desko: enable duplicity backups

.sops.yaml

@@ -25,3 +25,9 @@ creation_rules:
       - *user_desko_colin
       - *user_uninsane_colin
       - *host_uninsane
+  - path_regex: secrets/desko.yaml$
+    key_groups:
+    - age:
+      - *user_desko_colin
+      - *user_lappy_colin
+      - *host_desko

machines/desko/default.nix

@@ -8,6 +8,11 @@
     pkgs.electron
   ];
   colinsane.gui.sway.enable = true;
+  colinsane.services.duplicity.enable = true;
+
+  sops.secrets.duplicity_passphrase = {
+    sopsFile = ../../secrets/desko.yaml;
+  };
 
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";

machines/uninsane/default.nix

@@ -24,9 +24,8 @@
   ];
   colinsane.services.duplicity.enable = true;
 
-  sops.secrets."duplicity_passphrase" = {
+  sops.secrets.duplicity_passphrase = {
     sopsFile = ../../secrets/uninsane.yaml;
-    # owner = "duplicity";
   };
 
   # This value determines the NixOS release from which the default

modules/services/duplicity.nix

@@ -1,5 +1,5 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, ... }:
+{ config, lib, ... }:
 
 with lib;
 let
@@ -19,6 +19,12 @@ in
     services.duplicity.escapeUrl = false;
     # format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
     # two sisters
+    # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
+    # DUPLICITY_URL: b2://$key_id:$app_key@$bucket
+    # create key with: backblaze-b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
+    #   ^ run this until you get a key with no forward slashes :upside_down:
+    #   web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
+    #   you need to create a new application key from the web in order to first get a key which can create new keys (use env vars in the above command)
     # TODO: s/duplicity_passphrase/duplicity_env/
     services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
     # NB: manually trigger with `systemctl start duplicity`
@@ -38,6 +44,10 @@ in
       "/mnt"
       # data that's not worth the cost to backup:
       "/opt/uninsane/media"
+      "/home/colin/tmp"
+      "/home/colin/Videos"
+      # TODO: transitional
+      "/home/colin/internal"
     ];
 
     services.duplicity.extraFlags = [
@@ -48,4 +58,5 @@ in
     # set this for the FIRST backup, then remove it to enable incremental backups
     #   (that the first backup *isn't* full i think is a defect)
     # services.duplicity.fullIfOlderThan = "always";
+  };
 }

secrets/desko.yaml

@@ -0,0 +1,39 @@
+duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUk1qc2QzQ0E5YzBuaGxv
+            Y2R4ckRWOWhlVEdKQlFOS0FJckNBZFdwQ0JZCis2Ui8va1A2SEYwWkNpdzM5Qy8z
+            YklOcnFQbXVVODVNUEp2T1E2aE4xRUkKLS0tIHdLdC8vbGlvWkprWlJyWHNZTkFm
+            WTQwSFJVYWVDVTZIWW43RXlWVGtiQmcKVr+601K6sctCFHVcwBM652C9j/mAAqv5
+            ES1cPjWlYC4GpJLrGYmGfdlJLNKjdIx7rew8wAtcqnmNacQxfFxEDg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ml8kkppftygu2wag57yld98jlrkh4avp54eheq7q0fa2rup843csqjajs6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UXBVUDlvc0RUUWttT0lJ
+            RnlLU0JJQlhmRmJ5K3J2Tzg0SUNRdU1BTzNJCk1aQWJJcU0ybVlvbi9EUkJ0dFNL
+            UUVQdHFRbWdvUHhqZmx4Z05Kb1llZVkKLS0tIGdkYkwyVldYM2hwRjBZVkFWUGNr
+            VW1rMnFMTEZJbEM5VUlBZTN0UUVjNEUKtFlqPE3s4QifVmoWTReRgm2oBBgKuoX2
+            6fEv8TMrOAYbtxLCoB1GbXJ31vqCB4Fm//1wq3IbO6nHVYpYAbbH3A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTjdxMTdCcHZUWHMvZGpF
+            NmFwajhidnQ3TlhTMmtzR3dPRFNTMks1VWxvCmR1YUFQUHpnWmpOQityeGthbmh6
+            R0xKQmRWckdRQkdCTWg3ZXgvUXd6Y00KLS0tIEhHaExPZWZFeHFZRkxzOFFVSCs5
+            OGVZSzdjdU5WOTh2N2VmcDdsemlITFEKwkcNTgLNqSdfzJ88fIb+zx9dN+K7usVR
+            uWnSbFedcJB2iSmN8SaZQZ6IHa63hY1DpaCKMMDeBZ/vYJNMeEGpGA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-10T08:41:13Z"
+    mac: ENC[AES256_GCM,data:51N4a+P+eXVAdPFAI3h4TFKsR6IOGBnyusW4k7ZrMOleH1l4C3khYaUmCoE1nnLlmD2q+kmtdGdU6FWyB7BYiSytjqvQa0WumEhf5PpOtj5k+55c1sljvtK58BxQd7N5Th+R4VmlqZ7LXviwzIb8OkoiCf0yC+jxZRi/2MQiKC4=,iv:Jjrrnp7isbmEP9vAYZ+lVRit2RNbrq2unXzuZD8C/2Q=,tag:HvKUFKdhE3O75o8hX+hIsA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/uninsane.yaml

