From 32b8612ce1e16f03058731c8b8bbd1a629ae1057 Mon Sep 17 00:00:00 2001 From: Riley Apeldoorn Date: Thu, 15 Jun 2023 20:29:20 +0200 Subject: [PATCH 1/3] Add backups config --- flake.lock | 88 ++++++++++++++++++++++++++++++-- flake.nix | 4 +- secret/backblaze.age | 10 ++++ secrets.nix | 9 ++++ shared/core/backups.nix | 33 ++++++++++++ shared/secrets.nix | 5 ++ system/dev-lt-63/keys/riley.pub | 1 + system/strawberry/keys/riley.pub | 1 + 8 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 secret/backblaze.age create mode 100644 secrets.nix create mode 100644 shared/core/backups.nix create mode 100644 shared/secrets.nix create mode 100644 system/dev-lt-63/keys/riley.pub create mode 100644 system/strawberry/keys/riley.pub diff --git a/flake.lock b/flake.lock index 40c8408..de1330e 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,47 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1684153753, + "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1667395993, 
@@ -17,7 +59,28 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1684596126, @@ -50,6 +113,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1683286087, "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=", @@ -65,7 +144,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1684570954, "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", @@ -122,8 +201,9 @@ }, "root": { "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs_2", + "agenix": "agenix", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_3", "pwnix": "pwnix" } } diff --git a/flake.nix b/flake.nix index 89f6327..b1f7633 100644 --- a/flake.nix +++ b/flake.nix @@ -7,9 +7,10 @@ inputs.nixpkgs.follows = "nixpkgs"; url = git+https://im.badat.dev/bad/pwnix.git; }; + agenix.url = github:ryantm/agenix; }; - outputs = args@{ home-manager, nixpkgs, ... }: with nixpkgs; { + outputs = args@{ home-manager, nixpkgs, agenix, ... }: with nixpkgs; { # Configurations for NixOS machines. nixosConfigurations = 
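Review bot: The new `agenix.url = github:ryantm/agenix;` input is not told to follow this flake's nixpkgs, unlike the `pwnix` input just above it which sets `inputs.nixpkgs.follows = "nixpkgs";`, and the lock file in this same commit consequently carries a second `nixpkgs` (plus `darwin` and `home-manager`) pinned by agenix rather than by this repo. That widens the set of inputs to audit and keep current, and as far as I can tell buys nothing here since the NixOS module is evaluated against the host's own pkgs. I would declare it as `agenix = { url = github:ryantm/agenix; inputs.nixpkgs.follows = "nixpkgs"; };` and re-lock. The `inputs` attribute set this hunk edits starts above the hunk.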
@@ -32,6 +33,7 @@ system = "x86_64-linux"; modules = [ (mkUserConfig ./system/strawberry) + agenix.nixosModules.default ./system/strawberry/core.nix ./shared/core ]; diff --git a/secret/backblaze.age b/secret/backblaze.age new file mode 100644 index 0000000..0fe0632 --- /dev/null +++ b/secret/backblaze.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 WzdOcw /csNPlpruF3Qq1YHu2sf9AUZVrECvlo9kQ+d/U7SsDY +grIBod4k2TvmiYh5rhh/mWfg37ezuRYz5sgw8jI3sVw +-> ssh-ed25519 tvCYbQ NNrvjiXnK+QnKcyXyGEQdGkGYOHma9IXS+xXt5kKlkY +YRoXtSrYy+6c92J8+A3i1R6WZWAApsBDdg4lnZzV534 +-> j58*}-grease -LZ i +Rvy8Armemfb+G1DyL1JbbvQsfRbVeWgte507ozmnUjL3q+tUspegA5XxOA15XwVM +wHCjU9FYC+WgL8a2m65vDs4 +--- Mwn5PvXnc54IJ1JGFAZ3E4oErHBfPZImj58twTviCVo +<[>"PȨ݄bš/\o)7tS{@pQ:ܕKY >kK3t꒡=wR Aj 4;B蠘1z>XȪPx']8mֶ\xJ/NJN2 \ No newline at end of file diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..d8b4bde --- /dev/null +++ b/secrets.nix @@ -0,0 +1,9 @@ +let strawberry = builtins.readFile ./system/strawberry/keys/riley.pub; + dev-lt-63 = builtins.readFile ./system/dev-lt-63/keys/riley.pub; +in { + # Secrets for backup cloud storage provider + "secret/backblaze.age".publicKeys = [ + strawberry + dev-lt-63 + ]; +} \ No newline at end of file diff --git a/shared/core/backups.nix b/shared/core/backups.nix new file mode 100644 index 0000000..f6b2480 --- /dev/null +++ b/shared/core/backups.nix 
@@ -0,0 +1,33 @@
+{ pkgs, lib, config, ... }:
+
+let cfg = config.custom.backups;
+in with lib; {
+
+ options.custom.backups = {
+ enable = mkEnableOption "Automatic backups to Backblaze";
+ bucket = mkOption {
+ type = types.str;
+ default = "ezri-${config.networking.hostName}-backups";
+ };
+ };
+
+ config = lib.mkIf (cfg.enable) {
+ services.duplicity = {
+ enable = true;
+ secretFile = config.age.secrets."backblaze".path;
+ include = [
+ "/home"
+ ];
+ exclude = [
+ "/home/**/.config"
+ "/home/**/.cache"
+ "/home/**/.cargo"
+ "/home/**/.local"
+ # NixOS configuration, we keep that elsewhere.
+ "/home/**/os"
+ ];
+ targetUrl = "b2://005c7170636d5ef0000000001@${cfg.bucket}";
+ };
+ };
+
+}
\ No newline at end of file
diff --git a/shared/secrets.nix b/shared/secrets.nix
new file mode 100644
index 0000000..9d10595
--- /dev/null
+++ b/shared/secrets.nix
@@ -0,0 +1,5 @@
+{
+ age.secrets = {
+ "backblaze".file = ../secret/backblaze.age;
+ };
+}
\ No newline at end of file
diff --git a/system/dev-lt-63/keys/riley.pub b/system/dev-lt-63/keys/riley.pub
new file mode 100644
index 0000000..f2aaa66
--- /dev/null
+++ b/system/dev-lt-63/keys/riley.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDroUHLf56zlYLiMoD1JV5XXZNwY9tftobDttC6hnfiM riley@dev-lt-63
diff --git a/system/strawberry/keys/riley.pub b/system/strawberry/keys/riley.pub
new file mode 100644
index 0000000..cf58c21
--- /dev/null
+++ b/system/strawberry/keys/riley.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINV6ECtM7dCAWwGX20Is9dbk9B2SHEGZN8bMzwoq5A3W riley@strawberry
\ No newline at end of file
-- 2.45.2
From f189a59a9cea63deb28358af9c565be7c1d64e12 Mon Sep 17 00:00:00 2001
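Review bot: Nothing in this module says how the archives are protected before they land in a third-party bucket: `secretFile = config.age.secrets."backblaze".path;` is the only credential input and `targetUrl` carries the B2 key ID in cleartext, so the security of the whole backup depends on which `KEY=VALUE` entries the age file holds, which the commit does not document. As far as I recall duplicity's b2 backend takes the application key from `FTP_PASSWORD` and encrypts archives symmetrically with `PASSPHRASE`; with neither `PASSPHRASE` nor `--no-encryption` it tries to prompt, which fails under systemd, and with `--no-encryption` the contents of `/home` (including `~/.ssh` and `~/.gnupg`, which are not in `exclude`) would sit unencrypted at the provider — please confirm which case applies. I would state the contract next to `secretFile`: `# agenix-decrypted KEY=VALUE file: must provide the B2 application key (FTP_PASSWORD) and the archive passphrase (PASSPHRASE) — TODO confirm against duplicity's b2 backend`. The key ID in `targetUrl` is not a secret on its own, but it pairs with that application key, so rotating the key means updating both places.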
From: Riley Apeldoorn Date: Thu, 15 Jun 2023 20:39:45 +0200 Subject: [PATCH 2/3] Enable backups for strawberry --- flake.nix | 1 + secret/backblaze.age | 21 ++++++++++++--------- secrets.nix | 14 ++++++++------ shared/core/default.nix | 1 + system/strawberry/core.nix | 1 + system/strawberry/keys/root.pub | 1 + 6 files changed, 24 insertions(+), 15 deletions(-) create mode 100644 system/strawberry/keys/root.pub diff --git a/flake.nix b/flake.nix index b1f7633..1e19955 100644 --- a/flake.nix +++ b/flake.nix @@ -36,6 +36,7 @@ agenix.nixosModules.default ./system/strawberry/core.nix ./shared/core + ./shared/secrets.nix ]; specialArgs = args; }; diff --git a/secret/backblaze.age b/secret/backblaze.age index 0fe0632..7a0e039 100644 --- a/secret/backblaze.age +++ b/secret/backblaze.age @@ -1,10 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 WzdOcw /csNPlpruF3Qq1YHu2sf9AUZVrECvlo9kQ+d/U7SsDY -grIBod4k2TvmiYh5rhh/mWfg37ezuRYz5sgw8jI3sVw --> ssh-ed25519 tvCYbQ NNrvjiXnK+QnKcyXyGEQdGkGYOHma9IXS+xXt5kKlkY -YRoXtSrYy+6c92J8+A3i1R6WZWAApsBDdg4lnZzV534 --> j58*}-grease -LZ i -Rvy8Armemfb+G1DyL1JbbvQsfRbVeWgte507ozmnUjL3q+tUspegA5XxOA15XwVM -wHCjU9FYC+WgL8a2m65vDs4 ---- Mwn5PvXnc54IJ1JGFAZ3E4oErHBfPZImj58twTviCVo -<[>"PȨ݄bš/\o)7tS{@pQ:ܕKY >kK3t꒡=wR Aj 4;B蠘1z>XȪPx']8mֶ\xJ/NJN2 \ No newline at end of file +-> ssh-ed25519 WzdOcw +G45tWielvhzLS+4KWh9vKo7nUlXZU5pC9XUHJ+lITg +iyznrg1UPA0DAkRPyjfYretMIeF32O+ej4QARUIDXPM +-> ssh-ed25519 qlXMTg GVBSMuYGSZDZUYvBd+jRQr5QgcFKjXKPNIr7PQYFfm8 +dqQB4AEhU5PFNeyI3dBnIAoRo1X7vypNz0pCd9hb6Vc +-> ssh-ed25519 tvCYbQ HqrKfYn9NHjv+X996pU8kCJl17juaZBrD1hPWJacGVU +3lFVji0VCQciHewFQJ9yEj+anhVdQ13gif0s7Pyu1L8 +-> KgQ[5-grease " xDo<4{l: xJ y+$GwT+ +VtYV6LGrhE52cf/+baTLxlGlHXEKqjVy0A +--- Qhc+wm4WQIL2elyAiv/M14r6pyvuFSbwRzBV9hQjT94 +٬Yhnڐo[D[iT6H@j4v 4˜+R2fOx 6;S> w%y˼[$-j"Ah2Q +~QM;]E6mNKz* +c;rDGB=+kI.H+O"~4K \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index d8b4bde..731359f 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,9 +1,11 @@ -let strawberry = builtins.readFile ./system/strawberry/keys/riley.pub; - dev-lt-63 = builtins.readFile ./system/dev-lt-63/keys/riley.pub; +let strawberry = [ + (builtins.readFile ./system/strawberry/keys/riley.pub) + (builtins.readFile ./system/strawberry/keys/root.pub) + ]; + dev-lt-63 = [ + (builtins.readFile ./system/dev-lt-63/keys/riley.pub) + ]; in { # Secrets for backup cloud storage provider - "secret/backblaze.age".publicKeys = [ - strawberry - dev-lt-63 - ]; + "secret/backblaze.age".publicKeys = strawberry ++ dev-lt-63; } \ No newline at end of file diff --git a/shared/core/default.nix b/shared/core/default.nix index 9709b26..8c33cba 100644 --- a/shared/core/default.nix +++ b/shared/core/default.nix @@ -3,6 +3,7 @@ { imports = [ + ./backups.nix ./gui.nix ./nix.nix ./ssh.nix diff --git a/system/strawberry/core.nix b/system/strawberry/core.nix index 7b1a5cd..46ccc7a 100644 --- a/system/strawberry/core.nix +++ b/system/strawberry/core.nix @@ -2,6 +2,7 @@ custom = { gui.enable = true; + backups.enable = true; }; system.stateVersion = "21.11"; diff --git a/system/strawberry/keys/root.pub b/system/strawberry/keys/root.pub new file mode 100644 index 0000000..e0881d5 --- /dev/null +++ b/system/strawberry/keys/root.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILniE+LdfdV9V9+Zj5gJXqKEv1CzQaEySy1u5OdbKa8d root@strawberry -- 2.45.2 From 6f25ceba0c4591c0c9e52fa02e6ad5191bde0f60 Mon Sep 17 00:00:00 2001 From: Riley Apeldoorn Date: Sat, 17 Jun 2023 07:32:00 +0200 Subject: [PATCH 3/3] Make backups only include /home --- secret/backblaze.age | Bin 636 -> 727 bytes shared/core/backups.nix | 13 ++++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) 
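Review bot: The `strawberry` and `dev-lt-63` recipient lists mix keys that play different roles without saying which is which: agenix decrypts at activation with the host's `age.identityPaths` (the ssh host keys by default), so presumably `root.pub` is strawberry's host key and the only one that matters for deployment, while the two `riley.pub` user keys exist so `agenix -e` can be run from either machine — that is inferred from the key comments, not visible here. If dev-lt-63 only ever edits the secret, its entry grants decrypt capability to a user key on a second machine for a credential that only strawberry consumes, which deserves a deliberate decision rather than an implicit one. I would record the roles inline: `# root.pub: strawberry's ssh host key, used by agenix at activation` and `# riley.pub: user keys so \`agenix -e\` works from either machine; not needed for deployment`, corrected if the roles differ.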
diff --git a/secret/backblaze.age b/secret/backblaze.age index 7a0e0396573bd46e7e231f4b664d8cd81c202a36..a97ce5be624b56eb2888f1d1df0c8fc730440a84 100644 GIT binary patch delta 675 zcmWm9%WKnc003Yo4kYNsgGE7?gJVioo20Kq#nH#wCTW|dX_6-3SlXmn+oWmp>mwc0 zA_zOEFxgFqUIlSp1QpSX4i)CXDTs%8P!M$tafrfH5WoN6`?Krq@WS{Yh{!3rA@tBD z5&=p#q|p5o&wzr>*6oJrqx02fK(xv#k|ZFNYlI}y5NyCC+@fXZR1(oz>2QfBgfPbT zeEy6QYQ}v{HUfE1!vM^9bqx;&F%oW>#Z19~<*re53X_#Ug5qnq%d&}?wy3Aev}}f* zc7}3_h?#Dsv(a?E42Ar0%t3340327W21E+<<7A46u#DR^l6pSaFUiRsuLBaj^4&Aw z_yp1E*-V*8Nse2~xfxE4^;{%3Q=-v?6rXj;SXJdxzE~Mj#2Oow7$1eT8z2_2*a{+P zJ~PCkY7Aj&bY4%oRTATItNed5Yq8T_!_ifs!&CGGYaE9WV(d&>JO-PvWLr3dfB~TR z2$L7GU7tu>X0DphIt|XUa7VTgOo>#Ab`y}UE^>Y_Gg--I>h5f@B*dk*iVA@?gh@eA z&RZ3~ zuh$DV%$8C}rNc&1>Hv)B!~{*uxLHC(<$A$JN_sEX&!=ncP$d9S=J}Vc`P&!whE8$&hvyLW#K=zV$-MJ?d3+e(km2kD&$Tsq{V#GC9US^PM&9}vRfMgJAI8^S zuU))`#{koqLw}c3^RPtO<=CnVNh0`2I3}6Q_Q77GC`W$e{A0 delta 583 zcmWm9OKZ~r003Y_Wg5Lqro)SbF)zlrrcKht=`d-UN7Hsm+oVa0hb~R?Sk_0nrcH&F z74)KqITbv3(UYi5FM|o*>_vA`5M+ANiwDPWGSJCD@%sng$HV)Fme2Pf7R46ww&D6# zH<^V{A#V}BP>WV&S1rg`Jw~W9mw;S8X99N6t$HRRi)4r<=Q3j8R5Z_6Nbv>}3C}== zgGyvZ=4n+-0q``~Y+A5U4r3TXfDKno3X)DPT>vBZ3$q_c_)L|jI3?2ry-&;wvwV%h24LO@8~rfcx5m QzCWEA>)%~OHwVJXKeM3JZ~y=R diff --git a/shared/core/backups.nix b/shared/core/backups.nix index f6b2480..fe413c3 100644 --- a/shared/core/backups.nix +++ b/shared/core/backups.nix 
@@ -15,19 +15,22 @@ in with lib; { services.duplicity = { enable = true; secretFile = config.age.secrets."backblaze".path; - include = [ - "/home" - ]; + frequency = null; # We set this later + root = "/home"; + fullIfOlderThan = "1M"; exclude = [ "/home/**/.config" "/home/**/.cache" "/home/**/.cargo" - "/home/**/.local" # NixOS configuration, we keep that elsewhere. "/home/**/os" ]; targetUrl = "b2://005c7170636d5ef0000000001@${cfg.bucket}"; }; + systemd.services.duplicity.wants = ["network.target"]; + systemd.timers.duplicity.timerConfig."OnBootSec" = "20m"; + systemd.timers.duplicity.timerConfig."OnCalendar" = "daily"; + systemd.timers.duplicity.timerConfig."Persistent" = true; }; -} \ No newline at end of file +} -- 2.45.2
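Review bot: With `frequency = null;` the duplicity module no longer creates its timer (as far as I can tell its `startAt` is what normally adds `wantedBy = [ "timers.target" ]`), and the `systemd.timers.duplicity.timerConfig` lines added below define a timer unit that nothing enables, so the daily backup will never fire unless something outside this hunk pulls the timer in. Add `systemd.timers.duplicity.wantedBy = [ "timers.target" ];` next to the `timerConfig` lines. The `wants = ["network.target"]` line is also weaker than an upload job needs, since `network.target` does not mean connectivity is up; use `systemd.services.duplicity.wants = [ "network-online.target" ];` together with `systemd.services.duplicity.after = [ "network-online.target" ];`. The enclosing `config = lib.mkIf` block starts above the hunk.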