vidhar: borg

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 21:20:24 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 21:20:24 +0100
commit: 32282ae39d352428988891207fb4f276a311846a (patch)
tree: 03b3e562996b5c47b29fbc43beae72801fc66844 /hosts
parent: ab822140ffb2980ced0026bbd6e4f417b53451b0 (diff)
download: nixos-32282ae39d352428988891207fb4f276a311846a.tar
nixos-32282ae39d352428988891207fb4f276a311846a.tar.gz
nixos-32282ae39d352428988891207fb4f276a311846a.tar.bz2
nixos-32282ae39d352428988891207fb4f276a311846a.tar.xz
nixos-32282ae39d352428988891207fb4f276a311846a.zip
9 files changed, 120 insertions, 37 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 07ba564d..9516ceba 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -405,30 +405,6 @@ in {
      ACTION=="add", SUBSYSTEM=="net", KERNEL=="virbr0", ENV{NM_UNMANAGED}="1"
    '';
-    services.borgbackup = {
-      snapshots = "btrfs";
-      prefix = "yggdrasil.midgard.sif.";
-      targets = {
-        "munin" = {
-          repo = "borg.munin:borg";
-          paths = [ "/home/gkleen" ];
-          prune = {
-            "home" =
-              [ "--keep-within" "24H"
-                "--keep-daily" "31"
-                "--keep-monthly" "12"
-                "--keep-yearly" "-1"
-              ];
-          };
-          keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
-        };
-      };
-    };
-    sops.secrets.borg-repokey--borg_munin__borg = {
-      sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
-      key = "key";
-    };
    services.btrfs.autoScrub = {
      enable = true;
      fileSystems = [ "/" "/home" ];
diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix
deleted file mode 100644
index 0a0b37a5..00000000
--- a/hosts/vidhar/borg.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
-  config = {
-    users.users.borg = {
-      isSystemUser = true;
-      createHome = false;
-      group = "borg";
-      extraGroups = [ "ssh" ];
-    };
-    users.groups."borg" = {};
-  };
-}
diff --git a/hosts/vidhar/borg/authorized-keys/surtr b/hosts/vidhar/borg/authorized-keys/surtr
new file mode 100644
index 00000000..26d286b4
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/surtr
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:UFWmVs/D1MtAW9ql+e9S5XRPBEmW5k09zCw+ftP8UgXPWSnNrutRpncsyvM07yqZw8qr4bhEErOrkmMk+BGcVlxGg55S7f6iJsj8GCFMhfJ5gVEa9jJRmEX8F9NZ2wlj3aeMni2JjBNnbypCwD7ffudK+sLNlhmVVwdNFCws2JQLnFW7mQOo/d8+BlPOxCebJIvmTq4K/b7+RqVuuqiK9t28Qt/eo0+F9aciXKyKZVM0bxw54Hh6yADqZ6ZTIzWbHb9+TL3HhP6dquNDqe2iiWaPzI5J63agpNDJ7uEtwTDW/irsIl3Ob5ekrXJ1FOaTmIUqRdyxty71ir6Aa/+JQIeVoC80oUgu1ImD9xenYD2v0EX4s6yJJV3a9bla3D3HRvZSfSuShbjfJDkegehXzFK0pVt2oAZMKKLHF25cx3In428evW7vb0R2aakf/tF0Gjlbooc+zEc2UgEp/YjYW5WaelWIK4ItwfmBRNYG9G5ZE0GT2I8UtHOiMQRA78ShxN7i,iv:H+YVF7wiUATbwnwzqO/LEZgWagnbeRRdMS9aK09vCbg=,tag:sDbC2g2xtjifS8Px3YI6vA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-06T19:43:25Z",
