sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

modules/nixos/backup: move secrets to sops

Browse source
This commit is contained in:
zowoq 2024-12-19 10:25:06 +10:00
parent 518f527936
commit bcdbe40580
6 changed files with 103 additions and 10 deletions

11
.sops.yaml
View file

@ -63,6 +63,17 @@ creation_rules:
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
path_regex: ^hosts/web02/secrets.yaml$
- key_groups:
- age:
- age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
- age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
path_regex: ^modules/secrets/backup.yaml$
- key_groups:
- age:
- age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc

6
modules/nixos/backup.nix
View file

@ -32,8 +32,8 @@
config = {
# 100GB storagebox is attached to the build02 server
age.secrets.hetzner-borgbackup-ssh = {
file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
sops.secrets.hetzner-borgbackup-ssh = {
sopsFile = "${inputs.self}/modules/secrets/backup.yaml";
};
programs.ssh.knownHosts.hetzner-storage-box = {
@ -49,7 +49,7 @@
repo = "u416406@u416406.your-storagebox.de:/./${config.networking.hostName}-${backup.name}";
encryption.mode = "none";
compression = "auto,zstd";
environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
preHook = "set -x";
postHook = ''
cat > /var/log/telegraf/borgbackup-job-${backup.name}.service <<EOF

84
modules/secrets/backup.yaml Normal file
View file

@ -0,0 +1,84 @@
hetzner-borgbackup-ssh: ENC[AES256_GCM,data:2I+Pezi/5+9g9M1FC1gnAMMN8k2U2B+oD0u3EdU7NNm81m+gutl28Awkn6ih8YSX+b+hODbvsFfOM0lzkmej0ewOdjBcPuDUixLmmLr+XdsWD8iCg0EFsx/vGrljbXn6GVho1DwPyCMFhm22n4fK5SpIAioJ4TnJBJVBHpmm9IzZBqN5iIwRtXhSD0LD+PLuh3/xGXUa+y6tWVLyvELnm+lgfcPKqCNKFrVBgcaSWvgAMGxscC02A14ymGKGexlyF/srZQhNu/VWZoCJZjSuGuiDWFvtXW7ag6/wpK7XrKwkGz44CzI6mV7B6GKjaVi/M5WG3e8x0bClvVCLESG1HvD/T35P24NthWIK+qUqd7KlM9gjHwbk00SROSRGoMRsBTRok0DzimbfbPI/7EE14SCcRtptuYXM8tJUmPP0Z5gHfK69F58gxlWKYEXBAbZBO5RlKJSScj5HS53WRB5/eBjanIBdMOn3iEp0U8WAIDaYz+pGrTuY9pSHy/21FHKP/UoD,iv:T9Ib38LMfX7Ljc8Q3Q6qrvpc43c+S4eeHtEEHrItngY=,tag:IIVeZGkPYUqfwivvC3gjRg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV2k5SVBzSDNBUURMWWV0
K3hkMnZNZURUbXRMdktCclJqY3gxNTBGNG0wCnZkaEM5MFR4SVhGbDlSRVhyU0lK
SStib1VtY1JtUEFwL1JTNkhnNUpkUnMKLS0tIG15M0J3NmZKalh4MmttV1BGWHMv
bkNudTlPaUF4WTRvektZdmhqY3FHNzgKctwWnoyn3YQtQRWIlB+3usnxu2NSWBNI
uvxc+l2Gg3D+Ur47kBWyoEIzRUEJpnKrm0SpvnSbDh9XyHubJXTTMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OEE1Ly8yVG1YckJhVUMv
Q3dzMkliT2syOGEvc2hMMlg1QXZxc2RvOFE0CmlKbXQvSjZMNHVxa1VIdEl6ODFR
T1k1L3lMYUZwQVk0WmNpS2lqa3JaOG8KLS0tIGw4cGcrOFZaMUhLajVVWE16VG8z
VWY0d0J2VklrL2tDOFk4U1M1RVcxSUUK87kCs2C/0gBzAuSmH4BJxgvF7/MeTfv/
CJswV45PmxSvW2fYKvoKPc44nr8kMXLzjUhgWcNHDRMfBV+pYqF68w==
-----END AGE ENCRYPTED FILE-----
- recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMllSdDUwMmh0Z0Q1U2N0
NHFUZm1ETzI4dklkaW80cE5PQzJQZ2JXZ3dvClVwSXpEL08yQmRkSGtxTmFvWldD
