boreal: get rid of git crypt secrets for this host

Also move to restic-backup
Antoine Martin 2022-01-21 00:29:44 +01:00
parent 38fb614309
commit ceac41132e
7 changed files with 18 additions and 14 deletions


@ -45,6 +45,7 @@ jobs:
strategy:
matrix:
name:
- boreal
- zephyrus
steps:


@ -3,9 +3,6 @@
# and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }:
let
secrets = config.my.secrets;
in
{
imports =
[ # Include the results of the hardware scan.
@ -46,17 +43,12 @@ in
# List services that you want to enable:
my.services = {
borg-backup = {
restic-backup = {
enable = true;
repo = secrets.borg-backup.boreal-repo;
# for a workstation, having backups spanning the last month should be
# enough
prune = {
keep = {
daily = 7;
weekly = 4;
};
};
repo = "b2:boreal-backup";
passwordFile = config.age.secrets."restic-backup/boreal-password".path;
environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
paths = [
"/home/alarsyo"
];
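Review bot: The retention policy is lost in this migration: the old `prune.keep` block (`daily = 7; weekly = 4;`) has no counterpart in the new `restic-backup` set, so snapshots in `b2:boreal-backup` are only pruned if the module applies a default, which is not visible here. If the module has an equivalent option, set it explicitly; if relying on defaults is intended, replace the leftover comment with something like `# no prune settings here: retention is left to the restic-backup module defaults`. The page lost its +/- markers, so whether the `# for a workstation, ...` comment is still on the new side is inferred. Separately, confirm that the B2 application key stored in `restic-backup/boreal-credentials` is restricted to this one bucket, since the host decrypts it at runtime. The `my.services` set continues past the end of the hunk.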


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro
21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks
-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM
ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg
-> u5-grease
MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm
fg
--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw
ŒÙúDíï° ´&…<QØ+¨úþéJoTÇ;US9.©âu'v¸œ,‘Ä@“úÿQKcëÛzÑ>v¢€ÃN1±tòÚ8w<˜Îò“w­°d<C2B0><64>>sG_øæÆšyø„u,þÅ%@J hñ"†Ev‡ÙX

Binary file not shown.


@ -11,6 +11,8 @@ let
all = users ++ machines;
in
{
"restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
"restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
"restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];


@ -5,6 +5,5 @@ let
;
in
{
boreal-repo = fileContents ./boreal-repo.secret;
poseidon-repo = fileContents ./poseidon-repo.secret;
}