+                "mac": "ENC[AES256_GCM,data:K3Y96+TM4/Jsl8JQ56tpJNHmkDVuetUtQbUpDqIHbqm65d+RKoL/Qy/IWVGqcfUxZMUvzM2J3fEo/05q8mcxn+wZd2tECSJEUbgFDhGrpPZV8Ir8cQCYlPn+UBTS4rNUfEpSBlymND/vFjQ0lneqMo5lapbetSs4h/GvFzUFw8M=,iv:TyzMk7wKzZpq8TrE9uHRFXi+JzvNePcWrmyogcoCZo0=,tag:KB6ZBlGrBSGuQFg4fB407w==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-06T19:43:24Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAWSCnyt9/7PkWecNhcOwuw0TRJMld9dmV0Ti6KjR6bkAw\nQxTdj0rMaXFayEyyXxotbjxb/ZMTesYCqAce7RKoj0GS2GngmP6Xzpt151uSmyPs\n0l4Bh5Ohfln3bAq6iJvJfOZvwYqmoIicRZFFY7afuBDO7oad4fkoWpQWDRtuLc9M\nIC0ReFXCuQOI5eoFF3V8xT+X+icjFUCVC2OktO/6AlAtXxi6BSL+574CUMivuQz0\n=3v/M\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-06T19:43:24Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAqlj4zYxkXgnJEEt/RfxQORgOzyfiZdQKzlhm78OhsBkw\nc2EdfAgpGwIm1F8tpVtwYcfNXYgfaJdADMzYSHL8qqn8DJrvhCArJdT/m7ZPWKy2\n0l4B1hpQdga7KQTD/iDlIrTJtiZ9/AMtUJM/HU9KtCl9AFGRNEGTAEdlHTUBDzOP\nTSF+R4NAqoY742C7Lf7pkHbVhhpXige37qJhvu7AMgnT5TT17McsXUj52Sy+Qv3z\n=cBYd\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/vidhar/borg/authorized-keys/surtr.pub b/hosts/vidhar/borg/authorized-keys/surtr.pub
new file mode 100644
index 00000000..5c044d7a
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/surtr.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5rfNezLOoI4ijzNNg61OGFfq4AXHlzVT0z/+RO0/ju surtr
diff --git a/hosts/vidhar/borg/authorized-keys/ymir b/hosts/vidhar/borg/authorized-keys/ymir
new file mode 100644
index 00000000..f3dd360c
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/ymir
@@ -0,0 +1,21 @@
+{
+        "data": "ENC[AES256_GCM,data:uzfOHmr0fct77EW5F/b5mSlckywoAKp/LCSZYTtUKa6HzbYujCUhlwqwFcc1lOQxfiDyQuJmhZaFbMgTSHyzf5zAfirQnCFPoUJFQf62TkQIoRNkTIYlzyzsaGl5uMZukl3r+qmd92Xoaf/d300Oq9P2k1RHQw2+UtyNn5B2OHD9hR9X6yXr8lRH8ABLKSFcqS2KrJXzYofoHub/V8OSldSRKpG3yy/CpsbVTOkc+ygBaH7orR6PWIy/iSummSGN6EaXdv2GZcqqf/h3iP8+xZlgqWnxRt0X5se6hrXNM0oU04fcs0sneqxUAQTvcnT75uO4z/lZ8ZTKDi05hCDzOF2iKybGjuJTGBMdAitQVC3DG7dtjbtnQ2xWrkZjkIRAGSz9Ud6rXmP0OILWYIhBHXgruyCJVJkTSBlu2Kcc+gwgEMfUHBq5k6rW13f1hlqikINDT6rkKH8IJyvMF0WTNdW0KVEemImKqfJccsfdPK6EdQDLOApq1vjd2djQVnIrCccV,iv:0qExktFJCrwkPbDzyUn2mWrHXCJsDPyZ0w2pSYl/bu8=,tag:N6RWe6owTuohMpyJoJaEjQ==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-06T20:15:30Z",
