password-less ssh for torus and kestrel for backups

2025-02-18 10:47:31 -08:00 · 2024-09-13 18:40:05 -07:00 · 2024-09-13 18:40:05 -07:00 · dcd4f8fb46
commit dcd4f8fb46
parent 9e255080d4
20 changed files with 57 additions and 46 deletions
--- a/home/dot_config/borgmatic.d/private_torus.yaml
+++ b/home/dot_config/borgmatic.d/private_torus.yaml
@ -1,18 +1,28 @@
 source_directories:
-    - .
+    - /engi/apps # Docker containers and data
+    #- /engi/backup # Static files and service dumps
+    #- /home/tstarr/Sync # Syncthing files on Torus

 exclude_patterns:
    - 'code-server/config/*'
    - 'code-server/workspace/*'
    - 'immich/library/*'

-archive_name_format: 'apps-{now}'
+archive_name_format: 'borg-torus-{now}'
 repositories:
    #- path: ssh://user@backupserver/./sourcehostname.borg
    #  label: backupserver
    - path: /engi/backup/borg/borg-apps
      label: local

+before_backup:
+  - echo "Running pre-backup scripts! $(date)" >> /engi/test/test.txt
+  - tree /engi > /engi/backup/tree.txt
+  - stop-docker-containers
+  #- sudo -u gitea backup-dump-gitea
+
+after_backup:
+  - restore-docker-containters
    
 keep_daily: 7
 keep_weekly: 4
--- a/provision/hosts/default/backup.nix
+++ b/provision/hosts/default/backup.nix
@ -1,11 +1,5 @@
 { config, pkgs, user, lib, ... }:
 {
-  # Password-less logins for backup
-  users.users."${user}".openssh.authorizedKeys.keyFiles = [
-    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
-    config.age.secrets."ssh/torus/id_ed25519.pub".path
-  ];
-
  services.borgmatic.enable = true;
  environment.systemPackages = with pkgs; [
    borgbackup # Deduplicating backup program 
--- a/provision/hosts/kestrel/backup.nix
+++ b/provision/hosts/kestrel/backup.nix
@ -0,0 +1,8 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/torus/id_ed25519.pub".path
+  ];
+}
+          
--- a/provision/hosts/torus/backup.nix
+++ b/provision/hosts/torus/backup.nix
@ -0,0 +1,8 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
+  ];
+}
+          
--- a/provision/hosts/torus/configuration.nix
+++ b/provision/hosts/torus/configuration.nix
@ -9,6 +9,7 @@
    ./home-assistant
    ./gitea.nix
    ./nextcloud.nix
+    ./backup.nix
  ];

