WIP: per-machine kopia secrets.

Cleanup unused kopia VM config.

.sops.yaml

@@ -7,7 +7,7 @@ keys:
   - &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
   - &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/common\.yaml
     key_groups:
       - age:
         - *admin_ppetru
@@ -17,4 +17,28 @@ creation_rules:
         - *server_c1
         - *server_c2
         - *server_c3
+  - path_regex: secrets/zippy\.yaml
+    key_groups:
+      - age:
+        - *server_zippy
+  - path_regex: secrets/chilly\.yaml
+    key_groups:
+      - age:
+        - *server_chilly
+  - path_regex: secrets/alo-cloud-1\.yaml
+    key_groups:
+      - age:
+        - *server_alo_cloud_1
+  - path_regex: secrets/c1\.yaml
+    key_groups:
+      - age:
+        - *server_c1
+  - path_regex: secrets/c2\.yaml
+    key_groups:
+      - age:
+        - *server_c2
+  - path_regex: secrets/c3\.yaml
+    key_groups:
+      - age:
+        - *server_c3
 

common/global/sops.nix

@@ -1,10 +1,16 @@
+{ config, ... }:
 {
   sops = {
-    defaultSopsFile = ./../../secrets/secrets.yaml;
     # sometimes the impermanence bind mount is stopped when sops needs these
     age.sshKeyPaths = [
       "/persist/etc/ssh/ssh_host_ed25519_key"
       "/persist/etc/ssh/ssh_host_rsa_key"
     ];
+    defaultSopsFile = ./../../secrets/common.yaml;
+    secrets = {
+      kopia = {
+        sopsFile = ./../../secrets/${config.networking.hostName}.yaml;
+      };
+    };
   };
 }

flake.nix

@@ -116,7 +116,6 @@
         alo-cloud-1 = mkHMNixos "aarch64-linux" [ ./hosts/alo-cloud-1 ];
         zippy = mkHMNixos "x86_64-linux" [ ./hosts/zippy ];
         chilly = mkHMNixos "x86_64-linux" [ ./hosts/chilly ];
-        kopia = mkNixos "x86_64-linux" [ ./hosts/kopia ];
       };
 
       deploy = {

hosts/kopia/default.nix

@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    ../../common/global
-    ../../common/container-node.nix
-  ];
-  networking.hostName = "kopia";
-
-  environment.systemPackages = with pkgs; [ kopia ];
-}