+                "mac": "ENC[AES256_GCM,data:uuScAvmls3hQFnuzG2KJXPEC2crHmkAlQGhIsxJRKCfsrlIyLZbDhNmB+MkYSJza4X4Cshm95DcFh7+A1QFa9VlZl+7iFx2RT23dMpW4aDGPB9w/SPUTFoUiKUkxsGIl0VemnoT3EuU3iPRGqGX859MGHAFe6XprCRKUnpU0OyA=,iv:pbG7dQ2ZEVMWmlx9AQfIJBs5Wu2pKCfYQ3DrzteJj28=,tag:UvDuRPJUU7ScgwrmbGjPiA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-06T20:15:29Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAAju8aRDlzlNFdCuiVeg7Kak6DgixY2Gq5fRqS78PP3Mw\nRZyzG8ZaNBSHIG+lZtgdYcMEe1kH83KZ7pimlh3jKCumpdyB0jEdoMl1VLYhaaw9\n0l4B8yQ4DbxuJuTrrlI4XtMO4srMQXn88UlqDb33ScURLPhl2Xmlhn9JNEoOgut9\nr+vQ5jj1/Cf7jE9fLeB9JcPyKeJJftIM4TBn+trvC/RaKs4gq1UVRH15WFTNRG5/\n=ncoV\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/vidhar/borg/authorized-keys/ymir.pub b/hosts/vidhar/borg/authorized-keys/ymir.pub
new file mode 100644
index 00000000..a62fcfdf
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/ymir.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRPw65gJccLR1bdKeyD/GB6dBBXPffP0JM9FvvIATzS ymir
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
new file mode 100644
index 00000000..d338dfd6
--- /dev/null
+++ b/hosts/vidhar/borg/default.nix
@@ -0,0 +1,36 @@
+{ pkgs, lib, ... }:
+with lib;
+{
+  config = {
+    services.borgbackup.repos.borg = {
+      path = "/srv/backup/borg";
+      authorizedKeysAppendOnly = let
+        dir = ./authorized-keys;
+        toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
+      in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
+    };
+    boot.postBootCommands = mkBefore ''
+      ${pkgs.findutils}/bin/find /srv/backup/borg -maxdepth 1 -type d -empty -delete
+    '';
+    services.openssh.extraConfig = ''
+      Match User borg
+        ClientAliveInterval 10
+        ClientAliveCountMax 30
+      Match All
+    '';
+    sops.secrets.borg-passphrase = {
+      sopsFile = ./passphrase.yaml;
+      format = "yaml";
+      key = "borg";
+      owner = "borg";
+      group = "borg";
+      mode = "0440";
+    };
+  };
+}
diff --git a/hosts/vidhar/borg/passphrase.yaml b/hosts/vidhar/borg/passphrase.yaml
new file mode 100644
index 00000000..6a306cea
--- /dev/null
+++ b/hosts/vidhar/borg/passphrase.yaml
@@ -0,0 +1,34 @@
+borg: ENC[AES256_GCM,data:Ly3WfFtHqQAK7E3MwSPMMOfVshwPurMLtAMYdfStlOk=,iv:taLOAWrdD8AkrPdMjxq3fdvIzyGAtU0NBGhdm6DKRO8=,tag:o84PE6fiVFT/NVp5HanZrg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-02-06T20:18:06Z"
+    mac: ENC[AES256_GCM,data:Se6Sft5FgW9SYw2PRzDCO/v0BXQSLgRSHh9UGMUCI3sfoZ00D5a3GGgNB7JN0D598ztGmShWUJi03JzxxYOOhIaJZB/Fk5cUUOsEx4kQErXCBrlktowZz7grq3E04tNzKQqzUJ83g3W/4/N6YrAKUnu/mWtMOwnxEithdTtrpS4=,iv:XVmFDCqm3Oa4/gZRVI3XWHyQ0GQE0II7OKWGDGn5TXI=,tag:e2L/dmYlpoGZb4cXClQ0vg==,type:str]
+    pgp:
+        - created_at: "2022-02-06T20:16:31Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DyFKFNkTVG5oSAQdAShFePaI/3pObNwFOa51ZPydA89cfwnErU9zE1/A68Qow
+            knL5rHbFSUUqGkiKT7syl1G9BupEAHz4BrFEXzc11VE5qc5vF3W6Lm9Agp3W/21W
