password-less ssh for torus and kestrel for backups

home/dot_config/borgmatic.d/private_torus.yaml

@@ -1,18 +1,28 @@
 source_directories:
-    - .
+    - /engi/apps # Docker containers and data
+    #- /engi/backup # Static files and service dumps
+    #- /home/tstarr/Sync # Syncthing files on Torus
 
 exclude_patterns:
     - 'code-server/config/*'
     - 'code-server/workspace/*'
     - 'immich/library/*'
 
-archive_name_format: 'apps-{now}'
+archive_name_format: 'borg-torus-{now}'
 repositories:
     #- path: ssh://user@backupserver/./sourcehostname.borg
     #  label: backupserver
     - path: /engi/backup/borg/borg-apps
       label: local
 
+before_backup:
+  - echo "Running pre-backup scripts! $(date)" >> /engi/test/test.txt
+  - tree /engi > /engi/backup/tree.txt
+  - stop-docker-containers
+  #- sudo -u gitea backup-dump-gitea
+
+after_backup:
+  - restore-docker-containters
     
 keep_daily: 7
 keep_weekly: 4

provision/hosts/default/backup.nix

@@ -1,11 +1,5 @@
 { config, pkgs, user, lib, ... }:
 {
-  # Password-less logins for backup
-  users.users."${user}".openssh.authorizedKeys.keyFiles = [
-    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
-    config.age.secrets."ssh/torus/id_ed25519.pub".path
-  ];
-
   services.borgmatic.enable = true;
   environment.systemPackages = with pkgs; [
     borgbackup # Deduplicating backup program 

provision/hosts/kestrel/backup.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/torus/id_ed25519.pub".path
+  ];
+}
+          

provision/hosts/torus/backup.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
+  ];
+}
+          

provision/hosts/torus/configuration.nix

@@ -9,6 +9,7 @@
     ./home-assistant
     ./gitea.nix
     ./nextcloud.nix
+    ./backup.nix
   ];
 
   # Use normal kernel

provision/modules/system/backup.nix

@@ -1,9 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.system.backup;
-in {
-  options.modules.system.backup.enable = lib.mkEnableOption "backup";
-  config = lib.mkIf cfg.enable {
-  };
-
-}

provision/modules/system/default.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./backup.nix ./terminal.nix ./wireguard-client.nix ];
+  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
 }

provision/secrets/git/gitea-runner-1.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw VMO7Bf8TC+D8W8+NdPFMixkcU2b4uz4DSf6Zx9aU4iU
+-> ssh-ed25519 Fz/sQw eWmbN5fQHK2Af4PsSY24Yo4rviqcMc1841KZEdn/ezQ
-DzvAcsQvylSrTLDOfKppfPz5nWIobeKSJpU4F16s1L8
+/N3I6mOuUShNlzr2c/TnB6ax6TtkrFJQxFIaJ4STrXQ
--> ssh-ed25519 47GzQA 2rBejKxWVg+epKWeIpfiQOFmeX+7AGXVLccLtJYDHwk
+-> ssh-ed25519 47GzQA 7ut3vn6lXxz58Tj/OXWuueqaxRGckhpVj4Z/N8b34XU
-dQiRj9XXxalBtypbLBB5h3zht22FTpWAGtUt8sfW+Vo
+SBecD52O2UsCOOLQrxA/+E7VcXOj88Sdg0yA+i7bQ7s
--> ssh-ed25519 wcI7nQ ZRNWo76nAjRB4uXL+53nigH0AcoC8PoK4swkECOQBDo
+-> ssh-ed25519 wcI7nQ isqztqV9KZjY/CUW4+I2yHfCeZmo2IKG9g5lfQkB/V4
-EchMzDePnEc1gEBBJOWfySem1GMKTQxZ7ZOQPlM9kGg
+ppd2WJLTLyoEp5bS+oP6bT2gVkc+J3e7tlInx5326d4
---- 2SXiHLzyN/kLfeuju2Sv37lZ6ZSOc1rBsE44zioTo70
+--- 4n4s3HSUR089Q2VqEmoxUnqrhlZ+cSvl9FXvrwTAkqc
-‚Ž'đ-Ń褟‡5ˇ`î3GMłhCHőŔÔU+?ŠP'‰>~Ž&“j}•­ą
+Ççc)¼ù?à‹÷ÿ7»2,g‘õ™Ñ… Mc’1ü&éûÍH’€–—_‹®!¶g.[»•eTs%’Åó­løFд®]
-ŇßÔ‡ŽőîüFtąźÄsź˘˛&7"

