Merge branch 'sops-nix'

2025-08-22 00:46:42 -07:00
parent 7ed4aa7248 44c3044729
commit d9a26c336c
8 changed files with 112 additions and 13 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+# .sops.yaml
+
+keys:
+  - &fs-01 age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt
+
+creation_rules:
+  - path_regex: fs-01.yml
+    key_groups:
+      - age:
+          - *fs-01
--- a/base/base.nix
+++ b/base/base.nix
@@ -30,6 +30,7 @@ in
    ./grafana-alloy.nix
    ./network.nix
    ./qemu.nix
+    ./secrets.nix
    ./spice.nix
  ];

--- a/base/secrets.nix
+++ b/base/secrets.nix
@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  pkgs,
+  pkgsUnstable,
+  inputs,
+  ...
+}:
+
+with lib;
+
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt";
+}
--- a/flake.lock
+++ b/flake.lock
@@ -61,11 +61,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1755223770,
-        "narHash": "sha256-PJfiLvHd59Jw/97xTKbc8CFoR0ypg2s8d2pNZXLc18U=",
+        "lastModified": 1755741527,
+        "narHash": "sha256-XBP8Ld94EsXi/42MQ6H0If1vCdWPf+N6RA9M+2Wuos0=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "22e7b0d160e59473faac30a64e984c1819875b6d",
+        "rev": "a13d8cd9cef44144db3bc7333882916f4454aa91",
        "type": "github"
      },
      "original": {
@@ -92,11 +92,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1755615617,
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
        "type": "github"
      },
      "original": {
@@ -108,11 +108,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1755078291,
-        "narHash": "sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY=",
+        "lastModified": 1755593991,
+        "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323",
+        "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03",
        "type": "github"
      },
      "original": {
@@ -122,12 +122,47 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1744868846,
+        "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "comin": "comin",
        "nix-minecraft": "nix-minecraft",
        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1754988908,
+        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,7 @@
      url = "github:nlewo/comin";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs =
--- a/hosts/borg-01/default.nix
+++ b/hosts/borg-01/default.nix
@@ -36,6 +36,12 @@
      ];
      path = "/mnt/data/backups/databases/db-pg17";
    };
+    "fs-01" = {
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHMJMvsMZ6sckMi3PFM4ARrV21emTU1VSIyjFEYk8SX borg@fs-01"
+      ];
+      path = "/mnt/data/backups/databases/db-pg17";
+    };
    "lax-01" = {
      authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwdizQ4FKsM7WvZsQ94N1x6k2Fuda5NkIio967vakg5 borg@lax-01"
--- a/hosts/fs-01/default.nix
+++ b/hosts/fs-01/default.nix
@@ -19,6 +19,11 @@

  syncthingserver.enable = true;

+  sops.secrets."borgmatic_ping_urls/local" = { };
+  sops.secrets."borgmatic_ping_urls/remote" = { };
+  sops.secrets."borgmatic_pass/local" = { };
+  sops.secrets."borgmatic_pass/remote" = { };
+
  services.borgmatic = {
    enable = true;
    enableConfigCheck = true;
@@ -28,10 +33,10 @@
      repositories = [
        {
          label = "local";
-          path = "";
+          path = "borg@borg-01.tail755c5.ts.net:.";
        }
      ];
-      encryption_passphrase = "";
+      encryption_passcommand = ''cat ${config.sops.secrets."borgmatic_pass/local".path}'';

      keep_daily = 7;
      keep_weekly = 4;
@@ -40,8 +45,10 @@

      unknown_unencrypted_repo_access_is_ok = false;

+      ssh_command = "ssh -i /etc/borgmatic.d/borg-local";
+
      healthchecks = {
-        ping_url = "";
+        ping_url = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing";
      };
    };
  };
--- a/secrets/fs-01.yml
+++ b/secrets/fs-01.yml
@@ -0,0 +1,21 @@
+borgmatic_ping_urls:
+    local: ENC[AES256_GCM,data:7qFq0nrqqrH556Ttf3KeRpDl2UicOBeWD8VBVSiN+TbVDVeIs/AXMKY2+IJMU2i15htL05hk2Y59bqSKr5fM3Ag=,iv:lII62b/Mw8dTgnHiBU3aM1s2bNGK1olk9Ef9squ8qME=,tag:fBlO16/h01QEfJnRwfLnxg==,type:str]
+    remote: ENC[AES256_GCM,data:3/4av4qjlC55VzjG1nB849mhN+FIn1S4Z20s2i/MKjQQAk+WsPLoTzCgiYY8M7MJxnB+xQusSmbPY+nlNbAW3SnbpOnQilr/,iv:yladJ+d5wncv9CDvF3GbNgPdYKIh6OdeAo9qLsKQy/4=,tag:TO1Tc/dyxF0N4YHXd7YzSg==,type:str]
+borgmatic_pass:
+    local: ENC[AES256_GCM,data:raZ6iz4ZHGBl7t1ZiVkqLASsDoI=,iv:7RficWkWV6WGKmyYUcVoBXlHX0axlvEgZ8TEdtb8tI0=,tag:ILozLRHDXMdvAz9nOyqQOw==,type:str]
+    remote: ENC[AES256_GCM,data:zzelomQZuPEmMiuhTcdnX3Jtu8E=,iv:uYDvwlcy29nn0XUkr4waQcdnvimDhNTNR4HGQ/w10gU=,tag:Knx3nQxJ5L4IlwtdFOm8+w==,type:str]
+sops:
+    age:
+        - recipient: age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFU2YWRjMVVuUmM2MVdq
+            SWZtWkxEenpqakxBcGdLVEw3aWZvZnplV3pZCmFWSHg2ZmYxd0ttVXkySTljMk1j
+            ZERLb3pBZnJML1RsYUw2djBSNk5RUDgKLS0tIDRGSm5xbThZeTlUK2R2RXd4VEc3
+            ajV1dUpEc3hNc1gzYWZVMDVMKzN4c2MK1WN3yUzgwP9ilZTCnI99EU1t8csxqgGw
+            TbE1f1WKcBiECj70+tnWE+jDG5gNPOVkP4AJ/XpraQ0MmrwKo8OrYQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-22T06:44:32Z"
+    mac: ENC[AES256_GCM,data:fD9OV0FFBHr8whgiqKPoxrT2rAzr27F8zxt/RaJcOR9iEeZ8NQJGo3LmP18Mogi1g+Qb7ChWZKcXrJtmUX/qmwkhbacjY2bwLdX4XIGs2w7/fWv5yBOAWyqO6ArBJfIjkDrE+jti44vRCVzn14IMG8XdS+KR/n9Ojm43ycYtikE=,iv:IlpoSDgSn6ekFRJHOcIeAhTL4vp0iL5dhEQkwgZu+Tk=,tag:CvL3XNoMr1uNGi8r+mM7mg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2