encrypt backups by default

2024-02-22 14:50:07 +01:00
parent a1e2a4f64a
commit 81fc60eef8
3 changed files with 41 additions and 13 deletions
--- a/clanModules/borgbackup.nix
+++ b/clanModules/borgbackup.nix
@@ -37,7 +37,6 @@ in
        exclude = [ "*.pyc" ];
        repo = dest.repo;
        environment.BORG_RSH = dest.rsh;
-        encryption.mode = "none";
        compression = "auto,zstd";
        startAt = "*-*-* 01:00:00";
        persistentTimer = true;
@@ -45,6 +44,11 @@ in
          set -x
        '';

+        encryption = {
+          mode = "repokey";
+          passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
+        };
+
        prune.keep = {
          within = "1d"; # Keep all archives from the last day
          daily = 7;
@@ -57,10 +61,12 @@ in
    clanCore.secrets.borgbackup = {
      facts."borgbackup.ssh.pub" = { };
      secrets."borgbackup.ssh" = { };
-      generator.path = [ pkgs.openssh pkgs.coreutils ];
+      secrets."borgbackup.repokey" = { };
+      generator.path = [ pkgs.openssh pkgs.coreutils pkgs.xkcdpass ];
      generator.script = ''
        ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
        mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
+        xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey
      '';
    };