diff --git a/nixos/default.nix b/nixos/default.nix
index 596a355..04a4ecd 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -112,6 +112,7 @@
 tcpdump
 lsof
 parted
+ borgbackup
 ];
diff --git a/nixos/modules/backups.nix b/nixos/modules/backups.nix
index 977159a..4e4beae 100644
--- a/nixos/modules/backups.nix
+++ b/nixos/modules/backups.nix
@@ -17,10 +17,13 @@ let
 repositories:
 - path: ${cfg.repoLocation}
 label: nfs
+ - path: ssh://admin@ec2-3-254-121-39.eu-west-1.compute.amazonaws.com/mnt/data/nfs.borg
+ label: ec2
+ ssh_command: "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."ec2_borg_server.pem".path} -o StrictHostKeychecking=no -o ConnectTimeout=10 -o ConnectionAttempts=3"
 keep_daily: 7
 keep_weekly: 4
 keep_monthly: 6
- unknown_unencrypted_repo_access_is_ok: true
+ encryption_passcommand: "${pkgs.coreutils}/bin/cat ''${BORG_PASSPHRASE_FILE}"
 before_everything:
 - ${beforeEverything}/bin/beforeEverything
 postgresql_databases:
@@ -64,7 +67,7 @@ in
 };
 snapshotLocation = lib.mkOption {
- default = "${config.lab.storage.dataMountPoint}/nfs-backup";
+ default = "${config.lab.storage.dataMountPoint}/snapshot-nfs";
 type = lib.types.str;
 description = ''
 Location to (temporary) create a snapshot of the subvolume.
@@ -73,7 +76,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- environment.systemPackages = with pkgs; [ borgbackup postgresql ];
+ environment.systemPackages = with pkgs; [ postgresql ];
 # Converted from:
 # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
 systemd.services.borgmatic = {
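Review bot: `-o StrictHostKeychecking=no` on the new `ssh_command` disables host-key verification for the ec2 repository, so anyone who can answer for that EC2 DNS name (an on-path attacker, or possibly whoever later receives the address behind `ec2-3-254-121-39…` if it is not an Elastic IP) can accept the backup connection and serve a tampered or empty repository back; with the new passphrase-based encryption the archive contents stay confidential, but integrity of what borg sees is no longer anchored to anything. Pin the server's key instead: drop that option and add `-o UserKnownHostsFile=${pkgs.writeText "ec2-known-hosts" "ec2-3-254-121-39.eu-west-1.compute.amazonaws.com ssh-ed25519 AAAA…"}` (or declare it through the NixOS `programs.ssh.knownHosts` option); the canonical spelling is `StrictHostKeyChecking`, though ssh accepts either case. Removing `unknown_unencrypted_repo_access_is_ok` also changes behaviour for the existing `nfs` repository: if it was initialised without encryption and borg's security cache does not already know it, borg will ask for confirmation and, with no TTY under systemd, fail — borg cannot add encryption in place, so that repo would need re-initialising or the flag would need to stay. The `repositories:` YAML here is inside a Nix string whose definition begins outside the hunk.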
@@ -94,6 +97,7 @@ in
 Restart = "no";
 LogRateLimitIntervalSec = 0;
 EnvironmentFile = config.age.secrets."database_passwords.env".path;
+ Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}";
 };
 script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
@@ -109,8 +113,10 @@ in
 };
 };
- age.secrets."database_passwords.env" = {
- file = ../secrets/database_passwords.env.age;
+ age.secrets = {
+ "database_passwords.env".file = ../secrets/database_passwords.env.age;
+ "borg_passphrase".file = ../secrets/borg_passphrase.age;
+ "ec2_borg_server.pem".file = ../secrets/ec2_borg_server.pem.age;
 };
 };
 }
diff --git a/nixos/secrets/borg_passphrase.age b/nixos/secrets/borg_passphrase.age
new file mode 100644
index 0000000..ccfb7ca
--- /dev/null
+++ b/nixos/secrets/borg_passphrase.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU
+gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo
+--- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY
+ 4Öš¾0 +e(+×}²½f%Àã^‘ kÀbד{WèŒôVüPän­×“ù:…Å6ý£s
\ No newline at end of file
diff --git a/nixos/secrets/ec2_borg_server.pem.age b/nixos/secrets/ec2_borg_server.pem.age
new file mode 100644
index 0000000..05f15bc
Binary files /dev/null and b/nixos/secrets/ec2_borg_server.pem.age differ
diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix
index 9ce4ece..9899923 100644
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -1,3 +1,4 @@
+# TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded.
 let
 pkgs = import { };
 lib = pkgs.lib;
@@ -29,6 +30,8 @@ let
 "lewis_host_ed25519.age"
 "lewis_user_ed25519.age"
 "database_passwords.env.age"
+ "borg_passphrase.age"
+ "ec2_borg_server.pem.age"
 ];
 };
 };
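Review bot: The new `Environment = "BORG_PASSPHRASE_FILE=…"` line only works if this unit runs as root, because agenix places secrets as `root:root` mode `0400` by default and no `owner`/`mode` is set on `borg_passphrase`; `User=` is not visible in this hunk, so confirm that assumption or set the secret's owner explicitly. A tighter alternative that does not depend on file ownership is a systemd credential, which exposes the secret to this service only: `LoadCredential = "borg_passphrase:${config.age.secrets."borg_passphrase".path}";` here, and in the borgmatic config `encryption_passcommand: "${pkgs.coreutils}/bin/cat ''${CREDENTIALS_DIRECTORY}/borg_passphrase"`. The `serviceConfig` attribute set this line belongs to starts outside the hunk.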
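Review bot: `ec2_borg_server.pem` is a private key that, per the repository URL added earlier in this diff, logs in as `admin` on the EC2 host, so a compromise of this backup client also yields a shell there and the ability to delete or prune every archive; the server side is not in the diff, but the matching `authorized_keys` entry should be restricted to `command="borg serve --restrict-to-repository /mnt/data/nfs.borg --append-only",restrict` so the client can only append to that one repository. I would record that dependency next to the secret, e.g. `# SSH key for the ec2 borg repo; the server-side authorized_keys entry must restrict it to append-only borg serve`. If the borgmatic unit does not run as root, these two new secrets also need `owner`/`mode` set so ssh accepts the key file's permissions.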
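Review bot: The new TODO proposes encrypting every secret to every host's public key, which would let any single compromised host decrypt all secrets — including `ec2_borg_server.pem`, which grants SSH access to the EC2 backup host, and the database passwords — whereas the per-entry `publicKeys` lists that the next hunk extends appear to scope each secret to the hosts that use it. I would reword the TODO so the simplification does not silently drop that property: `# TODO: simplify deployment, but keep each secret encrypted only to the hosts that need it (plus our personal keys); encrypting everything to every host lets one compromised host read all secrets.`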