From d2ea4c5ffef8274fabb91d14cab9ab2cfc4590f2 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 6 Jun 2022 19:06:53 -0700
Subject: [PATCH] migrate duplicity PASSPHRASE to sops
---
 .sops.yaml | 6 ++++
 helpers/universal/secrets.nix | 4 +++
 machines/uninsane/services/duplicity.nix | 8 +++--
 secrets/default.nix | 2 +-
 secrets/uninsane/duplicity.yaml | 39 ++++++++++++++++++++++++
 5 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 secrets/uninsane/duplicity.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 6a892c0b..ab886b69 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,3 +19,9 @@ creation_rules:
 - *host_lappy
 - *host_uninsane
 - *host_moby
+ - path_regex: secrets/uninsane/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_desko_colin
+ - *user_uninsane_colin
+ - *host_uninsane
diff --git a/helpers/universal/secrets.nix b/helpers/universal/secrets.nix
index d6096669..cffcfd81 100644
--- a/helpers/universal/secrets.nix
+++ b/helpers/universal/secrets.nix
@@ -47,6 +47,10 @@
 sops.secrets.example_key = {
 owner = config.users.users.colin.name;
 };
+ sops.secrets."duplicity_passphrase" = {
+ sopsFile = ../../secrets/uninsane/duplicity.yaml;
+ # owner = "duplicity";
+ };
 # sops.secrets."myservice/my_subdir/my_secret" = {};
 }
diff --git a/machines/uninsane/services/duplicity.nix b/machines/uninsane/services/duplicity.nix
index 819c86b7..b7d38490 100644
--- a/machines/uninsane/services/duplicity.nix
+++ b/machines/uninsane/services/duplicity.nix
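Review bot: The new `path_regex` is only end-anchored, and sops applies the first creation rule whose regex matches, so this rule is only effective if no earlier rule already matches `secrets/uninsane/`; the preceding rule (its `path_regex` is above this hunk) lists `*host_lappy`, `*host_uninsane` and `*host_moby`, and if it matches first the uninsane-only secret would also be decryptable by the other hosts. Writing it as `path_regex: ^secrets/uninsane/[^/]+\.yaml$` and ordering narrower rules before broader ones removes the ambiguity. The three age recipients in the new secrets/uninsane/duplicity.yaml are consistent with this rule, but a `sops updatekeys` on that file after any rule change is the cheap way to confirm the recipient set stays exactly these three.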
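Review bot: `# owner = "duplicity";` is left in as dead configuration with no explanation of why it is disabled. With `owner` unset, sops-nix installs the decrypted file root-owned with mode 0400, which is correct only if the duplicity unit runs as root; if that is the intent, replace the commented line with a statement of it, e.g. `# root-only (default 0400): the duplicity unit runs as root`, otherwise set `owner` to the unit's user and drop the comment. Either way the reader should not have to guess whether the disabled line is a pending change or a rejected one.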
@@ -1,13 +1,13 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ secrets, ... }:
+{ secrets, config, ... }:
 {
 services.duplicity.enable = true;
+ # TODO: can we put an arbitrary shell expression here, to `cat` the url at runtime?
 services.duplicity.targetUrl = secrets.duplicity.url;
 # format: PASSPHRASE= # two sisters
- services.duplicity.secretFile =
- builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
+ services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
 # NB: manually trigger with `systemctl start duplicity`
 services.duplicity.frequency = "daily";
 services.duplicity.exclude = [
@@ -21,6 +21,8 @@
 "/var/lib/pleroma"
 "/var/lib/transmission/Downloads"
 "/var/lib/transmission/.incomplete"
+ # other mounts
+ "/mnt"
 # data that's not worth the cost to backup:
 "/opt/uninsane/media"
 ];
diff --git a/secrets/default.nix b/secrets/default.nix
index 273a82a7..ef123c73 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -7,7 +7,7 @@
 # web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
 duplicity.url = "b2://::";
 # remote backups will be encrypted using this (gpg) passphrase
- duplicity.passphrase = "";
+ # duplicity.passphrase = "";
 # to generate:
 # wg genkey > wg0.private
diff --git a/secrets/uninsane/duplicity.yaml b/secrets/uninsane/duplicity.yaml
new file mode 100644
index 00000000..099d73e8
--- /dev/null
+++ b/secrets/uninsane/duplicity.yaml
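Review bot: `services.duplicity.secretFile` is, as I read the NixOS module, handed to systemd as an EnvironmentFile, so the decrypted file at `config.sops.secrets.duplicity_passphrase.path` must contain the full line `PASSPHRASE=<value>` rather than the bare passphrase the removed `builtins.toFile` line used to wrap; whether the encrypted `duplicity_passphrase` value in secrets/uninsane/duplicity.yaml carries that prefix is not visible here, and a bare value would leave PASSPHRASE unset and the unit failing non-interactively. The retained `# format: PASSPHRASE=` comment now describes the sops secret's plaintext rather than anything in this file, so rewording it to `# sops secret plaintext must be the env-file line PASSPHRASE=<value>` makes the contract explicit where the path is wired up. The added TODO is also well placed: `secrets.duplicity.url` is still interpolated into the unit's command line, which ends up world-readable in the nix store, so the credentials the url carries (per the comment in secrets/default.nix) are not protected by this migration.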
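Review bot: Commenting out `duplicity.passphrase = "";` leaves a dead line next to the still-live `duplicity.url`; deleting it, or replacing it with `# duplicity passphrase now lives in secrets/uninsane/duplicity.yaml (sops)`, tells the next reader where the value moved. If a real passphrase was ever committed in this file, it remains in git history regardless of this edit, so rotating the passphrase (which for duplicity means re-encrypting the backup set) is what fully retires the old value.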
@@ -0,0 +1,39 @@ +duplicity_passphrase: ENC[AES256_GCM,data:oh3iXKAnkVz0B25kHYTBz4FG+3OURLe4yMXQuZDpHEXCXavPgOg=,iv:jfwzog65SDZTjXmm2OUI9zGffOSdRJxwmtCbZReRXPU=,tag:Z0mGljg0n1mQX2WcybZvaw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt + TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa + dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj + VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi + GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN + Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j + SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW + dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV + hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx + aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL + UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C + U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce + xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-06-07T01:44:34Z" + mac: 
ENC[AES256_GCM,data:Mf0unN7x/x+hI56ECMuyLpLWoxRg5APIyhB7UtY7BzQ/UzHEYE/mektw7LrvPm3GkhkSBeTa8yw9UUeMkNBgNFfp6df3oiIZnZc/RriXUWasgtqeMWD35LYQqz/jZ8O2usP5E5OySOuzV332ZHhrNqxUVABQdBY8Kz6anEFMlZU=,iv:IVQFzyOrDevcuMNr1ul/FtJnDLMw+FeeQy5nLWNb3Jc=,tag:fvmbjYszc4+Y6vV8wtJx0g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3