3 files changed, 65 insertions, 1 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 4e9826bd..9271515f 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,4 +1,4 @@
-{ flake, pkgs, customUtils, lib, config, ... }:
+{ flake, pkgs, customUtils, lib, config, path, ... }:
 {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
@@ -259,6 +259,30 @@
      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
    '';
+    services.borgbackup = {
+      snapshots = "btrfs";
+      prefix = "yggdrasil.midgard.sif.";
+      targets = {
+        "munin" = {
+          repo = "borg.munin:borg";
+          paths = [ "/home/gkleen" ];
+          prune = {
+            "home" =
+              [ "--keep-within" "24H"
+                "--keep-daily" "31"
+                "--keep-monthly" "12"
+                "--keep-yearly" "-1"
+              ];
+          };
+          keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
+        };
+      };
+    };
+    sops.secrets.borg-repokey--borg_munin__borg = {
+      sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
+      key = "key";
+    };
    services.btrfs.autoScrub = {
      enable = true;
      fileSystems = [ "/" "/home" ];
diff --git a/modules/borgbackup/default.nix b/modules/borgbackup/default.nix
index 47f8e06d..a0419d0e 100644
--- a/modules/borgbackup/default.nix
+++ b/modules/borgbackup/default.nix
@@ -65,6 +65,11 @@ let
        type = types.int;
        default = 600;
      };
+      keyFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+      };
    };
  };
 in {
@@ -171,6 +176,7 @@ in {
        IOSchedulingPriority = 7;
        SuccessExitStatus = [1 2];
        Slice = "system-borgbackup.slice";
+        Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
      };
    })) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
      enable = tCfg.prune != {};
@@ -193,6 +199,7 @@ in {
      serviceConfig = {
        Type = "oneshot";
        Slice = "system-borgbackup.slice";
+        Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
      };
    }) cfg.targets);
  };
diff --git a/modules/borgbackup/repokeys/borg_munin__borg.yaml b/modules/borgbackup/repokeys/borg_munin__borg.yaml
new file mode 100644
index 00000000..f302fe06
--- /dev/null
+++ b/modules/borgbackup/repokeys/borg_munin__borg.yaml
@@ -0,0 +1,33 @@
+key: ENC[AES256_GCM,data:mxh+Jtxx+HyD246yPwo0vy7vSTz3IG8VmfbxPMwqJRreh9ZwkGnH5aCTDOvWOHIrkmzaRMF3oCi1P8D29+abMUZdt0MuJ3UE6iL8+SXlflR+WACgALM2Df+x9B3BwQM3yeoCiWG+ebr0iQPHM3jqqpkjoRv1CcythxG2deZueur9lzgC2CwG1g3O8Prnl9z0JQGOa+gjic8Zwfn38B1BECeNPrbjzICGBOrSbN/6EnfBDygI2QzseamzK2I6R6jT+QxHvkl+Zi1m2TRB+4o82VgTjPhIReJyT7PrlDnUyrKObhCOlb3v+LiSdp16IPIDVs968kyDzgyi7QPOpGr+5tutWCZrau5xhPDrONKByl/0nVVwEZfRIYATvEXtn5okJru/mglcpeD0I7AtLt+Vfv9CB9pQczvkHo0cDtgudQDf9ADt/nkmqHugm5VfMg9m9aGbKqzXt6pPOMsXSbS43K7wgDaduLZ/PW4Ookx9gTNLtJHnZ64GBorOv4QSrZIZF8pE1FsQdUhmp/YzVhaNBnjCr+Jh77sYjoOwzF77Xy+VP2C/yVIf492P+FcgkSj6XhYYqHffpFW9l/xmUvyQF5gjj2k5T21UvgChhI1HeLPzQ7W9+xuGSMtg58aD/VPe1loCy8zLITNl71bneararRS5vItoZyzMdmIRMLAZD1klPmDNe1yufTpubOXzNYbWUqFUZtwH/mDL5GRZBD9dqs2b3F26c1CUyw==,iv:NJBHesKSZ1zuKk8qHnYKqIwMnFkH+rkQD1bam5XpLXU=,tag:EiYbIFY/r/eTSTJIhYV+GA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T20:38:48Z'