  # Use normal kernel
--- a/provision/modules/system/backup.nix
+++ b/provision/modules/system/backup.nix
@ -1,9 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.system.backup;
-in {
-  options.modules.system.backup.enable = lib.mkEnableOption "backup";
-  config = lib.mkIf cfg.enable {
-  };
-
-}
--- a/provision/modules/system/default.nix
+++ b/provision/modules/system/default.nix
@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./backup.nix ./terminal.nix ./wireguard-client.nix ];
+  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
 }
--- a/provision/secrets/emu/switch/prod.keys.age
+++ b/provision/secrets/emu/switch/prod.keys.age
--- a/provision/secrets/emu/switch/title.keys.age
+++ b/provision/secrets/emu/switch/title.keys.age
--- a/provision/secrets/git/gitea-runner-1.age
+++ b/provision/secrets/git/gitea-runner-1.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Fz/sQw VMO7Bf8TC+D8W8+NdPFMixkcU2b4uz4DSf6Zx9aU4iU
-DzvAcsQvylSrTLDOfKppfPz5nWIobeKSJpU4F16s1L8
-> ssh-ed25519 47GzQA 2rBejKxWVg+epKWeIpfiQOFmeX+7AGXVLccLtJYDHwk
-dQiRj9XXxalBtypbLBB5h3zht22FTpWAGtUt8sfW+Vo
-> ssh-ed25519 wcI7nQ ZRNWo76nAjRB4uXL+53nigH0AcoC8PoK4swkECOQBDo
-EchMzDePnEc1gEBBJOWfySem1GMKTQxZ7ZOQPlM9kGg
--- 2SXiHLzyN/kLfeuju2Sv37lZ6ZSOc1rBsE44zioTo70
-‚Ž'đ-Ńč¤ź‡5ˇ`î3GMłhCHőŔÔU+?ŠP'‰>~Ž&“j}•ą
-ŇßÔ‡ŽőîüFtąźÄsź˘˛&7"
+-> ssh-ed25519 Fz/sQw eWmbN5fQHK2Af4PsSY24Yo4rviqcMc1841KZEdn/ezQ
+/N3I6mOuUShNlzr2c/TnB6ax6TtkrFJQxFIaJ4STrXQ
+-> ssh-ed25519 47GzQA 7ut3vn6lXxz58Tj/OXWuueqaxRGckhpVj4Z/N8b34XU
+SBecD52O2UsCOOLQrxA/+E7VcXOj88Sdg0yA+i7bQ7s
+-> ssh-ed25519 wcI7nQ isqztqV9KZjY/CUW4+I2yHfCeZmo2IKG9g5lfQkB/V4
+ppd2WJLTLyoEp5bS+oP6bT2gVkc+J3e7tlInx5326d4
+--- 4n4s3HSUR089Q2VqEmoxUnqrhlZ+cSvl9FXvrwTAkqc
+Ççc)¼ù?à‹÷ÿ7»2,g‘õ™Ñ… Mc’1ü&éûÍH’€–—_‹®!¶g.[»•eTs%’ÅóløFÐ´®]
--- a/provision/secrets/git/github_personal.age
+++ b/provision/secrets/git/github_personal.age
--- a/provision/secrets/nextcloud/password.age
+++ b/provision/secrets/nextcloud/password.age
--- a/provision/secrets/secrets.nix
+++ b/provision/secrets/secrets.nix
@ -18,8 +18,8 @@ in
  "git/gitea-runner-1.age".publicKeys = systems;
  "nextcloud/password.age".publicKeys = systems;
  "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
-  "ssh/kestrel/id_ed25519.pub.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+  "ssh/kestrel/id_ed25519.pub.age".publicKeys = users ++ systems;
  "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
-  "ssh/torus/id_ed25519.pub.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = users ++ systems;
 }

