From 914d84ef23cbd0d0e468a31ca72d8dc9dd3012f2 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 7 Jan 2024 15:57:30 +0100 Subject: [PATCH] encrypt borg repository also backup to AWS EC2 instance --- nixos/default.nix | 1 + nixos/modules/backups.nix | 16 +++++++++++----- nixos/secrets/borg_passphrase.age | 6 ++++++ nixos/secrets/ec2_borg_server.pem.age | Bin 0 -> 599 bytes nixos/secrets/secrets.nix | 3 +++ 5 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 nixos/secrets/borg_passphrase.age create mode 100644 nixos/secrets/ec2_borg_server.pem.age diff --git a/nixos/default.nix b/nixos/default.nix index 596a355..04a4ecd 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -112,6 +112,7 @@ tcpdump lsof parted + borgbackup ]; diff --git a/nixos/modules/backups.nix b/nixos/modules/backups.nix index 977159a..4e4beae 100644 --- a/nixos/modules/backups.nix +++ b/nixos/modules/backups.nix @@ -17,10 +17,13 @@ let repositories: - path: ${cfg.repoLocation} label: nfs + - path: ssh://admin@ec2-3-254-121-39.eu-west-1.compute.amazonaws.com/mnt/data/nfs.borg + label: ec2 + ssh_command: "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."ec2_borg_server.pem".path} -o StrictHostKeychecking=no -o ConnectTimeout=10 -o ConnectionAttempts=3" keep_daily: 7 keep_weekly: 4 keep_monthly: 6 - unknown_unencrypted_repo_access_is_ok: true + encryption_passcommand: "${pkgs.coreutils}/bin/cat ''${BORG_PASSPHRASE_FILE}" before_everything: - ${beforeEverything}/bin/beforeEverything postgresql_databases: @@ -64,7 +67,7 @@ in }; snapshotLocation = lib.mkOption { - default = "${config.lab.storage.dataMountPoint}/nfs-backup"; + default = "${config.lab.storage.dataMountPoint}/snapshot-nfs"; type = lib.types.str; description = '' Location to (temporary) create a snapshot of the subvolume. 
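Review bot: `-o StrictHostKeychecking=no` in the new ec2 `ssh_command` (hunk @@ -17 of backups.nix) turns off host-key verification, so the backup client will trust whatever host answers for that EC2 address; pin the server key instead, e.g. with NixOS `programs.ssh.knownHosts` or `-o UserKnownHostsFile=<known_hosts shipped in the config> -o StrictHostKeyChecking=yes` (OpenSSH matches option names case-insensitively, so the lowercase `checking` works, but `StrictHostKeyChecking` is the canonical spelling). The server side is not in this patch, but since the client now holds a private key for `admin` on that instance, the matching authorized_keys entry should be restricted to `borg serve --restrict-to-repository /mnt/data/nfs.borg` (optionally `--append-only`) so a compromised backup host cannot reach anything else there. The `${BORG_PASSPHRASE_FILE}` in `encryption_passcommand` (written `''${` in Nix) reaches the YAML as a literal `${...}` and is presumably resolved by borgmatic's config-load environment interpolation rather than by a shell, since borg invokes the passcommand without one; a one-line comment saying so, `# ${BORG_PASSPHRASE_FILE} is expanded by borgmatic from the unit's Environment=, not by a shell`, would save the next reader the investigation. Whether the existing nfs repository was re-initialised with encryption is not visible here; if it is still unencrypted, dropping `unknown_unencrypted_repo_access_is_ok` will make the non-interactive run fail on that repository.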
@@ -73,7 +76,7 @@ in }; config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs; [ borgbackup postgresql ]; + environment.systemPackages = with pkgs; [ postgresql ]; # Converted from: # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd systemd.services.borgmatic = { @@ -94,6 +97,7 @@ in Restart = "no"; LogRateLimitIntervalSec = 0; EnvironmentFile = config.age.secrets."database_passwords.env".path; + Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}"; }; script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}"; @@ -109,8 +113,10 @@ in }; }; - age.secrets."database_passwords.env" = { - file = ../secrets/database_passwords.env.age; + age.secrets = { + "database_passwords.env".file = ../secrets/database_passwords.env.age; + "borg_passphrase".file = ../secrets/borg_passphrase.age; + "ec2_borg_server.pem".file = ../secrets/ec2_borg_server.pem.age; }; }; } diff --git a/nixos/secrets/borg_passphrase.age b/nixos/secrets/borg_passphrase.age new file mode 100644 index 0000000..ccfb7ca --- /dev/null +++ b/nixos/secrets/borg_passphrase.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU +gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo +--- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY + 4Öš¾0 +e(+×}²½f%Àã^‘ kÀbד{WèŒôVüPän­×“ù:…Å6ý£s \ No newline at end of file 
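Review bot: `Environment = "BORG_PASSPHRASE_FILE=..."` in hunk @@ -94 only hands borgmatic a path; whether the process can read it depends on the unit's `User=`, which is outside this hunk, and agenix deploys secrets root-owned with mode 0400 by default, so a non-root service would need `owner`/`mode` set on the entries added in hunk @@ -109. The restructured `age.secrets` block would also benefit from a comment per entry naming its consumer, e.g. `# read by the borgmatic unit via BORG_PASSPHRASE_FILE` and `# ssh identity for the ec2 repository in borgmaticConfig`, since the two names are otherwise only tied together by string matching across the file.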
diff --git a/nixos/secrets/ec2_borg_server.pem.age b/nixos/secrets/ec2_borg_server.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..05f15bcc22ab9804aaafc4e4ec8e2a8a463c6d14 GIT binary patch literal 599 zcmV-d0;v6AXJsvAZewzJaCB*JZZ217* zT4+viIZRMZOgUp~Hdr=PLq<_CR%k?1PiZ%Lb}(Z|WmO6-EiE7`F*r72Gcjs$M^9^c zdU7~)W=&~xMQ1cYNJTesWn(pEG%rvwVpnNdcXtXue3XE(+00wEI#_ii&2mAyJ9JqB zlj}P!qHqC4{{(j(9WUP3KEiCFO<`iAuA<3~{DMbdWj)l@c&AD%bw&&?E~_@qU^%_) z(BG6GlL%JMVkwQZR3%d)m|xw=r~ez$(kC07+=gnFRdc!HDXyE}sG8=z#K2{Mu_)-x z?CMUYy$6Srt{9|)2qDN`fLbp$sC}v}{O+snv_Eh!H`!RiqIy<)sqvI_fR%fdQ zdo8t$*D0Wvc@*%P6Mg<0a$I$zC8%+W@NdByBlUp$ow!MnA)vS!!U6(d&>z;l8ZIeq ze<5N3EX&k}S3{ho<%U=ylx=CeLS;PocRzbz$07=_XMx7%4BQm`9^(RsVF^PHVurvA z|FC{y<2f5#TWR}d8$}0)z4i9gPKdMV@-M3tWfDpzS0a7AVP(nN9teEurRDhfBH_eN z%V(Tb05;oSr3#o=$_YL)pvYHIKqyB==KrL}WD%?^pj{f+QE5mnfQ?TlBmxWSc)(CR ltu`cw36UQRdHQTTb*)R~s~~T6q|Bh!4W?G##qsUD?6sg01Y7_B literal 0 HcmV?d00001 diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix index 9ce4ece..9899923 100644 --- a/nixos/secrets/secrets.nix +++ b/nixos/secrets/secrets.nix @@ -1,3 +1,4 @@ +# TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded. let pkgs = import { }; lib = pkgs.lib; @@ -29,6 +30,8 @@ let "lewis_host_ed25519.age" "lewis_user_ed25519.age" "database_passwords.env.age" + "borg_passphrase.age" + "ec2_borg_server.pem.age" ]; }; };
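Review bot: Adding `"borg_passphrase.age"` and `"ec2_borg_server.pem.age"` to the same filename list as the lewis host keys (hunk @@ -29 of secrets.nix) encrypts the EC2 private key and the repository passphrase to whatever key set that list is mapped to, which starts above this hunk; if that set spans more hosts than the one running borgmatic, the EC2 key is readable more widely than it needs to be. The passphrase also deserves a copy outside this repository and its age keys, because every encrypted repository, including the off-site ec2 one, is unrecoverable without it; a comment next to the entry, `# also stored out-of-band: losing this key set must not lose the backups`, would record where that copy lives. The preceding hunk's TODO about encrypting each file for all hosts would widen this exposure further, so it is worth deciding on before more secrets are added.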