From 32282ae39d352428988891207fb4f276a311846a Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 6 Feb 2022 21:20:24 +0100 Subject: vidhar: borg --- hosts/sif/default.nix | 24 ------------------- hosts/vidhar/borg.nix | 12 ---------- hosts/vidhar/borg/authorized-keys/surtr | 26 +++++++++++++++++++++ hosts/vidhar/borg/authorized-keys/surtr.pub | 1 + hosts/vidhar/borg/authorized-keys/ymir | 21 +++++++++++++++++ hosts/vidhar/borg/authorized-keys/ymir.pub | 1 + hosts/vidhar/borg/default.nix | 36 +++++++++++++++++++++++++++++ hosts/vidhar/borg/passphrase.yaml | 34 +++++++++++++++++++++++++++ hosts/vidhar/default.nix | 2 +- 9 files changed, 120 insertions(+), 37 deletions(-) delete mode 100644 hosts/vidhar/borg.nix create mode 100644 hosts/vidhar/borg/authorized-keys/surtr create mode 100644 hosts/vidhar/borg/authorized-keys/surtr.pub create mode 100644 hosts/vidhar/borg/authorized-keys/ymir create mode 100644 hosts/vidhar/borg/authorized-keys/ymir.pub create mode 100644 hosts/vidhar/borg/default.nix create mode 100644 hosts/vidhar/borg/passphrase.yaml (limited to 'hosts') diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 07ba564d..9516ceba 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -405,30 +405,6 @@ in { ACTION=="add", SUBSYSTEM=="net", KERNEL=="virbr0", ENV{NM_UNMANAGED}="1" ''; - services.borgbackup = { - snapshots = "btrfs"; - prefix = "yggdrasil.midgard.sif."; - targets = { - "munin" = { - repo = "borg.munin:borg"; - paths = [ "/home/gkleen" ]; - prune = { - "home" = - [ "--keep-within" "24H" - "--keep-daily" "31" - "--keep-monthly" "12" - "--keep-yearly" "-1" - ]; - }; - keyFile = "/run/secrets/borg-repokey--borg_munin__borg"; - }; - }; - }; - sops.secrets.borg-repokey--borg_munin__borg = { - sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml"; - key = "key"; - }; - services.btrfs.autoScrub = { enable = true; fileSystems = [ "/" "/home" ]; 
diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix
deleted file mode 100644
index 0a0b37a5..00000000
--- a/hosts/vidhar/borg.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
- config = {
- users.users.borg = {
- isSystemUser = true;
- createHome = false;
- group = "borg";
- extraGroups = [ "ssh" ];
- };
- users.groups."borg" = {};
- };
-}
diff --git a/hosts/vidhar/borg/authorized-keys/surtr b/hosts/vidhar/borg/authorized-keys/surtr
new file mode 100644
index 00000000..26d286b4
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/surtr
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:H+YVF7wiUATbwnwzqO/LEZgWagnbeRRdMS9aK09vCbg=,tag:sDbC2g2xtjifS8Px3YI6vA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T19:43:25Z",
+ "mac": "ENC[AES256_GCM,data:K3Y96+TM4/Jsl8JQ56tpJNHmkDVuetUtQbUpDqIHbqm65d+RKoL/Qy/IWVGqcfUxZMUvzM2J3fEo/05q8mcxn+wZd2tECSJEUbgFDhGrpPZV8Ir8cQCYlPn+UBTS4rNUfEpSBlymND/vFjQ0lneqMo5lapbetSs4h/GvFzUFw8M=,iv:TyzMk7wKzZpq8TrE9uHRFXi+JzvNePcWrmyogcoCZo0=,tag:KB6ZBlGrBSGuQFg4fB407w==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T19:43:24Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAWSCnyt9/7PkWecNhcOwuw0TRJMld9dmV0Ti6KjR6bkAw\nQxTdj0rMaXFayEyyXxotbjxb/ZMTesYCqAce7RKoj0GS2GngmP6Xzpt151uSmyPs\n0l4Bh5Ohfln3bAq6iJvJfOZvwYqmoIicRZFFY7afuBDO7oad4fkoWpQWDRtuLc9M\nIC0ReFXCuQOI5eoFF3V8xT+X+icjFUCVC2OktO/6AlAtXxi6BSL+574CUMivuQz0\n=3v/M\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-06T19:43:24Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAqlj4zYxkXgnJEEt/RfxQORgOzyfiZdQKzlhm78OhsBkw\nc2EdfAgpGwIm1F8tpVtwYcfNXYgfaJdADMzYSHL8qqn8DJrvhCArJdT/m7ZPWKy2\n0l4B1hpQdga7KQTD/iDlIrTJtiZ9/AMtUJM/HU9KtCl9AFGRNEGTAEdlHTUBDzOP\nTSF+R4NAqoY742C7Lf7pkHbVhhpXige37qJhvu7AMgnT5TT17McsXUj52Sy+Qv3z\n=cBYd\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/borg/authorized-keys/surtr.pub b/hosts/vidhar/borg/authorized-keys/surtr.pub
new file mode 100644
index 00000000..5c044d7a
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/surtr.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5rfNezLOoI4ijzNNg61OGFfq4AXHlzVT0z/+RO0/ju surtr
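Review bot: Nothing in this commit consumes the encrypted `surtr` file, nor its sibling `ymir`: `hosts/vidhar/borg/default.nix` only passes files ending in `.pub` from `authorized-keys/` to `authorizedKeysAppendOnly`, and the only `sops.secrets` entry it declares points at `passphrase.yaml`. Presumably these are the private halves that the surtr and ymir hosts decrypt, but stored under vidhar's `authorized-keys/` the `.pub` suffix filter is the only thing keeping the encrypted blobs out of the generated authorized_keys file. A short comment in `default.nix` next to `dir = ./authorized-keys;` recording what the non-`.pub` files are and which host consumes them, or moving them beside the configuration that decrypts them, would make the layout self-explanatory.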
diff --git a/hosts/vidhar/borg/authorized-keys/ymir b/hosts/vidhar/borg/authorized-keys/ymir
new file mode 100644
index 00000000..f3dd360c
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/ymir
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data:uzfOHmr0fct77EW5F/b5mSlckywoAKp/LCSZYTtUKa6HzbYujCUhlwqwFcc1lOQxfiDyQuJmhZaFbMgTSHyzf5zAfirQnCFPoUJFQf62TkQIoRNkTIYlzyzsaGl5uMZukl3r+qmd92Xoaf/d300Oq9P2k1RHQw2+UtyNn5B2OHD9hR9X6yXr8lRH8ABLKSFcqS2KrJXzYofoHub/V8OSldSRKpG3yy/CpsbVTOkc+ygBaH7orR6PWIy/iSummSGN6EaXdv2GZcqqf/h3iP8+xZlgqWnxRt0X5se6hrXNM0oU04fcs0sneqxUAQTvcnT75uO4z/lZ8ZTKDi05hCDzOF2iKybGjuJTGBMdAitQVC3DG7dtjbtnQ2xWrkZjkIRAGSz9Ud6rXmP0OILWYIhBHXgruyCJVJkTSBlu2Kcc+gwgEMfUHBq5k6rW13f1hlqikINDT6rkKH8IJyvMF0WTNdW0KVEemImKqfJccsfdPK6EdQDLOApq1vjd2djQVnIrCccV,iv:0qExktFJCrwkPbDzyUn2mWrHXCJsDPyZ0w2pSYl/bu8=,tag:N6RWe6owTuohMpyJoJaEjQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T20:15:30Z",
+ "mac": "ENC[AES256_GCM,data:uuScAvmls3hQFnuzG2KJXPEC2crHmkAlQGhIsxJRKCfsrlIyLZbDhNmB+MkYSJza4X4Cshm95DcFh7+A1QFa9VlZl+7iFx2RT23dMpW4aDGPB9w/SPUTFoUiKUkxsGIl0VemnoT3EuU3iPRGqGX859MGHAFe6XprCRKUnpU0OyA=,iv:pbG7dQ2ZEVMWmlx9AQfIJBs5Wu2pKCfYQ3DrzteJj28=,tag:UvDuRPJUU7ScgwrmbGjPiA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T20:15:29Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAAju8aRDlzlNFdCuiVeg7Kak6DgixY2Gq5fRqS78PP3Mw\nRZyzG8ZaNBSHIG+lZtgdYcMEe1kH83KZ7pimlh3jKCumpdyB0jEdoMl1VLYhaaw9\n0l4B8yQ4DbxuJuTrrlI4XtMO4srMQXn88UlqDb33ScURLPhl2Xmlhn9JNEoOgut9\nr+vQ5jj1/Cf7jE9fLeB9JcPyKeJJftIM4TBn+trvC/RaKs4gq1UVRH15WFTNRG5/\n=ncoV\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/borg/authorized-keys/ymir.pub b/hosts/vidhar/borg/authorized-keys/ymir.pub
new file mode 100644
index 00000000..a62fcfdf
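Review bot: `ymir` is encrypted to a single PGP recipient (`fp` `30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51`), whereas `surtr` in the same directory and `passphrase.yaml` both carry a second recipient, `7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8`. If the two-key set is the intended rule for this host, the holder of the first key cannot decrypt or rotate `ymir`, and the gap only shows up when the second key is unavailable. Re-encrypting `ymir` with the same recipient set as its siblings (for example via `sops updatekeys` once the creation rule covers the file) keeps the recovery path uniform across the three secrets.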
--- /dev/null
+++ b/hosts/vidhar/borg/authorized-keys/ymir.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRPw65gJccLR1bdKeyD/GB6dBBXPffP0JM9FvvIATzS ymir
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
new file mode 100644
index 00000000..d338dfd6
--- /dev/null
+++ b/hosts/vidhar/borg/default.nix
@@ -0,0 +1,36 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+{
+ config = {
+ services.borgbackup.repos.borg = {
+ path = "/srv/backup/borg";
+ authorizedKeysAppendOnly = let
+ dir = ./authorized-keys;
+ toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
+ in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
+ };
+
+ boot.postBootCommands = mkBefore ''
+ ${pkgs.findutils}/bin/find /srv/backup/borg -maxdepth 1 -type d -empty -delete
+ '';
+
+ services.openssh.extraConfig = ''
+ Match User borg
+ ClientAliveInterval 10
+ ClientAliveCountMax 30
+
+ Match All
+ '';
+
+ sops.secrets.borg-passphrase = {
+ sopsFile = ./passphrase.yaml;
+ format = "yaml";
+ key = "borg";
+ owner = "borg";
+ group = "borg";
+ mode = "0440";
+ };
+ };
+}
diff --git a/hosts/vidhar/borg/passphrase.yaml b/hosts/vidhar/borg/passphrase.yaml
new file mode 100644
index 00000000..6a306cea
--- /dev/null
+++ b/hosts/vidhar/borg/passphrase.yaml
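Review bot: The boot-time cleanup `find /srv/backup/borg -maxdepth 1 -type d -empty -delete` also matches its starting point at depth 0, so on a boot where `/srv/backup/borg` holds no repositories yet the directory itself is removed rather than only stale empty sub-directories; `${pkgs.findutils}/bin/find /srv/backup/borg -mindepth 1 -maxdepth 1 -type d -empty -delete` limits it to the children. A comment recording why empty repository directories are purged at boot would also help the next reader. Separately, the deleted `hosts/vidhar/borg.nix` gave the borg user `extraGroups = [ "ssh" ]`, and this file now relies on the user created by `services.borgbackup.repos`; if vidhar's sshd restricts logins by group elsewhere in the host config, the borg user loses SSH access and the `Match User borg` block never applies — either restore `users.users.borg.extraGroups = [ "ssh" ];` here or note why the group membership is no longer needed.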
@@ -0,0 +1,34 @@
+borg: ENC[AES256_GCM,data:Ly3WfFtHqQAK7E3MwSPMMOfVshwPurMLtAMYdfStlOk=,iv:taLOAWrdD8AkrPdMjxq3fdvIzyGAtU0NBGhdm6DKRO8=,tag:o84PE6fiVFT/NVp5HanZrg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-02-06T20:18:06Z"
+ mac: ENC[AES256_GCM,data:Se6Sft5FgW9SYw2PRzDCO/v0BXQSLgRSHh9UGMUCI3sfoZ00D5a3GGgNB7JN0D598ztGmShWUJi03JzxxYOOhIaJZB/Fk5cUUOsEx4kQErXCBrlktowZz7grq3E04tNzKQqzUJ83g3W/4/N6YrAKUnu/mWtMOwnxEithdTtrpS4=,iv:XVmFDCqm3Oa4/gZRVI3XWHyQ0GQE0II7OKWGDGn5TXI=,tag:e2L/dmYlpoGZb4cXClQ0vg==,type:str]
+ pgp:
+ - created_at: "2022-02-06T20:16:31Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DyFKFNkTVG5oSAQdAShFePaI/3pObNwFOa51ZPydA89cfwnErU9zE1/A68Qow
+ knL5rHbFSUUqGkiKT7syl1G9BupEAHz4BrFEXzc11VE5qc5vF3W6Lm9Agp3W/21W
+ 0l4BAmm/sqUKSCCqRiSQmVVlpl5Hs7tOMwUsBpZb53edik4oBd7hzsI4y9n0viEa
+ FhAkXtGI0LzpFRosrbHt1jTK+u9360BO4959AMIfcUCYmIYKscs47Ux3EDzk6+2i
+ =Azsm
+ -----END PGP MESSAGE-----
+ fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
+ - created_at: "2022-02-06T20:16:31Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DXxoViZlp6dISAQdAIlHLZ6ipYghBjZeqfGv/VSsqsJHU3c6589TiSxXmCV8w
+ gScJtpO/R3DX1zUAVxxkOoGnJ0qS9IhBEOB4D/ET+vPteR5IIx26a3TFp4vlMXRc
+ 0l4BSikg39kSaxp+URvRJyAT1VQIprVkuEEmvgM5klvB+gitU0BhW//cEBvhW7SE
+ v+lfGy9PrpCb5yWpCN1H3DyfGwcRl6Qp3gkH5rs+/vpg39fs/Hh0CG+YnlHMzZ39
+ =I8PE
+ -----END PGP MESSAGE-----
+ fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 09ae1e1e..c2d3461b 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@ { hostName, flake, config, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix + ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh -- cgit v1.2.3