+    mac: ENC[AES256_GCM,data:3rkFTOk3r2dx3hOqu1u7XIIibTDfqNlRcWY9X2N/LFa/BKojgDt5tcpbphV4HqWvl8nS+fPcVrIElJfQ/QGFEOx68G95BhByntT9+JhSbHJt73dGnCSroZCw5QefdydREGvA5n00Vo9yT9IMvQsQbmpRzo6hcrSSUvagZqmZckA=,iv:F/HllDzyxgulIWZbfz9bFKR+SFg4PoaUYZ5N5hfIzw0=,tag:h2NXmvj/thhBg1rIkwdXXA==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T20:38:09Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4Dgwm4NZSaLAcSAQdAwmvyXlr9MyfPfLgkfQkoktKBV2WA2xhZrGL7NeeGfhAw
+            REk+clJ9WgiJ0iceRAONPnEjeiK0J6Fsj+5Ulq8flFGkoj5Pta0pm/9fudKmcPdC
+            0l4BF0G5LSpG1EmY+LmVdSdas16rWgthnojoXPvbbHG6jZs3aDETshdiN8Bdlqsf
+            aVhq2LYzscnYezNcdernR4uojtiFny8qcmdF3tFacr+mkgfgIQr0W9yWFhDH15gm
+            =4TwU
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T20:38:09Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DXxoViZlp6dISAQdAruPXj9IsllEN7R5jk4gF7bW0ZirhvX7qsu22/6HbSw8w
+            66RwN3WGjYO1CcVbHKuLqVVaUBCnrR/4XHN0JYUaqjubrSZBTWFKTBFsKSTT0LZq
+            0l4BKcsXrbGpYC5+yQvg0RHJ7LplxpKOmqMY8KGckvGnVf2xg7k6wuWQREFzqwt+
+            lOa3x+xFy9c0JwE8AafyKjb/cgqJiMb96lhsH57BpXJa2E39ImQbXqzDzdx2jEUt
+            =3rxi
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 4e9826bd..9271515f 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -1,4 +1,4 @@
1	{ flake, pkgs, customUtils, lib, config, ... }:	1	{ flake, pkgs, customUtils, lib, config, path, ... }:
2	{	2	{
3	imports = with flake.nixosModules.systemProfiles; [	3	imports = with flake.nixosModules.systemProfiles; [
4	./hw.nix	4	./hw.nix
@@ -259,6 +259,30 @@
259	SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"	259	SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
260	'';	260	'';
261		261
		262	services.borgbackup = {
		263	snapshots = "btrfs";
		264	prefix = "yggdrasil.midgard.sif.";
		265	targets = {
		266	"munin" = {
		267	repo = "borg.munin:borg";
		268	paths = [ "/home/gkleen" ];
		269	prune = {
		270	"home" =
		271	[ "--keep-within" "24H"
		272	"--keep-daily" "31"
		273	"--keep-monthly" "12"
		274	"--keep-yearly" "-1"
		275	];
		276	};
		277	keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
		278	};
		279	};
		280	};
		281	sops.secrets.borg-repokey--borg_munin__borg = {
		282	sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
		283	key = "key";
		284	};
		285
262	services.btrfs.autoScrub = {	286	services.btrfs.autoScrub = {
263	enable = true;	287	enable = true;
264	fileSystems = [ "/" "/home" ];	288	fileSystems = [ "/" "/home" ];


diff --git a/modules/borgbackup/default.nix b/modules/borgbackup/default.nix index 47f8e06d..a0419d0e 100644 --- a/modules/borgbackup/default.nix +++ b/modules/borgbackup/default.nix
@@ -65,6 +65,11 @@ let
65	type = types.int;	65	type = types.int;
66	default = 600;	66	default = 600;
67	};	67	};
		68
		69	keyFile = mkOption {
		70	type = types.nullOr types.path;
		71	default = null;
		72	};
68	};	73	};
69	};	74	};
70	in {	75	in {
@@ -171,6 +176,7 @@ in {
171	IOSchedulingPriority = 7;	176	IOSchedulingPriority = 7;
172	SuccessExitStatus = [1 2];	177	SuccessExitStatus = [1 2];
