From b674bc6e1aa80b1039763031af84039238a373d4 Mon Sep 17 00:00:00 2001
From: Administrator
Date: Sat, 8 Nov 2025 19:39:54 +0000
Subject: [PATCH] encrypt all borg backups
---
 README.md | 1 +
 secrets/borg_pass | 13 +++++++++++++
 secrets/secrets.nix | 1 +
 services/akkoma.nix | 5 ++++-
 services/borg.nix | 1 +
 services/default.nix | 2 +-
 services/forgejo.nix | 5 ++++-
 services/lldap.nix | 5 ++++-
 services/mailserver.nix | 5 ++++-
 services/nextcloud.nix | 5 ++++-
 services/paste.nix | 5 ++++-
 services/prosody.nix | 5 ++++-
 services/vaultwarden.nix | 5 ++++-
 13 files changed, 49 insertions(+), 9 deletions(-)
 create mode 100644 secrets/borg_pass
diff --git a/README.md b/README.md
index 34933bc..0cc5bff 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@ TBC ## TODO's ### In Progress +- Encrypt Backups - Root on `tmpfs` ### Urgent
diff --git a/secrets/borg_pass b/secrets/borg_pass
new file mode 100644
index 0000000..109315c
--- /dev/null
+++ b/secrets/borg_pass
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyB5U2Nv
+THdsMERoNE9mOHBFMkUzT3JOTzBXcXJSdnVEYkMzVFoyTlRaVWdvCkpOQlR3Zk9M
+T1FkT0NsdEZZRzRKb0JjT2xBM0JQck1Hem5vTVZ0QnZOMFEKLT4gc3NoLWVkMjU1
+MTkgYU8xbC9BIGprMmF4c3dETHE1RGR2WVlWY3RieHFOS3FEK2JaMHU1TEZobUFi
+T3R2aXcKdnJ0ZjMrYjV6UkZLL1R6SzBhU284ajgrb1RDcHQ5dWRYWlVJZ1lSQml4
+ZwotPiBfL0hdQkUjLWdyZWFzZSBodHJKYC09XQpWajgrcFFHY0ZrelQ3ZGE3cnFj
+MFUrc0ZEbkdBZlZ3TDY3Wi8vSjh2Yyt1RGFSaTVVenA1QzRCa2JmcjN6dmhJCjBC
+cVJaRldoeSsxeW90cmdyRVR6QlEKLS0tICtiTTUyUzhrNHRzOUliL3BCeTBuOE8w
+aVUvYWY5UGZGbWUwSnJnSkk1ZDAKkpGkJxtdmegXyVFuVRTLvWNgVIqnDzf7dB6D
+ApbZj2GC4xLKMWOp7SgQaKKth3SDbZpQLPiFiffdzKfyAlL/OirDhwDTnpLGsPw9
+zG7TjAHQW14Jg7JVH9JrJ2ge5DcceA==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e464c94..0cefbf0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,6 +12,7 @@ in {
 "prosody.env".publicKeys = all;
 "vaultwarden.env".publicKeys = all;
 "borg_ed25519".publicKeys = all;
+ "borg_pass".publicKeys = all;
 "hidden_service/akkoma".publicKeys = all;
 "hidden_service/forgejo".publicKeys = all;
diff --git a/services/akkoma.nix b/services/akkoma.nix
index a23b321..eb0815e 100644
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@@ -49,7 +49,10 @@ in {
 "/var/lib/akkoma"
 "/var/backup/postgres/akkoma.sql"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/borg.nix b/services/borg.nix
index 715ae37..ab5dbaa 100644
--- a/services/borg.nix
+++ b/services/borg.nix
@@ -1,3 +1,4 @@
 {
 age.secrets."borg_ed25519".file = ../secrets/borg_ed25519;
+ age.secrets."borg_pass".file = ../secrets/borg_pass;
 }
diff --git a/services/default.nix b/services/default.nix
index bb21095..0be227a 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -15,8 +15,8 @@
 ./lldap.nix
 ./mailserver.nix
 ./nextcloud.nix
- ./prosody.nix
 ./paste.nix
+ ./prosody.nix
 ./vaultwarden.nix
 ];
 }
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 2d7fd0b..29e10e9 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -24,7 +24,10 @@ in {
 paths = [
 "/var/lib/forgejo"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/lldap.nix b/services/lldap.nix
index f231af8..94ea9d7 100644
--- a/services/lldap.nix
+++ b/services/lldap.nix
@@ -23,7 +23,10 @@ in {
 paths = [
 "/var/lib/lldap"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
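Review bot: `"borg_pass".publicKeys = all;` lets every recipient in `all` decrypt the single passphrase that now protects every backup repository, and `all` is defined outside this hunk; if it contains more than the host that actually runs the borg jobs, each of those keys can read every archive. Consider scoping this one secret to the backup host, e.g. `"borg_pass".publicKeys = [ <backup-host-key> ];` (placeholder), while the other entries keep `all`. Because one passphrase covers the akkoma, forgejo, lldap, mailserver, nextcloud, paste, prosody and vaultwarden jobs, a compromise of any one service's backup credentials also opens the others' archives, so a per-job secret is worth weighing as a follow-up.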
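Review bot: `mode = "passkey";` does not look like a valid borg encryption mode (borg knows none, authenticated[-blake2], repokey[-blake2] and keyfile[-blake2]), and the NixOS `encryption.mode` option is an enum over those names, so I expect evaluation to reject it; `mode = "repokey-blake2";` is the usual choice when the key should be stored in the repository under this passphrase. A `keyfile*` mode would instead leave the key only on the client, where it must be backed up separately because the passphrase alone cannot open the repository. The same value is used in the forgejo, lldap, mailserver, nextcloud, paste, prosody and vaultwarden hunks. Separately, the mode is fixed when a repository is created and, as far as I recall, the module only runs `borg init` for a repository that does not exist yet, so every repo already initialised with `none` keeps receiving unencrypted archives after this change; those repos have to be re-created (or pointed at a fresh `repo` path) for the commit to do what its title says. The enclosing job attribute set starts above the hunk.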
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 67c868b..e8353f6 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -24,7 +24,10 @@
 paths = [
 "/var/vmail/ldap"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 0347723..1ad7cae 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -50,7 +50,10 @@ in {
 "/var/lib/nextcloud"
 "/var/backup/postgres/nextcloud.sql"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/paste.nix b/services/paste.nix
index 0a53462..19a39b8 100644
--- a/services/paste.nix
+++ b/services/paste.nix
@@ -23,7 +23,10 @@ in {
 paths = [
 "/var/lib/microbin"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/prosody.nix b/services/prosody.nix
index d9abcdc..5de363a 100644
--- a/services/prosody.nix
+++ b/services/prosody.nix
@@ -54,7 +54,10 @@
 paths = [
 "/var/lib/prosody"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 6033d8c..067c2af 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -23,7 +23,10 @@ in {
 paths = [
 "/var/lib/vaultwarden"
 ];
- encryption.mode = "none";
+ encryption = {
+ mode = "passkey";
+ passCommand = "cat ${config.age.secrets."borg_pass".path}";
+ };
 compression = "auto,lzma";
 startAt = "daily";
 prune.keep = {