From ceac41132e1e0ef8b11d42bff61239525d4dbaec Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Fri, 21 Jan 2022 00:29:44 +0100 Subject: [PATCH] boreal: get rid of git crypt secrets for this host Also move to restic-backup --- .github/workflows/cachix.yaml | 1 + hosts/boreal/default.nix | 18 +++++------------- .../restic-backup/boreal-credentials.age | 10 ++++++++++ .../secrets/restic-backup/boreal-password.age | Bin 0 -> 542 bytes modules/secrets/secrets.nix | 2 ++ secrets/borg-backup/boreal-repo.secret | Bin 63 -> 0 bytes secrets/borg-backup/default.nix | 1 - 7 files changed, 18 insertions(+), 14 deletions(-) create mode 100644 modules/secrets/restic-backup/boreal-credentials.age create mode 100644 modules/secrets/restic-backup/boreal-password.age delete mode 100644 secrets/borg-backup/boreal-repo.secret diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index accf269..b9bebfb 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -45,6 +45,7 @@ jobs: strategy: matrix: name: + - boreal - zephyrus steps: diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix index 8116755..9175f92 100644 --- a/hosts/boreal/default.nix +++ b/hosts/boreal/default.nix @@ -3,9 +3,6 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, lib, pkgs, ... }: -let - secrets = config.my.secrets; -in { imports = [ # Include the results of the hardware scan. @@ -46,17 +43,12 @@ in # List services that you want to enable: my.services = { - borg-backup = { + restic-backup = { enable = true; - repo = secrets.borg-backup.boreal-repo; - # for a workstation, having backups spanning the last month should be - # enough - prune = { - keep = { - daily = 7; - weekly = 4; - }; - }; + repo = "b2:boreal-backup"; + passwordFile = config.age.secrets."restic-backup/boreal-password".path; + environmentFile = config.age.secrets."restic-backup/boreal-credentials".path; + paths = [ "/home/alarsyo" ]; 
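Review bot: The retention policy that the removed borg-backup block spelled out (`daily = 7; weekly = 4;`, with its comment about a workstation only needing the last month) has no counterpart in the new restic-backup block, so nothing visible in this hunk bounds how long snapshots of `/home/alarsyo` are kept in `b2:boreal-backup`. Without pruning, files deleted from the home directory stay recoverable from the bucket indefinitely and storage grows without limit. If the restic-backup module applies a default prune policy, a comment such as `# retention: restic-backup module defaults` above the `repo` line would record that. If it does not, the daily/weekly values should be carried over through whatever option the module exposes. The attribute set continues past the end of the hunk, so a prune or exclude setting may already exist outside the visible lines.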
diff --git a/modules/secrets/restic-backup/boreal-credentials.age b/modules/secrets/restic-backup/boreal-credentials.age new file mode 100644 index 0000000..e7827ac --- /dev/null +++ b/modules/secrets/restic-backup/boreal-credentials.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro +21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks +-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM +ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg +-> u5-grease +MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm +fg +--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw +D &vN1t8w<wd>s:G_ƚyu,%@Jh"EvX \ No newline at end of file diff --git a/modules/secrets/restic-backup/boreal-password.age b/modules/secrets/restic-backup/boreal-password.age new file mode 100644 index 0000000000000000000000000000000000000000..95176eefa2010d461ca5cdf1b774c0b1931b9cd0 GIT binary patch literal 542 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS4EGJpPFHY>EG*M^ z@(p&(FUj(8DUH%j(Kc{133E#c^(hZX^K;8iFG~!~GV~8}D(1=yD>v}Ba4k2`H;(YG zGE8zRam>!}E;lQ*%*yo0_Hqu$O7(M3D$gsebVRo;+bG>5t6U*ZKQE{_I6~jlv&gX0 z%{Sb`tt3CuBqYo&%q-bBKO!nM&nPI}Js=|4*paJJ+ch%BGb%MFC?G5|!rj86MBgwd zFDxuFB}?Bp%+NV7I7HvI$S^EbKN)0Oq@lBFs&0BwYGQG!g0G=hxPfbNjY3jDyh4t3 zUA}fSmwQHvQB`KCVOBs;PL#KKwx^l4cXDx7j*q#Sx4%cSUvXA=Ms|p=caoP!NuWto zg;#-lXh0yBuCA^^a&S?pwo!zcPe__+RB^F(a;`X_q#H9r$b#%yA%fQv8d%`}Q$^Jf3yXN6hzltVy`Q z_84>5S0`<5c=SnLk_g>Zvh(7CWydZE+R2DM{rJErzlUedtN9WI%O1Qh5IWep(>6in)BUw~s#SOap8d_v literal 0 HcmV?d00001 diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 0a0d1cd..5e3fec2 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix 
@@ -11,6 +11,8 @@ let all = users ++ machines; in { + "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; + "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; diff --git a/secrets/borg-backup/boreal-repo.secret b/secrets/borg-backup/boreal-repo.secret deleted file mode 100644 index db1104e51ac95e4d24ff4db0562e7c546f2576b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 63 zcmV-F0KoqMM@dveQdv+`0Ly>zCf`-5)IUT^8K#l9=8Ah diff --git a/secrets/borg-backup/default.nix b/secrets/borg-backup/default.nix index b611715..e9a3e7a 100644 --- a/secrets/borg-backup/default.nix +++ b/secrets/borg-backup/default.nix @@ -5,6 +5,5 @@ let ; in { - boreal-repo = fileContents ./boreal-repo.secret; poseidon-repo = fileContents ./poseidon-repo.secret; }