diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index b03b5aea..4f4ab21c 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -51,27 +51,16 @@ in
 };
- # services.restic.backups."ds9" = {
- # rcloneConfigFile = "/run/secrets/ds9rcloneConfig";
- # passwordFile = "/run/secrets/ds9resticPassword";
- # pruneOpts = [
- # "--keep-daily 7"
- # "--keep-weekly 5"
- # "--keep-monthly 12"
- # "--keep-yearly 75"
- # ];
- # initialize = true;
- # repository = "rclone:ds9:/ds9";
- # paths = [
- # "/data"
- # "/persistent/var/lib"
- # ];
-
- # };
-
- ragon.agenix.secrets."ds9rcloneConfig" = { };
- ragon.agenix.secrets."ds9resticPassword" = { };
-
+ # Backup Target
+ users.users.picardbackup = {
+ createHome = true;
+ group = "users";
+ home = "/backups/picard";
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0"
+ ];
+ };
 # Enable Scanning
 hardware.sane.enable = true;
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index a5a1ab7a..936ece5a 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,6 +41,27 @@
 users.mutableUsers = false;
 services.postgresql.package = pkgs.postgresql_13;
+ ragon.agenix.secrets."picardResticPassword" = { };
+ ragon.agenix.secrets."picardResticSSHKey" = { };
+
+ services.restic.backups."picard" = {
+ passwordFile = config.age.secrets.picardResticPassword.path;
+ extraOptions = [
+ "sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'"
+ ];
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ initialize = true;
+ repository = "sftp:ds9:/backups/picard/restic";
+ paths = [
+ "/persistent"
+ ];
+
+ };
 ragon = {
 cli.enable = true;
diff --git a/secrets/picardResticPassword.age b/secrets/picardResticPassword.age
new file mode 100644
index 00000000..78c9b230
--- /dev/null
+++ b/secrets/picardResticPassword.age
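Review bot: The key added to `openssh.authorizedKeys.keys` for `picardbackup` in hosts/ds9/default.nix carries no options, so whoever holds picard's private key gets everything sshd allows an ordinary account, not only SFTP. A non-login shell, if that is what this system user ends up with, does not stop port forwarding. Prefixing the entry with `restrict`, as in `"restrict ssh-ed25519 AAAAC3Nz…"`, removes forwarding and PTY allocation while leaving the `sftp` subsystem usable; a `Match User picardbackup` block with `ForceCommand internal-sftp` would confine the account further. The sshd configuration is not part of this hunk, so check what it already enforces.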
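Review bot: Nothing in the picard hunk pins ds9's SSH host key for the `ssh picardbackup@ds9 …` call in `sftp.command`, so the unattended job either stops at the unknown-host prompt or trusts whatever key was accepted by hand beforehand. Declaring it in the configuration, `programs.ssh.knownHosts.ds9.publicKey = "<ds9 host public key>";`, and adding `-o BatchMode=yes` to the command makes a changed or missing key fail the unit right away. Separately, `pruneOpts` runs from picard over the same SFTP account, which means the credential on picard can delete every snapshot on ds9; if these backups are meant to survive a compromise of picard, that needs an append-only transport such as restic's rest-server with pruning done on ds9.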
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 WceKOQ k2R5Jitq8cEQPR6XFnucyYE3BDlBTnXeXakig5Rb6CQ +aXWMcZDMsC4UqpgkUywkOuHGTb5aeTHvpKNjxEUfTDo +-> ssh-ed25519 ugHWWw 0CCoHYRYlYq5wFt8R26y5pSfSqTQzcR4jzdWl2E12TQ +6qjep1dn6B5DA2lcMZXItnAzxE2eHY/XSJYVyDGRwW4 +-> ssh-ed25519 UU9RSA CMo9lkcazC9TXypP/o/majaFp0UP++XAbh65TYvEiDo +GD1/sNmjRM2+9RpPbCMoMU9Q0JQb2jsjji1Yt0+LR9w +-> +!c:-grease zi]- eO\* +nKAD5+pPHB3K+HtpEHA+bDBG/P9ec6pb +--- 5x5Rpg23SqXQK/sSiUNEZ0tdXF+GxgBSTWVSbIOmmNw +IXnTBth|XwmӺS=SrMC萊{M…^HaWi +;} +,:t=rC||h$ \ No newline at end of file diff --git a/secrets/picardResticSSHKey.age b/secrets/picardResticSSHKey.age new file mode 100644 index 00000000..0dd651f5 Binary files /dev/null and b/secrets/picardResticSSHKey.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 225aa993..d1dccb62 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,8 +10,6 @@ in "ragonPasswd.age".publicKeys = pubkeys.ragon.computers; "tailscaleKey.age".publicKeys = pubkeys.ragon.computers; "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9"; - "ds9rcloneConfig.age".publicKeys = pubkeys.ragon.host "ds9"; - "ds9resticPassword.age".publicKeys = pubkeys.ragon.host "ds9"; "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabInitialRootPassword.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard"; @@ -19,4 +17,6 @@ in "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard"; "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard"; + "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard"; + "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard"; }