From 73e31ca37cd6339b697c7ce395274c0e65739dd1 Mon Sep 17 00:00:00 2001 From: Philipp Hochkamp Date: Wed, 13 Apr 2022 08:39:53 +0200 Subject: [PATCH] feat: picard to ds9 backups --- hosts/ds9/default.nix | 31 ++++++++++--------------------- hosts/picard/default.nix | 21 +++++++++++++++++++++ secrets/picardResticPassword.age | 13 +++++++++++++ secrets/picardResticSSHKey.age | Bin 0 -> 957 bytes secrets/secrets.nix | 4 ++-- 5 files changed, 46 insertions(+), 23 deletions(-) create mode 100644 secrets/picardResticPassword.age create mode 100644 secrets/picardResticSSHKey.age diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index b03b5aea..4f4ab21c 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix @@ -51,27 +51,16 @@ in }; - # services.restic.backups."ds9" = { - # rcloneConfigFile = "/run/secrets/ds9rcloneConfig"; - # passwordFile = "/run/secrets/ds9resticPassword"; - # pruneOpts = [ - # "--keep-daily 7" - # "--keep-weekly 5" - # "--keep-monthly 12" - # "--keep-yearly 75" - # ]; - # initialize = true; - # repository = "rclone:ds9:/ds9"; - # paths = [ - # "/data" - # "/persistent/var/lib" - # ]; - - # }; - - ragon.agenix.secrets."ds9rcloneConfig" = { }; - ragon.agenix.secrets."ds9resticPassword" = { }; - + # Backup Target + users.users.picardbackup = { + createHome = true; + group = "users"; + home = "/backups/picard"; + isSystemUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0" + ]; + }; # Enable Scanning hardware.sane.enable = true; diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index a5a1ab7a..936ece5a 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix 
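Review bot: The authorized key added for `users.users.picardbackup` carries no key options, so the holder of the matching private key gets whatever access the account's shell and the host's sshd allow, while the picard side (see the hosts/picard hunk) only ever uses it through `ssh ... -s sftp`. Consider confining the key to that use, `"restrict,command=\"internal-sftp\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0"`, which also disables port forwarding, agent forwarding and pty allocation for this key. Whether the in-process sftp server is usable here depends on the sshd settings elsewhere in this host configuration, which are outside the hunk, so verify the backup still completes after the change. The enclosing attribute set continues beyond both ends of the hunk.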
@@ -41,6 +41,27 @@ users.mutableUsers = false; services.postgresql.package = pkgs.postgresql_13; + ragon.agenix.secrets."picardResticPassword" = { }; + ragon.agenix.secrets."picardResticSSHKey" = { }; + + services.restic.backups."picard" = { + passwordFile = config.age.secrets.picardResticPassword.path; + extraOptions = [ + "sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'" + ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + initialize = true; + repository = "sftp:ds9:/backups/picard/restic"; + paths = [ + "/persistent" + ]; + + }; ragon = { cli.enable = true; diff --git a/secrets/picardResticPassword.age b/secrets/picardResticPassword.age new file mode 100644 index 00000000..78c9b230 --- /dev/null +++ b/secrets/picardResticPassword.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 WceKOQ k2R5Jitq8cEQPR6XFnucyYE3BDlBTnXeXakig5Rb6CQ +aXWMcZDMsC4UqpgkUywkOuHGTb5aeTHvpKNjxEUfTDo +-> ssh-ed25519 ugHWWw 0CCoHYRYlYq5wFt8R26y5pSfSqTQzcR4jzdWl2E12TQ +6qjep1dn6B5DA2lcMZXItnAzxE2eHY/XSJYVyDGRwW4 +-> ssh-ed25519 UU9RSA CMo9lkcazC9TXypP/o/majaFp0UP++XAbh65TYvEiDo +GD1/sNmjRM2+9RpPbCMoMU9Q0JQb2jsjji1Yt0+LR9w +-> +!c:-grease zi]- eO\* +nKAD5+pPHB3K+HtpEHA+bDBG/P9ec6pb +--- 5x5Rpg23SqXQK/sSiUNEZ0tdXF+GxgBSTWVSbIOmmNw +IXnTBth|XwmӺS=SrMC萊{M…^HaWi +;} +,:t=rC||h$ \ No newline at end of file 
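Review bot: The `sftp.command` in `services.restic.backups."picard".extraOptions` runs `ssh picardbackup@ds9` non-interactively (presumably as the root-owned restic systemd unit) without any declared host key for ds9, so the job only works if root's known_hosts already contains ds9, fails otherwise, and a hand-populated known_hosts is not reproduced when picard is rebuilt. Pin the target's host key next to the backup definition, e.g. `programs.ssh.knownHosts."ds9".publicKey = "ssh-ed25519 <DS9_HOST_KEY placeholder>";`, so the trust placed in ds9 is explicit and reviewable rather than a property of the running machine. The blank line before the closing `};` of the backup definition looks stray. The enclosing configuration attribute set starts and ends outside the hunk.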
diff --git a/secrets/picardResticSSHKey.age b/secrets/picardResticSSHKey.age new file mode 100644 index 0000000000000000000000000000000000000000..0dd651f57e0c7d683a76446f397003afa4b866d4 GIT binary patch literal 957 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Pfqpr4^%J+Hz@H) z&x%UR3-)p^EOs_>tum}kEi(#tcdpFT&UMVqadbEE^>M1KbmdC*D0E3n&MWp049hoh zOwD%8OENXi&M6FWib~4~D~}9wG|S2?HYiOo4n()DG~FXSyj&rqDks~~&%4~iDas?u zt0+I$B*QGSMBk*MD!|gxvE0KT*EGP@KP|B+!h*}tConU`Ff}72qc}ULxV*9=G|9Ls zA~n-9u_7nWImaWlsNCDdGQ29x-4Wfk&``^uU`K_tJc}}K{Qzg9GS?y(_lS(Nw2<^L zXU`&S$JB~qe?Rk7ON*$|%oNiiLkq4l|3I%O|9~>@!XTrhk}z|Focs!d%)Cs;^u#EC z!_Y7n#|mT1RQ-%xL$KchR1{rw(~D9Qi&GW6xSTWdDt&XxEkg_{jgx%!-9svjgEB(` zf_&V3a}Cl=jZ%EGvyviAO^pp*{Ywf8(*vp;ouV>K91{zZeH?w=%ecxa!b9D2Lp}W* zO$;5qd<`;+JhcO(%AN8ejZ*X@47hZ4brrlks={0XW*4Cb`^E zrtJgB}besx6N&CC5#HY&f;YQEWg*gJoAv4rXm z`F_QO72yw8Cf^ZTvh4G;Cs{_}XE$?gkFZ<*aeLXDT+XTcOU1p44AU8XRWo^l?H&~d zKeK$Aa7H+4_41&mwT0Qw>?3FUJhDzb`dP~}P2px(!ZnKYU&5I zMYeacAHML~!mwI*eXZEih3h!ZN6ky&UKbo-?LZFYr#E zBapPt-%aP?{<3ou(;9v38vm?6suNj#eT|TmNYIMK_ifttM;x70v*k_Ji7D0Fe{i?N zYR`1j@>wCt^rhqIvBrw<@=MJ-+qGlL4+pPT3yU>4D!5n6Wwm!Xd+?(Rbt}~!mA3kt VpY_`Ky6ES=2e-0>*p!VQ007lEeq8_n literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 225aa993..d1dccb62 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,8 +10,6 @@ in "ragonPasswd.age".publicKeys = pubkeys.ragon.computers; "tailscaleKey.age".publicKeys = pubkeys.ragon.computers; "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9"; - "ds9rcloneConfig.age".publicKeys = pubkeys.ragon.host "ds9"; - "ds9resticPassword.age".publicKeys = pubkeys.ragon.host "ds9"; "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabInitialRootPassword.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard"; 
@@ -19,4 +17,6 @@ in
 "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard";
 "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard";
 "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard";
+ "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";
+ "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard";
 }