173	Slice = "system-borgbackup.slice";	178	Slice = "system-borgbackup.slice";
		179	Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
174	};	180	};
175	})) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {	181	})) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
176	enable = tCfg.prune != {};	182	enable = tCfg.prune != {};
@@ -193,6 +199,7 @@ in {
193	serviceConfig = {	199	serviceConfig = {
194	Type = "oneshot";	200	Type = "oneshot";
195	Slice = "system-borgbackup.slice";	201	Slice = "system-borgbackup.slice";
		202	Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
196	};	203	};
197	}) cfg.targets);	204	}) cfg.targets);
198	};	205	};


diff --git a/modules/borgbackup/repokeys/borg_munin__borg.yaml b/modules/borgbackup/repokeys/borg_munin__borg.yaml new file mode 100644 index 00000000..f302fe06 --- /dev/null +++ b/modules/borgbackup/repokeys/borg_munin__borg.yaml
@@ -0,0 +1,33 @@
		1	key: ENC[AES256_GCM,data:mxh+Jtxx+HyD246yPwo0vy7vSTz3IG8VmfbxPMwqJRreh9ZwkGnH5aCTDOvWOHIrkmzaRMF3oCi1P8D29+abMUZdt0MuJ3UE6iL8+SXlflR+WACgALM2Df+x9B3BwQM3yeoCiWG+ebr0iQPHM3jqqpkjoRv1CcythxG2deZueur9lzgC2CwG1g3O8Prnl9z0JQGOa+gjic8Zwfn38B1BECeNPrbjzICGBOrSbN/6EnfBDygI2QzseamzK2I6R6jT+QxHvkl+Zi1m2TRB+4o82VgTjPhIReJyT7PrlDnUyrKObhCOlb3v+LiSdp16IPIDVs968kyDzgyi7QPOpGr+5tutWCZrau5xhPDrONKByl/0nVVwEZfRIYATvEXtn5okJru/mglcpeD0I7AtLt+Vfv9CB9pQczvkHo0cDtgudQDf9ADt/nkmqHugm5VfMg9m9aGbKqzXt6pPOMsXSbS43K7wgDaduLZ/PW4Ookx9gTNLtJHnZ64GBorOv4QSrZIZF8pE1FsQdUhmp/YzVhaNBnjCr+Jh77sYjoOwzF77Xy+VP2C/yVIf492P+FcgkSj6XhYYqHffpFW9l/xmUvyQF5gjj2k5T21UvgChhI1HeLPzQ7W9+xuGSMtg58aD/VPe1loCy8zLITNl71bneararRS5vItoZyzMdmIRMLAZD1klPmDNe1yufTpubOXzNYbWUqFUZtwH/mDL5GRZBD9dqs2b3F26c1CUyw==,iv:NJBHesKSZ1zuKk8qHnYKqIwMnFkH+rkQD1bam5XpLXU=,tag:EiYbIFY/r/eTSTJIhYV+GA==,type:str]
		2	sops:
		3	kms: []
		4	gcp_kms: []
		5	azure_kv: []
		6	hc_vault: []
		7	lastmodified: '2021-01-02T20:38:48Z'
		8	mac: ENC[AES256_GCM,data:3rkFTOk3r2dx3hOqu1u7XIIibTDfqNlRcWY9X2N/LFa/BKojgDt5tcpbphV4HqWvl8nS+fPcVrIElJfQ/QGFEOx68G95BhByntT9+JhSbHJt73dGnCSroZCw5QefdydREGvA5n00Vo9yT9IMvQsQbmpRzo6hcrSSUvagZqmZckA=,iv:F/HllDzyxgulIWZbfz9bFKR+SFg4PoaUYZ5N5hfIzw0=,tag:h2NXmvj/thhBg1rIkwdXXA==,type:str]
		9	pgp:
		10	- created_at: '2021-01-02T20:38:09Z'
		11	enc: \|
		12	-----BEGIN PGP MESSAGE-----
		13
		14	hF4Dgwm4NZSaLAcSAQdAwmvyXlr9MyfPfLgkfQkoktKBV2WA2xhZrGL7NeeGfhAw
		15	REk+clJ9WgiJ0iceRAONPnEjeiK0J6Fsj+5Ulq8flFGkoj5Pta0pm/9fudKmcPdC
		16	0l4BF0G5LSpG1EmY+LmVdSdas16rWgthnojoXPvbbHG6jZs3aDETshdiN8Bdlqsf
		17	aVhq2LYzscnYezNcdernR4uojtiFny8qcmdF3tFacr+mkgfgIQr0W9yWFhDH15gm
		18	=4TwU
		19	-----END PGP MESSAGE-----
		20	fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
		21	- created_at: '2021-01-02T20:38:09Z'
		22	enc: \|
		23	-----BEGIN PGP MESSAGE-----
		24
		25	hF4DXxoViZlp6dISAQdAruPXj9IsllEN7R5jk4gF7bW0ZirhvX7qsu22/6HbSw8w
		26	66RwN3WGjYO1CcVbHKuLqVVaUBCnrR/4XHN0JYUaqjubrSZBTWFKTBFsKSTT0LZq
		27	0l4BKcsXrbGpYC5+yQvg0RHJ7LplxpKOmqMY8KGckvGnVf2xg7k6wuWQREFzqwt+
		28	lOa3x+xFy9c0JwE8AafyKjb/cgqJiMb96lhsH57BpXJa2E39ImQbXqzDzdx2jEUt
		29	=3rxi
		30	-----END PGP MESSAGE-----
		31	fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
		32	unencrypted_suffix: _unencrypted
		33	version: 3.6.1