From 5d15007c52686a9d25514da9e68ba9b003e67370 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Mon, 15 Jan 2024 01:55:12 +0100
Subject: [PATCH] fix: agenix secrets runtime path
---
 README.md | 2 +-
 apps/setup-hetzner-storage-boxes.nix | 5 ++++-
 modules/restic.nix | 20 ++++++++++++--------
 3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 3fbb161..8066526 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ EFI/BIOS boot config | Module | [Link](./modules/boot.nix) | - | - | Allows you
 Nginx recommended options | Module | [Link](./modules/nginx.nix) | - | agenix | Sets many recommended settings for nginx with a single switch plus some opinionated defaults. Also adds a switch for setting recommended security headers on each location.
 Node options | Module | [Link](./modules/node.nix) | - | - | A module that stores meta information about your nodes (hosts). Required for some other modules that operate across nodes.
 Guests (MicroVMs & Containers) | Module | [Link](./modules/guests) | zfs, node options | - | This module implements a common interface to use guest systems with microvms or nixos-containers.
-Restic hetzner storage box setup | Module | [Link](./modules/restic.nix) | - | - | This module exposes new options for restic backups that allow a simple setup of hetzner storage boxes. There's [an app](./apps/setup-hetzner-storage-boxes.nix) that you should expose on your flake to automate remote setup.
+Restic hetzner storage box setup | Module | [Link](./modules/restic.nix) | agenix, agenix-rekey | - | This module exposes new options for restic backups that allow a simple setup of hetzner storage boxes. There's [an app](./apps/setup-hetzner-storage-boxes.nix) that you should expose on your flake to automate remote setup.
 
 #### Home Manager Modules
 
diff --git a/apps/setup-hetzner-storage-boxes.nix b/apps/setup-hetzner-storage-boxes.nix
index 5151b52..4b75af8 100644
--- a/apps/setup-hetzner-storage-boxes.nix
+++ b/apps/setup-hetzner-storage-boxes.nix
@@ -28,7 +28,10 @@
 hostCfg:
 flip map (attrValues hostCfg.config.services.restic.backups) (
 backupCfg:
- optional backupCfg.hetznerStorageBox.enable backupCfg.hetznerStorageBox
+ optional backupCfg.hetznerStorageBox.enable (
+ backupCfg.hetznerStorageBox
+ // {sshPrivateKeyFile = hostCfg.config.age.secrets.${backupCfg.sshAgeSecret}.rekeyFile;}
+ )
 )
 )
 );
diff --git a/modules/restic.nix b/modules/restic.nix
index 6af5d9b..4f855e5 100644
--- a/modules/restic.nix
+++ b/modules/restic.nix
@@ -1,4 +1,8 @@
-{lib, ...}: let
+{
+ lib,
+ config,
+ ...
+}: let
 inherit
 (lib)
 mkEnableOption
@@ -8,7 +12,7 @@
 ;
 in {
 options.services.restic.backups = mkOption {
- type = types.attrsOf (types.submodule ({config, ...}: {
+ type = types.attrsOf (types.submodule (submod: {
 options.hetznerStorageBox = {
 enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
 
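Review bot: `backupCfg.sshAgeSecret` on the added `//` line reads the option one level too high — this same patch declares the option as `hetznerStorageBox.sshAgeSecret` in modules/restic.nix, so the lookup should be `// {sshPrivateKeyFile = hostCfg.config.age.secrets.${backupCfg.hetznerStorageBox.sshAgeSecret}.rekeyFile;}`. Because Nix evaluates lazily, the mistake will not show up at `optional` time but only when the app reads `sshPrivateKeyFile` for an enabled storage box, as an "attribute 'sshAgeSecret' missing" failure, unless a sibling definition outside this hunk provides it. Note also that `.rekeyFile` is the agenix-rekey encrypted source rather than a decrypted runtime path, so the app is presumably decrypting it with the operator's identity when it runs; a one-line comment saying so next to the `//` merge would spare the next reader the same question, and the enclosing expression starts before the hunk.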
@@ -35,20 +39,20 @@ in {
 '';
 };
- sshPrivateKeyFile = mkOption {
- type = types.path;
- description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!";
+ sshAgeSecret = mkOption {
+ type = types.str;
+ description = "The name of the agenix secret containing the ssh private key for accesing the storage box.";
 };
 };
 config = let
- subuser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}";
+ subuser = "${submod.config.hetznerStorageBox.mainUser}-sub${toString submod.config.hetznerStorageBox.subUid}";
 url = "${subuser}@${subuser}.your-storagebox.de";
 in
- mkIf config.hetznerStorageBox.enable {
+ mkIf submod.config.hetznerStorageBox.enable {
 repository = "sftp://${url}:23/";
 extraOptions = [
- "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'"
+ "sftp.command='ssh -s sftp -p 23 -i ${config.age.secrets.${submod.config.hetznerStorageBox.sshAgeSecret}.path} ${url}'"
 ];
 };
 }));
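Review bot: The new `-i ${config.age.secrets.….path}` in `extraOptions` ties the SSH key to agenix's default file permissions (root-owned, mode 0400 unless the secret sets `owner`/`mode`), which only works because restic backups run as root by default; a backup whose `user` is changed will fail at SSH time with no evaluation-time hint. The `sshAgeSecret` description should state that coupling, e.g. `description = "The name of the agenix secret containing the ssh private key for accessing the storage box. The secret's owner and mode must allow the backup's user to read it.";`, which also fixes the typo "accesing". Separately, `types.str` accepts any name and a misspelled secret only surfaces as an "attribute missing" error when the `config.age.secrets.${…}` lookup is forced; that is tolerable, but worth a sentence in the description as well. The submodule body continues outside the hunk.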