diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix index 2f90fdd..946898d 100644 --- a/machines/deedee/configuration.nix +++ b/machines/deedee/configuration.nix @@ -34,18 +34,22 @@ _: rec { local = { enable = true; location = "/mnt/backup"; + passFileSopsSecret = "backups/restic/local/password"; }; remotes = [ { name = "borgbase-eu"; - repositoryFileSopsSecret = "backups/restic/repo-borgbase-eu"; + location = "rest:https://pyif3th7.repo.borgbase.com"; + envFileSopsSecret = "backups/restic/repo-borgbase-eu/env"; + passFileSopsSecret = "backups/restic/repo-borgbase-eu/password"; } { name = "borgbase-us"; - repositoryFileSopsSecret = "backups/restic/repo-borgbase-us"; + location = "rest:https://p51to40o.repo.borgbase.com"; + envFileSopsSecret = "backups/restic/repo-borgbase-us/env"; + passFileSopsSecret = "backups/restic/repo-borgbase-us/password"; } ]; - passFileSopsSecret = "backups/restic/password"; }; disks = { diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml index 2f727fd..3927fce 100644 --- a/machines/deedee/secrets.sops.yaml +++ b/machines/deedee/secrets.sops.yaml @@ -3,9 +3,14 @@ alerts: env: ENC[AES256_GCM,data:rVa16yLOOc+bJyBNSe+FpuC0+OJrQSjr6duIHQ88XWxpZN4/4mgfu4g78NyTELAEmv1qKrXCXjVhltqU/1gY809lGB14Y62x4gaKKqiXHZzJIfejwRaXUalYHD6zp58WVA==,iv:NIiov8DHS99ML4kY+6uyMOxSM6jgCrqIicYm/E0Fb7A=,tag:cj5lcNJT9n1Y34I+gKsgbw==,type:str] backups: restic: - password: ENC[AES256_GCM,data:YrJJQi7v4OIuQjJX3FebRsDKm5hrKbRjWqUeWBvk2oKpjWpS7svjvQ==,iv:dLOe0HezZDdSd2OFgu/jH14JTP6Y02VlIM1VUkR5XMI=,tag:LDfBmTJOKdsTYF8q5Q6kfQ==,type:str] - repo-borgbase-eu: ENC[AES256_GCM,data:YKk09bwUOfIkvmh/2+VIFkns3LbP/uGhJT7HVlOYiV3SljSWXsZAia3WOIKwzEgLKd7GOofs6VGDVLvg0cZugqo=,iv:57K5mzs7fscimmeDF4qRq1qIF/yD12ZDat6kY3BLkbA=,tag:k/A8f1/3lMDl5S8DtEw5ew==,type:str] - repo-borgbase-us: ENC[AES256_GCM,data:7NYfU03rKk0+rS7naXBpIALdb0z/lv9GgQ5JfsNDlQp11CGl8cS6/2qFIZquytUjlyMFYub/BU/3asz9wrhZJ/g=,iv:s1PnGz1zXhSO5Mfrwg6CIj/C1dhIq9p6ECTljiPO3HE=,tag:gbMklOOJmb4PKACDv3l+FQ==,type:str] + local: + password: ENC[AES256_GCM,data:IZ2XMBv1OzOLtmuie78WuxUk6c/l1IJ95YOlfZ/VjsgVgD9dtMY7hw==,iv:8YzImyu6/VzMVL0sCupRYm1AahkO1v/KVKwX8LzY8Bo=,tag:yOkdnA4GvsvHwodKNHRCtw==,type:str] + repo-borgbase-eu: + password: ENC[AES256_GCM,data:cnw4mvjDo28REbUAotxfNBbVR18NemXoUz2bBiUd275bE6M2WSgxzQ==,iv:llyLuGfl8KQqXGnasbSYlO1dGlhp6+zxcweiAH4FIRY=,tag:iNw8riEIZ8PFNovRwKsPHA==,type:str] + env: ENC[AES256_GCM,data:Qj7HipyHBVqicL5SVhlEdxzyXh8ikUaVOIflsBuwl0DvV98c19ZRzHR0eZMskpGlEw2t42V2RLnt/f7Cx0E+DOyrzmE=,iv:BDvljzj4TU/ulTeXEDfSh0ANxIwISK32wEKKsxWV6iU=,tag:BgXleTABhgy1p5ZoZs0f9Q==,type:str] + repo-borgbase-us: + password: ENC[AES256_GCM,data:YYlKf8OG2OiRiiHpGynSp1qW0bcdI61LmyH0Le/QJjf5l80fYbV+Aw==,iv:wLi6ABP8PXCwOIoyqMDiqqhmHYGWKv6BFvFEP3p2goI=,tag:zr1YTnwbPJK6v3bAGnErbA==,type:str] + env: