diff --git a/flake.lock b/flake.lock
index 8b3e6e9..530481c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -53,11 +53,11 @@
 "pre-commit-hooks": "pre-commit-hooks"
 },
 "locked": {
- "lastModified": 1696078264,
- "narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=",
+ "lastModified": 1705278709,
+ "narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=",
 "owner": "oddlama",
 "repo": "agenix-rekey",
- "rev": "e529da8197f024c0069c4fde6237505e305b8d0a",
+ "rev": "e02a57e08224422934974f19853d4d70ed7eaaaa",
 "type": "github"
 },
 "original": {
@@ -981,11 +981,11 @@
 "pre-commit-hooks": "pre-commit-hooks_3"
 },
 "locked": {
- "lastModified": 1704999567,
- "narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=",
+ "lastModified": 1705279209,
+ "narHash": "sha256-Lfd9gpDcsF5EaBdHNVrSQtXqs1B7wx1lXiW4nKvxrQw=",
 "owner": "oddlama",
 "repo": "nixos-extra-modules",
- "rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e",
+ "rev": "a776d7c47663029588aec52fb7ac941fa8bbd8bd",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 96cf412..0ea19ca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -160,7 +160,11 @@
 ;
 }
 // flake-utils.lib.eachDefaultSystem (system: rec {
- apps.setupHetznerStorageBoxes = import ./nix/setup-hetzner-storage-boxes.nix self;
+ apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-box.nix") {
+ inherit pkgs;
+ nixosConfigurations = self.nodes;
+ decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
+ };
 pkgs = import nixpkgs {
 inherit system;
diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix
index 1e9c9c7..0c2c601 100644
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@@ -223,7 +223,7 @@
 enable = true;
 inherit (box) mainUser;
 inherit (box.users.samba) subUid path;
- sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.path;
+ sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;
 };
 user = "root";
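Review bot: `decryptIdentity = builtins.head self.secretsConfig.masterIdentities;` in the new `apps.setupHetznerStorageBoxes` body fails evaluation with Nix's generic "list index out of bounds" error when `masterIdentities` is empty, and silently takes the first entry when more than one is configured. Since this identity is what the setup app presumably uses to decrypt the per-host SSH keys, the choice should be explicit and the failure readable, e.g. `decryptIdentity = if self.secretsConfig.masterIdentities == [] then throw "setupHetznerStorageBoxes: secretsConfig.masterIdentities is empty" else builtins.head self.secretsConfig.masterIdentities;`. Note also that the imported file path is taken from the `nixos-extra-modules` input, so this hunk only evaluates against the revision bumped in flake.lock in the same commit; `self.nodes` is not defined anywhere visible here, so I cannot confirm it is the attribute the upstream app expects under `nixosConfigurations`. The enclosing `eachDefaultSystem` attribute set continues outside the hunk.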
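Review bot: `sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;` changes the value from the decrypted runtime path (`.path`) to the encrypted source file, and nothing in this commit shows how the replacement module in `nixos-extra-modules` consumes it. The deleted `modules/restic.nix` passed this option straight into `ssh -i` and its description said "Don't use a path from the nix store!", so if the new module does the same, restic would be pointed at an unusable age file that lives in the world-readable store. Worth confirming against the pinned `nixos-extra-modules` revision that the module resolves the decrypted key itself (the `decryptIdentity` wired up in flake.nix suggests the setup app decrypts it, but the runtime restic side is not visible here), and recording that in place with a comment such as `# NOTE: the upstream hetznerStorageBox module expects the encrypted rekeyFile, not .path — verify it resolves the decrypted key at runtime`. The enclosing attribute set starts and ends outside the hunk.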
diff --git a/modules/default.nix b/modules/default.nix
index d8c96bb..337663b 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -34,7 +34,6 @@
 ./oauth2-proxy.nix
 ./promtail.nix
 ./provided-domains.nix
- ./restic.nix
 ./secrets.nix
 ./telegraf.nix
 ./wireguard-proxy.nix
diff --git a/modules/restic.nix b/modules/restic.nix
deleted file mode 100644
index ab1697d..0000000
--- a/modules/restic.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{lib, ...}: let
- inherit
- (lib)
- mkEnableOption
- mkIf
- mkOption
- types
- ;
-in {
- options.services.restic.backups = {
- type = types.attrsOf (types.submodule ({config}: {
- options.hetznerStorageBox = {
- enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
-
- mainUser = mkOption {
- type = types.str;
- description = ''
- The main user. While not technically required for restic, we still use it to
- derive the subuser name and it is required for the automatic setup script
- that creates the users.
- '';
- };
-
- subUid = mkOption {
- type = types.int;
- description = "The id of the subuser that was allocated on the hetzner server for this backup.";
- };
-
- path = mkOption {
- type = types.str;
- description = ''
- The remote path to backup into. While not technically required for restic
- (since the subuser is chrooted on the remote), we'll still use it to set
- a sane repository and it is required for the automatic setup script that
- creates the users.
- '';
- };
-
- sshPrivateKeyFile = {
- type = types.path;
- description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!";
- };
- };
-
- config = let
- subUser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}";
- url = "${subUser}@${subUser}.your-storagebox.de";
- in
- mkIf config.hetznerStorageBox.enable {
- repository = "sftp://${url}:23${config.hetznerStorageBox.path}";
- extraOptions = [
- "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'"
- ];
- };
- }));
- };
-}
diff --git a/nix/setup-hetzner-storage-boxes.nix b/nix/setup-hetzner-storage-boxes.nix
deleted file mode 100644
index c39f4cd..0000000
--- a/nix/setup-hetzner-storage-boxes.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-self: system: let
- pkgs = self.pkgs.${system};
-in {
- type = "app";
- drv = pkgs.writeShellApplication {
- name = "setup-hetzner-storage-boxes";
- text = ''
- set -euo pipefail
-
- '';
- };
-}
diff --git a/secrets/generated/sire-samba/restic-encryption-password.age b/secrets/generated/sire-samba/restic-encryption-password.age
new file mode 100644
index 0000000..8eb5d95
Binary files /dev/null and b/secrets/generated/sire-samba/restic-encryption-password.age differ
diff --git a/secrets/generated/sire-samba/restic-ssh-privkey.age b/secrets/generated/sire-samba/restic-ssh-privkey.age
new file mode 100644
index 0000000..62705eb
--- /dev/null
+++ b/secrets/generated/sire-samba/restic-ssh-privkey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 0K6SeoPQ4PZEq1wtc/G8b7i1Yt058S9AAmOsq2PcNS8
++nAjk48dcVmB+Hq176YIfIt3tLGJ6iNpu5JLqmUCtpk
+-> piv-p256 xqSe8Q A9UeuVP5wOGWEIKsNv6W2ph7IyKbeGL+wpIUs7EgJ+YK
+ZPPXzqPBqZrWOS9PTbwDOj/j7jdVx+lLaatWy6A80gs
+-> o&IA4Bk-grease
+BYDzN8CfuLcHoE5qwego27meyCd/JwHoJroG585ZCEKc7gefGZL1xnCI8AvZUoeI
+/Q4CQpOmdFGCFDsTv17qIvt/EsBMU7b48EEgRg
+--- X7tInW7b9ibkZpVVGD4+Y4q7b+ymjQCwpt/lUF/W1BA
+ ;Ze
+\S~T47sg@(i(!\ V 6_.{$teWF&68ZWN̒=>2qX6To :p2GuMP,Uip߹v#VN8
\ No newline at end of file
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age
index 3fc0b5f..025279d 100644
Binary files a/users/myuser/secrets/user.nix.age and b/users/myuser/secrets/user.nix.age differ