+            0l4BAmm/sqUKSCCqRiSQmVVlpl5Hs7tOMwUsBpZb53edik4oBd7hzsI4y9n0viEa
+            FhAkXtGI0LzpFRosrbHt1jTK+u9360BO4959AMIfcUCYmIYKscs47Ux3EDzk6+2i
+            =Azsm
+            -----END PGP MESSAGE-----
+          fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
+        - created_at: "2022-02-06T20:16:31Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DXxoViZlp6dISAQdAIlHLZ6ipYghBjZeqfGv/VSsqsJHU3c6589TiSxXmCV8w
+            gScJtpO/R3DX1zUAVxxkOoGnJ0qS9IhBEOB4D/ET+vPteR5IIx26a3TFp4vlMXRc
+            0l4BSikg39kSaxp+URvRJyAT1VQIprVkuEEmvgM5klvB+gitU0BhW//cEBvhW7SE
+            v+lfGy9PrpCb5yWpCN1H3DyfGwcRl6Qp3gkH5rs+/vpg39fs/Hh0CG+YnlHMzZ39
+            =I8PE
+            -----END PGP MESSAGE-----
+          fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 09ae1e1e..c2d3461b 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix
+    ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
    initrd-ssh
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 21:20:24 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 21:20:24 +0100
commit	32282ae39d352428988891207fb4f276a311846a (patch)
tree	03b3e562996b5c47b29fbc43beae72801fc66844 /hosts
parent	ab822140ffb2980ced0026bbd6e4f417b53451b0 (diff)
download	nixos-32282ae39d352428988891207fb4f276a311846a.tar nixos-32282ae39d352428988891207fb4f276a311846a.tar.gz nixos-32282ae39d352428988891207fb4f276a311846a.tar.bz2 nixos-32282ae39d352428988891207fb4f276a311846a.tar.xz nixos-32282ae39d352428988891207fb4f276a311846a.zip

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 07ba564d..9516ceba 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -405,30 +405,6 @@ in {
405	ACTION=="add", SUBSYSTEM=="net", KERNEL=="virbr0", ENV{NM_UNMANAGED}="1"	405	ACTION=="add", SUBSYSTEM=="net", KERNEL=="virbr0", ENV{NM_UNMANAGED}="1"
406	'';	406	'';
407		407
408	services.borgbackup = {
409	snapshots = "btrfs";
410	prefix = "yggdrasil.midgard.sif.";
411	targets = {
412	"munin" = {
413	repo = "borg.munin:borg";
414	paths = [ "/home/gkleen" ];
415	prune = {
416	"home" =
417	[ "--keep-within" "24H"
418	"--keep-daily" "31"
419	"--keep-monthly" "12"
420	"--keep-yearly" "-1"
421	];
422	};
423	keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
424	};
425	};
426	};
427	sops.secrets.borg-repokey--borg_munin__borg = {
428	sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
429	key = "key";
430	};
431
432	services.btrfs.autoScrub = {	408	services.btrfs.autoScrub = {
433	enable = true;	409	enable = true;
434	fileSystems = [ "/" "/home" ];	410	fileSystems = [ "/" "/home" ];


diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix deleted file mode 100644 index 0a0b37a5..00000000 --- a/hosts/vidhar/borg.nix +++ /dev/null
