encrypt borg repository

also backup to AWS EC2 instance
2024-01-07 15:57:30 +01:00 · 2024-01-07 15:57:30 +01:00 · 914d84ef23
commit 914d84ef23
parent 2804e764f5
5 changed files with 21 additions and 5 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -112,6 +112,7 @@
    tcpdump
    lsof
    parted
+    borgbackup
  ];


--- a/nixos/modules/backups.nix
+++ b/nixos/modules/backups.nix
@ -17,10 +17,13 @@ let
      repositories:
      - path: ${cfg.repoLocation}
        label: nfs
+      - path: ssh://admin@ec2-3-254-121-39.eu-west-1.compute.amazonaws.com/mnt/data/nfs.borg
+        label: ec2
+      ssh_command: "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."ec2_borg_server.pem".path} -o StrictHostKeychecking=no -o ConnectTimeout=10 -o ConnectionAttempts=3"
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
-      unknown_unencrypted_repo_access_is_ok: true
+      encryption_passcommand: "${pkgs.coreutils}/bin/cat ''${BORG_PASSPHRASE_FILE}"
      before_everything:
      - ${beforeEverything}/bin/beforeEverything
      postgresql_databases:
@ -64,7 +67,7 @@ in
    };

    snapshotLocation = lib.mkOption {
-      default = "${config.lab.storage.dataMountPoint}/nfs-backup";
+      default = "${config.lab.storage.dataMountPoint}/snapshot-nfs";
      type = lib.types.str;
      description = ''
        Location to (temporary) create a snapshot of the subvolume.
@ -73,7 +76,7 @@ in
  };

  config = lib.mkIf cfg.enable {
-    environment.systemPackages = with pkgs; [ borgbackup postgresql ];
+    environment.systemPackages = with pkgs; [ postgresql ];
    # Converted from:
    # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
    systemd.services.borgmatic = {
@ -94,6 +97,7 @@ in
        Restart = "no";
        LogRateLimitIntervalSec = 0;
        EnvironmentFile = config.age.secrets."database_passwords.env".path;
+        Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}";
      };

      script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
@ -109,8 +113,10 @@ in
      };
    };

-    age.secrets."database_passwords.env" = {
-      file = ../secrets/database_passwords.env.age;
+    age.secrets = {
+      "database_passwords.env".file = ../secrets/database_passwords.env.age;
+      "borg_passphrase".file = ../secrets/borg_passphrase.age;
+      "ec2_borg_server.pem".file = ../secrets/ec2_borg_server.pem.age;
    };
  };
 }
--- a/nixos/secrets/borg_passphrase.age
+++ b/nixos/secrets/borg_passphrase.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU
+gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo
+--- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY
+4Öš¾0
+e(+×}²½f%Àã^‘ kÀb×“{WèŒôVüPän×“ù:…Å6ý£s
--- a/nixos/secrets/ec2_borg_server.pem.age
+++ b/nixos/secrets/ec2_borg_server.pem.age
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@ -1,3 +1,4 @@
+# TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded.
 let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;
@ -29,6 +30,8 @@ let
        "lewis_host_ed25519.age"
        "lewis_user_ed25519.age"
        "database_passwords.env.age"
+        "borg_passphrase.age"
+        "ec2_borg_server.pem.age"
      ];
    };
  };