From bcdbe40580def42683c64f818fdb3ad485be0604 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 19 Dec 2024 10:25:06 +1000
Subject: [PATCH] modules/nixos/backup: move secrets to sops

---
 .sops.yaml | 11 ++++
 modules/nixos/backup.nix | 6 +--
 modules/secrets/backup.yaml | 84 +++++++++++++++++++++++++++++
 secrets/hetzner-borgbackup-ssh.age | Bin 1625 -> 0 bytes
 secrets/secrets.nix | 7 ---
 sops.nix | 5 ++
 6 files changed, 103 insertions(+), 10 deletions(-)
 create mode 100644 modules/secrets/backup.yaml
 delete mode 100644 secrets/hetzner-borgbackup-ssh.age

diff --git a/.sops.yaml b/.sops.yaml
index 9551646..2370d58 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -63,6 +63,17 @@ creation_rules:
 - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
 - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
 path_regex: ^hosts/web02/secrets.yaml$
+ - key_groups:
+ - age:
+ - age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
+ - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+ - age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
+ - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+ - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+ - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+ path_regex: ^modules/secrets/backup.yaml$
 - key_groups:
 - age:
 - age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
diff --git a/modules/nixos/backup.nix b/modules/nixos/backup.nix
index 317b831..9aeda6d 100644
--- a/modules/nixos/backup.nix
+++ b/modules/nixos/backup.nix
@@ -32,8 +32,8 @@ config = {
 # 100GB storagebox is attached to the build02 server
- age.secrets.hetzner-borgbackup-ssh = {
- file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+ sops.secrets.hetzner-borgbackup-ssh = {
+ sopsFile = "${inputs.self}/modules/secrets/backup.yaml";
 };
 programs.ssh.knownHosts.hetzner-storage-box = {
@@ -49,7 +49,7 @@ repo = "u416406@u416406.your-storagebox.de:/./${config.networking.hostName}-${backup.name}";
 encryption.mode = "none";
 compression = "auto,zstd";
- environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
+ environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
 preHook = "set -x";
 postHook = ''
 cat > /var/log/telegraf/borgbackup-job-${backup.name}.service <<EOF
diff --git a/modules/secrets/backup.yaml b/modules/secrets/backup.yaml
new file mode 100644
index 0000000..c54ffca
--- /dev/null
+++ b/modules/secrets/backup.yaml
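Review bot: The new `sops.secrets.hetzner-borgbackup-ssh` block in the first hunk sets only `sopsFile`, so the decrypted file's owner, group and mode fall back to sops-nix defaults and the YAML key name appears to be taken from the attribute name (it matches the `hetzner-borgbackup-ssh:` entry in the new backup.yaml); none of that is written down, and it replaces an agenix block whose defaults a reader may assume still apply. A one-line comment above the block would close that gap, e.g. `# key name = attribute name (see modules/secrets/backup.yaml); owner/mode left at sops-nix defaults, consumed only by BORG_RSH below`. The second hunk's `BORG_RSH` line is the only consumer of the new path visible here; whether anything outside this file still references `config.age.secrets.hetzner-borgbackup-ssh` cannot be checked from this diff. The enclosing `config = {` attribute set starts and ends outside both hunks.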
@@ -0,0 +1,84 @@ +hetzner-borgbackup-ssh: ENC[AES256_GCM,data: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,iv:T9Ib38LMfX7Ljc8Q3Q6qrvpc43c+S4eeHtEEHrItngY=,tag:IIVeZGkPYUqfwivvC3gjRg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV2k5SVBzSDNBUURMWWV0 + K3hkMnZNZURUbXRMdktCclJqY3gxNTBGNG0wCnZkaEM5MFR4SVhGbDlSRVhyU0lK + SStib1VtY1JtUEFwL1JTNkhnNUpkUnMKLS0tIG15M0J3NmZKalh4MmttV1BGWHMv + bkNudTlPaUF4WTRvektZdmhqY3FHNzgKctwWnoyn3YQtQRWIlB+3usnxu2NSWBNI + uvxc+l2Gg3D+Ur47kBWyoEIzRUEJpnKrm0SpvnSbDh9XyHubJXTTMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OEE1Ly8yVG1YckJhVUMv + Q3dzMkliT2syOGEvc2hMMlg1QXZxc2RvOFE0CmlKbXQvSjZMNHVxa1VIdEl6ODFR + T1k1L3lMYUZwQVk0WmNpS2lqa3JaOG8KLS0tIGw4cGcrOFZaMUhLajVVWE16VG8z + VWY0d0J2VklrL2tDOFk4U1M1RVcxSUUK87kCs2C/0gBzAuSmH4BJxgvF7/MeTfv/ + CJswV45PmxSvW2fYKvoKPc44nr8kMXLzjUhgWcNHDRMfBV+pYqF68w== + -----END AGE ENCRYPTED FILE----- + - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMllSdDUwMmh0Z0Q1U2N0 + NHFUZm1ETzI4dklkaW80cE5PQzJQZ2JXZ3dvClVwSXpEL08yQmRkSGtxTmFvWldD + SUFFTmtRNFBEZk1LcGJUdndhRHh5NUkKLS0tIEVCQktIYk81WEcvbkU5Vjl5WjEx + VWJGM0cweGtWTUZzbWNKSEpSUVc2Z1UKsiS+7ppdu2BWoXnqbYXkfDe3UxpnUh+Q + MQMrrtA+mj0YgpLhbOMdxY3g1v/2M/TNoQI7Mqv8N2QbwS9TFdMI2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cFFVZ1k3RHdlVldPQytZ + ZE1NNEhjZkVQOE1HRTE2WWdoR0hnS2pJVDNjCjhpNEI2NHFLcUR5QXJ5TU1LSUR0 + 
ZGRkbVlWcHhoLzRCV3VNeURwWDJVdFEKLS0tIGpWTTQ4WVYzRyt4K29NNW5BQVBI + NXd6bXcxWmpvYTJWMDRDcUtlOVJJOGsKc0/ZJMso2mmlN3N/AV3mwlRHfmB57nPN + 9mJnS4fCfWrZ6/0jBKraPXDfuPzEpQSkVHmk98mP3IrfxbabPYGBnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcUVkTG5xNThMM0xieTZL + K3g3MGM3cW9nYXVyUlpyN04rU3oyTjBzUEFvCkNjZ2FINjdRcHk1cnQ2Tk5xb3VT + RXdjQ2Q1UnJTTWxWVTg1L0dzQzVGVWsKLS0tIFpxbCtFcWoxRkpNSFl5OE96VVlL + S3g3YTJwcHNpTTJucmdTb2VhL2RSVFkKo0EUJLgfiemiKhNRIcL4FMmPYd7/fwXh + 4CLMYiK6HxfceCL0TMlBpZnqT0e90PEmPTYNm7LdU7GO5rf/ojNPtQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcllpbXVSZS85Rk45ZXVu + cUdGVnc2T2w0U2s3MGVPK3pIWUZtV0lBQmpZClhEWXY1eDRCcitPRFRyR05iQ3lV + TExXeFZJMEVKUFc2bElPVlhCQ1dETVkKLS0tIHdSbXNFWG1tVHQ4Nit2TnZ6RlJK + cmEvVS8weUJEVHFxMm1Sa25DMEFTRm8KsE5OFR1Uv/NnWGxgoCJ3pSl4Qbn9+zQF + j+feAhjjq5TOzEPCqRg1N9PUxCKxnAVPEsFs7Zky4FrN/QwM1yLj3g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuREZ3RTNmRnp6b1Y4anBE + VFVTTi9tMDZ0L2NuM1NKWG1HcGUvS2VaQm5RCjVlZ21xUVExRmFDOXZPRi90M3R6 + dnpVUUhWVlNyV0lUejh3YlRiZ0daTVkKLS0tIENiMnBBV3dqTCt2V0xwUnA2RGk2 + Z2JaRXhDc2VwSWY5bEN0b2VqY0lnSGcKeI36DZ893S6Vrqsf3p45g89NaMpkS3YC + miPE4MHUl6l2xF5t59SfyM9/XmwuUN9jUqtIcFhZs3Rgp5hFKhoemQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraHd1U0trUVBVNXBzNWpv + cXQ4bXFpaG5CcittV2hCZVM1OGRoNTlqTndvCjYvNHErZmY4ZThYTkIrTHVad0pt + 
YlV2c1lZUGhpVzFKL21PSGZiL3pKV3cKLS0tIHJ3SlNGSUJEMHdNK3FjQ0pQeEFz + WGtXNjdiWEMyNjluMHJSSTZuQmpmTncKLjw4WduNFzwVw7MW5JqPftAYD14SMSpE + ZL2ivi0hCGiub3QGaNp07zLUbM8DktcgKcntmSkM+hMOv/9mYMnnvQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-19T00:28:56Z" + mac: ENC[AES256_GCM,data:jc/oaE8thHZzrCkHfcD40YiyZczKoltvxU9DkX8VUsCkLaEIHjoPyyo82EA4DH3GH4Nk4f6+AN84MFzBjh4k/2PVctUukpB5uqQyTtluhMxA7MhIaIquDA44qmYU3tg3jTaTJwaWzUf1UdFxjOG489U7coqWzPtSw4yMLLK6KEk=,iv:fymEmLFZGHWpoNbUYZuqydF1ssGCqKVYqOOVtkLbVbQ=,tag:ZXFZI24XBCLqUaNAUlW7gA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 
diff --git a/secrets/hetzner-borgbackup-ssh.age b/secrets/hetzner-borgbackup-ssh.age deleted file mode 100644 index 7c2eb384fbd29f890eab02be6e2fd078025dc5dd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1625 zcmZXT>#y5{0mZwu(r73f>i`MHhiC<{;@-xI6F(+e>cp@38OKg+UkQZc*pBVQj-A{% z@m>{sYFBFu8``u9=-8m0xPyvE>D0Tisp~3rgUbY)v<?Q0P8ZNxRozr>#Rlt_ekp&! zPv@N9F<pDk4y|N19D7l?Jxbidq?nuAnIDaMb9T2>sT8q1sT9V6oS)3(iI34V)KRsd z%*>!M+7+2Nma1H$u<B@vWM#_o_(U^uwpUWBDlVfQArG+<V;e#OcS?M>S`B>=!kQv( zH+c>#bkZwnDWvfZp6|6nid0~to_Ok@uDCthz=}LmMaBfeno65BYokU%q7gaDRbmK| zvaA(&PHaR}G>A&{0Ei`(MJ7C49oKC_odL5FQz5UU4eZP;x%ui?Xi92FY^DIvh45)* zTIJ-xY7K>947s=tl0d>o4c{H0xpb^GsFc=GST?P)W?L?!SMX_C4cu5EIG@K8k8ewG zRViPlB_lJB^P-}qxj_L1S{$h0^BEUTr@E|WK*1ciP$bX0&X5o~emx52EuI<R-~!AS z$*O~5*rcXUGc3UEoTi|xtyG#uEQw<_Yw=*G3l4Z^p==4W`AS&mIm13vP#b)xWcCaI z-MFDFjQYKPbKXlNB{yMeGl_!IQmGOM*i4<zip927@2f%^is}+sF-Z~;Mxx7h<~?Tu z>6|<=29g(Wx)IcnFgGj?b)-|4)4Icj;n0-=Zj|_ziJ1Jf5>8_pE(umAs8>^ENLnl) zIbCN)kvi6_8<i&A%DF~XHau0K%SoZ*6TAX<4Ag;#3Sh$JNgd#@X;y2J<955tN1d>3 z8a@(F6IkyXA`fBJoFuw{(!nE~pc`~7<AT6ZI)1tB%ihW!G7-}}xG>RTOXQ?(m#Q=w z9)wGsv_(%NV=@#)9kqO+tu_&S!5!s%w{LkpAS+UyuaQ9oY9wZcx4r&2>&iCP!XP#v zCQWo|e8gKp1D%?i*IG3<8k!(qN}Xzes4&e(l<rW}WI&OAITc27&l9XP49T3@6ox== z)<XJ&%!VfkTQy8c6T!afYGob?`vjG-Oa}8_bY(WI)X_aW-%{)7fGR0OyASy!#?To# zbBBeb8qL7U#PR9?#!X|h&i8~|kQCY?r?zWIrLAc+&~3O8(P(nM1or@;Y*{wmi4_?T ziyz6>EB5X1(kFFa)wF_6d9g=MF~k+)k>xurMNb(zl>@BR?-!LzV$yO>k;cP*@sctU z>Ih=ZQP>~^$A~J))tZrooB-)!tK}0cb7{A^xjX^X#$KN+njY3@FHq=sAPaKE){u@Y zgAfF>K-N_lCmb+j?sHq_c0a!1p6iIh+T)b){E1t>auj5D|9JhKXP1`(^;Yx7=uP6> zYs#MUi>vIO$G(__{dccFa=5wp-z~(J?|rjWcyjxPE0YgCzEOJO?4yTrfB4CcUvIkq z!{fJq>hKrtJ%0Dmo2c8$^2P7Gc=s*W9NTo^vmUmt$Gl4NZ@mxgYrODcwxYW~f3WyG zKmJ|$+^e6w^~P7GyEypI7JXpfUi%n(>SpWUb3fX(b?L9+jyrq%8;7>-ISqX2z}kI} zihp!&{>JOvXLf#Y#{(yS|Mup4=B)2NjLq&nxrCOsUjOjx8#XSj2lt=&*tUaDon2b@ zwN>EQ<{P%Im<#A@i%&1EeSZ6i+cq4zYVn!VWpwqWtDmL){~SGY0lK(4I<2vOxXS<U zl~4ccsc#(ye(=?oFC6g??EfWwt@ZCS?U%r(fA-Ezznb3u-h1bl-`$7;zx~T|cf9$h 
z9#1{C^2nA8U*`}0roQt5;_rKR@7Q+N)=zwU*O!->Q&**i(fj_~@}_I?`yV+IVVm!I z{}<QnyC}Z%#zm>Ly7t!IH{M<&_O*_$UtTO9`suSPe|zYKZTFqL;h)4m&b|D@Q|k_0 HeO~=P0E$$u
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b39c7fc..e6b023b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,17 +11,10 @@ let
 inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
- build02 = knownHosts.build02.publicKey;
- build03 = knownHosts.build03.publicKey;
 web02 = knownHosts.web02.publicKey;
 secrets = {
 grafana-client-secret = [ web02 ];
- hetzner-borgbackup-ssh = [
- build02
- build03
- web02
- ];
 nix-community-matrix-bot-token = [ web02 ];
 oauth2-proxy-key-file = [ web02 ];
 };
diff --git a/sops.nix b/sops.nix
index 4732db9..7705e4c 100644
--- a/sops.nix
+++ b/sops.nix
@@ -23,6 +23,11 @@ let
 "terraform/secrets.yaml" = [ ];
 } // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+ "modules/secrets/backup.yaml" = [
+ "build02"
+ "build03"
+ "web02"
+ ];
 "modules/secrets/community-builder.yaml" = [
 "build01"
 "darwin01"
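Review bot: The `"modules/secrets/backup.yaml"` entry added in the sops.nix hunk names only `build02`, `build03` and `web02`, yet the `.sops.yaml` rule for that same path in this commit lists eight age recipients, so five further recipients are presumably appended elsewhere in sops.nix, outside this hunk. That is routine for a service secret, but this file holds the private SSH key for the shared storage box, so it is worth confirming that every key in that wider set is meant to be able to decrypt it; the agenix list removed in secrets.nix named the same three hosts and nothing else visible here. A short comment on the entry would make the choice explicit, e.g. `# storage-box SSH key: backup hosts plus the default recipient set`. The enclosing `let` binding starts before the hunk and the attribute set continues past it.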