@@ -1,12 +0,0 @@
1	{ ... }:
2	{
3	config = {
4	users.users.borg = {
5	isSystemUser = true;
6	createHome = false;
7	group = "borg";
8	extraGroups = [ "ssh" ];
9	};
10	users.groups."borg" = {};
11	};
12	}


diff --git a/hosts/vidhar/borg/authorized-keys/surtr b/hosts/vidhar/borg/authorized-keys/surtr new file mode 100644 index 00000000..26d286b4 --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/surtr
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:UFWmVs/D1MtAW9ql+e9S5XRPBEmW5k09zCw+ftP8UgXPWSnNrutRpncsyvM07yqZw8qr4bhEErOrkmMk+BGcVlxGg55S7f6iJsj8GCFMhfJ5gVEa9jJRmEX8F9NZ2wlj3aeMni2JjBNnbypCwD7ffudK+sLNlhmVVwdNFCws2JQLnFW7mQOo/d8+BlPOxCebJIvmTq4K/b7+RqVuuqiK9t28Qt/eo0+F9aciXKyKZVM0bxw54Hh6yADqZ6ZTIzWbHb9+TL3HhP6dquNDqe2iiWaPzI5J63agpNDJ7uEtwTDW/irsIl3Ob5ekrXJ1FOaTmIUqRdyxty71ir6Aa/+JQIeVoC80oUgu1ImD9xenYD2v0EX4s6yJJV3a9bla3D3HRvZSfSuShbjfJDkegehXzFK0pVt2oAZMKKLHF25cx3In428evW7vb0R2aakf/tF0Gjlbooc+zEc2UgEp/YjYW5WaelWIK4ItwfmBRNYG9G5ZE0GT2I8UtHOiMQRA78ShxN7i,iv:H+YVF7wiUATbwnwzqO/LEZgWagnbeRRdMS9aK09vCbg=,tag:sDbC2g2xtjifS8Px3YI6vA==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-06T19:43:25Z",
		10	"mac": "ENC[AES256_GCM,data:K3Y96+TM4/Jsl8JQ56tpJNHmkDVuetUtQbUpDqIHbqm65d+RKoL/Qy/IWVGqcfUxZMUvzM2J3fEo/05q8mcxn+wZd2tECSJEUbgFDhGrpPZV8Ir8cQCYlPn+UBTS4rNUfEpSBlymND/vFjQ0lneqMo5lapbetSs4h/GvFzUFw8M=,iv:TyzMk7wKzZpq8TrE9uHRFXi+JzvNePcWrmyogcoCZo0=,tag:KB6ZBlGrBSGuQFg4fB407w==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-06T19:43:24Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAWSCnyt9/7PkWecNhcOwuw0TRJMld9dmV0Ti6KjR6bkAw\nQxTdj0rMaXFayEyyXxotbjxb/ZMTesYCqAce7RKoj0GS2GngmP6Xzpt151uSmyPs\n0l4Bh5Ohfln3bAq6iJvJfOZvwYqmoIicRZFFY7afuBDO7oad4fkoWpQWDRtuLc9M\nIC0ReFXCuQOI5eoFF3V8xT+X+icjFUCVC2OktO/6AlAtXxi6BSL+574CUMivuQz0\n=3v/M\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-06T19:43:24Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAqlj4zYxkXgnJEEt/RfxQORgOzyfiZdQKzlhm78OhsBkw\nc2EdfAgpGwIm1F8tpVtwYcfNXYgfaJdADMzYSHL8qqn8DJrvhCArJdT/m7ZPWKy2\n0l4B1hpQdga7KQTD/iDlIrTJtiZ9/AMtUJM/HU9KtCl9AFGRNEGTAEdlHTUBDzOP\nTSF+R4NAqoY742C7Lf7pkHbVhhpXige37qJhvu7AMgnT5TT17McsXUj52Sy+Qv3z\n=cBYd\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/hosts/vidhar/borg/authorized-keys/surtr.pub b/hosts/vidhar/borg/authorized-keys/surtr.pub new file mode 100644 index 00000000..5c044d7a --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/surtr.pub
@@ -0,0 +1 @@
			ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5rfNezLOoI4ijzNNg61OGFfq4AXHlzVT0z/+RO0/ju surtr


diff --git a/hosts/vidhar/borg/authorized-keys/ymir b/hosts/vidhar/borg/authorized-keys/ymir new file mode 100644 index 00000000..f3dd360c --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/ymir