ENC[AES256_GCM,data:2B8oEKfW5CwnLbzTtO5VEI5qlbAFqDVZMFsc7NwpntEAcYqaJA6Y/SpS9EgH9d0WoYvjIdbpI5CvA3VYb4MzcssuY60=,iv:dmWNwpdRnUztKD1v+BlUe5o6a7j8JBzOzcjJBF6u0SI=,tag:ACaOTd9dWjX8qPRA5QpuAg==,type:str] credentials: github: access-token-nix-config: ENC[AES256_GCM,data:etHhyYvskH3UgviTjOzmdCxRytfMNG5k7XujVWDB8xuv+eW7OLmqJfk+ptjFCX8/kIArWNZYMA20shGiO68Z11oDhzkT+BLKoxs5DjAgVJSV+Us+XhgWTS7z5PlfZmYbvkTom5Awai0ZcyZXf9V25QaOGAlQ6/Kb,iv:F3sjnEa5K6jGDVotoe4y3UcLvkgTeEyby1ms28gCS8g=,tag:cnQepz88qWRgQ3FgT/sykQ==,type:str] @@ -111,8 +116,8 @@ sops: c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-27T21:39:43Z" - mac: ENC[AES256_GCM,data:6V9pkQ5LOIOjbosi4lwLRMoXj/aJz04F4HWXY6HeBWdp/OLI6o5IvYJaQcKWPnClvffTUOwQyo0KgkcNPRFxVJO7AVb9l6vzRXz1cdIlxd8Bst9KEO8vswAHY8tEj9LwvE0PqBhCuveIrlKZjeU89GKnQOikTVCx7kvUcqdAf+U=,iv:6BnO0ty6V0n7Osh/vJJ7Ega12/itISw5T3c0utRurcg=,tag:qC/JO6H/3W7n5SeQkGTFOg==,type:str] + lastmodified: "2024-10-28T17:41:51Z" + mac: ENC[AES256_GCM,data:W2USP96yAxaDFl/pTcA/3Ma3ASIaU9UInCDsZ/A6TrjWl+sMAWTphfEfkNy4mh8O3YjwxNGhABLR5CjQsgYmsyfzjR5h2OOZeVlXCG0AofD8ATVZN2mtAGAaX5oyKYBZ/HllzR2z4GTC4BayJFETpGsOgLDWKo9Ebur6f5XYg5U=,iv:58Vsas7dACW7EU0Wet4uBKuT1fA4UdpEtOA+3iVVzz4=,tag:TbAT20VTvrtC1AI4S9zdyg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/backup.nix b/modules/system/backup.nix index 7410267..d30fa9c 100644 --- a/modules/system/backup.nix +++ b/modules/system/backup.nix @@ -15,6 +15,10 @@ in type = lib.types.str; description = "Location for local backups."; }; + passFileSopsSecret = lib.mkOption { + type = lib.types.str; + description = "Sops secret name containing local restic backups password."; + }; }; remotes = lib.mkOption { type = lib.types.listOf ( @@ -24,9 +28,17 @@ in type = lib.types.str; description = "Remote repository alias for restic."; }; - repositoryFileSopsSecret = lib.mkOption { + location = lib.mkOption { + type = lib.types.str; + description = "Location for remote backups."; + }; + envFileSopsSecret = lib.mkOption { + type = lib.types.str; + description = "Sops secret name containing remote restic repository envs."; + }; + passFileSopsSecret = lib.mkOption { type = lib.types.str; - description = "Sops secret name containing remote restic repository url."; + description = "Sops secret name containing remote restic backups password."; }; }; } @@ -37,10 +49,6 @@ in description = "Location for snapshot mount."; default = "/mnt/backup-snapshot"; }; - passFileSopsSecret = lib.mkOption { - type = lib.types.str; - description = "Sops secret name containing restic backups password."; - }; }; config = lib.mkIf (cfg.local.enable || (builtins.length cfg.remotes > 0)) { @@ -58,11 +66,17 @@ in sops.secrets = { - "${cfg.passFileSopsSecret}" = { }; + "${cfg.local.passFileSopsSecret}" = { }; } // builtins.listToAttrs ( builtins.map (remote: { - name = remote.repositoryFileSopsSecret; + name = remote.passFileSopsSecret; + value = { }; + }) cfg.remotes + ) + // builtins.listToAttrs ( + builtins.map (remote: { + name = remote.envFileSopsSecret; value = { }; }) cfg.remotes ); diff --git a/modules/system/containers/firefly-iii/default.nix b/modules/system/containers/firefly-iii/default.nix index 42078d6..229a7a9 100644 --- a/modules/system/containers/firefly-iii/default.nix +++ b/modules/system/containers/firefly-iii/default.nix @@ -93,7 +93,7 @@ in host = "firefly"; proxyPass = "http://firefly-iii.docker:8080"; }; - postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly-iii" ]; }; + postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly" ]; }; }; systemd = { diff --git a/modules/system/containers/mail-archive/dovecot.nix b/modules/system/containers/mail-archive/dovecot.nix index 953d326..cf5828a 100644 --- a/modules/system/containers/mail-archive/dovecot.nix +++ b/modules/system/containers/mail-archive/dovecot.nix @@ -28,6 +28,7 @@ in extraOptions = [ "--cap-add=CAP_CHOWN" "--cap-add=CAP_FSETID" + "--cap-add=CAP_KILL" "--cap-add=CAP_SETGID" "--cap-add=CAP_SETUID" "--cap-add=CAP_SYS_CHROOT" diff --git a/modules/system/containers/paperless-ngx/paperless-ngx.nix b/modules/system/containers/paperless-ngx/paperless-ngx.nix index 393ff8b..a2c4431 100644 --- a/modules/system/containers/paperless-ngx/paperless-ngx.nix +++ b/modules/system/containers/paperless-ngx/paperless-ngx.nix @@ -91,7 +91,7 @@ in object-src 'self'; ''; }; - postgresqlBackup = lib.mkIf cfg.backup { databases = [ "paperless-ngx" ]; }; + postgresqlBackup = lib.mkIf cfg.backup { databases = [ "paperless" ]; }; restic.backups = lib.mkIf cfg.backup ( svc.mkRestic { name = "paperless-ngx"; diff --git a/modules/system/lib.nix b/modules/system/lib.nix index a2dac2e..93bea6f 100644 --- a/modules/system/lib.nix +++ b/modules/system/lib.nix @@ -201,7 +201,6 @@ # ${lib.getExe pkgs.restic} unlock --remove-all || true ''; - passwordFile = config.sops.secrets."${config.mySystem.backup.passFileSopsSecret}".path; # Move the path to the zfs snapshot path includePaths = map (path: "${config.mySystem.backup.snapshotMountPath}/${path}") paths; @@ -214,11 +213,11 @@ timerConfig initialize backupPrepareCommand - passwordFile ; paths = includePaths; exclude = excludePaths; + passwordFile = config.sops.secrets."${config.mySystem.backup.local.passFileSopsSecret}".path; repository = "${config.mySystem.backup.local.location}/${name}"; }; @@ -233,12 +232,13 @@ timerConfig initialize backupPrepareCommand - passwordFile ; paths = includePaths; exclude = excludePaths; - repositoryFile = config.sops.secrets."${remote.repositoryFileSopsSecret}".path; + passwordFile = config.sops.secrets."${remote.passFileSopsSecret}".path; + repository = "${remote.location}/${name}"; + environmentFile = config.sops.secrets."${remote.envFileSopsSecret}".path; }; }) config.mySystem.backup.remotes );