encrypt all borg backups

README.md

@@ -7,6 +7,7 @@ TBC
 ## TODO's
 
 ### In Progress
+- Encrypt Backups
 - Root on `tmpfs`
 
 ### Urgent

secrets/borg_pass

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyB5U2Nv
+THdsMERoNE9mOHBFMkUzT3JOTzBXcXJSdnVEYkMzVFoyTlRaVWdvCkpOQlR3Zk9M
+T1FkT0NsdEZZRzRKb0JjT2xBM0JQck1Hem5vTVZ0QnZOMFEKLT4gc3NoLWVkMjU1
+MTkgYU8xbC9BIGprMmF4c3dETHE1RGR2WVlWY3RieHFOS3FEK2JaMHU1TEZobUFi
+T3R2aXcKdnJ0ZjMrYjV6UkZLL1R6SzBhU284ajgrb1RDcHQ5dWRYWlVJZ1lSQml4
+ZwotPiBfL0hdQkUjLWdyZWFzZSBodHJKYC09XQpWajgrcFFHY0ZrelQ3ZGE3cnFj
+MFUrc0ZEbkdBZlZ3TDY3Wi8vSjh2Yyt1RGFSaTVVenA1QzRCa2JmcjN6dmhJCjBC
+cVJaRldoeSsxeW90cmdyRVR6QlEKLS0tICtiTTUyUzhrNHRzOUliL3BCeTBuOE8w
+aVUvYWY5UGZGbWUwSnJnSkk1ZDAKkpGkJxtdmegXyVFuVRTLvWNgVIqnDzf7dB6D
+ApbZj2GC4xLKMWOp7SgQaKKth3SDbZpQLPiFiffdzKfyAlL/OirDhwDTnpLGsPw9
+zG7TjAHQW14Jg7JVH9JrJ2ge5DcceA==
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -12,6 +12,7 @@ in {
   "prosody.env".publicKeys = all;
   "vaultwarden.env".publicKeys = all;
   "borg_ed25519".publicKeys = all;
+  "borg_pass".publicKeys = all;
 
   "hidden_service/akkoma".publicKeys = all;
   "hidden_service/forgejo".publicKeys = all;

services/akkoma.nix

@@ -49,7 +49,10 @@ in {
         "/var/lib/akkoma"
         "/var/backup/postgres/akkoma.sql"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/borg.nix

@@ -1,3 +1,4 @@
 {
   age.secrets."borg_ed25519".file = ../secrets/borg_ed25519;
+  age.secrets."borg_pass".file = ../secrets/borg_pass;
 }

services/default.nix

@@ -15,8 +15,8 @@
     ./lldap.nix
     ./mailserver.nix
     ./nextcloud.nix
-    ./prosody.nix
     ./paste.nix
+    ./prosody.nix
     ./vaultwarden.nix
   ];
 }

services/forgejo.nix

@@ -24,7 +24,10 @@ in {
       paths = [
         "/var/lib/forgejo"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/lldap.nix

@@ -23,7 +23,10 @@ in {
       paths = [
         "/var/lib/lldap"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/mailserver.nix

@@ -24,7 +24,10 @@
     paths = [
       "/var/vmail/ldap"
     ];
-    encryption.mode = "none";
+    encryption = {
+      mode = "passkey";
+      passCommand = "cat ${config.age.secrets."borg_pass".path}";
+    };
     compression = "auto,lzma";
     startAt = "daily";
     prune.keep = {

services/nextcloud.nix

@@ -50,7 +50,10 @@ in {
         "/var/lib/nextcloud"
         "/var/backup/postgres/nextcloud.sql"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/paste.nix

@@ -23,7 +23,10 @@ in {
       paths = [
         "/var/lib/microbin"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/prosody.nix

@@ -54,7 +54,10 @@
       paths = [
         "/var/lib/prosody"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {

services/vaultwarden.nix

@@ -23,7 +23,10 @@ in {
       paths = [
         "/var/lib/vaultwarden"
       ];
-      encryption.mode = "none";
+      encryption = {
+        mode = "passkey";
+        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+      };
       compression = "auto,lzma";
       startAt = "daily";
       prune.keep = {