@@ -0,0 +1,21 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:uzfOHmr0fct77EW5F/b5mSlckywoAKp/LCSZYTtUKa6HzbYujCUhlwqwFcc1lOQxfiDyQuJmhZaFbMgTSHyzf5zAfirQnCFPoUJFQf62TkQIoRNkTIYlzyzsaGl5uMZukl3r+qmd92Xoaf/d300Oq9P2k1RHQw2+UtyNn5B2OHD9hR9X6yXr8lRH8ABLKSFcqS2KrJXzYofoHub/V8OSldSRKpG3yy/CpsbVTOkc+ygBaH7orR6PWIy/iSummSGN6EaXdv2GZcqqf/h3iP8+xZlgqWnxRt0X5se6hrXNM0oU04fcs0sneqxUAQTvcnT75uO4z/lZ8ZTKDi05hCDzOF2iKybGjuJTGBMdAitQVC3DG7dtjbtnQ2xWrkZjkIRAGSz9Ud6rXmP0OILWYIhBHXgruyCJVJkTSBlu2Kcc+gwgEMfUHBq5k6rW13f1hlqikINDT6rkKH8IJyvMF0WTNdW0KVEemImKqfJccsfdPK6EdQDLOApq1vjd2djQVnIrCccV,iv:0qExktFJCrwkPbDzyUn2mWrHXCJsDPyZ0w2pSYl/bu8=,tag:N6RWe6owTuohMpyJoJaEjQ==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-06T20:15:30Z",
		10	"mac": "ENC[AES256_GCM,data:uuScAvmls3hQFnuzG2KJXPEC2crHmkAlQGhIsxJRKCfsrlIyLZbDhNmB+MkYSJza4X4Cshm95DcFh7+A1QFa9VlZl+7iFx2RT23dMpW4aDGPB9w/SPUTFoUiKUkxsGIl0VemnoT3EuU3iPRGqGX859MGHAFe6XprCRKUnpU0OyA=,iv:pbG7dQ2ZEVMWmlx9AQfIJBs5Wu2pKCfYQ3DrzteJj28=,tag:UvDuRPJUU7ScgwrmbGjPiA==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-06T20:15:29Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAAju8aRDlzlNFdCuiVeg7Kak6DgixY2Gq5fRqS78PP3Mw\nRZyzG8ZaNBSHIG+lZtgdYcMEe1kH83KZ7pimlh3jKCumpdyB0jEdoMl1VLYhaaw9\n0l4B8yQ4DbxuJuTrrlI4XtMO4srMQXn88UlqDb33ScURLPhl2Xmlhn9JNEoOgut9\nr+vQ5jj1/Cf7jE9fLeB9JcPyKeJJftIM4TBn+trvC/RaKs4gq1UVRH15WFTNRG5/\n=ncoV\n-----END PGP MESSAGE-----\n",
		15	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		16	}
		17	],
		18	"unencrypted_suffix": "_unencrypted",
		19	"version": "3.7.1"
		20	}
		21	} \ No newline at end of file


diff --git a/hosts/vidhar/borg/authorized-keys/ymir.pub b/hosts/vidhar/borg/authorized-keys/ymir.pub new file mode 100644 index 00000000..a62fcfdf --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/ymir.pub
@@ -0,0 +1 @@
			ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRPw65gJccLR1bdKeyD/GB6dBBXPffP0JM9FvvIATzS ymir


diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix new file mode 100644 index 00000000..d338dfd6 --- /dev/null +++ b/hosts/vidhar/borg/default.nix
@@ -0,0 +1,36 @@
		1	{ pkgs, lib, ... }:
		2
		3	with lib;
		4
		5	{
		6	config = {
		7	services.borgbackup.repos.borg = {
		8	path = "/srv/backup/borg";
		9	authorizedKeysAppendOnly = let
		10	dir = ./authorized-keys;
		11	toAuthKey = fname: ftype: if ftype != "regular" \|\| !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
		12	in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
		13	};
		14
		15	boot.postBootCommands = mkBefore ''
		16	${pkgs.findutils}/bin/find /srv/backup/borg -maxdepth 1 -type d -empty -delete
		17	'';
		18
		19	services.openssh.extraConfig = ''
		20	Match User borg
		21	ClientAliveInterval 10
