feat: add restic backup to hetzner storage box

flake.lock

@@ -53,11 +53,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1696078264,
-        "narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=",
+        "lastModified": 1705278709,
+        "narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=",
         "owner": "oddlama",
         "repo": "agenix-rekey",
-        "rev": "e529da8197f024c0069c4fde6237505e305b8d0a",
+        "rev": "e02a57e08224422934974f19853d4d70ed7eaaaa",
         "type": "github"
       },
       "original": {
@@ -981,11 +981,11 @@
         "pre-commit-hooks": "pre-commit-hooks_3"
       },
       "locked": {
-        "lastModified": 1704999567,
-        "narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=",
+        "lastModified": 1705279209,
+        "narHash": "sha256-Lfd9gpDcsF5EaBdHNVrSQtXqs1B7wx1lXiW4nKvxrQw=",
         "owner": "oddlama",
         "repo": "nixos-extra-modules",
-        "rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e",
+        "rev": "a776d7c47663029588aec52fb7ac941fa8bbd8bd",
         "type": "github"
       },
       "original": {

flake.nix

@@ -160,7 +160,11 @@
         ;
     }
     // flake-utils.lib.eachDefaultSystem (system: rec {
-      apps.setupHetznerStorageBoxes = import ./nix/setup-hetzner-storage-boxes.nix self;
+      apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-box.nix") {
+        inherit pkgs;
+        nixosConfigurations = self.nodes;
+        decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
+      };
 
       pkgs = import nixpkgs {
         inherit system;

hosts/sire/guests/samba.nix

@@ -223,7 +223,7 @@ in {
       enable = true;
       inherit (box) mainUser;
       inherit (box.users.samba) subUid path;
-      sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.path;
+      sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;
     };
 
     user = "root";

modules/default.nix

@@ -34,7 +34,6 @@
     ./oauth2-proxy.nix
     ./promtail.nix
     ./provided-domains.nix
-    ./restic.nix
     ./secrets.nix
     ./telegraf.nix
     ./wireguard-proxy.nix

modules/restic.nix

@@ -1,57 +0,0 @@
-{lib, ...}: let
-  inherit
-    (lib)
-    mkEnableOption
-    mkIf
-    mkOption
-    types
-    ;
-in {
-  options.services.restic.backups = {
-    type = types.attrsOf (types.submodule ({config}: {
-      options.hetznerStorageBox = {
-        enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
-
-        mainUser = mkOption {
-          type = types.str;
-          description = ''
-            The main user. While not technically required for restic, we still use it to
-            derive the subuser name and it is required for the automatic setup script
-            that creates the users.
-          '';
-        };
-
-        subUid = mkOption {
-          type = types.int;
-          description = "The id of the subuser that was allocated on the hetzner server for this backup.";
-        };
-
-        path = mkOption {
-          type = types.str;
-          description = ''
-            The remote path to backup into. While not technically required for restic
-            (since the subuser is chrooted on the remote), we'll still use it to set
-            a sane repository and it is required for the automatic setup script that
-            creates the users.
-          '';
-        };
-
-        sshPrivateKeyFile = {
-          type = types.path;
-          description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!";
-        };
-      };
-
-      config = let
-        subUser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}";
-        url = "${subUser}@${subUser}.your-storagebox.de";
-      in
-        mkIf config.hetznerStorageBox.enable {
-          repository = "sftp://${url}:23${config.hetznerStorageBox.path}";
-          extraOptions = [
-            "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'"
-          ];
-        };
-    }));
-  };
-}

nix/setup-hetzner-storage-boxes.nix

@@ -1,12 +0,0 @@
-self: system: let
-  pkgs = self.pkgs.${system};
-in {
-  type = "app";
-  drv = pkgs.writeShellApplication {
-    name = "setup-hetzner-storage-boxes";
-    text = ''
-      set -euo pipefail
-
-    '';
-  };
-}

secrets/generated/sire-samba/restic-ssh-privkey.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 0K6SeoPQ4PZEq1wtc/G8b7i1Yt058S9AAmOsq2PcNS8
++nAjk48dcVmB+Hq176YIfIt3tLGJ6iNpu5JLqmUCtpk
+-> piv-p256 xqSe8Q A9UeuVP5wOGWEIKsNv6W2ph7IyKbeGL+wpIUs7EgJ+YK
+ZPPXzqPBqZrWOS9PTbwDOj/j7jdVx+lLaatWy6A80gs
+-> o&IA4Bk-grease
+BYDzN8CfuLcHoE5qwego27meyCd/JwHoJroG585ZCEKc7gefGZL1xnCI8AvZUoeI
+/Q4CQpOmdFGCFDsTv17qIvt/EsBMU7b48EEgRg
+--- X7tInW7b9ibkZpVVGD4+Y4q7b+ymjQCwpt/lUF/W1BA
+Ý ’;Zÿûòeþ
+Ã\S–~ìT47ºsêg®@¶(®i(Š!\V‡ß6ó_.°{$Æte¡<q_,¼È9[Vô\-¡Þ¿|&D¿";üÄu<&""´³ÎN4ü1ݨƒ#]Q½g¦!hÕÞV‚=îNp%ãµ
ª–ô�§çëið;Ê$•�kÀÅé+(}AL³—°=zª@¼SiLuã¨ý.Æ»ù/�¥øòø¤:O¯µ¯Á0�§KÓä¿—ü˜?ƒ3oz@7Áý!Eðö„^“žã^µï;ÇRx”Î
8êORWt?d3G(�S†àJn%*O‰/ú«M/p]ÝV¥¿m*äÑ[ÿ&.ÀÀçûYã[ÄãðÉ][ˆªÃÇÏ£;þbD£kÙ¸v{QºÂ�j…÷¬Dý(½©Ä×,²Xvd¬ÏKàì"GÇ:îSq¨YÑíxÿ1Ò! —%ÎÁ7‰¬ÀÄ¥£©>WFõ&Ó6ý8äZ“…WNÞÌ’³­Çõ=>ˆ²Ç2òq¡XÑ6íTo	…��:Êpú‹¬‡™ü÷ðî2GÄuM¨PÞ,UâiÇp”Çß¹v“¿#ÔVN8°ü