diff --git a/checks/backups/flake-module.nix b/checks/backups/flake-module.nix
index c5eb638f4..4ebecbfdd 100644
--- a/checks/backups/flake-module.nix
+++ b/checks/backups/flake-module.nix
@@ -46,6 +46,25 @@ in
 users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+
+ systemd.tmpfiles.settings."vmsecrets" = {
+ "/etc/secrets/borgbackup.ssh" = {
+ C.argument = "${../lib/ssh/privkey}";
+ z = {
+ mode = "0400";
+ user = "root";
+ };
+ };
+ "/etc/secrets/borgbackup.repokey" = {
+ C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+ z = {
+ mode = "0400";
+ user = "root";
+ };
+ };
+ };
+ clanCore.secretStore = "vm";
+
 environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
 environment.etc."install-closure".source = "${closureInfo}/store-paths";
 nix.settings = {
@@ -58,10 +77,7 @@ in
 clanCore.state.test-backups.folders = [ "/var/test-backups" ];
 clan.borgbackup = {
 enable = true;
- destinations.test_backup_server = {
- repo = "borg@server:.";
- rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
- };
+ destinations.test_backup_server.repo = "borg@server:.";
 };
 };
 };
diff --git a/checks/borgbackup/default.nix b/checks/borgbackup/default.nix
index b366e67ea..5c466cc17 100644
--- a/checks/borgbackup/default.nix
+++ b/checks/borgbackup/default.nix
@@ -1,7 +1,7 @@
 (import ../lib/test-base.nix) ({ ... }: {
 name = "borgbackup";
- nodes.machine = { self, ... }: {
+ nodes.machine = { self, pkgs, ... }: {
 imports = [
 self.clanModules.borgbackup
 self.nixosModules.clanCore
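Review bot: The test passphrase `repokey12345` is produced with `pkgs.writeText`, so it sits in the world-readable Nix store before tmpfiles copies it to `/etc/secrets/borgbackup.repokey`, and the `mode = "0400"` on the copy protects nothing; that is fine for a VM check but worth saying at the top of the block so the pattern is not lifted into a real host configuration, e.g. `# test fixture only: passphrase and ssh key come from the Nix store and are not secret`. The same tmpfiles block is duplicated verbatim in the second hunk of checks/borgbackup/default.nix; a shared fixture under checks/lib would keep the two from drifting. Minor style point: the ssh entry uses string interpolation while the repokey entry uses `builtins.toString`, so `C.argument = "${pkgs.writeText "repokey" "repokey12345"}";` would match the line above it.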
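Review bot: With the `rsh` line dropped, `destinations.test_backup_server` now depends on a default `rsh` defined outside this diff, presumably one that points at the key the new `vm` secret store places under `/etc/secrets/borgbackup.ssh`. The removed value also passed `-o StrictHostKeyChecking=no`; unless that default handles the test server's host key in some other way, the run will fail or block at the host-key prompt, so a one-line comment on the destination naming the default it relies on, e.g. `# rsh comes from the module default (vm secret store key)`, would make the dependency explicit. The same removal appears in checks/borgbackup/default.nix.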
@@ -18,21 +18,27 @@
 clanCore.clanDir = ./.;
 clanCore.state.testState.folders = [ "/etc/state" ];
 environment.etc.state.text = "hello world";
- systemd.tmpfiles.settings = {
- "ssh-key"."/root/.ssh/id_ed25519" = {
+ systemd.tmpfiles.settings."vmsecrets" = {
+ "/etc/secrets/borgbackup.ssh" = {
 C.argument = "${../lib/ssh/privkey}";
 z = {
 mode = "0400";
 user = "root";
 };
 };
+ "/etc/secrets/borgbackup.repokey" = {
+ C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+ z = {
+ mode = "0400";
+ user = "root";
+ };
+ };
 };
+ clanCore.secretStore = "vm";
+
 clan.borgbackup = {
 enable = true;
- destinations.test = {
- repo = "borg@localhost:.";
- rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
- };
+ destinations.test.repo = "borg@localhost:.";
 };
 }
 ];
diff --git a/clanModules/borgbackup.nix b/clanModules/borgbackup.nix
index 1af10349c..123b84b3f 100644
--- a/clanModules/borgbackup.nix
+++ b/clanModules/borgbackup.nix
@@ -37,7 +37,6 @@ in
 exclude = [ "*.pyc" ];
 repo = dest.repo;
 environment.BORG_RSH = dest.rsh;
- encryption.mode = "none";
 compression = "auto,zstd";
 startAt = "*-*-* 01:00:00";
 persistentTimer = true;
@@ -45,6 +44,11 @@ in
 set -x
 '';
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
+ };
+
 prune.keep = {
 within = "1d"; # Keep all archives from the last day
 daily = 7;
@@ -57,10 +61,12 @@ in
 clanCore.secrets.borgbackup = {
 facts."borgbackup.ssh.pub" = { };
 secrets."borgbackup.ssh" = { };
- generator.path = [ pkgs.openssh pkgs.coreutils ];
+ secrets."borgbackup.repokey" = { };
+ generator.path = [ pkgs.openssh pkgs.coreutils pkgs.xkcdpass ];
 generator.script = ''
 ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
 mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
+ xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey
 '';
 };
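Review bot: `mode = "repokey"` keeps the repository key inside the repository itself, unlocked by the passphrase that `passCommand` reads from `borgbackup.repokey`, so anyone holding a copy of the repo can attempt offline guessing against that passphrase, and losing the secret leaves every existing archive unreadable; neither consequence is stated at the option, and a comment above `encryption = {` such as `# repokey: key material lives in the repo, unlocked by the generated passphrase; keep the secret backed up or the archives are lost` would cover both. The passphrase produced in the last hunk by `xkcdpass -n 4` is four dictionary words, roughly 50 bits with the default word list, which is on the low side for material that protects data at rest against an offline attacker; a higher word count is free here because nothing ever types it. `cat ${...path}` also interpolates the path unquoted into a shell command, so `passCommand = "cat '${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}'";` is the more robust form. The job definition that holds this `encryption` attribute starts before the hunk.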