--- a/provision/secrets/ssh/kestrel/id_ed25519.age
+++ b/provision/secrets/ssh/kestrel/id_ed25519.age
--- a/provision/secrets/ssh/kestrel/id_ed25519.pub.age
+++ b/provision/secrets/ssh/kestrel/id_ed25519.pub.age
--- a/provision/secrets/ssh/torus/id_ed25519.age
+++ b/provision/secrets/ssh/torus/id_ed25519.age
--- a/provision/secrets/ssh/torus/id_ed25519.pub.age
+++ b/provision/secrets/ssh/torus/id_ed25519.pub.age
--- a/provision/secrets/wireguard/bulwark.age
+++ b/provision/secrets/wireguard/bulwark.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 Fz/sQw iahBnonr/ERKTaFJtfCCZMRyFGl1IkXkROjk8Pz5A1s
-TSgBmEB4WNl48drZwBU22oN8+rtFBroFn0sjRjEcd9I
-> ssh-ed25519 47GzQA U3FTe966MQRbXEygRGrsX02oIPHoo8WZR8ZKMxReklU
-YPJLdklpM7ruHes7rJbdvNWoajR9ae/DWiAd5x0OP7g
-> ssh-ed25519 wcI7nQ b8xHvJrZ7DGaPLI0Z+JEgWxRJRLI8y8BR90xCI5fazk
-Fx1kHtWXQ5Z+teARWKoRpN8QtPBbrhACc1WEhOisgBs
--- hbYewYLVVD3sY1BGgc7IRn2SegmQJdQU2uIc8vkUdgA
-]×f5‘{‹9ãjö9©œŠÀO¨ -É¬l×4ÎÞÎå…ûÍã¡1óÃe#šSÈÊ‹ö‘¬ÜT[ºÉ(h[@sÈ÷&™¿
-›^pU
+-> ssh-ed25519 Fz/sQw ahzp1uO9sWV9W3OACxPd4tN6SRpJi9PbKbdzruPFvxA
+OeKlZx5L8EEUpKb6kxS33cwTIxwskNiajvSYV1PVzXY
+-> ssh-ed25519 47GzQA adIA4CJ5oswd6MODdR5LSQ9uHI+aD6wyxoRueK5Wrk0
+21CvXBrll3Lw+VTMpdxUePr58XjZQH0h6W9U2zKZ6DM
+-> ssh-ed25519 wcI7nQ f3p3SYJM3pTqYMz2NoajEHqUqKmKs+FM+taI1rpqqzM
+PmeupVlX1nRFt3DkPMrx6o2oEtWoc+si2Flwd22D0Vw
+--- dxk5xXqB72nPhxw46T6rChktRllWaPqJp4XTTi3IBpU
+K ].‡ç©ƒY„,‰Ùâ} ¸Áxÿâfˆ…Ò²!f”×Ú´G½#˜¯*EòÎ‘6l;cMp.¯âí<C3A2>q˜þ½Ÿ÷AW‰8¨éEFñ
--- a/provision/secrets/wireguard/kestrel.age
+++ b/provision/secrets/wireguard/kestrel.age
--- a/provision/secrets/wireguard/torus.age
+++ b/provision/secrets/wireguard/torus.age
@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 Fz/sQw AXkkcwVYwCwvjyDqWhXtSQSepgVJmboLyXkOfpL5QA4
-kLMo6pp+8gvatCkIWRrRDxAIvPsFe5S79K3bb2gG/LA
-> ssh-ed25519 47GzQA FCQoB9UG6NoTzPWh8W0YtE3MpP5TYLirH/WtZYCxnTs
-YuFjvJybPaI4mflQc8vxIfEoswbXG1s8CPD9rgmJ0ZA
-> ssh-ed25519 wcI7nQ PXgOnNP1HAZ5cEtZbxs6SFhqfqN1NLKMsuh4gMPEkzI
-xZqOgjDSqqWQNz+hXT9jExKTXJqhDNB2rxmHj47Bue4
--- GNwc1tnzwsYP6WPTCzMtyYJySfdXONBjAd0eFlZrEQg
-Q!S.kl÷jńfH¶ź‘feM+.	R[yäe$›ŚµńĐní(>Ř„š#©\5ńŢ
,,EŞo¦çe =—Áŕóţ+•ęK«@ĂË
+-> ssh-ed25519 Fz/sQw sTJYlfFdSBl+xqi0+Yysl6NNWH8IABznrbF1MLi8p0c
+xp0OvKeTPOK7CEUlPJOF9ZT3G55jYzGx/KI311YXzIM
+-> ssh-ed25519 47GzQA Dc5kR+oUGLMcL5V+ul8NQTw4xr/ihd4qItpwlVDcLj8
+RZFPMVRFxBaosGvXRLcJA8gLIeaI8i2QIWflcsHY8uQ
+-> ssh-ed25519 wcI7nQ 1lgpi/CuZpYLgjEnWYBD/2x5EMfPLfyR+9xJVqbfGEc
+wmzNKHObcWs9tbU8nIZ6/iP3cJKusAIRwsoPnszxdbM
+--- BAh4R0xMUi7v8eoI6R9aW5YHbGULsZR+lBw6JnGKsbQ
+
+魺稩3<E7A8A9>S脍镶H璇|v贩假际鴎稾斩l舖ㄈ<E88896>廭b<>V圁C湉gM廤i蕜z;狢|鞄詧桘琓}?fr