encrypt all borg backups

2025-11-08 19:39:54 +00:00 · 2025-11-08 19:39:54 +00:00 · b674bc6e1a
commit b674bc6e1a
parent 9231d08176
13 changed files with 49 additions and 9 deletions
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@ -49,7 +49,10 @@ in {
        "/var/lib/akkoma"
        "/var/backup/postgres/akkoma.sql"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/borg.nix
+++ b/services/borg.nix
@ -1,3 +1,4 @@
 {
  age.secrets."borg_ed25519".file = ../secrets/borg_ed25519;
+  age.secrets."borg_pass".file = ../secrets/borg_pass;
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -15,8 +15,8 @@
    ./lldap.nix
    ./mailserver.nix
    ./nextcloud.nix
-    ./prosody.nix
    ./paste.nix
+    ./prosody.nix
    ./vaultwarden.nix
  ];
 }
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -24,7 +24,10 @@ in {
      paths = [
        "/var/lib/forgejo"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/lldap.nix
+++ b/services/lldap.nix
@ -23,7 +23,10 @@ in {
      paths = [
        "/var/lib/lldap"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -24,7 +24,10 @@
    paths = [
      "/var/vmail/ldap"
    ];
-    encryption.mode = "none";
+    encryption = {
+      mode = "passkey";
+      passCommand = "cat ${config.age.secrets."borg_pass".path}";
+    };
    compression = "auto,lzma";
    startAt = "daily";
    prune.keep = {
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -50,7 +50,10 @@ in {
        "/var/lib/nextcloud"
        "/var/backup/postgres/nextcloud.sql"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/paste.nix
+++ b/services/paste.nix
@ -23,7 +23,10 @@ in {
      paths = [
        "/var/lib/microbin"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -54,7 +54,10 @@
      paths = [
        "/var/lib/prosody"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -23,7 +23,10 @@ in {
      paths = [
        "/var/lib/vaultwarden"
      ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {