diff --git a/.sops.yaml b/.sops.yaml
index 9551646..2370d58 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -63,6 +63,17 @@ creation_rules:
 - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
 - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
 path_regex: ^hosts/web02/secrets.yaml$
+ - key_groups:
+ - age:
+ - age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
+ - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+ - age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
+ - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+ - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+ - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+ path_regex: ^modules/secrets/backup.yaml$
 - key_groups:
 - age:
 - age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
diff --git a/modules/nixos/backup.nix b/modules/nixos/backup.nix
index 317b831..9aeda6d 100644
--- a/modules/nixos/backup.nix
+++ b/modules/nixos/backup.nix
@@ -32,8 +32,8 @@
 config = {
 # 100GB storagebox is attached to the build02 server
- age.secrets.hetzner-borgbackup-ssh = {
- file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+ sops.secrets.hetzner-borgbackup-ssh = {
+ sopsFile = "${inputs.self}/modules/secrets/backup.yaml";
 };
 programs.ssh.knownHosts.hetzner-storage-box = {
@@ -49,7 +49,7 @@
 repo = "u416406@u416406.your-storagebox.de:/./${config.networking.hostName}-${backup.name}";
 encryption.mode = "none";
 compression = "auto,zstd";
- environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
+ environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
 preHook = "set -x";
 postHook = ''
 cat > /var/log/telegraf/borgbackup-job-${backup.name}.service <<EOF
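Review bot: The recipient list added for `^modules/secrets/backup.yaml$` spells out, key by key, the same host set that the `sops.nix` hunk at the end of this patch assigns to that file (build02, build03, web02) on top of the keys the neighbouring rules already carry, and nothing on the page shows one list being derived from the other. As written, a host key rotation has to be applied in both files and then followed by `sops updatekeys modules/secrets/backup.yaml`, otherwise the encrypted file keeps its previous recipients while the rule claims something else. If `.sops.yaml` is in fact generated from `sops.nix`, a comment above the rule saying so, `# generated from sops.nix; edit there and regenerate`, would stop the next reader from hand-editing it.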
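Review bot: The new `sops.secrets.hetzner-borgbackup-ssh` declaration sets only `sopsFile`, so the decrypted key is installed with sops-nix's defaults (owned by root, mode 0400), and the second hunk passes that path to `ssh -i` from inside the borg job; that is fine when the job runs as root, but ssh cannot load a key file its own user cannot read, so if the borgbackup job sets a non-root `user` (the jobs definition around `repo = ...` continues outside the hunk, so I cannot tell) the declaration needs `owner = <job user>;` next to `sopsFile`. A short comment on the declaration, `# consumed via BORG_RSH below; must be readable by the borg job user`, would tie the two hunks together. The enclosing `config = {` attribute set starts and ends outside the hunk.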
diff --git a/modules/secrets/backup.yaml b/modules/secrets/backup.yaml new file mode 100644 index 0000000..c54ffca --- /dev/null +++ b/modules/secrets/backup.yaml 
@@ -0,0 +1,84 @@ +hetzner-borgbackup-ssh: ENC[AES256_GCM,data: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,iv:T9Ib38LMfX7Ljc8Q3Q6qrvpc43c+S4eeHtEEHrItngY=,tag:IIVeZGkPYUqfwivvC3gjRg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV2k5SVBzSDNBUURMWWV0 + K3hkMnZNZURUbXRMdktCclJqY3gxNTBGNG0wCnZkaEM5MFR4SVhGbDlSRVhyU0lK + SStib1VtY1JtUEFwL1JTNkhnNUpkUnMKLS0tIG15M0J3NmZKalh4MmttV1BGWHMv + bkNudTlPaUF4WTRvektZdmhqY3FHNzgKctwWnoyn3YQtQRWIlB+3usnxu2NSWBNI + uvxc+l2Gg3D+Ur47kBWyoEIzRUEJpnKrm0SpvnSbDh9XyHubJXTTMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OEE1Ly8yVG1YckJhVUMv + Q3dzMkliT2syOGEvc2hMMlg1QXZxc2RvOFE0CmlKbXQvSjZMNHVxa1VIdEl6ODFR + T1k1L3lMYUZwQVk0WmNpS2lqa3JaOG8KLS0tIGw4cGcrOFZaMUhLajVVWE16VG8z + VWY0d0J2VklrL2tDOFk4U1M1RVcxSUUK87kCs2C/0gBzAuSmH4BJxgvF7/MeTfv/ + CJswV45PmxSvW2fYKvoKPc44nr8kMXLzjUhgWcNHDRMfBV+pYqF68w== + -----END AGE ENCRYPTED FILE----- + - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMllSdDUwMmh0Z0Q1U2N0 + NHFUZm1ETzI4dklkaW80cE5PQzJQZ2JXZ3dvClVwSXpEL08yQmRkSGtxTmFvWldD + SUFFTmtRNFBEZk1LcGJUdndhRHh5NUkKLS0tIEVCQktIYk81WEcvbkU5Vjl5WjEx + VWJGM0cweGtWTUZzbWNKSEpSUVc2Z1UKsiS+7ppdu2BWoXnqbYXkfDe3UxpnUh+Q + MQMrrtA+mj0YgpLhbOMdxY3g1v/2M/TNoQI7Mqv8N2QbwS9TFdMI2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cFFVZ1k3RHdlVldPQytZ + ZE1NNEhjZkVQOE1HRTE2WWdoR0hnS2pJVDNjCjhpNEI2NHFLcUR5QXJ5TU1LSUR0 + 
ZGRkbVlWcHhoLzRCV3VNeURwWDJVdFEKLS0tIGpWTTQ4WVYzRyt4K29NNW5BQVBI + NXd6bXcxWmpvYTJWMDRDcUtlOVJJOGsKc0/ZJMso2mmlN3N/AV3mwlRHfmB57nPN + 9mJnS4fCfWrZ6/0jBKraPXDfuPzEpQSkVHmk98mP3IrfxbabPYGBnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcUVkTG5xNThMM0xieTZL + K3g3MGM3cW9nYXVyUlpyN04rU3oyTjBzUEFvCkNjZ2FINjdRcHk1cnQ2Tk5xb3VT + RXdjQ2Q1UnJTTWxWVTg1L0dzQzVGVWsKLS0tIFpxbCtFcWoxRkpNSFl5OE96VVlL + S3g3YTJwcHNpTTJucmdTb2VhL2RSVFkKo0EUJLgfiemiKhNRIcL4FMmPYd7/fwXh + 4CLMYiK6HxfceCL0TMlBpZnqT0e90PEmPTYNm7LdU7GO5rf/ojNPtQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcllpbXVSZS85Rk45ZXVu + cUdGVnc2T2w0U2s3MGVPK3pIWUZtV0lBQmpZClhEWXY1eDRCcitPRFRyR05iQ3lV + TExXeFZJMEVKUFc2bElPVlhCQ1dETVkKLS0tIHdSbXNFWG1tVHQ4Nit2TnZ6RlJK + cmEvVS8weUJEVHFxMm1Sa25DMEFTRm8KsE5OFR1Uv/NnWGxgoCJ3pSl4Qbn9+zQF + j+feAhjjq5TOzEPCqRg1N9PUxCKxnAVPEsFs7Zky4FrN/QwM1yLj3g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuREZ3RTNmRnp6b1Y4anBE + VFVTTi9tMDZ0L2NuM1NKWG1HcGUvS2VaQm5RCjVlZ21xUVExRmFDOXZPRi90M3R6 + dnpVUUhWVlNyV0lUejh3YlRiZ0daTVkKLS0tIENiMnBBV3dqTCt2V0xwUnA2RGk2 + Z2JaRXhDc2VwSWY5bEN0b2VqY0lnSGcKeI36DZ893S6Vrqsf3p45g89NaMpkS3YC + miPE4MHUl6l2xF5t59SfyM9/XmwuUN9jUqtIcFhZs3Rgp5hFKhoemQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraHd1U0trUVBVNXBzNWpv + cXQ4bXFpaG5CcittV2hCZVM1OGRoNTlqTndvCjYvNHErZmY4ZThYTkIrTHVad0pt + 
YlV2c1lZUGhpVzFKL21PSGZiL3pKV3cKLS0tIHJ3SlNGSUJEMHdNK3FjQ0pQeEFz + WGtXNjdiWEMyNjluMHJSSTZuQmpmTncKLjw4WduNFzwVw7MW5JqPftAYD14SMSpE + ZL2ivi0hCGiub3QGaNp07zLUbM8DktcgKcntmSkM+hMOv/9mYMnnvQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-19T00:28:56Z" + mac: ENC[AES256_GCM,data:jc/oaE8thHZzrCkHfcD40YiyZczKoltvxU9DkX8VUsCkLaEIHjoPyyo82EA4DH3GH4Nk4f6+AN84MFzBjh4k/2PVctUukpB5uqQyTtluhMxA7MhIaIquDA44qmYU3tg3jTaTJwaWzUf1UdFxjOG489U7coqWzPtSw4yMLLK6KEk=,iv:fymEmLFZGHWpoNbUYZuqydF1ssGCqKVYqOOVtkLbVbQ=,tag:ZXFZI24XBCLqUaNAUlW7gA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/secrets/hetzner-borgbackup-ssh.age b/secrets/hetzner-borgbackup-ssh.age deleted file mode 100644 index 7c2eb38..0000000 Binary files a/secrets/hetzner-borgbackup-ssh.age and /dev/null differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b39c7fc..e6b023b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,17 +11,10 @@ let inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts; - build02 = knownHosts.build02.publicKey; - build03 = knownHosts.build03.publicKey; web02 = knownHosts.web02.publicKey; secrets = { grafana-client-secret = [ web02 ]; - hetzner-borgbackup-ssh = [ - build02 - build03 - web02 - ]; nix-community-matrix-bot-token = [ web02 ]; oauth2-proxy-key-file = [ web02 ]; }; diff --git a/sops.nix b/sops.nix index 4732db9..7705e4c 100644 --- a/sops.nix +++ b/sops.nix @@ -23,6 +23,11 @@ let "terraform/secrets.yaml" = [ ]; } // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { + "modules/secrets/backup.yaml" = [ + "build02" + "build03" + "web02" + ]; "modules/secrets/community-builder.yaml" = [ "build01" "darwin01"