migrate duplicity PASSPHRASE to sops
This commit is contained in:
parent
c7252f9c96
commit
d2ea4c5ffe
@ -19,3 +19,9 @@ creation_rules:
|
||||||
- *host_lappy
|
- *host_lappy
|
||||||
- *host_uninsane
|
- *host_uninsane
|
||||||
- *host_moby
|
- *host_moby
|
||||||
|
- path_regex: secrets/uninsane/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *user_desko_colin
|
||||||
|
- *user_uninsane_colin
|
||||||
|
- *host_uninsane
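Review bot: The new `- path_regex: secrets/uninsane/[^/]+\.yaml$` line is anchored only at the end, and sops matches creation rules as unanchored regular expressions, so a same-named file under any deeper directory would also be picked up by this key group; `- path_regex: ^secrets/uninsane/[^/]+\.yaml$` pins it to the intended tree. sops also applies the first rule whose regex matches, and the preceding rule (its `*host_lappy`, `*host_uninsane`, `*host_moby` anchors are visible as context, its `path_regex` is above the hunk) would shadow this one if it matches the same paths — worth confirming from the part of the file not shown here. The three age recipients listed here match in count the three recipients in the encrypted file added later in this commit, but the anchor-to-key mapping cannot be checked from the page.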
|
||||||
|
|
|
@ -47,6 +47,10 @@
|
||||||
sops.secrets.example_key = {
|
sops.secrets.example_key = {
|
||||||
owner = config.users.users.colin.name;
|
owner = config.users.users.colin.name;
|
||||||
};
|
};
|
||||||
|
sops.secrets."duplicity_passphrase" = {
|
||||||
|
sopsFile = ../../secrets/uninsane/duplicity.yaml;
|
||||||
|
# owner = "duplicity";
|
||||||
|
};
|
||||||
# sops.secrets."myservice/my_subdir/my_secret" = {};
|
# sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||||
}
|
}
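Review bot: `sops.secrets."duplicity_passphrase"` keeps `# owner = "duplicity";` as a dead line without saying why, so the decrypted file is left with sops-nix's default root ownership and mode and a reader cannot tell whether that is intended. If it is deliberate because the duplicity unit runs as root (the 21.11 module sets no `User`, as far as I can tell — confirm), replace the placeholder with `# no owner/mode override: the duplicity service runs as root, so the default root:root 0400 is what it needs`. Quoting is also inconsistent within the same attribute set — `example_key` is bare while `"duplicity_passphrase"` is quoted — and neither name needs the quotes.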
|
||||||
|
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
|
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
|
||||||
{ secrets, ... }:
|
{ secrets, config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
services.duplicity.enable = true;
|
services.duplicity.enable = true;
|
||||||
|
# TODO: can we put an arbitrary shell expression here, to `cat` the url at runtime?
|
||||||
services.duplicity.targetUrl = secrets.duplicity.url;
|
services.duplicity.targetUrl = secrets.duplicity.url;
|
||||||
# format: PASSPHRASE=<cleartext>
|
# format: PASSPHRASE=<cleartext>
|
||||||
# two sisters
|
# two sisters
|
||||||
services.duplicity.secretFile =
|
services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
|
||||||
builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
|
|
||||||
# NB: manually trigger with `systemctl start duplicity`
|
# NB: manually trigger with `systemctl start duplicity`
|
||||||
services.duplicity.frequency = "daily";
|
services.duplicity.frequency = "daily";
|
||||||
services.duplicity.exclude = [
|
services.duplicity.exclude = [
|
||||||
|
@ -21,6 +21,8 @@
|
||||||
"/var/lib/pleroma"
|
"/var/lib/pleroma"
|
||||||
"/var/lib/transmission/Downloads"
|
"/var/lib/transmission/Downloads"
|
||||||
"/var/lib/transmission/.incomplete"
|
"/var/lib/transmission/.incomplete"
|
||||||
|
# other mounts
|
||||||
|
"/mnt"
|
||||||
# data that's not worth the cost to backup:
|
# data that's not worth the cost to backup:
|
||||||
"/opt/uninsane/media"
|
"/opt/uninsane/media"
|
||||||
];
|
];
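Review bot: In the first hunk of this file (`@ -1,13 +1,13 @@`), `services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;` now points at a file whose contents are exactly the value stored under `duplicity_passphrase`, yet the surviving comment `# format: PASSPHRASE=<cleartext>` described the old `builtins.toFile` line; as far as I recall the NixOS option loads that file as an environment file of `VARIABLE=VALUE` lines, so the sops value itself must be the whole `PASSPHRASE=…` line, which this hunk cannot show. Make that explicit next to the assignment: `# the sops value must be the full line "PASSPHRASE=<cleartext>": secretFile is loaded as an EnvironmentFile`. The migration is also only half done: `services.duplicity.targetUrl = secrets.duplicity.url` still interpolates the B2 key id and application key (the `b2://<KEY_ID>:<APPKEY>:<BUCKET>` template is in the secrets file touched by this commit) into the unit, so they land in the world-readable Nix store; the added TODO could say that plainly, e.g. `# TODO: targetUrl embeds the B2 key id/app key in the Nix store; keep them out of the store like the passphrase`.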
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
# web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
|
# web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
|
||||||
duplicity.url = "b2://<REPLACEME:KEY_ID>:<REPLACEME:APPKEY>:<REPLACEME:BUCKET>";
|
duplicity.url = "b2://<REPLACEME:KEY_ID>:<REPLACEME:APPKEY>:<REPLACEME:BUCKET>";
|
||||||
# remote backups will be encrypted using this (gpg) passphrase
|
# remote backups will be encrypted using this (gpg) passphrase
|
||||||
duplicity.passphrase = "<REPLACEME>";
|
# duplicity.passphrase = "<REPLACEME>";
|
||||||
|
|
||||||
# to generate:
|
# to generate:
|
||||||
# wg genkey > wg0.private
|
# wg genkey > wg0.private
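Review bot: Commenting out `duplicity.passphrase = "<REPLACEME>";` leaves the line above it, `# remote backups will be encrypted using this (gpg) passphrase`, describing a value that no longer lives in this template, so the next person filling in the placeholders will not know where it went. Replace the two lines with a single pointer, e.g. `# the gpg passphrase for remote backups is sops-encrypted in secrets/uninsane/duplicity.yaml (key duplicity_passphrase); nothing to fill in here`. Keeping the old assignment as a commented-out line rather than deleting it is a style choice, but dead config in a template tends to get uncommented by mistake.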
|
||||||
|
|
|
@ -0,0 +1,39 @@
|
||||||
|
duplicity_passphrase: ENC[AES256_GCM,data:oh3iXKAnkVz0B25kHYTBz4FG+3OURLe4yMXQuZDpHEXCXavPgOg=,iv:jfwzog65SDZTjXmm2OUI9zGffOSdRJxwmtCbZReRXPU=,tag:Z0mGljg0n1mQX2WcybZvaw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt
|
||||||
|
TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa
|
||||||
|
dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj
|
||||||
|
VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi
|
||||||
|
GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN
|
||||||
|
Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j
|
||||||
|
SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW
|
||||||
|
dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV
|
||||||
|
hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx
|
||||||
|
aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL
|
||||||
|
UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C
|
||||||
|
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
|
||||||
|
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2022-06-07T01:44:34Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Mf0unN7x/x+hI56ECMuyLpLWoxRg5APIyhB7UtY7BzQ/UzHEYE/mektw7LrvPm3GkhkSBeTa8yw9UUeMkNBgNFfp6df3oiIZnZc/RriXUWasgtqeMWD35LYQqz/jZ8O2usP5E5OySOuzV332ZHhrNqxUVABQdBY8Kz6anEFMlZU=,iv:IVQFzyOrDevcuMNr1ul/FtJnDLMw+FeeQy5nLWNb3Jc=,tag:fvmbjYszc4+Y6vV8wtJx0g==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|