diff --git a/.sops.yaml b/.sops.yaml
index 55d6eb3..4912d0e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,9 +11,14 @@ creation_rules:
 - *wodan
 pgp:
 - *lander
- - path_regex: home/lander/global/secrets.yam?l$
+ - path_regex: hosts/common/optional/secrets.yam?l$
 key_groups:
 - age:
 - *wodan
 pgp:
 - *lander
+ - path_regex: home/lander/global/secrets.yam?l$
+ key_groups:
+ - age:
+ - *wodan
+ pgp:
diff --git a/hosts/common/global/secrets.nix b/hosts/common/global/secrets.nix
index 7a8735a..818b24e 100644
--- a/hosts/common/global/secrets.nix
+++ b/hosts/common/global/secrets.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 sops.secrets.inuits-mail-pass = {
 owner = "lander";
 group = "users";
diff --git a/hosts/common/optional/restic.nix b/hosts/common/optional/restic.nix
new file mode 100644
index 0000000..2342911
--- /dev/null
+++ b/hosts/common/optional/restic.nix
@@ -0,0 +1,40 @@
+{ pkgs, config, ... }:
+{
+ sops.secrets.restic-environment = {
+ owner = "root";
+ group = "root";
+ sopsFile = ./secrets.yaml;
+ };
+
+ sops.secrets.restic-password = {
+ owner = "root";
+ group = "root";
+ sopsFile = ./secrets.yaml;
+ };
+
+ sops.secrets.restic-repository = {
+ owner = "root";
+ group = "root";
+ sopsFile = ./secrets.yaml;
+ };
+
+ services.restic.backups = {
+ daily = {
+ initialize = true;
+
+ repositoryFile = config.sops.secrets.restic-repository.path;
+ passwordFile = config.sops.secrets.restic-password.path;
+ environmentFile = config.sops.secrets.restic-environment.path;
+
+ paths = [
+ config.users.users.lander.home
+ ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-weekly 12"
+ ];
+ };
+ };
+}
diff --git a/hosts/common/optional/secrets.yaml b/hosts/common/optional/secrets.yaml
new file mode 100644
index 0000000..198807b
--- /dev/null
+++ b/hosts/common/optional/secrets.yaml
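Review bot: The new last creation rule (`path_regex: home/lander/global/secrets.yam?l$`) ends on the added `pgp:` with nothing beneath it, and because the hunk has no trailing context after that line the file appears to end there, which makes `pgp` a YAML null. sops would then treat that key group as age-only, so the lander PGP key would silently stop being a recipient for that path, unlike the two rules above it which list `- *lander` under `pgp:`. If the file really ends there, either add `- *lander` under `pgp:` or drop the empty `pgp:` key, then run `sops updatekeys` on the affected file so the stored recipients match the rule. Separately, the pattern `secrets.yam?l$` is carried into the new `hosts/common/optional/` rule: it matches `secrets.yaml` and `secrets.yal` but not `secrets.yml`, and the unescaped `.` matches any character; `secrets\.ya?ml$` is presumably what was intended for both rules.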
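Review bot: `pruneOpts` in the `daily` backup passes `--keep-weekly` twice (`"--keep-weekly 5"` and `"--keep-weekly 12"`); restic's pflag-based parser takes the last occurrence of a repeated integer flag, so the effective retention is 7 daily plus 12 weekly snapshots and no monthly tier at all. The third entry was presumably meant to be `"--keep-monthly 12"`. A one-line comment above `paths` stating that only the `lander` home directory is covered, and another above `pruneOpts` naming the intended daily/weekly/monthly tiers, would make a regression like this easier to spot on the next edit.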
@@ -0,0 +1,34 @@
+restic-environment: ENC[AES256_GCM,data:CkgRnXNGAsVlWWPj4pvADpNTPyufafaO745vySUBNqWoZbcnjZyvZUkUuZ2xp/EwbRrtMYL0DQXBgW3BqRVZuSkm6/9go2rMMmmNRYvzuJOkap5ePIiaHa9UrS87eupgeaODxRcj,iv:lOtadnRCC6tZkaHKCdfT1v0hG1wMo/hRAlWKtCvs2vc=,tag:fvI+Vb+stHa9sgrziMjQGQ==,type:str]
+restic-password: ENC[AES256_GCM,data:BsJ7fkoeZHxGbKP7YGuD13s1feYWeVj+hg==,iv:vmpWp/vWBt2bw61p43HTp7fuTKOX4k7io/HGt4yPPo4=,tag:f3pfbcWqccKJ1fI00AyKLA==,type:str]
+restic-repository: ENC[AES256_GCM,data:GAm8+hE96byqeyIb9qQ7QCstBYd0j+WIXp69quZ/f8joH2fUst/Kxb18mOKQozlu6Q==,iv:VQYZmGv+fyyYWUeAQTNiwxhAwR6o0LRw2s6G4lYkkDQ=,tag:P0bAsB3Wp9Vw7YH73XspIg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Q1BObXBYUFhXdStEbWFa
+ Z29mZXp6NkJZbitZcjhibkl4UGlBazV2MGc4CklZSG82bU9oMUt1WUpUamt2QmpS
+ VDBqWHBQZGl0YUtXOTFSOThOeGk1YmMKLS0tIFJkSlhibVFwVnl0WHl4aUd4ajRm
+ RWRuU0tKTzNQb0hwZHZJYlhjZ2lJYkUK6T9iTfsfgajho1UUgcYTQa3ppT0CaoT7
+ rVLOyhLGHZLoBkmAm0gTJ1SOFHOyYZMbRMvN2saSLgMIiCuvXm4eEg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-13T17:47:53Z"
+ mac: ENC[AES256_GCM,data:qKEbUu0/kt4eM7JXCOl73hJ3IuHr6kr3A7Y0xdXKZ0A/5Ex2F2dgLRTtmFeEMdmm77dYr6PLm8u+eQ+FmpuMb59+q1Y3k/IUpaQXfBJ6qtQCX5lOxJrE9VpR84OIDVQZ7pKclXuNfc6H+MKlGEbmVRnpdJrd6lWxIkpgwmBLBRc=,iv:xh6ywlS7sn/BVpYpej7mmxV/Be33wvQYn/8glbMLnrA=,tag:iIixjf9VZ6OuP5Pgw0w/WA==,type:str]
+ pgp:
+ - created_at: "2025-01-13T15:15:34Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DARdpY4woM6wSAQdAwVc6Y2JuSKZ+CfVXGcZwXGLPxd4qzYEYCXeVw6fUMn0w
+ 8nCY3GAdJR2doPeQFtakqulb6sNH+sA2eGSUS1B+MQ7HpxkungLAbWI0wpFYwnfw
+ 0lwB5Zz4+rRkhPTqQNudTSBHX018kR5/A6/jLslox6vaKesyPIFSMejJqFp3hmHu
+ 3QoK0HNLTCgmUw4OZsYtgPLw00KxDYNbUN6JY9H/MOuBT3Uwe4y8HXlffPXr1w==
+ =Csbt
+ -----END PGP MESSAGE-----
+ fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/hosts/wodan/default.nix b/hosts/wodan/default.nix
index 412347f..9b48172 100644
--- a/hosts/wodan/default.nix
+++ b/hosts/wodan/default.nix
@@ -9,6 +9,7 @@
 ../common/optional/fonts.nix
 ../common/optional/yubikey-gpg.nix
 ../common/optional/virt.nix
+ ../common/optional/restic.nix
 ../common/optional/steam.nix
 ];
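Review bot: The `sops.age` metadata lists exactly one recipient (`age15m0pdv8…7774hh`) alongside one PGP key, yet the module that reads this file, `hosts/common/optional/restic.nix`, sits in the shared `optional/` tree; any host other than the one holding that age identity that imports the module would fail to decrypt `restic-repository`, `restic-password` and `restic-environment` at activation. If restic is meant to be reusable across hosts, add their age recipients to the matching `hosts/common/optional/secrets.yam?l$` rule in `.sops.yaml` and re-encrypt with `sops updatekeys`; if it is intentionally limited to the one host, a short comment at the top of `restic.nix` saying so would prevent that surprise later.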