diff --git a/.sops.yaml b/.sops.yaml
index a6e7c7d8..69b4f6e2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -25,3 +25,9 @@ creation_rules:
 - *user_desko_colin
 - *user_uninsane_colin
 - *host_uninsane
+ - path_regex: secrets/desko.yaml$
+ key_groups:
+ - age:
+ - *user_desko_colin
+ - *user_lappy_colin
+ - *host_desko
diff --git a/machines/desko/default.nix b/machines/desko/default.nix
index c87e9b4b..0a961b02 100644
--- a/machines/desko/default.nix
+++ b/machines/desko/default.nix
@@ -8,6 +8,11 @@
 pkgs.electron
 ];
 colinsane.gui.sway.enable = true;
+ colinsane.services.duplicity.enable = true;
+
+ sops.secrets.duplicity_passphrase = {
+ sopsFile = ../../secrets/desko.yaml;
+ };
 # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
 system.stateVersion = "21.05";
diff --git a/machines/uninsane/default.nix b/machines/uninsane/default.nix
index 03809f16..650d70da 100644
--- a/machines/uninsane/default.nix
+++ b/machines/uninsane/default.nix
@@ -24,9 +24,8 @@
 ];
 colinsane.services.duplicity.enable = true;
- sops.secrets."duplicity_passphrase" = {
+ sops.secrets.duplicity_passphrase = {
 sopsFile = ../../secrets/uninsane.yaml;
- # owner = "duplicity";
 };
 # This value determines the NixOS release from which the default
diff --git a/modules/services/duplicity.nix b/modules/services/duplicity.nix
index 41f21fcf..af1e99bc 100644
--- a/modules/services/duplicity.nix
+++ b/modules/services/duplicity.nix
@@ -1,5 +1,5 @@
 # docs: https://search.nixos.org/options?channel=21.11&query=duplicity
-{ config, ... }:
+{ config, lib, ... }:
 with lib;
 let
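Review bot: sops applies the first `creation_rules` entry whose `path_regex` matches, so the new `secrets/desko.yaml$` rule only takes effect if none of the rules above it (outside this hunk) already matches that path with a broader pattern; the committed secrets/desko.yaml carries exactly three age recipients, which suggests the rule was selected, but that is worth confirming rather than assuming. A short comment on the rule would help the next addition, e.g. `# desko-specific secrets: decryptable by the desko/lappy user keys and the desko host key; keep specific rules above any catch-all`. Note also that editing .sops.yaml does not re-encrypt anything by itself; an existing file has to be refreshed with `sops updatekeys` whenever its rule's recipients change.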
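Review bot: The `sops.secrets.duplicity_passphrase` declaration now appears verbatim in both machines/desko/default.nix and machines/uninsane/default.nix, differing only in `sopsFile`, while modules/services/duplicity.nix already hard-depends on `config.sops.secrets.duplicity_passphrase.path`; declaring the secret in the module and taking the per-host file through an option (or `sops.defaultSopsFile`) would keep the two from drifting and would stop a third host that enables the service without this block from failing at evaluation with an attribute-missing error. The sops-nix defaults (root-owned, mode 0400) appear to be what the uninsane hunk settled on by dropping the `owner` experiment, and they match the NixOS duplicity unit, which as far as I recall runs as root; a one-line comment such as `# read by the duplicity unit as root; default sops owner/mode are intentional` would record that decision here too.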
@@ -19,6 +19,12 @@ in
 services.duplicity.escapeUrl = false;
 # format: PASSPHRASE= \n DUPLICITY_URL=b2://...
 # two sisters
+ # PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
+ # DUPLICITY_URL: b2://$key_id:$app_key@$bucket
+ # create key with: backblaze-b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
+ # ^ run this until you get a key with no forward slashes :upside_down:
+ # web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
+ # you need to create a new application key from the web in order to first get a key which can create new keys (use env vars in the above command)
 # TODO: s/duplicity_passphrase/duplicity_env/
 services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
 # NB: manually trigger with `systemctl start duplicity`
@@ -38,6 +44,10 @@ in
 "/mnt"
 # data that's not worth the cost to backup:
 "/opt/uninsane/media"
+ "/home/colin/tmp"
+ "/home/colin/Videos"
+ # TODO: transitional
+ "/home/colin/internal"
 ];
 services.duplicity.extraFlags = [
@@ -48,4 +58,5 @@ in
 # set this for the FIRST backup, then remove it to enable incremental backups
 # (that the first backup *isn't* full i think is a defect)
 # services.duplicity.fullIfOlderThan = "always";
+ };
 }
diff --git a/secrets/desko.yaml b/secrets/desko.yaml
new file mode 100644
index 00000000..685ea7ad
--- /dev/null
+++ b/secrets/desko.yaml
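Review bot: The added comments document a B2 application key without `deleteFiles`, which is the right shape for an append-only backup target, but they leave out the consequence: with that capability set duplicity's `remove-older-than`, `remove-all-but-n-full` and `cleanup` cannot delete anything, so chain pruning has to happen out of band (bucket lifecycle rules, or a separate more-privileged key used only from a trusted machine) and the incremental chain otherwise grows without bound. Suggest appending `# NB: no deleteFiles, so duplicity's remove-older-than/cleanup cannot prune; use bucket lifecycle rules or a separate key for retention`. The "no forward slashes" workaround exists because the key is spliced into `DUPLICITY_URL` unescaped; percent-encoding `/` as `%2F` in the secret would likely avoid regenerating keys, though that depends on duplicity unquoting the password component of the URL and should be verified before relying on it. The example also hard-codes the uninsane bucket and key names even though this commit enables the module on desko as well, and since these notes appear to have moved out of the encrypted `type:comment` lines removed from secrets/uninsane.yaml into plaintext, the bucket and key naming is now readable by anyone with repository access — low sensitivity, but a deliberate choice worth stating in the comment.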
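Review bot: The exclude list (presumably `services.duplicity.exclude`, whose opening bracket lies above this hunk) now mixes host-agnostic entries with paths tied to one user and one host — `/opt/uninsane/media`, `/home/colin/tmp`, `/home/colin/Videos`, `/home/colin/internal` — inside a module that this same commit enables on a second machine, so unless desko overrides it, desko inherits uninsane's exclusions: anything at those paths on desko is silently skipped and any desko-specific bulk data is backed up. A list-typed option on the module (`mkOption { type = types.listOf types.str; default = []; }`, with `with lib;` already in scope) that each machine extends and that is concatenated onto the shared entries here would keep machine names out of the module. The `# TODO: transitional` entry should say what it is transitional toward and when it can go, e.g. `# TODO: transitional — drop once /home/colin/internal has been migrated to <DESTINATION>`.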
@@ -0,0 +1,39 @@
+duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUk1qc2QzQ0E5YzBuaGxv
+ Y2R4ckRWOWhlVEdKQlFOS0FJckNBZFdwQ0JZCis2Ui8va1A2SEYwWkNpdzM5Qy8z
+ YklOcnFQbXVVODVNUEp2T1E2aE4xRUkKLS0tIHdLdC8vbGlvWkprWlJyWHNZTkFm
+ WTQwSFJVYWVDVTZIWW43RXlWVGtiQmcKVr+601K6sctCFHVcwBM652C9j/mAAqv5
+ ES1cPjWlYC4GpJLrGYmGfdlJLNKjdIx7rew8wAtcqnmNacQxfFxEDg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ml8kkppftygu2wag57yld98jlrkh4avp54eheq7q0fa2rup843csqjajs6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UXBVUDlvc0RUUWttT0lJ
+ RnlLU0JJQlhmRmJ5K3J2Tzg0SUNRdU1BTzNJCk1aQWJJcU0ybVlvbi9EUkJ0dFNL
+ UUVQdHFRbWdvUHhqZmx4Z05Kb1llZVkKLS0tIGdkYkwyVldYM2hwRjBZVkFWUGNr
+ VW1rMnFMTEZJbEM5VUlBZTN0UUVjNEUKtFlqPE3s4QifVmoWTReRgm2oBBgKuoX2
+ 6fEv8TMrOAYbtxLCoB1GbXJ31vqCB4Fm//1wq3IbO6nHVYpYAbbH3A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTjdxMTdCcHZUWHMvZGpF
+ NmFwajhidnQ3TlhTMmtzR3dPRFNTMks1VWxvCmR1YUFQUHpnWmpOQityeGthbmh6
+ R0xKQmRWckdRQkdCTWg3ZXgvUXd6Y00KLS0tIEhHaExPZWZFeHFZRkxzOFFVSCs5
+ OGVZSzdjdU5WOTh2N2VmcDdsemlITFEKwkcNTgLNqSdfzJ88fIb+zx9dN+K7usVR
+ uWnSbFedcJB2iSmN8SaZQZ6IHa63hY1DpaCKMMDeBZ/vYJNMeEGpGA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-10T08:41:13Z"
+ mac: ENC[AES256_GCM,data:51N4a+P+eXVAdPFAI3h4TFKsR6IOGBnyusW4k7ZrMOleH1l4C3khYaUmCoE1nnLlmD2q+kmtdGdU6FWyB7BYiSytjqvQa0WumEhf5PpOtj5k+55c1sljvtK58BxQd7N5Th+R4VmlqZ7LXviwzIb8OkoiCf0yC+jxZRi/2MQiKC4=,iv:Jjrrnp7isbmEP9vAYZ+lVRit2RNbrq2unXzuZD8C/2Q=,tag:HvKUFKdhE3O75o8hX+hIsA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/uninsane.yaml b/secrets/uninsane.yaml
index b6ccc901..3cd9fb03 100644
--- a/secrets/uninsane.yaml
+++ b/secrets/uninsane.yaml
@@ -1,8 +1,3 @@
-#ENC[AES256_GCM,data:jBCVxBRtHCzOKua2vVVJ92TiNNrT8kABylT0tEz7JNNN0tmqsBCJMfDH9rBAMFpyf/orKXQVxkWV80qWVxzUwNDexwixrd0rs32gOXK1tQ==,iv:8d9EzGTXVEfmd8Su571zBySo5iIaQ9pDMLmC1lrYe5o=,tag:GDOxbWxNjTZ1unqLws2Wng==,type:comment]
-#ENC[AES256_GCM,data:KeKi7dkXTNiUZHfV7FyxKMO3AgR8ePeOE0H1ynZmtMLNRm4uHUSB7pL57n1s,iv:PQhqt0TAWJq/GondbIGYyN5pvonQGPpfQ0h2GqXYX6w=,tag:AnixV9wm/Unx4yYf6G4ntg==,type:comment]
-#ENC[AES256_GCM,data:fLQIrV4bWsUdPXxEbkYaXDgxr4B0dBs0+KiQC//xno02+8tNTxg5p956WZAK/iHPt7wGtm2bW6ay2oe18sgW3pDGLI1JOrOU0pBBcJSXns+1yJtgQSN8N4e+iVSM+EulppFk/fpMD20S3ToJhx2RvWmCcqHqH9wPHfD67B/1/IGSRhStH7AqCnfeB5ncN6d86C8Z+Q==,iv:02xufkIcNyvrALuD8P5TWk6CXxsFNvjTCiRQgquALTM=,tag:sGz4kFiku+R1gGLMkG1+jQ==,type:comment]
-#ENC[AES256_GCM,data:mfjzNHS72mmkebXz8tqrBpiVbHLWG7RTFfPTsLphoc3E5jz/NOQLQ0q76pJLDXlZQ+BIc5TE2RqDH649opWAAiM/hd2QFr8=,iv:0bjh5bWwcYS2FLUr3O9Moh1YJW+Id1a2cEkkH98maMs=,tag:0r61r+/kpGHbK0ttVCPhow==,type:comment]
-#ENC[AES256_GCM,data:l5E8Ji9v6shdOjDsg+pvRmSgWz7Spbq1s4lO01WUSaGzmfJdr/nnVrIE6gQNImTKfW8McqY4ZHTFTUSZ5Fs8BkjpSQ+9N1OIJl7wmg6G168zSL2hgQtpM4DbECQNgfjCJxAG9TN/2wnQkhN0f5Lrqw==,iv:HyfnJKJQABwMj7X7fQxVcakBs1PBpWVWlr6PyVn1EvY=,tag:84aMXP8kCGVksYpw389klg==,type:comment]
 duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str]
 ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
 #ENC[AES256_GCM,data:LMfqz2Rih6CR7RcCbA==,iv:MQ7z93Mhus2Z2q7HZMk4BzkkY/apBIR+9hIiZlknolc=,tag:HU5McecdYk12I3AcvVHEBw==,type:comment]
@@ -51,8 +46,8 @@ sops:
 U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
 xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-06-09T00:01:31Z"
- mac: ENC[AES256_GCM,data:hMin/DRXcK9l64uCRb+efUPm01xoh4n00ghNHnrMOtn5UrVzwKY+BGaJdLM0VXx+rfZgm+en8accRLUPqv5OrAeccikqhCjaAJUcSK8MaYOueVBytttbHySGao2H2+FUQe/92980kucUuClvuZKHDXZ/zHX8rxJpFoBhpJWZXIc=,iv:dmD5H0l8VlOT3N7l75y9EhzR4dyJ3oKF6CyDnagSfwk=,tag:MlikPcmJZiWmWnaax0gydQ==,type:str]
+ lastmodified: "2022-06-10T08:38:03Z"
+ mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3