@@ -1,8 +1,3 @@
-#ENC[AES256_GCM,data:jBCVxBRtHCzOKua2vVVJ92TiNNrT8kABylT0tEz7JNNN0tmqsBCJMfDH9rBAMFpyf/orKXQVxkWV80qWVxzUwNDexwixrd0rs32gOXK1tQ==,iv:8d9EzGTXVEfmd8Su571zBySo5iIaQ9pDMLmC1lrYe5o=,tag:GDOxbWxNjTZ1unqLws2Wng==,type:comment]
-#ENC[AES256_GCM,data:KeKi7dkXTNiUZHfV7FyxKMO3AgR8ePeOE0H1ynZmtMLNRm4uHUSB7pL57n1s,iv:PQhqt0TAWJq/GondbIGYyN5pvonQGPpfQ0h2GqXYX6w=,tag:AnixV9wm/Unx4yYf6G4ntg==,type:comment]
-#ENC[AES256_GCM,data:fLQIrV4bWsUdPXxEbkYaXDgxr4B0dBs0+KiQC//xno02+8tNTxg5p956WZAK/iHPt7wGtm2bW6ay2oe18sgW3pDGLI1JOrOU0pBBcJSXns+1yJtgQSN8N4e+iVSM+EulppFk/fpMD20S3ToJhx2RvWmCcqHqH9wPHfD67B/1/IGSRhStH7AqCnfeB5ncN6d86C8Z+Q==,iv:02xufkIcNyvrALuD8P5TWk6CXxsFNvjTCiRQgquALTM=,tag:sGz4kFiku+R1gGLMkG1+jQ==,type:comment]
-#ENC[AES256_GCM,data:mfjzNHS72mmkebXz8tqrBpiVbHLWG7RTFfPTsLphoc3E5jz/NOQLQ0q76pJLDXlZQ+BIc5TE2RqDH649opWAAiM/hd2QFr8=,iv:0bjh5bWwcYS2FLUr3O9Moh1YJW+Id1a2cEkkH98maMs=,tag:0r61r+/kpGHbK0ttVCPhow==,type:comment]
-#ENC[AES256_GCM,data:l5E8Ji9v6shdOjDsg+pvRmSgWz7Spbq1s4lO01WUSaGzmfJdr/nnVrIE6gQNImTKfW8McqY4ZHTFTUSZ5Fs8BkjpSQ+9N1OIJl7wmg6G168zSL2hgQtpM4DbECQNgfjCJxAG9TN/2wnQkhN0f5Lrqw==,iv:HyfnJKJQABwMj7X7fQxVcakBs1PBpWVWlr6PyVn1EvY=,tag:84aMXP8kCGVksYpw389klg==,type:comment]
 duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str]
 ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
 #ENC[AES256_GCM,data:LMfqz2Rih6CR7RcCbA==,iv:MQ7z93Mhus2Z2q7HZMk4BzkkY/apBIR+9hIiZlknolc=,tag:HU5McecdYk12I3AcvVHEBw==,type:comment]
@@ -51,8 +46,8 @@ sops:
             U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
             xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-09T00:01:31Z"
-    mac: ENC[AES256_GCM,data:hMin/DRXcK9l64uCRb+efUPm01xoh4n00ghNHnrMOtn5UrVzwKY+BGaJdLM0VXx+rfZgm+en8accRLUPqv5OrAeccikqhCjaAJUcSK8MaYOueVBytttbHySGao2H2+FUQe/92980kucUuClvuZKHDXZ/zHX8rxJpFoBhpJWZXIc=,iv:dmD5H0l8VlOT3N7l75y9EhzR4dyJ3oKF6CyDnagSfwk=,tag:MlikPcmJZiWmWnaax0gydQ==,type:str]
+    lastmodified: "2022-06-10T08:38:03Z"
+    mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3