diff --git a/nixos/common/global/secrets/rekeyed/viridian/baf095ad1a114007e5c55aa2871fe105-borgbackup.age b/nixos/common/global/secrets/rekeyed/viridian/baf095ad1a114007e5c55aa2871fe105-borgbackup.age new file mode 100644 index 0000000..96cec22 --- /dev/null +++ b/nixos/common/global/secrets/rekeyed/viridian/baf095ad1a114007e5c55aa2871fe105-borgbackup.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 KTkZog 5sg/hpf/62ScHhTff9oK26rKUHOOIOkaEvz6azRbIFs +8YDQXQULAwfzazasdUqr+DhBMm0p4957vywLCmbsPOQ +-> ^)fem:-grease ,C tq3PQ#" +Dp5AeElkIQ9RTy0qPV91kur2jWvk2uJTgSRqk1gwoM8vUJM/BbpdqsimUCI0PFxG +Dd507GmCEWDrmovhpAIBS1lAqlY +--- +Xft4rCt53z0qwZsydGBaUanbAxv06yRHgJeDw6yUAI +$KǂK@j]lfNV* jmCm"ށDnTwܟ[ \ No newline at end of file diff --git a/nixos/viridian/hardware-configuration.nix b/nixos/viridian/hardware-configuration.nix index 8f59566..e30e398 100644 --- a/nixos/viridian/hardware-configuration.nix +++ b/nixos/viridian/hardware-configuration.nix @@ -3,9 +3,7 @@ lib, pkgs, ... -}: let - hostname = config.networking.hostName; -in { +}: { imports = [ # Our ephemeral system. Wipe root on reboot. ../common/optional/ephemeral-btrfs.nix @@ -71,12 +69,6 @@ in { options = ["subvol=services" "compress=zstd"]; }; - fileSystems."/srv/backup" = { - device = "/dev/disk/by-label/data"; - fsType = "btrfs"; - options = ["subvol=backup" "compress=zstd"]; - }; - fileSystems."/srv/shares" = { device = "/dev/disk/by-label/data"; fsType = "btrfs"; diff --git a/nixos/viridian/services/borgbackup/default.nix b/nixos/viridian/services/borgbackup/default.nix index d2a226f..142feae 100644 --- a/nixos/viridian/services/borgbackup/default.nix +++ b/nixos/viridian/services/borgbackup/default.nix 
@@ -1,33 +1,33 @@
-{...}: {
- services.borgbackup.jobs = {
- containers = {
- paths = [
- "/srv/containers"
- ];
- encryption.mode = "none";
- repo = "/srv/backup/containers";
- compression = "auto,zstd";
- startAt = "daily";
- };
+{config, ...}: {
+ age.secrets.borgbackup = {
+ rekeyFile = ./passphrase.age;
+ };

- services = {
- paths = [
- "/srv/services"
- ];
- encryption.mode = "none";
- repo = "/srv/backup/services";
- compression = "auto,zstd";
- startAt = "daily";
- };
+ services.borgbackup.jobs."borgbase" = {
+ paths = [
+ # Shares
+ "/srv/shares/sajenim"
+ # Services
+ "/srv/services/forgejo"
+ "/srv/services/immich"
+ "/srv/services/minecraft"
+ "/srv/services/paperless-ngx"
+ # Containers
+ "/srv/containers/jellyfin"
+ "/srv/containers/lidarr"
+ "/srv/containers/prowlarr"
+ "/srv/containers/qbittorrent"
+ "/srv/containers/radarr"
+ "/srv/containers/sonarr"
+ ];

- shares = {
- paths = [
- "/srv/shares"
- ];
- encryption.mode = "none";
- repo = "/srv/backup/shares";
- compression = "auto,zstd";
- startAt = "daily";
+ repo = "o93k24r6@o93k24r6.repo.borgbase.com:repo";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.traefik.path}";
 };
+ environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+ compression = "auto,lzma";
+ startAt = "daily";
 };
 }
diff --git a/nixos/viridian/services/borgbackup/passphrase.age b/nixos/viridian/services/borgbackup/passphrase.age
new file mode 100644
index 0000000..91f3acb
Binary files /dev/null and b/nixos/viridian/services/borgbackup/passphrase.age differ
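Review bot: `encryption.passCommand` in `nixos/viridian/services/borgbackup/default.nix` reads `config.age.secrets.traefik.path`, while the secret this same hunk declares for the job is `age.secrets.borgbackup`. As written, the repository passphrase is whatever the traefik secret contains (or evaluation fails if no such secret is defined on this host), and the newly added `passphrase.age` is never consumed. The line should be `passCommand = "cat ${config.age.secrets.borgbackup.path}";`. Separately, `BORG_RSH` logs in with `/etc/ssh/ssh_host_ed25519_key`, and the rekeyed secret added in this commit is encrypted to an ssh-ed25519 recipient; if that recipient is the same host key, one key both decrypts the passphrase and authenticates to the repository, so a dedicated backup key would narrow the blast radius. Because `repokey-blake2` stores the key in the remote repository, an offline copy from `borg key export` is worth keeping for recovery.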