migrate duplicity PASSPHRASE to sops
parent
c7252f9c96
commit
d2ea4c5ffe
@ -19,3 +19,9 @@ creation_rules:
|
|||
- *host_lappy
|
||||
- *host_uninsane
|
||||
- *host_moby
|
||||
- path_regex: secrets/uninsane/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_desko_colin
|
||||
- *user_uninsane_colin
|
||||
- *host_uninsane
|
||||
|
|
|
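Review bot: sops applies the first creation_rule whose path_regex matches, so the rule added at `- path_regex: secrets/uninsane/[^/]+\.yaml$` only takes effect if the preceding rule (the one ending in `*host_moby`, whose path_regex starts outside this hunk) does not also match those paths; if that earlier rule is a catch-all, this key group is shadowed and the file is encrypted to the host keys alone. The regex is anchored only at the end, so it also matches a same-named file under any other directory; `- path_regex: ^secrets/uninsane/[^/]+\.yaml$` pins it to the intended location. It is worth confirming that the three age recipients in the new secrets/uninsane/duplicity.yaml correspond to exactly `*user_desko_colin`, `*user_uninsane_colin` and `*host_uninsane`, since nothing in this hunk ties the aliases to those recipient strings.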
@ -47,6 +47,10 @@
|
|||
sops.secrets.example_key = {
|
||||
owner = config.users.users.colin.name;
|
||||
};
|
||||
sops.secrets."duplicity_passphrase" = {
|
||||
sopsFile = ../../secrets/uninsane/duplicity.yaml;
|
||||
# owner = "duplicity";
|
||||
};
|
||||
# sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||
}
|
||||
|
||||
|
|
|
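Review bot: the commented-out `# owner = "duplicity";` inside `sops.secrets."duplicity_passphrase"` leaves the secret at the sops-nix defaults (root-owned, not readable by other users) without saying whether that is deliberate; a comment stating the intent reads better than dead code, e.g. `# root-only by design: the duplicity unit reads this file as root (confirm; no "duplicity" user is declared here)`. That default is the safe one for a backup passphrase, so the point is documentation, not a mode change. The enclosing attribute set starts outside this hunk, and the sibling `sops.secrets.example_key` entry looks like template residue that could be dropped in a follow-up.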
@ -1,13 +1,13 @@
|
|||
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
|
||||
{ secrets, ... }:
|
||||
{ secrets, config, ... }:
|
||||
|
||||
{
|
||||
services.duplicity.enable = true;
|
||||
# TODO: can we put an arbitrary shell expression here, to `cat` the url at runtime?
|
||||
services.duplicity.targetUrl = secrets.duplicity.url;
|
||||
# format: PASSPHRASE=<cleartext>
|
||||
# two sisters
|
||||
services.duplicity.secretFile =
|
||||
builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
|
||||
services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
|
||||
# NB: manually trigger with `systemctl start duplicity`
|
||||
services.duplicity.frequency = "daily";
|
||||
services.duplicity.exclude = [
|
||||
|
@ -21,6 +21,8 @@
|
|||
"/var/lib/pleroma"
|
||||
"/var/lib/transmission/Downloads"
|
||||
"/var/lib/transmission/.incomplete"
|
||||
# other mounts
|
||||
"/mnt"
|
||||
# data that's not worth the cost to backup:
|
||||
"/opt/uninsane/media"
|
||||
];
|
||||
|
|
|
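Review bot: in the first hunk of this file, the new `services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;` drops the `PASSPHRASE=` prefix that the removed `builtins.toFile "duplicity_env" "PASSPHRASE=${...}"` line used to add, while secretFile is still consumed as an environment file (the removed comment `# format: PASSPHRASE=<cleartext>` documented exactly that); unless the encrypted value in secrets/uninsane/duplicity.yaml already decrypts to `PASSPHRASE=<cleartext>`, the unit starts with no passphrase and the backup job will fail rather than use the expected key. Either store the value with the prefix or keep a comment next to the new line, e.g. `# sops value must decrypt to "PASSPHRASE=<cleartext>": secretFile is loaded as an environment file`. The removal itself is the right fix, since builtins.toFile placed the cleartext passphrase in the world-readable Nix store. `services.duplicity.targetUrl = secrets.duplicity.url;` still passes the B2 credentials as a plain Nix value, which the TODO comment above it already acknowledges and this commit does not address. The enclosing attribute set continues beyond both hunks.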
@ -7,7 +7,7 @@
|
|||
# web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
|
||||
duplicity.url = "b2://<REPLACEME:KEY_ID>:<REPLACEME:APPKEY>:<REPLACEME:BUCKET>";
|
||||
# remote backups will be encrypted using this (gpg) passphrase
|
||||
duplicity.passphrase = "<REPLACEME>";
|
||||
# duplicity.passphrase = "<REPLACEME>";
|
||||
|
||||
# to generate:
|
||||
# wg genkey > wg0.private
|
||||
|
|
|
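Review bot: the commented-out `# duplicity.passphrase = "<REPLACEME>";` in this template no longer tells a reader where the passphrase now lives, and the comment above it (`# remote backups will be encrypted using this (gpg) passphrase`) is left describing a value that is gone; replacing the dead line with a pointer is more useful, e.g. `# passphrase moved to sops: secrets/uninsane/duplicity.yaml (key duplicity_passphrase)`. The `duplicity.url` entry two lines up still carries the B2 key id and app key as a plain Nix string, so that half of the backup credentials is not covered by this migration.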
@ -0,0 +1,39 @@
|
|||
duplicity_passphrase: ENC[AES256_GCM,data:oh3iXKAnkVz0B25kHYTBz4FG+3OURLe4yMXQuZDpHEXCXavPgOg=,iv:jfwzog65SDZTjXmm2OUI9zGffOSdRJxwmtCbZReRXPU=,tag:Z0mGljg0n1mQX2WcybZvaw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt
|
||||
TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa
|
||||
dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj
|
||||
VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi
|
||||
GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN
|
||||
Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j
|
||||
SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW
|
||||
dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV
|
||||
hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx
|
||||
aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL
|
||||
UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C
|
||||
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
|
||||
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-06-07T01:44:34Z"
|
||||
mac: ENC[AES256_GCM,data:Mf0unN7x/x+hI56ECMuyLpLWoxRg5APIyhB7UtY7BzQ/UzHEYE/mektw7LrvPm3GkhkSBeTa8yw9UUeMkNBgNFfp6df3oiIZnZc/RriXUWasgtqeMWD35LYQqz/jZ8O2usP5E5OySOuzV332ZHhrNqxUVABQdBY8Kz6anEFMlZU=,iv:IVQFzyOrDevcuMNr1ul/FtJnDLMw+FeeQy5nLWNb3Jc=,tag:fvmbjYszc4+Y6vV8wtJx0g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|