From 9bec6270ef0562342ada4d8912f7b41d4065f100 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Fri, 1 Dec 2023 22:22:43 +0800
Subject: [PATCH] calcite: add restic

---
 machines/calcite/configuration.nix | 18 +++++++++---
 machines/calcite/secrets.yaml | 31 ++++++++++++++++++++
 machines/restic.nix | 47 ++++++++++++++++++++++++++++++
 machines/secrets.yaml | 4 +--
 machines/sops.nix | 3 ++
 5 files changed, 97 insertions(+), 6 deletions(-)
 create mode 100644 machines/restic.nix

diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 7fec3e2..d19bcd0 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -7,6 +7,7 @@
 ./hardware-configuration.nix
 ./network.nix
 ../sops.nix
+../restic.nix
 ];
 
 # Bootloader.
@@ -174,9 +175,9 @@
 android-studio
 
 # Gnome tweaks
-gnomeExtensions.dash-to-dock
-gnomeExtensions.tray-icons-reloaded
 gnomeExtensions.paperwm
+gnomeExtensions.search-light
+gnomeExtensions.tray-icons-reloaded
 gnome.gnome-tweaks
 
 gthumb
@@ -235,11 +236,20 @@
 nix.extraOptions = ''
 !include "${config.sops.secrets.github_public_token.path}"
 '';
-sops = {
-secrets.github_public_token = {
+
+sops.secrets = {
+restic_repo_calcite_password = {
 owner = "xin";
+sopsFile = ./secrets.yaml;
+};
+restic_repo_calcite = {
+owner = "xin";
+sopsFile = ./secrets.yaml;
 };
 };
+custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
+custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
+
 # MTP support
 services.gvfs.enable = true;
 
diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml
index e69de29..8e918b4 100644
--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
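Review bot: In the `sops.secrets` block both restic secrets get `owner = "xin";`, which hands the repository password — and the repository string, which for remote backends can carry access credentials — to the interactive user, although the `remotebackup` job declared in restic.nix sets no `user` and so, under the NixOS default, runs as root and can read a root-owned 0400 secret without this grant. That password is the only thing standing between anyone who reaches the repository and a full copy of /home and /var/lib, so it should not be readable from an unprivileged login. Unless restic is also run by hand as xin (nothing in this patch does that), drop the two `owner = "xin";` lines and keep sops-nix's root:root default; if the manual use case is real, record it in a comment next to the grant, e.g. `# readable by xin for interactive restic restores`.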
@@ -0,0 +1,31 @@ +restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] +restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMDdkc2RUVlR5aEFtZ01l + d3EzaG9RNFd1QTVrNFIrZlJmOXNVWG1jRFJNCnFqL2VrUFljdGdGMW02RnJkNGxm + dmhUS0pMOURyWWkyVlp1UDQ5ZG11U2cKLS0tIDBiNnI0Qm5QN04zQ3NpTVMzNGpY + eFlOKzdGa0FRZ0R5Um12bUE2T0ZzbHMK62B0QniOnaUKLGrrRV934PqbCbUKtK3u + hN+53kRiitkL1gmaGqRbfu4FMns9VPKdoyfECcJ39HyScl9ZEj8mMw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycTBkMWlWMncybUFraS9R + ZWFjOGdDRlFLV2RlZHVFSEhMdExaekJWMFQwCk5hbFJhQ3cvbG9qdERnbFhLTnFs + NXQvcndjNHBMdk1XOTYydVlDMzk0Y0UKLS0tIGpLM20zTnREdllxRlc1SnJEVFBZ + WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g + FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-30T16:43:19Z" + mac: ENC[AES256_GCM,data:U3TilLQvxM01gwIkBM4vT53JRBiE4VBOC0T6dxLjZ9btVMEhGp3MNQMRK0I06JP/vm532/oOTh/No/AwdzOpXxlfNY/hxxij03v83cZraSy8eT53uFV2TfU9HELVmmItqV2rJ96jBvCIzZJ+uif1OwIefcU+ii/MC333sW5DL1A=,iv:9pKUp08MPtECxUE3gxud/4220RsJ/d+xOFljntOdxfo=,tag:vvFpZRDoIz4NGll5XxRhAg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/restic.nix b/machines/restic.nix new file mode 100644 index 0000000..1e8c763 --- /dev/null +++ b/machines/restic.nix 
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.custom.restic;
+in
+{
+options = {
+custom.restic = {
+repositoryFile = lib.mkOption {
+type = lib.types.str;
+default = "";
+};
+passwordFile = lib.mkOption {
+type = lib.types.str;
+default = "";
+};
+};
+};
+config = {
+services.restic.backups = {
+remotebackup = {
+repositoryFile = cfg.repositoryFile;
+passwordFile = cfg.passwordFile;
+paths = [
+"/home"
+"/var/lib"
+];
+exclude = [
+"/home/*/.cache"
+"/home/*/.cargo"
+"/home/*/.local/share/Steam"
+"/home/*/.local/share/flatpak"
+];
+timerConfig = {
+OnCalendar = "00:05";
+RandomizedDelaySec = "5h";
+};
+pruneOpts = [
+"--keep-daily 7"
+"--keep-weekly 5"
+"--keep-monthly 12"
+"--keep-yearly 75"
+];
+};
+};
+};
+}
+
diff --git a/machines/secrets.yaml b/machines/secrets.yaml
index 57fbeb6..d868166 100644
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@@ -49,8 +49,8 @@ sops:
 TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
 naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2023-11-25T11:52:08Z"
-mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str]
+lastmodified: "2023-11-30T16:23:27Z"
+mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/machines/sops.nix b/machines/sops.nix
index 96ac399..21a89c2 100644
--- a/machines/sops.nix
+++ b/machines/sops.nix
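Review bot: `repositoryFile` and `passwordFile` are declared as `lib.types.str` with `default = ""`, and the `config` block registers `services.restic.backups.remotebackup` unconditionally, so a host that imports this module without setting `custom.restic.*` evaluates cleanly and then fails every night when the timer fires with an empty repository path — a silent loss of backups instead of a build-time error. Making both options `nullOr` with `default = null`, gating the job on them and adding `description`s turns the module into an explicit opt-in and documents what each file must hold. Two further facts deserve a comment in the module: under the NixOS default the job runs as root and snapshots all of `/home`, which will typically sweep users' SSH/age/GPG private keys into the repository (acceptable only while the repository password stays root-only, since restic's client-side encryption is then the sole protection), and no `initialize` option is set, so the repository has to exist before the first run.

```nix
options.custom.restic = {
  repositoryFile = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = "File holding the restic repository location; read by the service at run time, never at eval time.";
  };
  passwordFile = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = "File holding the restic repository password.";
  };
};
# Register the nightly root-run job only once both files have been provided.
config = lib.mkIf (cfg.repositoryFile != null && cfg.passwordFile != null) {
  # … unchanged: services.restic.backups.remotebackup definition …
};
```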
@@ -6,6 +6,9 @@
 # TODO: How to generate this key when bootstrap?
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 secrets = {
+github_public_token = {
+owner = "xin";
+};
 clash_subscription_link = {
 owner = "root";
 };
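Review bot: `github_public_token` moves from calcite's own configuration into the shared `machines/sops.nix`, whose secrets apparently come from the shared `machines/secrets.yaml` (its MAC is re-signed in this same commit), so every host importing this module now decrypts a GitHub token it may have no use for and needs a local user `xin` for `owner` to resolve — while the same commit shows the host-scoped pattern for the restic secrets, kept in `machines/calcite/secrets.yaml` via `sopsFile = ./secrets.yaml;`. If only calcite consumes the token (its `nix.extraOptions` `!include` is the only reader visible here), keep the entry in `machines/calcite/configuration.nix` as `github_public_token = { owner = "xin"; sopsFile = ./secrets.yaml; };` and re-encrypt the value into that file. If the move is deliberate because other hosts need it, a one-line comment above the entry, e.g. `# shared: consumed by nix.extraOptions on every host`, would make the intended scope explicit.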