SUFFTmtRNFBEZk1LcGJUdndhRHh5NUkKLS0tIEVCQktIYk81WEcvbkU5Vjl5WjEx
VWJGM0cweGtWTUZzbWNKSEpSUVc2Z1UKsiS+7ppdu2BWoXnqbYXkfDe3UxpnUh+Q
MQMrrtA+mj0YgpLhbOMdxY3g1v/2M/TNoQI7Mqv8N2QbwS9TFdMI2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cFFVZ1k3RHdlVldPQytZ
ZE1NNEhjZkVQOE1HRTE2WWdoR0hnS2pJVDNjCjhpNEI2NHFLcUR5QXJ5TU1LSUR0
ZGRkbVlWcHhoLzRCV3VNeURwWDJVdFEKLS0tIGpWTTQ4WVYzRyt4K29NNW5BQVBI
NXd6bXcxWmpvYTJWMDRDcUtlOVJJOGsKc0/ZJMso2mmlN3N/AV3mwlRHfmB57nPN
9mJnS4fCfWrZ6/0jBKraPXDfuPzEpQSkVHmk98mP3IrfxbabPYGBnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcUVkTG5xNThMM0xieTZL
K3g3MGM3cW9nYXVyUlpyN04rU3oyTjBzUEFvCkNjZ2FINjdRcHk1cnQ2Tk5xb3VT
RXdjQ2Q1UnJTTWxWVTg1L0dzQzVGVWsKLS0tIFpxbCtFcWoxRkpNSFl5OE96VVlL
S3g3YTJwcHNpTTJucmdTb2VhL2RSVFkKo0EUJLgfiemiKhNRIcL4FMmPYd7/fwXh
4CLMYiK6HxfceCL0TMlBpZnqT0e90PEmPTYNm7LdU7GO5rf/ojNPtQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcllpbXVSZS85Rk45ZXVu
cUdGVnc2T2w0U2s3MGVPK3pIWUZtV0lBQmpZClhEWXY1eDRCcitPRFRyR05iQ3lV
TExXeFZJMEVKUFc2bElPVlhCQ1dETVkKLS0tIHdSbXNFWG1tVHQ4Nit2TnZ6RlJK
cmEvVS8weUJEVHFxMm1Sa25DMEFTRm8KsE5OFR1Uv/NnWGxgoCJ3pSl4Qbn9+zQF
j+feAhjjq5TOzEPCqRg1N9PUxCKxnAVPEsFs7Zky4FrN/QwM1yLj3g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuREZ3RTNmRnp6b1Y4anBE
VFVTTi9tMDZ0L2NuM1NKWG1HcGUvS2VaQm5RCjVlZ21xUVExRmFDOXZPRi90M3R6
dnpVUUhWVlNyV0lUejh3YlRiZ0daTVkKLS0tIENiMnBBV3dqTCt2V0xwUnA2RGk2
Z2JaRXhDc2VwSWY5bEN0b2VqY0lnSGcKeI36DZ893S6Vrqsf3p45g89NaMpkS3YC
miPE4MHUl6l2xF5t59SfyM9/XmwuUN9jUqtIcFhZs3Rgp5hFKhoemQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraHd1U0trUVBVNXBzNWpv
cXQ4bXFpaG5CcittV2hCZVM1OGRoNTlqTndvCjYvNHErZmY4ZThYTkIrTHVad0pt
YlV2c1lZUGhpVzFKL21PSGZiL3pKV3cKLS0tIHJ3SlNGSUJEMHdNK3FjQ0pQeEFz
WGtXNjdiWEMyNjluMHJSSTZuQmpmTncKLjw4WduNFzwVw7MW5JqPftAYD14SMSpE
ZL2ivi0hCGiub3QGaNp07zLUbM8DktcgKcntmSkM+hMOv/9mYMnnvQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-19T00:28:56Z"
mac: ENC[AES256_GCM,data:jc/oaE8thHZzrCkHfcD40YiyZczKoltvxU9DkX8VUsCkLaEIHjoPyyo82EA4DH3GH4Nk4f6+AN84MFzBjh4k/2PVctUukpB5uqQyTtluhMxA7MhIaIquDA44qmYU3tg3jTaTJwaWzUf1UdFxjOG489U7coqWzPtSw4yMLLK6KEk=,iv:fymEmLFZGHWpoNbUYZuqydF1ssGCqKVYqOOVtkLbVbQ=,tag:ZXFZI24XBCLqUaNAUlW7gA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

BIN
secrets/hetzner-borgbackup-ssh.age
View file

Binary file not shown.

7
secrets/secrets.nix
View file

@ -11,17 +11,10 @@ let
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
build02 = knownHosts.build02.publicKey;
build03 = knownHosts.build03.publicKey;
web02 = knownHosts.web02.publicKey;
secrets = {
grafana-client-secret = [ web02 ];
hetzner-borgbackup-ssh = [
build02
build03
web02
];
nix-community-matrix-bot-token = [ web02 ];
oauth2-proxy-key-file = [ web02 ];
};

5
sops.nix
View file

@ -23,6 +23,11 @@ let
"terraform/secrets.yaml" = [ ];
}
// builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
"modules/secrets/backup.yaml" = [
"build02"
"build03"
"web02"
];
"modules/secrets/community-builder.yaml" = [
"build01"
"darwin01"