provision/secrets/secrets.nix

@@ -18,8 +18,8 @@ in
   "git/gitea-runner-1.age".publicKeys = systems;
   "nextcloud/password.age".publicKeys = systems;
   "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
-  "ssh/kestrel/id_ed25519.pub.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+  "ssh/kestrel/id_ed25519.pub.age".publicKeys = users ++ systems;
   "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
-  "ssh/torus/id_ed25519.pub.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = users ++ systems;
 }
 

provision/secrets/wireguard/bulwark.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw iahBnonr/ERKTaFJtfCCZMRyFGl1IkXkROjk8Pz5A1s
+-> ssh-ed25519 Fz/sQw ahzp1uO9sWV9W3OACxPd4tN6SRpJi9PbKbdzruPFvxA
-TSgBmEB4WNl48drZwBU22oN8+rtFBroFn0sjRjEcd9I
+OeKlZx5L8EEUpKb6kxS33cwTIxwskNiajvSYV1PVzXY
--> ssh-ed25519 47GzQA U3FTe966MQRbXEygRGrsX02oIPHoo8WZR8ZKMxReklU
+-> ssh-ed25519 47GzQA adIA4CJ5oswd6MODdR5LSQ9uHI+aD6wyxoRueK5Wrk0
-YPJLdklpM7ruHes7rJbdvNWoajR9ae/DWiAd5x0OP7g
+21CvXBrll3Lw+VTMpdxUePr58XjZQH0h6W9U2zKZ6DM
--> ssh-ed25519 wcI7nQ b8xHvJrZ7DGaPLI0Z+JEgWxRJRLI8y8BR90xCI5fazk
+-> ssh-ed25519 wcI7nQ f3p3SYJM3pTqYMz2NoajEHqUqKmKs+FM+taI1rpqqzM
-Fx1kHtWXQ5Z+teARWKoRpN8QtPBbrhACc1WEhOisgBs
+PmeupVlX1nRFt3DkPMrx6o2oEtWoc+si2Flwd22D0Vw
---- hbYewYLVVD3sY1BGgc7IRn2SegmQJdQU2uIc8vkUdgA
+--- dxk5xXqB72nPhxw46T6rChktRllWaPqJp4XTTi3IBpU
-]×f5‘{‹9ãjö9©œŠÀO¨ -ɬl×4ÎÞÎå…ûÍã¡1óÃe#šSÈÊ‹ö‘¬ÜT[ºÉ(h[@sÈ÷&™¿
+K ].‡ç©ƒY„,‰Ùâ} ¸Áxÿâfˆ…Ò²!f”×Ú´G½#˜¯*EòΑ6l;cMp.¯âí<C3A2>q˜þ½Ÿ÷AW‰8¨éEFñ
-›^pU

provision/secrets/wireguard/torus.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw AXkkcwVYwCwvjyDqWhXtSQSepgVJmboLyXkOfpL5QA4
+-> ssh-ed25519 Fz/sQw sTJYlfFdSBl+xqi0+Yysl6NNWH8IABznrbF1MLi8p0c
-kLMo6pp+8gvatCkIWRrRDxAIvPsFe5S79K3bb2gG/LA
+xp0OvKeTPOK7CEUlPJOF9ZT3G55jYzGx/KI311YXzIM
--> ssh-ed25519 47GzQA FCQoB9UG6NoTzPWh8W0YtE3MpP5TYLirH/WtZYCxnTs
+-> ssh-ed25519 47GzQA Dc5kR+oUGLMcL5V+ul8NQTw4xr/ihd4qItpwlVDcLj8
-YuFjvJybPaI4mflQc8vxIfEoswbXG1s8CPD9rgmJ0ZA
+RZFPMVRFxBaosGvXRLcJA8gLIeaI8i2QIWflcsHY8uQ
--> ssh-ed25519 wcI7nQ PXgOnNP1HAZ5cEtZbxs6SFhqfqN1NLKMsuh4gMPEkzI
+-> ssh-ed25519 wcI7nQ 1lgpi/CuZpYLgjEnWYBD/2x5EMfPLfyR+9xJVqbfGEc
-xZqOgjDSqqWQNz+hXT9jExKTXJqhDNB2rxmHj47Bue4
+wmzNKHObcWs9tbU8nIZ6/iP3cJKusAIRwsoPnszxdbM
---- GNwc1tnzwsYP6WPTCzMtyYJySfdXONBjAd0eFlZrEQg
+--- BAh4R0xMUi7v8eoI6R9aW5YHbGULsZR+lBw6JnGKsbQ
-Q!S.kl÷jńfH¶ź‘feM+.	R[yäe$›ŚµńĐní(>Ř„š#©\5ńŢ
,,EŞo¦çe =—Áŕóţ+•ęK«@ĂË
+
+魺稩3<E7A8A9>S脍镶H璇|v贩假际鴎稾斩l舖ㄈ<E88896>廭b<>V圁C湉gM廤i蕜z;狢|鞄詧桘琓}?fr