diff --git a/flake.lock b/flake.lock index bdec885..c6dd996 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "myNixpkgs" + ] + }, + "locked": { + "lastModified": 1652712410, + "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=", + "owner": "ryantm", + "repo": "agenix", + "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "doom-emacs": { "flake": false, "locked": { @@ -580,6 +600,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "flake-utils": "flake-utils", "home-manager": "home-manager", "homePage": "homePage", diff --git a/flake.nix b/flake.nix index ed6374c..501b480 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,10 @@ recipemd = { url = github:dadada/recipemd/nix-flake; }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "myNixpkgs"; + }; }; outputs = { ... } @ args: import ./outputs.nix args; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index f7be74d..d155ab0 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -1,5 +1,7 @@ +# TODO refactor adapterModule and redundant module config { self , admins +, agenixModule , nixpkgs , nixosSystem , home-manager @@ -8,6 +10,7 @@ , nvd , scripts , recipemd +, secretsPath , }: let @@ -23,17 +26,16 @@ let ]; }; lib = nixpkgs.lib; - adminConfig = users: { - dadada.admin.users = lib.getAttrs users admins; - }; in { gorgon = nixosSystem rec { system = "x86_64-linux"; + specialArgs = { inherit admins secretsPath; }; modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ (adapterModule system) + agenixModule nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 home-manager.nixosModules.home-manager { 
@@ -52,34 +54,38 @@ in }; ifrit = nixosSystem rec { system = "x86_64-linux"; + specialArgs = { inherit admins secretsPath; }; modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ - (adminConfig [ "dadada" ]) + agenixModule (adapterModule system) ./modules/profiles/server.nix ./ifrit/configuration.nix + ./ifrit/hardware-configuration.nix ]; }; surgat = nixosSystem rec { system = "x86_64-linux"; + specialArgs = { inherit admins secretsPath; }; modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ - (adminConfig [ "dadada" ]) (adapterModule system) + agenixModule ./modules/profiles/server.nix ./surgat/configuration.nix ]; }; pruflas = nixosSystem rec { system = "x86_64-linux"; + specialArgs = { inherit admins secretsPath; }; modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ - (adminConfig [ "dadada" ]) (adapterModule system) + agenixModule ./modules/profiles/laptop.nix ./pruflas/configuration.nix ]; @@ -87,11 +93,12 @@ in agares = nixosSystem rec { system = "x86_64-linux"; + specialArgs = { inherit admins secretsPath; }; modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ - (adminConfig [ "dadada" ]) (adapterModule system) + agenixModule ./modules/profiles/server.nix ./agares/configuration.nix ]; diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index 6a164ba..fe65a95 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix @@ -1,6 +1,7 @@ { config , pkgs , lib +, secretsPath , ... }: let @@ -50,10 +51,6 @@ in }; vpnExtension = "3"; }; - backupClient = { - bs.enable = true; - gs.enable = false; - }; }; boot.kernel.sysctl = { diff --git a/nixos/ifrit/configuration.nix b/nixos/ifrit/configuration.nix index 0a71801..89130f1 100644 --- a/nixos/ifrit/configuration.nix +++ b/nixos/ifrit/configuration.nix 
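Review bot: Dropping `(adminConfig [ "dadada" ])` from pruflas leaves that host with no replacement for `dadada.admin.users`: pruflas is built on `./modules/profiles/laptop.nix`, and only `profiles/server.nix` gains `dadada.admin.users = admins;` in this commit. Unless `./pruflas/configuration.nix` sets it somewhere not shown here (only its `networking.tempAddresses` hunk is visible), the admin accounts and their authorized keys presumably vanish from pruflas at the next switch; checking `nixosConfigurations.pruflas.config.dadada.admin.users` with `nix eval` before deploying would settle it. The same `specialArgs = { inherit admins secretsPath; };` line is now repeated for every host here and in the agares hunk below, which is what the new TODO at the top of the file is about; a small `mkHost` helper next to `adapterModule` would remove the duplication.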
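Review bot: Removing the `backupClient = { bs.enable = true; gs.enable = false; };` block only keeps gorgon's backups running if its configuration now imports `profiles/backup.nix`, and neither gorgon hunk shows such an import; gorgon is not built on `profiles/laptop.nix` or `profiles/server.nix`, the two places this commit adds it. If nothing else enables `dadada.backupClient.bs`, the change silently turns backups off for this host while `secrets/gorgon-backup-passphrase.age` and the new `secretsPath` argument go unused. Please confirm by evaluating `config.dadada.backupClient.bs.enable` for gorgon, or add `imports = [ ../modules/profiles/backup.nix ];` here.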
@@ -9,71 +9,12 @@ let "media.dadada.li" "backup0.dadada.li" ]; - backups = "/mnt/storage/backup"; in { - imports = [ - ./hardware-configuration.nix - ]; - dadada = { admin.enable = true; - ddns.domains = [ - "backup0.dadada.li" - ]; - }; - - users.users.borg.home = backups; - services.borgbackup.repos = { - "metis" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/metis"; - quota = "1T"; - }; - "gorgon" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/gorgon"; - quota = "1T"; - }; - "surgat" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/surgat"; - quota = "50G"; - }; - "pruflas" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/pruflas"; - quota = "50G"; - }; - "wohnzimmerpi" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/wohnzimmerpi"; - quota 
= "50G"; - }; - "fginfo" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/fginfo"; - quota = "10G"; - }; - "fginfo-git" = { - allowSubRepos = false; - authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ]; - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ]; - path = "${backups}/fginfo-git"; - quota = "10G"; - }; + borgServer.enable = true; + borgServer.path = "/mnt/storage/backup"; }; networking.hostName = "ifrit"; diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix index 8887057..44087f0 100644 --- a/nixos/modules/backup.nix +++ b/nixos/modules/backup.nix @@ -19,6 +19,7 @@ with lib; let "/sys" "/tmp" "/var/cache" + "/var/lib/machines" "/var/log" "/var/tmp" ]; diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix new file mode 100644 index 0000000..5da2280 --- /dev/null +++ b/nixos/modules/borg-server.nix 
@@ -0,0 +1,81 @@ +{ config, lib, admins, ... }: +let + inherit (lib) mkEnableOption mkIf mkOption types; + cfg = config.dadada.borgServer; +in +{ + options = { + dadada.borgServer = { + enable = mkEnableOption "Enable Borg backup server"; + path = mkOption { + type = types.path; + default = "/var/lib/backup"; + example = "/mnt/storage/backup"; + }; + }; + }; + + config = mkIf cfg.enable { + + dadada.ddns.domains = [ + "backup0.dadada.li" + ]; + + users.users.borg.home = cfg.path; + services.borgbackup.repos = { + "metis" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/metis"; + quota = "1T"; + }; + "gorgon" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/gorgon"; + quota = "1T"; + }; + "surgat" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/surgat"; + quota = "50G"; + }; + "pruflas" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/pruflas"; + quota = "50G"; + }; + "wohnzimmerpi" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/wohnzimmerpi"; + quota = "50G"; + }; + "fginfo" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/fginfo"; + quota = "10G"; + }; + "fginfo-git" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ]; + authorizedKeys = admins.dadada.keys; + path = "${cfg.path}/fginfo-git"; + quota = "10G"; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.path} 0750 ${config.users.users.borg.name} ${config.users.users.borg.group} - -" + ]; + }; +} diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 814e40e..7813a3a 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -1,6 +1,7 @@ { ... } @ inputs: { admin = import ./admin.nix; backup = import ./backup.nix; + borgServer = import ./borg-server.nix; ddns = import ./ddns.nix; element = import ./element.nix; fido2 = import ./fido2.nix; diff --git a/nixos/modules/profiles/backup.nix b/nixos/modules/profiles/backup.nix new file mode 100644 index 0000000..0c41380 --- /dev/null +++ b/nixos/modules/profiles/backup.nix 
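Review bot: `mkEnableOption "Enable Borg backup server"` yields the description "Whether to enable Enable Borg backup server.", because mkEnableOption already prefixes "Whether to enable"; use `enable = mkEnableOption "the Borg backup server";` and give `path` a `description = "Directory holding one Borg repository per client; also the borg user's home.";`. The module is presented as generic (`dadada.borgServer`) but hard-codes the client list, each client's append-only host key and the `backup0.dadada.li` DDNS entry, so adding a client or rotating its key means editing this module rather than the client's host config; a `clients = mkOption { type = types.attrsOf (types.submodule ...); }` would keep each key next to the host that owns it. Note also that `authorizedKeys = admins.dadada.keys;` grants that admin full, non-append-only access to every repository including the external `fginfo` ones; this mirrors the previous per-host config, but it is now the single key set that can prune every backup, which deserves a comment above the repos block.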
@@ -0,0 +1,11 @@ +{ config, secretsPath, ... }: +{ + dadada.backupClient.bs = { + enable = true; + passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase.path"; + sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key.path"; + }; + + age.secrets."${config.networking.hostName}-backup-passphrase".file = "${toString secretsPath}/${config.networking.hostName}-backup-passphrase.age"; + age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${toString secretsPath}/${config.networking.hostName}n-backup-ssh-key.age"; +} diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix index f734585..8713a41 100644 --- a/nixos/modules/profiles/laptop.nix +++ b/nixos/modules/profiles/laptop.nix @@ -4,10 +4,16 @@ , ... }: with lib; { + imports = [ + ./backup.nix + ]; + networking.domain = mkDefault "dadada.li"; services.fwupd.enable = mkDefault true; + age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + fonts.fonts = mkDefault (with pkgs; [ source-code-pro ]); diff --git a/nixos/modules/profiles/server.nix b/nixos/modules/profiles/server.nix index 487000a..d0032f8 100644 --- a/nixos/modules/profiles/server.nix +++ b/nixos/modules/profiles/server.nix @@ -1,9 +1,16 @@ { config +, admins , pkgs , lib , ... }: with lib; { + imports = [ + ./backup.nix + ]; + + dadada.admin.users = admins; + networking.domain = mkDefault "dadada.li"; networking.tempAddresses = "disabled"; diff --git a/nixos/pruflas/configuration.nix b/nixos/pruflas/configuration.nix index f0f3208..032425a 100644 --- a/nixos/pruflas/configuration.nix +++ b/nixos/pruflas/configuration.nix @@ -103,6 +103,7 @@ with lib; { }; networking.domain = "dadada.li"; + networking.tempAddresses = "disabled"; users.mutableUsers = true; diff --git a/outputs.nix b/outputs.nix index abd57e1..8c7de6b 100644 --- a/outputs.nix +++ b/outputs.nix 
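Review bot: Both `config.age.secrets."…-backup-passphrase.path"` lookups put `.path` inside the quoted attribute name, so they index `age.secrets` with a key such as `gorgon-backup-passphrase.path` that is never defined and evaluation fails; the intended lines are `passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;` and `sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;`. The ssh-key file name on the last line also carries a stray `n` (`…${config.networking.hostName}n-backup-ssh-key.age`), which matches none of the `<host>-backup-ssh-key.age` files added under `secrets/` nor the names generated in `secrets/secrets.nix`; it should read `"${toString secretsPath}/${config.networking.hostName}-backup-ssh-key.age"`. A one-line header comment stating that every host importing this profile needs both `<host>-backup-passphrase.age` and `<host>-backup-ssh-key.age` registered in `secrets.nix` would make the contract visible to whoever adds the next machine.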
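Review bot: `dadada.admin.users = admins;` gives every entry of `admins.nix` an admin account on every server, whereas the removed `adminConfig [ "dadada" ]` in configurations.nix granted only that one user per host. The two are equivalent only while `admins.nix` has a single entry, and any key added to that file later is then trusted on all servers automatically; if the explicit allow-list was intentional, keep `dadada.admin.users = getAttrs [ "dadada" ] admins;` (`getAttrs` is in scope via `with lib;`), otherwise document the widening in a comment above the line. The profile also imports `./backup.nix` but, unlike `laptop.nix` in this same commit, sets no `age.identityPaths`; agenix's default for that option is derived from the OpenSSH host keys when sshd is enabled, so servers should still decrypt, but a short comment saying so would keep the asymmetry from being read as an omission.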
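Review bot: `networking.tempAddresses = "disabled";` turns off IPv6 privacy extensions on a laptop, so pruflas presents a single stable IPv6 address on every network it joins and the device becomes correlatable across sessions and sites; that trade-off suits the servers (server.nix sets the same value) but rarely a roaming machine. If a stable address is only needed on the home network, prefer a static address there and keep the default temporary addresses elsewhere; otherwise add a comment above this line stating why the laptop needs stable IPv6 addresses.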
@@ -9,13 +9,18 @@ , nvd , scripts , recipemd +, agenix , ... } @ inputs: +let + secretsPath = ./secrets; +in (flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; selfPkgs = self.packages.${system}; formatter = self.formatter.${system}; + agenix-bin = agenix.packages."${system}".agenix; in { apps.nixos-switch = { @@ -51,7 +56,7 @@ $link/activate ''); }; - devShell = pkgs.callPackage ./shell.nix { }; + devShell = pkgs.callPackage ./shell.nix { inherit agenix-bin; }; formatter = nixpkgs.legacyPackages."${system}".nixpkgs-fmt; checks = { format = pkgs.runCommand "check-format" { buildInputs = [ formatter ]; } "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out"; @@ -63,9 +68,10 @@ }; hmModules = import ./home/modules inputs; nixosConfigurations = import ./nixos/configurations.nix { + agenixModule = agenix.nixosModule; nixosSystem = nixpkgs.lib.nixosSystem; admins = import ./admins.nix; - inherit self nixpkgs home-manager nixos-hardware nvd scripts homePage recipemd; + inherit self secretsPath nixpkgs home-manager nixos-hardware nvd scripts homePage recipemd; }; nixosModules = import ./nixos/modules inputs; overlays = import ./overlays; diff --git a/secrets/agares-backup-passphrase.age b/secrets/agares-backup-passphrase.age new file mode 100644 index 0000000..702b900 --- /dev/null +++ b/secrets/agares-backup-passphrase.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 L7f05w zuSOhGaD5loTrVe42D+9wisBe9uLPVk4jB04aNOnVkE +TPkwqjoryGxiw02PJEOXTU/Ypt3ux5DG0df2FmLVCY0 +-> ssh-ed25519 Otklkw I6aDhKl2KS+JLkKzh1Wh2dlCHsjFaQpfoNvsoudBF38 +HsSCHtawaNCyhd5p8mdXQGiMidCp2PtFydES4frjGY0 +-> C'Lx21-grease "Ab:ca- # +/jYss39MTt1fbOK1t7s +--- ulSvMSFv1Ow1k20uMbgeQCO62S8wRNtuWuJVkjAlx/4 +璾劶(6'40建税9)遀^np5:锼蛅dDфM騾?OD啄Z哮Z396萳 \ No newline at end of file 
diff --git a/secrets/agares-backup-ssh-key.age b/secrets/agares-backup-ssh-key.age new file mode 100644 index 0000000..2e6dd67 Binary files /dev/null and b/secrets/agares-backup-ssh-key.age differ diff --git a/secrets/gorgon-backup-passphrase.age b/secrets/gorgon-backup-passphrase.age new file mode 100644 index 0000000..f6532ea --- /dev/null +++ b/secrets/gorgon-backup-passphrase.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 0aOabg 2h4VEFdhUUGkviD4i0wm3NL9944guan9O0BDoz/7mGQ +D9clRO4ibGPMMA5KLOXU9CPlNSulZA9RmKelxUKqy4E +-> ssh-ed25519 Otklkw kG8jXHeM2kYTBTpYfo2N4V/hJx2HdLPlgAXTZRKJmR8 +fesI+DSgCTMIY1pLJMx0q86+va3dF1ZFj3kRK+O0MIc +-> Z7_:1-grease 17g=iG^I #3%B ,.5lz +6YSTWBwtchUxqxCR2EvUic+OfO+XByzyqirtt8hW8eFdF/blR4McETrV3lb6n+xW +8SyICmVL60yGj3QDZWmus/FV8xaXh5hSJLqGNtwPdiM82mez +--- klL1U0W7ki7TRcM/lDsoR+/facAm7PDKTEw7bPWUmvc +L鱂櫇7[j?EDc(蚑4e刬9椙6C鈙`8讪2о"X5婙℡愦鹡B囋酜 姎莔0n? `^蒠Wy鴆 \ No newline at end of file diff --git a/secrets/gorgon-backup-ssh-key.age b/secrets/gorgon-backup-ssh-key.age new file mode 100644 index 0000000..9131537 Binary files /dev/null and b/secrets/gorgon-backup-ssh-key.age differ diff --git a/secrets/ifrit-backup-passphrase.age b/secrets/ifrit-backup-passphrase.age new file mode 100644 index 0000000..a15f6d8 --- /dev/null +++ b/secrets/ifrit-backup-passphrase.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 yMjj5g V9rC+0UIZO6GMFXjsoF3qvSkEnc3iHaqsv9yQHg6XWg +lLkAndMDp8blMYJqviD+6H4l2uEqzsP9fsr8sZVCdXk +-> ssh-ed25519 Otklkw ehLzOysl9JmqPb0MuaSwg8MvNnPg44807PGyMsh5hhA +pf8vtXa85gF1XL2Xm1zCaAzDdCaebNFpZC1wm7lnUCg +-> #|)e#-g[-grease +UPUrPqT4ez2irVMxwsVYiAhM6pEaAzWt8RYNWzMtARHsTDLU9J17+x4 +--- rigjthxdwl7djFf8pSoQuZEZfWLsMa0oWLplrQMOe7c +忼 +橖6.=遝 聖踥尵嬱(9 +d里C语V稓噮9緕椳%J曔R覐D_ \ No newline at end of file diff --git a/secrets/ifrit-backup-ssh-key.age b/secrets/ifrit-backup-ssh-key.age new file mode 100644 index 0000000..165e75a Binary files /dev/null and b/secrets/ifrit-backup-ssh-key.age differ 
diff --git a/secrets/pruflas-backup-passphrase.age b/secrets/pruflas-backup-passphrase.age new file mode 100644 index 0000000..fab2fdf --- /dev/null +++ b/secrets/pruflas-backup-passphrase.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 thf/Uw PPtflHayBrV0oWfJQr6RW9nJphdVFI9S5XjI+kmRe1M +fnwzt27PMwUYMqS25Z+0zxouC27KjeXaIbN4dYZPRLA +-> ssh-ed25519 Otklkw Ko14b+XMTZHVXMRN/JrfwTUrZA8ndj7bfaxe4O8/BCY +zRt6bLCbZPhoxKuLDglex2SpDwjUxyP6eKFaHzc0zu0 +-> /:G-grease c5#5Vm+\ KX, +nljmCZ+NP2fbmIjzA/OiL4i4A2+UPRBf3KrXe3C6/lJaxiRggeXqdrucy/lLNjda +Y8emrCT5o7DfryEo3QGUQkPujBgUgYvcB4Q/XlaWaLBcsSnW2D4eZQ +--- SYKRV9hejrBWXgVt8pCRKcTxFNljA2IIFkONLn8+nuo +5J-颡 閜舫c mJ|龈!蕻ˊ耥檯嵿匱]勗=&;5}=9Ё 探y傞 \ No newline at end of file diff --git a/secrets/pruflas-backup-ssh-key.age b/secrets/pruflas-backup-ssh-key.age new file mode 100644 index 0000000..9a5ec8a Binary files /dev/null and b/secrets/pruflas-backup-ssh-key.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..e51cb39 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,20 @@ +let + dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) "; + systems = { + agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos"; + gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon"; + ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos"; + pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKnYOgzxZ4DAeFL88MhIVtNmMEHMQhi/pNJDbwFWOJW root@pruflas"; + surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; + }; + backupSecrets = hostName: { + "${hostName}-backup-passphrase.age".publicKeys = [ systems.${hostName} dadada ]; + "${hostName}-backup-ssh-key.age".publicKeys = [ systems.${hostName} dadada ]; + }; +in +{ } // +backupSecrets "gorgon" // +backupSecrets "ifrit" // +backupSecrets "pruflas" // +backupSecrets "surgat" // +backupSecrets "agares" diff --git a/secrets/surgat-backup-passphrase.age b/secrets/surgat-backup-passphrase.age new file mode 100644 index 0000000..be011a6 --- /dev/null +++ b/secrets/surgat-backup-passphrase.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 jUOjpw U3EPRp3r/aE8kSb+D4kd3F2pJyyPgrG13KvJ4ImavUQ +lsWg2WW/nC9FT0JrZfhXPHcHduPfd+wm/vktSpUbRBY +-> ssh-ed25519 Otklkw +Ic/y3KF0l4/hlFGSRCJEQ+HsK1U9eZusMhSsBuIsDc +QE2W7F9fg49UlX3n0baZVEoq9zsahcEr5oEzOk12FMg +-> +'GD%5-grease |:[SW0@b c 36`)g +rvXcBtMeumpqo2OKg4q5wvvIDkCqlnwbdPEzJSqsEXXI2LenSbV0NM1mVjCXyvvr +4pwDLhQkRnQ3DkftGp3veOluxRLmmg +--- PMICHLb+oVMRdtD93FZyDc6lWL35bjvF1QWJYXhP2IY +`鮲=鬮>县斎m虏潋^澡q5 瘣9欬s畠2╟"J屦绲5[籷R眤j- \ No newline at end of file diff --git a/secrets/surgat-backup-ssh-key.age b/secrets/surgat-backup-ssh-key.age new file mode 100644 index 0000000..8e9d15e --- /dev/null +++ b/secrets/surgat-backup-ssh-key.age 
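Review bot: The recipient keys for `agares` and `ifrit` both carry the comment `root@nixos`, so nothing in this file shows which physical host each came from; since every secret is encrypted only to the host key plus `dadada`, a swap between those two entries would surface only as a decryption failure at activation on the wrong machine. A comment per entry naming the source (e.g. `# ssh_host_ed25519_key.pub of ifrit, collected <date placeholder>`) and a reminder that a reinstalled host needs its secrets re-encrypted with `agenix --rekey` would make the file self-describing. The `{ } // backupSecrets "gorgon" // …` chain could also be `builtins.foldl' (acc: h: acc // backupSecrets h) { } [ "gorgon" "ifrit" "pruflas" "surgat" "agares" ]`, which keeps the host list in one place next to `systems`.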
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 jUOjpw tm81EffU7KnPZZwEg1qy/fNr8leqD2y0oJcR5CWXTCs +Rnby8Wipp9jwYmbc0UskdYMRxYQ4t9Yhxa498Wsn8jc +-> ssh-ed25519 Otklkw q99wMvDcRSZzW5Zu7QtJO9ThlyYKpUBf1Rn9w+j7f2M +3aqp1If/L7Db7ikXwBlqsAbKTdcozDat+on9jQip+Zg +-> t1"Uq-grease WXdB"' +EUhZx0b3UqMCazu+zjPWOfWNs8s+rRWyyZh3TvvvYs5fLNJJzSAfAXbG17zfhHMP +DgBwNaTjSvwhMjqAiBYafAbsIzuwxp4bcZA3jRQ+FMUerwhWhHrw +--- sZ0GULTVh54+TtUY+oOfgicZmiDB6RCavVjWkSR7A7s ++O!p英W?/d"庅%a6逪m籨YW⑴ 勴R J蓔甜臃课?P 2H蠌磾+閫j$0澬SoUB?滣Z'C-K +峤lE(妖D姥乇9楏秒擡K3鲂:O碭 崫R鳛'玬Xt}琈 +A绯镌鰎蝅舨讠zApt傲C穤l4r"3闊肛"3癄橪1EWK厦廄焢踴q遼d陬$饡rI扚i欯鵝瀨l$;繈仉譈E舋灬8岞^< 7G埋%-簴櫌貁浨oVWOE+螔<鉣鐀 <]衦虨l窿鋊P馓慲檽:O&齯*┦8f誳牕沀 7挠才4蟨V聻飒喻"p栠C沛y霨猬5伽哔9@i裩4禋T5ni4硡?顛!鐛 \ No newline at end of file diff --git a/shell.nix b/shell.nix index e2a7c3d..1e70b6f 100644 --- a/shell.nix +++ b/shell.nix @@ -1,5 +1,6 @@ -{ mkShell }: +{ agenix-bin, mkShell }: mkShell { buildInputs = [ + agenix-bin ]; }