From 22590cd1cd9d50195b64d4342045f7f921863478 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Wed, 20 Aug 2025 22:38:19 -0700 Subject: [PATCH 01/22] flake.nix: add sops-nix input --- flake.lock | 55 ++++++++++++++++++++++++++++++++++++++++++++---------- flake.nix | 1 + 2 files changed, 46 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 5a9a1d9..931f41e 100644 --- a/flake.lock +++ b/flake.lock @@ -61,11 +61,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1755223770, - "narHash": "sha256-PJfiLvHd59Jw/97xTKbc8CFoR0ypg2s8d2pNZXLc18U=", + "lastModified": 1755741527, + "narHash": "sha256-XBP8Ld94EsXi/42MQ6H0If1vCdWPf+N6RA9M+2Wuos0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "22e7b0d160e59473faac30a64e984c1819875b6d", + "rev": "a13d8cd9cef44144db3bc7333882916f4454aa91", "type": "github" }, "original": { @@ -92,11 +92,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1755186698, - "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=", + "lastModified": 1755615617, + "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c", + "rev": "20075955deac2583bb12f07151c2df830ef346b4", "type": "github" }, "original": { @@ -108,11 +108,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1755078291, - "narHash": "sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY=", + "lastModified": 1755593991, + "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323", + "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03", "type": "github" }, "original": { 
@@ -122,12 +122,47 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "comin": "comin", "nix-minecraft": "nix-minecraft", "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index 99bfd7a..223efa3 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,7 @@ url = "github:nlewo/comin"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix.url = "github:Mic92/sops-nix"; }; outputs = From 44089168bf12e4814a3b1b8b78b8b455cd9a3eda Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Wed, 20 Aug 2025 22:38:49 -0700 Subject: [PATCH 02/22] base/secrets: add module --- base/base.nix | 1 + base/secrets.nix | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 base/secrets.nix diff --git a/base/base.nix b/base/base.nix index a0ad135..f73846d 100644 --- a/base/base.nix +++ b/base/base.nix @@ -30,6 +30,7 @@ in ./grafana-alloy.nix ./network.nix ./qemu.nix + ./secrets.nix ./spice.nix ]; diff --git a/base/secrets.nix b/base/secrets.nix new file mode 100644 index 0000000..db09317 --- /dev/null +++ b/base/secrets.nix 
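Review bot: The new `sops-nix.url` line pins its own `nixpkgs` — the lock gains a separate `nixpkgs_3`, locked months behind the root `nixpkgs_2` — whereas the `comin` input two lines above follows the root `nixpkgs`. That second nixpkgs is mostly dead weight in the lock, but it also means whatever sops-nix evaluates against its own input is not covered by bumps of the root nixpkgs, so the two can drift. Mirror the comin entry: `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };`. The enclosing `inputs` set starts outside the hunk.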
@@ -0,0 +1,25 @@ +{ + config, + lib, + pkgs, + pkgsUnstable, + inputs, + ... +}: + +with lib; + +let + cfg = config.secrets; +in +{ + options.spice = { + enable = mkEnableOption "Enable SPICE guest setup"; + }; + + config = { + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + sops.age.keyFile = ""; + }; +} From 89b0444e7c89fb8cf277e90aa573e3c78ca1ead4 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Wed, 20 Aug 2025 22:39:11 -0700 Subject: [PATCH 03/22] .sops.yaml: add sops config --- .sops.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .sops.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..73d1e05 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +# .sops.yaml + +keys: + - &primary age1ca3zdn9s0fnlyrgcwu2fvkcu0qn9hj8dlvv96egju006y2lhvyzs3hw29z +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary From c3876198bf5aa9b53514dd61fd1d303bd50c3bbf Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 00:18:59 -0700 Subject: [PATCH 04/22] .sops.yaml: allow subpaths and arbitrary names on secrets files --- .sops.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.sops.yaml b/.sops.yaml index 73d1e05..1fae27f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,7 @@ keys: - &primary age1ca3zdn9s0fnlyrgcwu2fvkcu0qn9hj8dlvv96egju006y2lhvyzs3hw29z creation_rules: - - path_regex: secrets/secrets.yaml$ + - path_regex: '^.*\.ya?ml$' key_groups: - age: - *primary From a48a0769e4f013a34f1afd0b260b0cb6d3320f0b Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 00:33:44 -0700 Subject: [PATCH 05/22] secrets/fs-01: add file --- secrets/fs-01.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 secrets/fs-01.yml diff --git a/secrets/fs-01.yml b/secrets/fs-01.yml new file mode 100644 index 0000000..f4a34ca --- /dev/null +++ b/secrets/fs-01.yml 
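Review bot: The new `path_regex: '^.*\.ya?ml$'` matches every YAML file under the repository — `.sops.yaml` itself and any non-secret config included — so `sops` would offer to encrypt all of them to `primary`; patch 09 narrows it to `fs-01.yml`, which is still unanchored and has an unescaped dot, so it also matches any path containing e.g. `fs-01Xyml`. Scope the rule to the secrets directory and anchor it, `- path_regex: '^secrets/.*\.ya?ml$'` here, and `- path_regex: '^secrets/fs-01\.yml$'` in patch 09. Note that `path_regex` is matched against the path relative to `.sops.yaml`, so the `secrets/` prefix is the right anchor for the layout introduced in patch 05.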
@@ -0,0 +1,20 @@ +repo_pass: + local: null + remote: null +healthchecks_url_local: ENC[AES256_GCM,data:qO8M4Lb98Z8RWGpAXDWGNaY+6qtJD7u70o0/uR70M8PpwQ9Sq784PvO9jqrY/I1Vu6YlbQzXcN5mCepzBRGAIko=,iv:uBjXL6Xz9D0blU4GcnRBKoFnjYA6SSVnp/i6XtyzsfY=,tag:eXhLa+vvVjssbb1Y4YOQKQ==,type:str] +healthchecks_url_remote: ENC[AES256_GCM,data:czmesOnltYRZ8G+kJ7RX8fm4mCm0P84zO4JL64SL3dq1cW5IzpqhQ/X18XUUhBt8ZpY+Noqn1rEwt++gl4ZtNiPy9KTyuiOy,iv:9EKTwG1LYW12rpEJgSLuvsr1uWw5sUzkP2RdZO+d3zo=,tag:jZqhxMV942Eofk0lU+5Y0w==,type:str] +sops: + age: + - recipient: age1ca3zdn9s0fnlyrgcwu2fvkcu0qn9hj8dlvv96egju006y2lhvyzs3hw29z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaENSaTQ1TU1zUFBNYUp5 + Ti9RbndzM05odllGSWhOemFmbUFxRnRJV1dFCkZSZ1JCWlVSa1RDbGpzZERvaDVZ + OTZxcGNQYlJKMEpaaFVWSzlORXZ3V1UKLS0tIFY5TmVFOVduOVdPNEl6cHp5eGFJ + a1kyK1VBNDRKeXU4anZUUmkraE1nVTAK1L1mn9za+4LbEEFXddtwg8aS36S+XUT/ + s2qBTMr3t8USkwWwhGXsQ/79b1l8KXuSerZW5RNl7VZXjIzyk24fig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-21T06:17:22Z" + mac: ENC[AES256_GCM,data:UAK41K5NRydLs12wPyoC7U2+jxdDG1Is/ed/b2kt2SomcSjKCCdxLTVNPFwZK7dDjw1MYpgGue7PmObR9nMHihoQhWTPdC5KZxQ98dkCngisSmM4s4NMFAZC8vF9/MLo9LfOdSQIhbSQbGvEhlxHv2ujJdTQ3fiQuQCP0ULp1xI=,iv:/iKUKP4tqGMp8sAMS2mv+z1Myen9w0atYWzMxA/wS2s=,tag:FaVKhFli/GPaGS7MZEmImA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From b8e780f91c652c8de13c263f14d7cabec87ae606 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:01:50 -0700 Subject: [PATCH 06/22] base/secrets: prep secrets module for usage --- base/secrets.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/base/secrets.nix b/base/secrets.nix index db09317..c5b7527 100644 --- a/base/secrets.nix +++ b/base/secrets.nix 
@@ -9,17 +9,10 @@ with lib; -let - cfg = config.secrets; -in { - options.spice = { - enable = mkEnableOption "Enable SPICE guest setup"; - }; - config = { sops.defaultSopsFile = ./secrets/secrets.yaml; sops.defaultSopsFormat = "yaml"; - sops.age.keyFile = ""; + sops.age.keyFile = "/home/etorres/.config/sops-nix/keys.txt"; }; } From 4d5917ac0dcf4e3888494d3a7d74d783e3ce31a1 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:10:25 -0700 Subject: [PATCH 07/22] base/secrets: revert key location to $XDG_CONFIG_HOME/sops/age/keys.txt --- base/secrets.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/secrets.nix b/base/secrets.nix index c5b7527..a62e205 100644 --- a/base/secrets.nix +++ b/base/secrets.nix @@ -13,6 +13,6 @@ with lib; config = { sops.defaultSopsFile = ./secrets/secrets.yaml; sops.defaultSopsFormat = "yaml"; - sops.age.keyFile = "/home/etorres/.config/sops-nix/keys.txt"; + sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt"; }; } From 475b28ac67f13ecd015f75cc275f14abf301d7ff Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:10:46 -0700 Subject: [PATCH 08/22] secrets/fs-01: re-encrypt with local key --- secrets/fs-01.yml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/secrets/fs-01.yml b/secrets/fs-01.yml index f4a34ca..f0259af 100644 --- a/secrets/fs-01.yml +++ b/secrets/fs-01.yml 
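Review bot: `sops.age.keyFile` now points into an unprivileged user's home directory (`/home/etorres/.config/sops-nix/keys.txt`; patch 07 and the final state in patch 12 keep the same home-directory layout under `.config/sops/age`). sops-nix reads this key as root during system activation, so the file has to be present before `/home` is usable, and — more importantly — whoever controls that account also holds the key that decrypts every secret on the host, which collapses the separation between a per-host key and the operator's editing key that patches 08/09 appear to set up. Keep the host key in a root-owned location such as `/var/lib/sops-nix/key.txt` (with `sops.age.generateKey = true;` if it should be created on first boot), or let sops-nix derive it from the host SSH key via `sops.age.sshKeyPaths`, and keep the operator's key only on the workstation where the files are edited.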
@@ -1,20 +1,18 @@ -repo_pass: - local: null - remote: null -healthchecks_url_local: ENC[AES256_GCM,data:qO8M4Lb98Z8RWGpAXDWGNaY+6qtJD7u70o0/uR70M8PpwQ9Sq784PvO9jqrY/I1Vu6YlbQzXcN5mCepzBRGAIko=,iv:uBjXL6Xz9D0blU4GcnRBKoFnjYA6SSVnp/i6XtyzsfY=,tag:eXhLa+vvVjssbb1Y4YOQKQ==,type:str] -healthchecks_url_remote: ENC[AES256_GCM,data:czmesOnltYRZ8G+kJ7RX8fm4mCm0P84zO4JL64SL3dq1cW5IzpqhQ/X18XUUhBt8ZpY+Noqn1rEwt++gl4ZtNiPy9KTyuiOy,iv:9EKTwG1LYW12rpEJgSLuvsr1uWw5sUzkP2RdZO+d3zo=,tag:jZqhxMV942Eofk0lU+5Y0w==,type:str] +borgmatic_ping_urls: + local: ENC[AES256_GCM,data:7qFq0nrqqrH556Ttf3KeRpDl2UicOBeWD8VBVSiN+TbVDVeIs/AXMKY2+IJMU2i15htL05hk2Y59bqSKr5fM3Ag=,iv:lII62b/Mw8dTgnHiBU3aM1s2bNGK1olk9Ef9squ8qME=,tag:fBlO16/h01QEfJnRwfLnxg==,type:str] + remote: ENC[AES256_GCM,data:3/4av4qjlC55VzjG1nB849mhN+FIn1S4Z20s2i/MKjQQAk+WsPLoTzCgiYY8M7MJxnB+xQusSmbPY+nlNbAW3SnbpOnQilr/,iv:yladJ+d5wncv9CDvF3GbNgPdYKIh6OdeAo9qLsKQy/4=,tag:TO1Tc/dyxF0N4YHXd7YzSg==,type:str] sops: age: - - recipient: age1ca3zdn9s0fnlyrgcwu2fvkcu0qn9hj8dlvv96egju006y2lhvyzs3hw29z + - recipient: age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaENSaTQ1TU1zUFBNYUp5 - Ti9RbndzM05odllGSWhOemFmbUFxRnRJV1dFCkZSZ1JCWlVSa1RDbGpzZERvaDVZ - OTZxcGNQYlJKMEpaaFVWSzlORXZ3V1UKLS0tIFY5TmVFOVduOVdPNEl6cHp5eGFJ - a1kyK1VBNDRKeXU4anZUUmkraE1nVTAK1L1mn9za+4LbEEFXddtwg8aS36S+XUT/ - s2qBTMr3t8USkwWwhGXsQ/79b1l8KXuSerZW5RNl7VZXjIzyk24fig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVFU2YWRjMVVuUmM2MVdq + SWZtWkxEenpqakxBcGdLVEw3aWZvZnplV3pZCmFWSHg2ZmYxd0ttVXkySTljMk1j + ZERLb3pBZnJML1RsYUw2djBSNk5RUDgKLS0tIDRGSm5xbThZeTlUK2R2RXd4VEc3 + ajV1dUpEc3hNc1gzYWZVMDVMKzN4c2MK1WN3yUzgwP9ilZTCnI99EU1t8csxqgGw + TbE1f1WKcBiECj70+tnWE+jDG5gNPOVkP4AJ/XpraQ0MmrwKo8OrYQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-21T06:17:22Z" - mac: 
ENC[AES256_GCM,data:UAK41K5NRydLs12wPyoC7U2+jxdDG1Is/ed/b2kt2SomcSjKCCdxLTVNPFwZK7dDjw1MYpgGue7PmObR9nMHihoQhWTPdC5KZxQ98dkCngisSmM4s4NMFAZC8vF9/MLo9LfOdSQIhbSQbGvEhlxHv2ujJdTQ3fiQuQCP0ULp1xI=,iv:/iKUKP4tqGMp8sAMS2mv+z1Myen9w0atYWzMxA/wS2s=,tag:FaVKhFli/GPaGS7MZEmImA==,type:str] + lastmodified: "2025-08-22T05:07:02Z" + mac: ENC[AES256_GCM,data:pj6BlaUk2Ne6dQmgvDy+rCj9/wCh7N+wyVaJ2QL9//OHHQZKE/K9tG+T/gXrwHKlPdPqcITe0IaAVldE12yTYXD1tiQKB6aZou7sVxER7xGzQSyHjEmBZeC3uIBvJUgGnrEOqRLQ31/RDBFIkmKWhK4lHrzeo0BQOw/FGROLqMw=,iv:VtGNfNTKirxw1V1Kmwm9Pr5DzWOVw1B3gurJhNUq+bE=,tag:4VT7HHxkv2J+hhu5ZN4VmA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From eccee53abb8b38f5d24843f0daadfc36ff043a14 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:11:06 -0700 Subject: [PATCH 09/22] .sops.yaml: add fs-01 key reference --- .sops.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 1fae27f..f463f23 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,10 @@ # .sops.yaml keys: - - &primary age1ca3zdn9s0fnlyrgcwu2fvkcu0qn9hj8dlvv96egju006y2lhvyzs3hw29z + - &fs-01 age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt + creation_rules: - - path_regex: '^.*\.ya?ml$' + - path_regex: fs-01.yml key_groups: - age: - - *primary + - *fs-01 From ea5d1e037678c0e46308ba3758ca3a648e647bd8 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:18:32 -0700 Subject: [PATCH 10/22] hosts/fs-01: add secrets for borgmatic ping URLs --- hosts/fs-01/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 89030e3..8ea3932 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -19,6 +19,9 @@ syncthingserver.enable = true; + sops.secrets."borgmatic_ping_urls/local" = { }; + sops.secrets."borgmatic_ping_urls/remote" = { }; + services.borgmatic = { enable = true; enableConfigCheck = true; 
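Review bot: Replacing `primary` with `fs-01` in both `keys:` and `key_groups:` leaves `secrets/fs-01.yml` (re-encrypted in patch 08) readable by exactly one age recipient, so losing that key — or wanting to edit the file from a machine that does not hold it — makes the secrets unrecoverable and forces regeneration. The usual sops-nix layout lists the operator's editing key and the host's key in the same `age:` group so either can decrypt: keep `- &primary age1ca3…` in `keys:` and list `- *primary` alongside `- *fs-01`. If `fs-01` is in fact the operator's workstation key rather than a host key, say so in a comment next to the anchor, because the name currently implies per-host scoping.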
From 4d8d65650ee8328a2b7e26fc3d86f9176f60eaf3 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 22:20:56 -0700 Subject: [PATCH 11/22] base/secrets: explicitly import sops-nix module --- base/secrets.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/base/secrets.nix b/base/secrets.nix index a62e205..ea45034 100644 --- a/base/secrets.nix +++ b/base/secrets.nix @@ -10,9 +10,9 @@ with lib; { - config = { - sops.defaultSopsFile = ./secrets/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt"; - }; + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt"; } From 1a3a8ffc609709d1a8703284704b6a2da5db21a9 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 23:33:55 -0700 Subject: [PATCH 12/22] base/secrets: fix key read path --- base/secrets.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/secrets.nix b/base/secrets.nix index ea45034..25287fc 100644 --- a/base/secrets.nix +++ b/base/secrets.nix @@ -12,7 +12,7 @@ with lib; { imports = [ inputs.sops-nix.nixosModules.sops ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yml; sops.defaultSopsFormat = "yaml"; sops.age.keyFile = "/home/etorres/.config/sops/age/keys.txt"; } From a9cd4e07afe72331649e4a4656dc1bb16b7ab7e2 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Thu, 21 Aug 2025 23:38:59 -0700 Subject: [PATCH 13/22] secrets/fs-01: add borgmatic repo creds --- secrets/fs-01.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/secrets/fs-01.yml b/secrets/fs-01.yml index f0259af..3a5f1d2 100644 --- a/secrets/fs-01.yml +++ b/secrets/fs-01.yml 
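Review bot: `sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yml` lives in `base/secrets.nix`, which `base/base.nix` imports for every host (patch 02), so any host that declares a `sops.secrets.*` entry now needs a matching `secrets/<hostName>.yml` to exist at evaluation time; in this series only `fs-01` has one, while `borg-01` (patch 19) does not. That is probably fine as long as hosts without a file declare no secrets, but it is an implicit contract worth stating next to the line, e.g. `# one encrypted file per host, selected by hostName; hosts without one must not declare sops.secrets`. The `with lib;` at the top of the file no longer has a user now that the `options` block is gone; the module header is outside the hunk.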
@@ -1,6 +1,9 @@ borgmatic_ping_urls: local: ENC[AES256_GCM,data:7qFq0nrqqrH556Ttf3KeRpDl2UicOBeWD8VBVSiN+TbVDVeIs/AXMKY2+IJMU2i15htL05hk2Y59bqSKr5fM3Ag=,iv:lII62b/Mw8dTgnHiBU3aM1s2bNGK1olk9Ef9squ8qME=,tag:fBlO16/h01QEfJnRwfLnxg==,type:str] remote: ENC[AES256_GCM,data:3/4av4qjlC55VzjG1nB849mhN+FIn1S4Z20s2i/MKjQQAk+WsPLoTzCgiYY8M7MJxnB+xQusSmbPY+nlNbAW3SnbpOnQilr/,iv:yladJ+d5wncv9CDvF3GbNgPdYKIh6OdeAo9qLsKQy/4=,tag:TO1Tc/dyxF0N4YHXd7YzSg==,type:str] +borgmatic_pass: + local: ENC[AES256_GCM,data:raZ6iz4ZHGBl7t1ZiVkqLASsDoI=,iv:7RficWkWV6WGKmyYUcVoBXlHX0axlvEgZ8TEdtb8tI0=,tag:ILozLRHDXMdvAz9nOyqQOw==,type:str] + remote: ENC[AES256_GCM,data:zzelomQZuPEmMiuhTcdnX3Jtu8E=,iv:uYDvwlcy29nn0XUkr4waQcdnvimDhNTNR4HGQ/w10gU=,tag:Knx3nQxJ5L4IlwtdFOm8+w==,type:str] sops: age: - recipient: age1e9s4v2k3tfyc0lvz84wkg8uacv6283va58al2yy8dt6jgswf99vs9z4ujt @@ -12,7 +15,7 @@ sops: ajV1dUpEc3hNc1gzYWZVMDVMKzN4c2MK1WN3yUzgwP9ilZTCnI99EU1t8csxqgGw TbE1f1WKcBiECj70+tnWE+jDG5gNPOVkP4AJ/XpraQ0MmrwKo8OrYQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-22T05:07:02Z" - mac: ENC[AES256_GCM,data:pj6BlaUk2Ne6dQmgvDy+rCj9/wCh7N+wyVaJ2QL9//OHHQZKE/K9tG+T/gXrwHKlPdPqcITe0IaAVldE12yTYXD1tiQKB6aZou7sVxER7xGzQSyHjEmBZeC3uIBvJUgGnrEOqRLQ31/RDBFIkmKWhK4lHrzeo0BQOw/FGROLqMw=,iv:VtGNfNTKirxw1V1Kmwm9Pr5DzWOVw1B3gurJhNUq+bE=,tag:4VT7HHxkv2J+hhu5ZN4VmA==,type:str] + lastmodified: "2025-08-22T06:44:32Z" + mac: ENC[AES256_GCM,data:fD9OV0FFBHr8whgiqKPoxrT2rAzr27F8zxt/RaJcOR9iEeZ8NQJGo3LmP18Mogi1g+Qb7ChWZKcXrJtmUX/qmwkhbacjY2bwLdX4XIGs2w7/fWv5yBOAWyqO6ArBJfIjkDrE+jti44vRCVzn14IMG8XdS+KR/n9Ojm43ycYtikE=,iv:IlpoSDgSn6ekFRJHOcIeAhTL4vp0iL5dhEQkwgZu+Tk=,tag:CvL3XNoMr1uNGi8r+mM7mg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From 8d0c143169050b2e68746a5b389fde5629012967 Mon Sep 17 00:00:00 2001 
From: Eric Torres Date: Fri, 22 Aug 2025 00:07:06 -0700 Subject: [PATCH 14/22] hosts/fs-01: config borg repo passwords --- hosts/fs-01/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 8ea3932..00f2c71 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -21,6 +21,10 @@ sops.secrets."borgmatic_ping_urls/local" = { }; sops.secrets."borgmatic_ping_urls/remote" = { }; + sops.secrets."borgmatic_pass/local" = { + owner = "borg"; + }; + sops.secrets."borgmatic_pass/remote" = { }; services.borgmatic = { enable = true; @@ -34,7 +38,7 @@ path = ""; } ]; - encryption_passphrase = ""; + encryption_passcommand = "cat ${sops.secrets.borgmatic_pass/local.path}"; keep_daily = 7; keep_weekly = 4; From 0d819a30a22ee4c41dd3939a73375bcad270e034 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:14:36 -0700 Subject: [PATCH 15/22] hosts/fs-01: don't set owner for cred --- hosts/fs-01/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 00f2c71..42dfdb5 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -21,9 +21,7 @@ sops.secrets."borgmatic_ping_urls/local" = { }; sops.secrets."borgmatic_ping_urls/remote" = { }; - sops.secrets."borgmatic_pass/local" = { - owner = "borg"; - }; + sops.secrets."borgmatic_pass/local" = { }; sops.secrets."borgmatic_pass/remote" = { }; services.borgmatic = { From 5316c0cad3f8f146933188c9a9ef1d17064414e9 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:18:30 -0700 Subject: [PATCH 16/22] hosts/fs-01: add healthchecks ping url for local job --- hosts/fs-01/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 42dfdb5..d5b5403 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix 
@@ -46,7 +46,7 @@ unknown_unencrypted_repo_access_is_ok = false; healthchecks = { - ping_url = ""; + ping_url = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing"; }; }; }; From 4e79250c7c40dcda5c0eef6b38e96a0aab38bab3 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:19:47 -0700 Subject: [PATCH 17/22] hosts/fs-01: fix quoting issue for called secret --- hosts/fs-01/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index d5b5403..12b3e02 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -36,7 +36,7 @@ path = ""; } ]; - encryption_passcommand = "cat ${sops.secrets.borgmatic_pass/local.path}"; + encryption_passcommand = ''cat ${sops.secrets."borgmatic_pass/local".path}''; keep_daily = 7; keep_weekly = 4; From c232aac08fbc035ad9fd9c9b1b1bb832e4d32bcf Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:20:31 -0700 Subject: [PATCH 18/22] hosts/fs-01: fix path for sops secret --- hosts/fs-01/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 12b3e02..c03ac84 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -36,7 +36,7 @@ path = ""; } ]; - encryption_passcommand = ''cat ${sops.secrets."borgmatic_pass/local".path}''; + encryption_passcommand = ''cat ${config.sops.secrets."borgmatic_pass/local".path}''; keep_daily = 7; keep_weekly = 4; From 30af6ca944804966a6e7a5008e38a16a2e8fbbab Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:29:23 -0700 Subject: [PATCH 19/22] hosts/borg-01: add pubkey for fs-01 borgmatic --- hosts/borg-01/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/borg-01/default.nix b/hosts/borg-01/default.nix index 8d6e4ae..b7d1602 100644 --- a/hosts/borg-01/default.nix +++ b/hosts/borg-01/default.nix 
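Review bot: The Healthchecks `ping_url` is a bearer-style token (anyone holding it can report a successful backup), and writing it literally into `hosts/fs-01/default.nix` commits it to git and renders it into the world-readable Nix store when the borgmatic config is generated — exactly what the `borgmatic_ping_urls/local` secret declared in patch 10 was meant to avoid, and that secret is never referenced anywhere in this series. Source the URL from the decrypted secret instead of the literal, for example with borgmatic's `{credential file <path>}` tag pointing at `config.sops.secrets."borgmatic_ping_urls/local".path` if the packaged borgmatic supports it, or via an environment-file indirection otherwise, and rotate the token that is now in history. The enclosing `services.borgmatic.settings` block starts outside the hunk.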
@@ -36,6 +36,12 @@ ]; path = "/mnt/data/backups/databases/db-pg17"; }; + "fs-01" = { + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHMJMvsMZ6sckMi3PFM4ARrV21emTU1VSIyjFEYk8SX borg@fs-01" + ]; + path = "/mnt/data/backups/databases/db-pg17"; + }; "lax-01" = { authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwdizQ4FKsM7WvZsQ94N1x6k2Fuda5NkIio967vakg5 borg@lax-01" From 5f5e1f3c709f0a1fae265933444a0479f629b5b9 Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:35:04 -0700 Subject: [PATCH 20/22] hosts/fs-01: add ssh_command --- hosts/fs-01/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index c03ac84..5196cf2 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -45,6 +45,8 @@ unknown_unencrypted_repo_access_is_ok = false; + ssh_command = "ssh -i /etc/borgmatic.d/borg-local" + healthchecks = { ping_url = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing"; }; From dca7e6b345143589f920857b4964bfdd55aa2cbc Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:36:16 -0700 Subject: [PATCH 21/22] hosts/fs-01: add semicolon --- hosts/fs-01/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 5196cf2..6b35b1a 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -45,7 +45,7 @@ unknown_unencrypted_repo_access_is_ok = false; - ssh_command = "ssh -i /etc/borgmatic.d/borg-local" + ssh_command = "ssh -i /etc/borgmatic.d/borg-local"; healthchecks = { ping_url = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-syncthing"; From 44c3044729706583275836cd501fac324b8662cd Mon Sep 17 00:00:00 2001 From: Eric Torres Date: Fri, 22 Aug 2025 00:46:00 -0700 Subject: [PATCH 22/22] hosts/fs-01: add local backup repo path --- hosts/fs-01/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
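Review bot: The new `"fs-01"` entry reuses `path = "/mnt/data/backups/databases/db-pg17"`, the same path as the entry that closes just above it, so the fs-01 key is authorized for the database host's repository rather than one of its own (presumably a copy-paste slip; the Healthchecks slug in patch 16 suggests these are Syncthing backups). Sharing one repository across clients defeats the per-client isolation that `services.borgbackup.repos` gives — fs-01 could read, overwrite or, unless `appendOnly` is set, prune the other client's archives, and both clients would have to share one passphrase. Give it its own directory, `path = "/mnt/data/backups/<fs-01 repo dir>";` (placeholder). The enclosing `services.borgbackup.repos` set starts and ends outside the hunk.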
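Review bot: `ssh_command = "ssh -i /etc/borgmatic.d/borg-local"` depends on a private key that nothing in this configuration provisions, and on root's `known_hosts` already trusting `borg-01`; on a fresh host the first non-interactive run fails host-key verification instead of connecting, and the usual workaround of disabling strict host-key checking would leave the backup stream open to a spoofed server. Pin the server key declaratively with `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=…` against a managed file) and manage the client key as a `sops.secrets` entry so its location and root-only permissions are reproducible. Patch 21 only adds the missing semicolon.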
diff --git a/hosts/fs-01/default.nix b/hosts/fs-01/default.nix index 6b35b1a..6398e32 100644 --- a/hosts/fs-01/default.nix +++ b/hosts/fs-01/default.nix @@ -33,7 +33,7 @@ repositories = [ { label = "local"; - path = ""; + path = "borg@borg-01.tail755c5.ts.net:."; } ]; encryption_passcommand = ''cat ${config.sops.secrets."borgmatic_pass/local".path}'';
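Review bot: `path = "borg@borg-01.tail755c5.ts.net:."` addresses the repository as `.`, which borg resolves relative to the `borg` user's home on `borg-01`, while the server-side key added in patch 19 is restricted to the repository `path` declared there; unless the module sets that user's home to the repository directory the two do not coincide and `borg serve` will refuse the access — confirm that mapping, or spell the repository out as `path = "borg@borg-01.tail755c5.ts.net:<server repo path>";` (placeholder matching the `path` of `services.borgbackup.repos."fs-01"`). Since the host is a Tailscale remote, the `label = "local"` on the context line above and the `borg-local` key name in patch 20 deserve a one-line comment saying what "local" means here. The enclosing `repositories` list and the `services.borgmatic.settings` block extend beyond the hunk.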