		22	ClientAliveCountMax 30
		23
		24	Match All
		25	'';
		26
		27	sops.secrets.borg-passphrase = {
		28	sopsFile = ./passphrase.yaml;
		29	format = "yaml";
		30	key = "borg";
		31	owner = "borg";
		32	group = "borg";
		33	mode = "0440";
		34	};
		35	};
		36	}


diff --git a/hosts/vidhar/borg/passphrase.yaml b/hosts/vidhar/borg/passphrase.yaml new file mode 100644 index 00000000..6a306cea --- /dev/null +++ b/hosts/vidhar/borg/passphrase.yaml
@@ -0,0 +1,34 @@
		1	borg: ENC[AES256_GCM,data:Ly3WfFtHqQAK7E3MwSPMMOfVshwPurMLtAMYdfStlOk=,iv:taLOAWrdD8AkrPdMjxq3fdvIzyGAtU0NBGhdm6DKRO8=,tag:o84PE6fiVFT/NVp5HanZrg==,type:str]
		2	sops:
		3	kms: []
		4	gcp_kms: []
		5	azure_kv: []
		6	hc_vault: []
		7	age: []
		8	lastmodified: "2022-02-06T20:18:06Z"
		9	mac: ENC[AES256_GCM,data:Se6Sft5FgW9SYw2PRzDCO/v0BXQSLgRSHh9UGMUCI3sfoZ00D5a3GGgNB7JN0D598ztGmShWUJi03JzxxYOOhIaJZB/Fk5cUUOsEx4kQErXCBrlktowZz7grq3E04tNzKQqzUJ83g3W/4/N6YrAKUnu/mWtMOwnxEithdTtrpS4=,iv:XVmFDCqm3Oa4/gZRVI3XWHyQ0GQE0II7OKWGDGn5TXI=,tag:e2L/dmYlpoGZb4cXClQ0vg==,type:str]
		10	pgp:
		11	- created_at: "2022-02-06T20:16:31Z"
		12	enc: \|
		13	-----BEGIN PGP MESSAGE-----
		14
		15	hF4DyFKFNkTVG5oSAQdAShFePaI/3pObNwFOa51ZPydA89cfwnErU9zE1/A68Qow
		16	knL5rHbFSUUqGkiKT7syl1G9BupEAHz4BrFEXzc11VE5qc5vF3W6Lm9Agp3W/21W
		17	0l4BAmm/sqUKSCCqRiSQmVVlpl5Hs7tOMwUsBpZb53edik4oBd7hzsI4y9n0viEa
		18	FhAkXtGI0LzpFRosrbHt1jTK+u9360BO4959AMIfcUCYmIYKscs47Ux3EDzk6+2i
		19	=Azsm
		20	-----END PGP MESSAGE-----
		21	fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
		22	- created_at: "2022-02-06T20:16:31Z"
		23	enc: \|
		24	-----BEGIN PGP MESSAGE-----
		25
		26	hF4DXxoViZlp6dISAQdAIlHLZ6ipYghBjZeqfGv/VSsqsJHU3c6589TiSxXmCV8w
		27	gScJtpO/R3DX1zUAVxxkOoGnJ0qS9IhBEOB4D/ET+vPteR5IIx26a3TFp4vlMXRc
		28	0l4BSikg39kSaxp+URvRJyAT1VQIprVkuEEmvgM5klvB+gitU0BhW//cEBvhW7SE
		29	v+lfGy9PrpCb5yWpCN1H3DyfGwcRl6Qp3gkH5rs+/vpg39fs/Hh0CG+YnlHMzZ39
		30	=I8PE
		31	-----END PGP MESSAGE-----
		32	fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
		33	unencrypted_suffix: _unencrypted
		34	version: 3.7.1


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 09ae1e1e..c2d3461b 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
1	{ hostName, flake, config, pkgs, lib, ... }:	1	{ hostName, flake, config, pkgs, lib, ... }:
2	{	2	{
3	imports = with flake.nixosModules.systemProfiles; [	3	imports = with flake.nixosModules.systemProfiles; [
4	./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix	4	./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg
5	initrd-all-crypto-modules default-locale openssh rebuild-machines	5	initrd-all-crypto-modules default-locale openssh rebuild-machines
6	build-server	6	build-server
7	initrd-ssh	7	initrd-ssh