc22l8yq2uqsedgnswacwq6 @@ -48,6 +49,13 @@ creation_rules: - *mac - *gms-01 + - path_regex: hel-01[\w_]*.(env|yml)$ + key_groups: + - age: + - *xenon + - *mac + - *hel-01 + - path_regex: lax-01[\w_]*.(env|yml)$ key_groups: - age: diff --git a/hosts/hel-01/default.nix b/hosts/hel-01/default.nix index 91bd232..819f5e9 100644 --- a/hosts/hel-01/default.nix +++ b/hosts/hel-01/default.nix 
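Review bot: The new creation rule's `path_regex: hel-01[\w_]*.(env|yml)$` matches more than the one secrets file it is meant for. The `.` before the extension group is unescaped, so it matches any character, and nothing anchors the start, so any path that contains `hel-01…` and ends in `env` or `yml` is encrypted to this recipient set. sops applies the first rule that matches, so a loose pattern can silently decide which hosts are able to decrypt a file. Consider `path_regex: (^|/)hel-01\w*\.(env|yml)$` (`\w` already covers `_`). The neighbouring `lax-01` rule visible in this hunk has the same shape, so the tightening probably applies to the other rules as well.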
@@ -29,10 +29,31 @@ qemu.enable = true; spice.enable = true; + sops.secrets = { + #"crowdsec/lapiKey" = { + # owner = "traefik"; + # mode = "0400"; + #}; + "borgmatic_pass/local" = { }; + "borgmatic_pass/remote" = { }; + }; + crowdsec-firewall-bouncer = { enable = true; }; + #borg-config = { + # enable = true; + + # backupLabel = "hel-01"; + # localRepoPath = "ssh://borg@borg-01.tail755c5.ts.net/./"; + # remoteRepoPath = "ssh://fm1833@fm1833.rsync.net/./hosts/hel-01"; + # sourceDirectories = [ + # ]; + # hcPingUrlLocal = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-hel-01"; + # hcPingUrlRemote = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-hel-01-remote"; + #}; + base.userSSHKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3oNF68M+TaN8LB+jQH9hFaW3vpR3i54UiVRPqJxyAN etorres@xenon" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISjU0h15s29Ir6ANHNujlOO0/7+bGvkpbpN6WzVhgW6 etorres@radon" diff --git a/secrets/hel-01.yml b/secrets/hel-01.yml new file mode 100644 index 0000000..aa4e12a --- /dev/null +++ b/secrets/hel-01.yml 
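Review bot: The commented-out `borg-config` block commits both health-check ping URLs in clear text, and the path segment they share looks like a ping key rather than a public identifier. If so, anyone who can read the repository could report a backup as successful and mask a failing job. Assuming the module can take these values from a file, keep them in `secrets/hel-01.yml` beside the borgmatic passphrases and expose them through `sops.secrets` instead of as literals. Separately, `"borgmatic_pass/local" = { };` and `"borgmatic_pass/remote" = { };` rely on the module's default owner and mode while their only consumer is still commented out; a comment such as `# read by borg-config once enabled; default owner/mode is intended` would record that. The enclosing attribute set starts and ends outside this hunk.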
@@ -0,0 +1,38 @@
+borgmatic_pass:
+ local: ENC[AES256_GCM,data:o7nCLKlA5auaLuJ3NnOABM6VXps=,iv:q/mluFtXtQcaGGzRK02HLIne5WyuKEUxOufVQ+bENs8=,tag:oeZfqMlGRaKbXujDhymsxA==,type:str]
+ remote: ENC[AES256_GCM,data:pCegNxQk4L1fGO9dWoZgQFR3Lu8=,iv:gklAf5QmNLKA6wZvzBmoqhpcUUA8UQPRgoDNfJ3wAE4=,tag:zgoCbyQ/Ogzh1KI+hWxf1A==,type:str]
+crowdsec:
+ lapiKey: ENC[AES256_GCM,data:YO7AX28ZSidNPmnRjxdHmnLtTgzTEbrw42cyHAk+1hjX0KswKOwdTlaRHQ==,iv:FUeie4P/ddsMeblSIPJm6dlZDui5bdu7+gHrc+80vRA=,tag:SzFOhlTDASg5zTtvCTVEVw==,type:str]
+sops:
+ age:
+ - recipient: age1jmsrfddctahhznfv7jv77tgw5crmhjhe0e0kzc967hvax4sulv3s6hp2su
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQkozODNMWFZRQVM3UGF5
+ WkZDTEtjWkJaaVNzb1VKRlNVNHR2d3JLbFEwCjlDdnMxLy9UNUNGWDZZeDFJKzVD
+ TklGTFpGdzIzWjA1WXRoeFY5T1dnK3cKLS0tIEF5MkxnQlNCaTE5RDM0S09odGoz
+ ZlY0cDlVelBFSzNFb0NBUlRxN1Y0dEkKpxwIS6D74U6oJTOtkCb3NbyFVkjOJ16c
+ IRC/dwVwQCExQeHH8B1cBqc8jDkGb8v18Sz8u4QGtIjlibejbHAfnQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1g0vx0dgpzy3et6kuejf4xn4n0acr3666p8j4ygaulefh5mq3vyxs7mgjat
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdElJb05Za1kyZFpOL0lX
+ UDdMY01PY3VKZUlpd3ROKzMvcTZBellSYTJrClU1YkprTm1nMW5mU0taMVF1RTM3
+ K0hSa2hKc1h1amtaVTdKM0QvMFFPWUkKLS0tIFIxMUZTK1BRSkk5RVJIWlA4NlFI
+ bGswVndoQUUzOWZYcTdCOXlkK1pVc0kKZEbEELwyk2s2uCslBrRsWBWL5GfUZIvj
+ TJVJIY5C0sE9RG2hnUyvQT1+RrQwK3sKW/Zc4l5VTktGqhOpvs+n9Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1u3h4r85rnffdm3ydfhz67gxuqnkxmafy9pju7saaz0j25k4j43ksmh9792
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQlUybW5BQ2F3YjVMWVRk
+ cEdKNDZhQ3krTC9tQ3drVUtmQW5CYUdpOTNNCmJGcUJjaERrMk81bThVUVBCOGM5
+ cllsQ3B5cWFnRG13MmJhUElBcmM3Zm8KLS0tIC9KdWtmNFVpR0grVVdFTE5VeUJX
+ Yit0WlZjODBSd0ZTMU01N1FDNnZ5ZEEKa6gtn0XlGSzPaliO5ndYSturZcudgTY4
+ 1Gg6Tg67V/A7YsNva4tT5HLH2HZpREI7K8RsvZxCkP6369nKlk0cuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-19T18:36:33Z"
+ mac: ENC[AES256_GCM,data:K2ZG4+nMG3EoQ9GVgjn3q8i5St7DC/nBqK1dHiRMZys71sc03OstC+NssGIhtUlR+NWGiJ1/jcL/lAzCMdGkWpCIw5cs+WLJcfrcF8ATc7/siZeSzvy2Eep1LzmY5jA4Ywebt5cFFVhz7mpQN5oGtp/2w/VBxWxgdQfF4HzGqSA=,iv:htwgLG7rgyxycPVZUvisclYBCgT/bVnthdJFZEQoTZ8=,tag:zwynws26QE0PvI8OoNRlPQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0