diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f463f23
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+# .sops.yaml
+
+keys:
+ - &fs-01 age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt
+
+creation_rules:
+ - path_regex: fs-01.yml
+ key_groups:
+ - age:
+ - *fs-01
diff --git a/base/base.nix b/base/base.nix
index b99f12a..c04751b 100644
--- a/base/base.nix
+++ b/base/base.nix
@@ -30,6 +30,7 @@ in
 ./grafana-alloy.nix
 ./network.nix
 ./qemu.nix
+ ./secrets.nix
 ./spice.nix
 ];
diff --git a/base/secrets.nix b/base/secrets.nix
new file mode 100644
index 0000000..25287fc
--- /dev/null
+++ b/base/secrets.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ pkgsUnstable,
+ inputs,
+ ...
+}:
+
+with lib;
+
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt";
+}
diff --git a/flake.lock b/flake.lock
index 5a9a1d9..931f41e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,11 +61,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1755223770,
- "narHash": "sha256-PJfiLvHd59Jw/97xTKbc8CFoR0ypg2s8d2pNZXLc18U=",
+ "lastModified": 1755741527,
+ "narHash": "sha256-XBP8Ld94EsXi/42MQ6H0If1vCdWPf+N6RA9M+2Wuos0=",
 "owner": "Infinidoge",
 "repo": "nix-minecraft",
- "rev": "22e7b0d160e59473faac30a64e984c1819875b6d",
+ "rev": "a13d8cd9cef44144db3bc7333882916f4454aa91",
 "type": "github"
 },
 "original": {
@@ -92,11 +92,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1755186698,
- "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+ "lastModified": 1755615617,
+ "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+ "rev": "20075955deac2583bb12f07151c2df830ef346b4",
 "type": "github"
 },
 "original": {
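Review bot: `path_regex: fs-01.yml` in the `.sops.yaml` hunk is unanchored and its dot is a regex wildcard, so any path containing `fs-01` plus one character plus `yml` (a stray `fs-01.yml.bak`, a `hosts/fs-01-yml` directory, a differently located copy) silently matches this rule; `path_regex: ^secrets/fs-01\.yml$` pins it to the file this commit adds under `secrets/`. The rule also names a single age recipient, so loss of that one private key makes `secrets/fs-01.yml` unrecoverable and the host itself has no independent way to decrypt; listing the host's own recipient (an age key derived from its SSH host key is the usual sops-nix approach) as a second entry under `age:` would give per-host decryption without deploying the operator's personal key.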
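Review bot: `sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt";` in `base/secrets.nix` points every host that imports `base.nix` at a private key inside a user's home directory, which is the operator's editing key rather than a per-host key; sops-nix decrypts during activation as root, so that file must exist and be root-readable on each host at boot, and compromise of any single host exposes the key that decrypts every secrets file in the repo. Prefer `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with each host's derived age recipient listed in `.sops.yaml`, so no personal key has to live on the machines. `defaultSopsFile` is derived from `config.networking.hostName` but only `secrets/fs-01.yml` exists after this commit, so other hosts importing `base.nix` that later declare a `sops.secrets.*` entry will presumably fail evaluation until their file is added; a comment such as `# one secrets/<hostName>.yml per host; create it with sops before declaring sops.secrets on that host` on that line would save the next maintainer the surprise. `pkgs`, `pkgsUnstable` and `with lib;` are unused in this module and can be dropped.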
@@ -108,11 +108,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1755078291,
- "narHash": "sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY=",
+ "lastModified": 1755593991,
+ "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323",
+ "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03",
 "type": "github"
 },
 "original": {
@@ -122,12 +122,47 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1744868846,
+ "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "comin": "comin",
 "nix-minecraft": "nix-minecraft",
 "nixpkgs": "nixpkgs_2",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1754988908,
+ "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index 99bfd7a..223efa3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,7 @@
 url = "github:nlewo/comin";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 outputs =
diff --git a/hosts/borg-01/default.nix b/hosts/borg-01/default.nix
index 8d6e4ae..b7d1602 100644
--- a/hosts/borg-01/default.nix
+++ b/hosts/borg-01/default.nix
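Review bot: `sops-nix.url = "github:Mic92/sops-nix";` in the `flake.nix` hunk is added without `inputs.nixpkgs.follows = "nixpkgs";`, unlike the `comin` input two lines above it, which is why the lock now carries a third nixpkgs (`nixpkgs_3`, `lastModified` 1744868846, noticeably older than the two already pinned) solely for sops-nix's own dependency. That is a second nixpkgs tree to evaluate and to track for advisories for no benefit; `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps one pinned nixpkgs and drops `nixpkgs_3` from `flake.lock` on the next re-lock.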
@@ -36,6 +36,12 @@
 ];
 path = "/mnt/data/backups/databases/db-pg17";
 };
+ "fs-01" = {
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHMJMvsMZ6sckMi3PFM4ARrV21emTU1VSIyjFEYk8SX borg@fs-01"
+ ];
+ path = "/mnt/data/backups/databases/db-pg17";
+ };
 "lax-01" = {
 authorizedKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwdizQ4FKsM7WvZsQ94N1x6k2Fuda5NkIio967vakg5 borg@lax-01"
diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix
index 89030e3..6398e32 100644
--- a/hosts/fs-01/default.nix
+++ b/hosts/fs-01/default.nix
@@ -19,6 +19,11 @@
 syncthingserver.enable = true;
+ sops.secrets."borgmatic_ping_urls/local" = { };
+ sops.secrets."borgmatic_ping_urls/remote" = { };
+ sops.secrets."borgmatic_pass/local" = { };
+ sops.secrets."borgmatic_pass/remote" = { };
+
 services.borgmatic = {
 enable = true;
 enableConfigCheck = true;
@@ -28,10 +33,10 @@
 repositories = [
 {
 label = "local";
- path = "";
+ path = "borg@borg-01.tail755c5.ts.net:.";
 }
 ];
- encryption_passphrase = "";
+ encryption_passcommand = ''cat ${config.sops.secrets."borgmatic_pass/local".path}'';
 keep_daily = 7;
 keep_weekly = 4;
@@ -40,8 +45,10 @@
 unknown_unencrypted_repo_access_is_ok = false;
+ ssh_command = "ssh -i /etc/borgmatic.d/borg-local";
+
 healthchecks = {
- ping_url = "";
+ ping_url = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing";
 };
 };
 };
diff --git a/secrets/fs-01.yml b/secrets/fs-01.yml
new file mode 100644
index 0000000..3a5f1d2
--- /dev/null
+++ b/secrets/fs-01.yml
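Review bot: The new `"fs-01"` entry in `hosts/borg-01/default.nix` reuses `path = "/mnt/data/backups/databases/db-pg17";`, the same path as the entry directly above it, so fs-01's key is granted `borg serve` access to another client's repository and the two hosts can overwrite or prune each other's archives; given that fs-01's healthchecks slug is `backup-syncthing`, this reads as a copy-paste of the previous block rather than intent. Give it its own directory, e.g. `path = "/mnt/data/backups/syncthing/fs-01";` (example name), so the per-repository restriction the borgbackup module presumably applies to each key actually isolates the clients. The enclosing `repos` attribute set starts before the hunk.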
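Review bot: In the third `hosts/fs-01/default.nix` hunk `ping_url` is committed as the literal `https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing`, while the first hunk declares `sops.secrets."borgmatic_ping_urls/local"` for exactly that value; the UUID in a healthchecks ping URL is the credential that lets a caller report success for the check, so keeping it in plaintext defeats the encrypted copy, and it is now in git history regardless — either load it at runtime from `config.sops.secrets."borgmatic_ping_urls/local".path` (via borgmatic's credential-loading syntax if the installed version supports it, or by templating the config at activation) and treat the published UUID as burned, or drop the secret. `borgmatic_ping_urls/remote` and `borgmatic_pass/remote` are declared but unused in these hunks, and `ssh_command = "ssh -i /etc/borgmatic.d/borg-local"` references a private key that no hunk provisions; if that key is meant to be deployed, managing it as a sops secret too keeps it under the same controls as the passphrase. The `services.borgmatic` block continues outside the hunks.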
@@ -0,0 +1,21 @@ +borgmatic_ping_urls: + local: ENC[AES256_GCM,data:7qFq0nrqqrH556Ttf3KeRpDl2UicOBeWD8VBVSiN+TbVDVeIs/AXMKY2+IJMU2i15htL05hk2Y59bqSKr5fM3Ag=,iv:lII62b/Mw8dTgnHiBU3aM1s2bNGK1olk9Ef9squ8qME=,tag:fBlO16/h01QEfJnRwfLnxg==,type:str] + remote: ENC[AES256_GCM,data:3/4av4qjlC55VzjG1nB849mhN+FIn1S4Z20s2i/MKjQQAk+WsPLoTzCgiYY8M7MJxnB+xQusSmbPY+nlNbAW3SnbpOnQilr/,iv:yladJ+d5wncv9CDvF3GbNgPdYKIh6OdeAo9qLsKQy/4=,tag:TO1Tc/dyxF0N4YHXd7YzSg==,type:str] +borgmatic_pass: + local: ENC[AES256_GCM,data:raZ6iz4ZHGBl7t1ZiVkqLASsDoI=,iv:7RficWkWV6WGKmyYUcVoBXlHX0axlvEgZ8TEdtb8tI0=,tag:ILozLRHDXMdvAz9nOyqQOw==,type:str] + remote: ENC[AES256_GCM,data:zzelomQZuPEmMiuhTcdnX3Jtu8E=,iv:uYDvwlcy29nn0XUkr4waQcdnvimDhNTNR4HGQ/w10gU=,tag:Knx3nQxJ5L4IlwtdFOm8+w==,type:str] +sops: + age: + - recipient: age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFU2YWRjMVVuUmM2MVdq + SWZtWkxEenpqakxBcGdLVEw3aWZvZnplV3pZCmFWSHg2ZmYxd0ttVXkySTljMk1j + ZERLb3pBZnJML1RsYUw2djBSNk5RUDgKLS0tIDRGSm5xbThZeTlUK2R2RXd4VEc3 + ajV1dUpEc3hNc1gzYWZVMDVMKzN4c2MK1WN3yUzgwP9ilZTCnI99EU1t8csxqgGw + TbE1f1WKcBiECj70+tnWE+jDG5gNPOVkP4AJ/XpraQ0MmrwKo8OrYQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-22T06:44:32Z" + mac: ENC[AES256_GCM,data:fD9OV0FFBHr8whgiqKPoxrT2rAzr27F8zxt/RaJcOR9iEeZ8NQJGo3LmP18Mogi1g+Qb7ChWZKcXrJtmUX/qmwkhbacjY2bwLdX4XIGs2w7/fWv5yBOAWyqO6ArBJfIjkDrE+jti44vRCVzn14IMG8XdS+KR/n9Ojm43ycYtikE=,iv:IlpoSDgSn6ekFRJHOcIeAhTL4vp0iL5dhEQkwgZu+Tk=,tag:CvL3XNoMr1uNGi8r+mM7mg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2