add backup secrets to config for hosts

2022-08-07 12:50:07 +02:00 · 2022-08-07 12:50:07 +02:00 · 3fccfe3b67
commit 3fccfe3b67
parent c43341a8b2
25 changed files with 242 additions and 75 deletions
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -1,5 +1,7 @@
+# TODO refactor adapterModule and redundant module config
 { self
 , admins
+, agenixModule
 , nixpkgs
 , nixosSystem
 , home-manager
@ -8,6 +10,7 @@
 , nvd
 , scripts
 , recipemd
+, secretsPath
 ,
 }:
 let
@ -23,17 +26,16 @@ let
      ];
  };
  lib = nixpkgs.lib;
-  adminConfig = users: {
-    dadada.admin.users = lib.getAttrs users admins;
-  };
 in
 {
  gorgon = nixosSystem rec {
    system = "x86_64-linux";
+    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
        (adapterModule system)
+        agenixModule
        nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
        home-manager.nixosModules.home-manager
        {
@ -52,34 +54,38 @@ in
  };
  ifrit = nixosSystem rec {
    system = "x86_64-linux";
+    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
-        (adminConfig [ "dadada" ])
+        agenixModule
        (adapterModule system)
        ./modules/profiles/server.nix
        ./ifrit/configuration.nix
+        ./ifrit/hardware-configuration.nix
      ];
  };

  surgat = nixosSystem rec {
    system = "x86_64-linux";
+    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
-        (adminConfig [ "dadada" ])
        (adapterModule system)
+        agenixModule
        ./modules/profiles/server.nix
        ./surgat/configuration.nix
      ];
  };
  pruflas = nixosSystem rec {
    system = "x86_64-linux";
+    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
-        (adminConfig [ "dadada" ])
        (adapterModule system)
+        agenixModule
        ./modules/profiles/laptop.nix
        ./pruflas/configuration.nix
      ];
@ -87,11 +93,12 @@ in

  agares = nixosSystem rec {
    system = "x86_64-linux";
+    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
-        (adminConfig [ "dadada" ])
        (adapterModule system)
+        agenixModule
        ./modules/profiles/server.nix
        ./agares/configuration.nix
      ];
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -1,6 +1,7 @@
 { config
 , pkgs
 , lib
+, secretsPath
 , ...
 }:
 let
@ -50,10 +51,6 @@ in
      };
      vpnExtension = "3";
    };
-    backupClient = {
-      bs.enable = true;
-      gs.enable = false;
-    };
  };

  boot.kernel.sysctl = {
--- a/nixos/ifrit/configuration.nix
+++ b/nixos/ifrit/configuration.nix
@ -9,71 +9,12 @@ let
    "media.dadada.li"
    "backup0.dadada.li"
  ];
-  backups = "/mnt/storage/backup";
 in
 {
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
  dadada = {
    admin.enable = true;
-    ddns.domains = [
-      "backup0.dadada.li"
-    ];
-  };
-
-  users.users.borg.home = backups;
-  services.borgbackup.repos = {
-    "metis" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/metis";
-      quota = "1T";
-    };
-    "gorgon" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/gorgon";
-      quota = "1T";
-    };
-    "surgat" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/surgat";
-      quota = "50G";
-    };
-    "pruflas" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/pruflas";
-      quota = "50G";
-    };
-    "wohnzimmerpi" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/wohnzimmerpi";
-      quota = "50G";
-    };
-    "fginfo" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/fginfo";
-      quota = "10G";
-    };
-    "fginfo-git" = {
-      allowSubRepos = false;
-      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
-      path = "${backups}/fginfo-git";
-      quota = "10G";
-    };
+    borgServer.enable = true;
+    borgServer.path = "/mnt/storage/backup";
  };

  networking.hostName = "ifrit";
--- a/nixos/modules/backup.nix
+++ b/nixos/modules/backup.nix
@ -19,6 +19,7 @@ with lib; let
    "/sys"
    "/tmp"
    "/var/cache"
+    "/var/lib/machines"
    "/var/log"
    "/var/tmp"
  ];
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -0,0 +1,81 @@
+{ config, lib, admins, ... }:
+let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  cfg = config.dadada.borgServer;
+in
+{
+  options = {
+    dadada.borgServer = {
+      enable = mkEnableOption "Enable Borg backup server";
+      path = mkOption {
+        type = types.path;
+        default = "/var/lib/backup";
+        example = "/mnt/storage/backup";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    dadada.ddns.domains = [
+      "backup0.dadada.li"
+    ];
+
+    users.users.borg.home = cfg.path;
+    services.borgbackup.repos = {
+      "metis" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/metis";
+        quota = "1T";
+      };
+      "gorgon" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/gorgon";
+        quota = "1T";
+      };
+      "surgat" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/surgat";
+        quota = "50G";
+      };
+      "pruflas" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/pruflas";
+        quota = "50G";
+      };
+      "wohnzimmerpi" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/wohnzimmerpi";
+        quota = "50G";
+      };
+      "fginfo" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/fginfo";
+        quota = "10G";
+      };
+      "fginfo-git" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
+        authorizedKeys = admins.dadada.keys;
+        path = "${cfg.path}/fginfo-git";
+        quota = "10G";
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.path} 0750 ${config.users.users.borg.name} ${config.users.users.borg.group} - -"
+    ];
+  };
+}
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,6 +1,7 @@
 { ... } @ inputs: {
  admin = import ./admin.nix;
  backup = import ./backup.nix;
+  borgServer = import ./borg-server.nix;
  ddns = import ./ddns.nix;
  element = import ./element.nix;
  fido2 = import ./fido2.nix;
--- a/nixos/modules/profiles/backup.nix
+++ b/nixos/modules/profiles/backup.nix
@ -0,0 +1,11 @@
+{ config, secretsPath, ... }:
+{
+  dadada.backupClient.bs = {
+    enable = true;
+    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase.path";
+    sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key.path";
+  };
+
+  age.secrets."${config.networking.hostName}-backup-passphrase".file = "${toString secretsPath}/${config.networking.hostName}-backup-passphrase.age";
+  age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${toString secretsPath}/${config.networking.hostName}n-backup-ssh-key.age";
+}
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@ -4,10 +4,16 @@
 , ...
 }:
 with lib; {
+  imports = [
+    ./backup.nix
+  ];
+
  networking.domain = mkDefault "dadada.li";

  services.fwupd.enable = mkDefault true;

+  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
  fonts.fonts = mkDefault (with pkgs; [
    source-code-pro
  ]);
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@ -1,9 +1,16 @@
 { config
+, admins
 , pkgs
 , lib
 , ...
 }:
 with lib; {
+  imports = [
+    ./backup.nix
+  ];
+
+  dadada.admin.users = admins;
+
  networking.domain = mkDefault "dadada.li";
  networking.tempAddresses = "disabled";

--- a/nixos/pruflas/configuration.nix
+++ b/nixos/pruflas/configuration.nix
@ -103,6 +103,7 @@ with lib; {
  };

  networking.domain = "dadada.li";
+  networking.tempAddresses = "disabled";

  users.mutableUsers = true;