encrypt all borg backups

root 2025-11-08 19:39:54 +00:00
parent 9231d08176
commit b674bc6e1a
13 changed files with 49 additions and 9 deletions


@ -7,6 +7,7 @@ TBC
## TODO's ## TODO's
### In Progress ### In Progress
- Encrypt Backups
- Root on `tmpfs` - Root on `tmpfs`
### Urgent ### Urgent

13
secrets/borg_pass Normal file

@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -12,6 +12,7 @@ in {
"prosody.env".publicKeys = all; "prosody.env".publicKeys = all;
"vaultwarden.env".publicKeys = all; "vaultwarden.env".publicKeys = all;
"borg_ed25519".publicKeys = all; "borg_ed25519".publicKeys = all;
"borg_pass".publicKeys = all;
"hidden_service/akkoma".publicKeys = all; "hidden_service/akkoma".publicKeys = all;
"hidden_service/forgejo".publicKeys = all; "hidden_service/forgejo".publicKeys = all;
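Review bot: `"borg_pass".publicKeys = all;` makes the one borg passphrase decryptable by every key in `all`, and every backup job changed in this commit reads that same secret. What `all` contains is defined outside this hunk; if it holds only keys that live on the machine being backed up, losing that machine also loses the ability to open its backups. A short comment on this line naming the recovery recipient, for example `# borg_pass: at least one recipient must be kept off-host, it is needed for restore`, would make that requirement explicit.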


@ -49,7 +49,10 @@ in {
"/var/lib/akkoma" "/var/lib/akkoma"
"/var/backup/postgres/akkoma.sql" "/var/backup/postgres/akkoma.sql"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {
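Review bot: `mode = "passkey";` is not an encryption mode that borg knows; the values it accepts are `none`, `authenticated`, `authenticated-blake2`, `repokey`, `keyfile`, `repokey-blake2` and `keyfile-blake2`. If this block is a `services.borgbackup.jobs` entry, as the option names suggest, the module's enum check should reject the value at evaluation time, so the job would not build rather than start encrypting. Assuming the intent is a passphrase-protected key stored in the repository, the line would read `mode = "repokey-blake2";` (or `"repokey"`). The same value is set in the seven other job sections of this commit (forgejo, lldap, vmail, nextcloud, microbin, prosody, vaultwarden). The job's attribute set begins before and continues after this hunk.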


@ -1,3 +1,4 @@
{ {
age.secrets."borg_ed25519".file = ../secrets/borg_ed25519; age.secrets."borg_ed25519".file = ../secrets/borg_ed25519;
age.secrets."borg_pass".file = ../secrets/borg_pass;
} }


@ -15,8 +15,8 @@
./lldap.nix ./lldap.nix
./mailserver.nix ./mailserver.nix
./nextcloud.nix ./nextcloud.nix
./prosody.nix
./paste.nix ./paste.nix
./prosody.nix
./vaultwarden.nix ./vaultwarden.nix
]; ];
} }


@ -24,7 +24,10 @@ in {
paths = [ paths = [
"/var/lib/forgejo" "/var/lib/forgejo"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {
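Review bot: Switching `encryption.mode` away from `"none"` here does not encrypt a repository that already exists, because borg fixes the mode when the repository is initialised. If the forgejo repository, or any of the others touched by this commit, was already created under the old setting, its archives stay readable in plain form on the backup target until a new repository is initialised with the new mode and the old one is retired. A comment beside the block such as `# repo must be re-initialised after leaving mode "none"; remove the old unencrypted repo once the first encrypted run succeeds` would record that step. The repository path is set outside this hunk, so whether a new location is already used cannot be seen here.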


@ -23,7 +23,10 @@ in {
paths = [ paths = [
"/var/lib/lldap" "/var/lib/lldap"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -24,7 +24,10 @@
paths = [ paths = [
"/var/vmail/ldap" "/var/vmail/ldap"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -50,7 +50,10 @@ in {
"/var/lib/nextcloud" "/var/lib/nextcloud"
"/var/backup/postgres/nextcloud.sql" "/var/backup/postgres/nextcloud.sql"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -23,7 +23,10 @@ in {
paths = [ paths = [
"/var/lib/microbin" "/var/lib/microbin"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -54,7 +54,10 @@
paths = [ paths = [
"/var/lib/prosody" "/var/lib/prosody"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -23,7 +23,10 @@ in {
paths = [ paths = [
"/var/lib/vaultwarden" "/var/lib/vaultwarden"
]; ];
encryption.mode = "none"; encryption = {
mode = "passkey";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {