From cd715f1a03174a08ef66aabc8c099837fa8747c7 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 5 Mar 2024 05:07:46 +0100
Subject: [PATCH] talos: setup restic backups
---
 hosts/talos/default.nix | 43 ++++++++++++++++++
 hosts/talos/secrets.nix | 4 +-
 .../restic-backup/talos-credentials.age | 7 +++
 .../secrets/restic-backup/talos-password.age | Bin 0 -> 387 bytes
 modules/secrets/secrets.nix | 2 +
 5 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 modules/secrets/restic-backup/talos-credentials.age
 create mode 100644 modules/secrets/restic-backup/talos-password.age
diff --git a/hosts/talos/default.nix b/hosts/talos/default.nix
index ccce527..4fee350 100644
--- a/hosts/talos/default.nix
+++ b/hosts/talos/default.nix
@@ -75,6 +75,49 @@
 };
 pipewire.enable = true;
+
+ restic-backup = {
+ enable = true;
+ repo = "b2:talos-backup";
+ passwordFile = config.age.secrets."restic-backup/talos-password".path;
+ environmentFile = config.age.secrets."restic-backup/talos-credentials".path;
+
+ timerConfig = {
+ OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
+ };
+
+ paths = [
+ "/home/alarsyo"
+ ];
+ exclude = [
+ "/home/alarsyo/Downloads"
+
+ # Rust builds using half my storage capacity
+ "/home/alarsyo/**/target"
+ "/home/alarsyo/work/rust/build"
+
+ # don't backup nixpkgs
+ "/home/alarsyo/work/nixpkgs"
+
+ "/home/alarsyo/go"
+
+ # C build crap
+ "*.a"
+ "*.o"
+ "*.so"
+
+ ".direnv"
+
+ # test vms
+ "*.qcow2"
+
+ # secrets stay offline
+ "/home/alarsyo/**/secrets"
+
+ # ignore all dotfiles as .config and .cache can become quite big
+ "/home/alarsyo/.*"
+ ];
+ };
 };
 my.gui.enable = true;
diff --git a/hosts/talos/secrets.nix b/hosts/talos/secrets.nix
index 387f511..e5fae61 100644
--- a/hosts/talos/secrets.nix
+++ b/hosts/talos/secrets.nix
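Review bot: In hosts/talos/default.nix, the `# secrets stay offline` rule in `exclude` only matches paths whose last component is literally `secrets` (`"/home/alarsyo/**/secrets"`), so key material kept under any other name inside `/home/alarsyo` is still uploaded to the `b2:talos-backup` repository. The `"/home/alarsyo/.*"` pattern covers only top-level dot entries, and `.direnv` is the only nested one listed, so a nested dotfile holding credentials would also be included. restic encrypts client-side, so confidentiality of anything that slips through rests on the repository password alone; I would either list the specific names you rely on or reword the comment to `# directories named "secrets" stay offline; other key material is backed up encrypted`. Separately, `timerConfig` sets only `OnCalendar`, and if the `restic-backup` module (defined outside this hunk) passes it through without merging defaults, a laptop that is off at 13:00 skips that day's run; adding `Persistent = true;` next to `OnCalendar` would make the timer catch up on the next boot.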
@@ -13,8 +13,8 @@ // attrs; in lib.mapAttrs toSecret { - #"restic-backup/hephaestus-credentials" = {}; - #"restic-backup/hephaestus-password" = {}; + "restic-backup/talos-credentials" = {}; + "restic-backup/talos-password" = {}; "users/alarsyo-hashed-password" = {}; "users/root-hashed-password" = {}; diff --git a/modules/secrets/restic-backup/talos-credentials.age b/modules/secrets/restic-backup/talos-credentials.age new file mode 100644 index 0000000..967a671 --- /dev/null +++ b/modules/secrets/restic-backup/talos-credentials.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 k2gHjw WWJQxqfxQzLmBFPpTzuKBMhAl+ZxnQdvnaDvfpwxR00 +tEsf6xSw/MP/qJnr/SyLlkEEf/LaI7IxjVzaxRwh5FI +-> ssh-ed25519 nh0dAQ yRu0VZqx+DuB3SSQaVtg+txuRu9OyJDfLDNCKg9XYk0 +xTpucapaejG2EMrZLIDt46JD3QYM4XXT1Y2F77HPQO8 +--- uZjO0dDIFesU2B/GkjpqrOJas1+K6hGbQAdFV/t1GOk +BV͵\ 8 ۑ[%l^>9\E5j(6g;(I7CS4v6iSXC`OT\;Iݜ6_ky-qKlKӠh?t \ No newline at end of file diff --git a/modules/secrets/restic-backup/talos-password.age b/modules/secrets/restic-backup/talos-password.age new file mode 100644 index 0000000000000000000000000000000000000000..244ab8dc30fcae543ab25652ad3581ff651d49f3 GIT binary patch literal 387 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7HcI!%Dp&9_cP=O_ zEH^I>({|RkC{A^C3P{qf3dz!rG;`7qOApI-DK-o9Nj5IXP3H2?kF*HRFe=WiD2&K6 z)i=uY^h)wKuXN9LF)Ft3cg&9pGRiK<4azXoPe->cFT)_kF;Jl>H^MPB*Cf;>D%~)o zI4>kSprkCU(9S79Zk&rurpqcI|Qd+3ppq^sX*itSSA% zHd;H>i|>}v8qv2>yonFO|9BLu3VQBYSKTx*@?lV4!m2!rz#KuH>xY*;-}$;|QLmiz VgbQ+~<%_lzEKm=$4{2nu0szn!iy8m` literal 0 HcmV?d00001 diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 2496adb..f9c389c 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix 
@@ -35,6 +35,8 @@ in {
 "restic-backup/hades-credentials.age".publicKeys = [alarsyo hades];
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
+ "restic-backup/talos-password.age".publicKeys = [alarsyo talos];
+ "restic-backup/talos-credentials.age".publicKeys = [alarsyo talos];
 "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];