secrets/alo-cloud-1.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:s9X51A==,iv:ebrSNh3EVSt3jZWmShOazM8ZKiy25CWcu7xjlH92Flk=,tag:oNO0THW3T4Q8XHbSSVVUUw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRUZSZ1BuangxK3hsTTJX
+            elpQRjEwOElLUk9ueW1nU2U3Wm0yc3ZselI0Cno0aWMyODZZNnVOWDZUbGgwbFcx
+            WGFzaldMYzg1cmZiSUJDbGxoS2ZaYkkKLS0tIHNmdW0yRXFYYmQ0QVgzVnlJRDdY
+            aXR2eGE4K3lJMVRDM1B4UmV5VlpzL2cKzrkB0JvXi5Gk1SvSkVl5IORItdMFLJ71
+            78znEfPuKeV7zL5KAQA88VBm5zrR2EMl+rDPJpCv4kxERM3MMNhCcQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T16:02:15Z"
+    mac: ENC[AES256_GCM,data:zb6A+SafE6zUsyBvNqGH4gOukuVnscNKuDk4IGvsZW0SwYkysf/oRv33wmgM/jyKiANRlera85Jg2Q5PD4Z4G7fSQu0DbniPtXIeZ0sOY1By1aQMRX6Hx5fB9CjtP1sVjw2DCigMmHcnxGBFcZXMV83C6UZeUSkF/mXWfa4SaTU=,iv:cHwrYO2TRZ6frpMnxF5nRhOwkqwzQUUEhAu9Pxj3S9Y=,tag:ZyIf9qyGZyygBkxcM6he3A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/c1.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:UIw6qjizSJQ63wG8Elmat8giiiw=,iv:+Z0nHxIEajvx87ek8GmK/IjezPb9dVlV5sALT/MqKrY=,tag:VCvfr/qCRH7rfNN9i6w9eA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdS8wZFJ4R2RRZnFmamFm
+            dGRabytVV0FsUmlqdEJMWG45WmxtekdpK1U0CjhkeXlaVFRZcjQrUnU2S2FVV0JS
+            bG9FWDNQSjV1WHNvUmpkZ21mblBhVDQKLS0tIHZtVDAxYXJSOXZidHA0czVIZkRI
+            Y0tiRVVPSExJYk8yY0J2VlNoNGFJZ3MKsV7ni0wZWpJaRPpzYJVTjOsPdFf6rc0Z
+            LMJyNLHSL36RVC2tORYSI6siw8ON4qO9hBj9PHQpLmUiy8bUmfY6fw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T15:54:45Z"
+    mac: ENC[AES256_GCM,data:Dg16bi/GyLOiAb+NPMxAt75IVjkv4jZuNiBY+RtqIhLD1jXR6Cwf9Zc0xLKo0Kxfmw1tLjVhJ1dJOwRFFaIW8C9bP6l0ScLepqafhQNnXZq0uKg/Tp/9WogdI2xLpEuySt1npBMDdAQtE9vGHdmknb1E3gPolLhzvhmxWtGcE3g=,iv:92m5KeVUUx4s7RurHUyT3v+CDm7Vki7HfqJx6WjUGBU=,tag:3FmtsxchuvsTNRbMjLK8cQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/c2.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:VUiwHg==,iv:WzY1wm81jDlh/aZW6LA+FE+8cJ227AJlJkGOa0iQzjA=,tag:PV11AQe4rV6/tdeNboA+Cw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VTR1eUJCVFdFcWRXdDRV
+            Y3FkU0VrOGs3QmlyNTVkUmY3bitjUTcvY3kwCjJBYUtIVElENW1rWVc0bDBQb1pp
+            UWovbzhUendjd0tJS0pob3MwdTMwWFUKLS0tIDhxMGtRZ25BcmF2U3ZhdzB1MG5Z
+            dzJpTGQvTThQd3ZVSzdOREJaa0JUUDAKfTnxfhcAxWmn+IpkOOzJOV8Wo8RsbRMp
+            3LNdSzc/Zcmkb3Y2GpbxDZe0kFLNTR1qzyfRoigg6DUEZBSkkYuuvA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T16:01:53Z"
+    mac: ENC[AES256_GCM,data:1mpsjwylu7NKktw0vJEQ+384WyQ1CE0InTFpn65iB6geTOaVVHGll0bhfIUznuCyc1V9RDVa4Uga+PJLDi7gTcLvIsgezGdfBRtIKkl13JN0P7F/eNqMGijHdL4f02Q5PCt23RPS2lY8ti8nlKbO4U5a4TXRqvI3ChpjbkmOpG8=,iv:ETOy2kdrJoNRVZI6dtUjzzAqb88IYPQgtSuiETHoACw=,tag:4iN3SJxlT3sP1ia96D0icQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/c3.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:8F4FyA==,iv:9BvqQnfkr98H56rUw/NBrBrHac2beVZZWCFWNUtu4vs=,tag:3w9ppNh06q87T0LCGcFfpA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ3J1eHA2WW5BQnhZeUNN
+            YVlPamVvcmFTbWtPTGpMNFRUS0FTVitrdDEwCk1seVQ1dWZCZVVkNmZwWFNTaUpP
+            TVVzVVNZdXpsU0liMnFqc285SXl0bkkKLS0tIGxRcEw0OVBqWUtPZElKMVAvVnNG
+            czNjNmF0TkNqdC82Y0Z3ZzBQRFZSTVEKdKGWSH/6vKkapKXoEeKzVEpUfSEit6Z0
+            BIC1FP4mwwUMnyh6X7RFprluH+X2oRjN10VNXL3KLjQDIuimIBLfJg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T16:01:59Z"
+    mac: ENC[AES256_GCM,data:NRQDc0V/Seao7ErltJS9QkZs1tpcHYhvL8CYwI0B4AkDWCYcU8Mk/Xae8TBKj3XKr0WTJM05QStZfEtQk5Z1MWj4xLEWir+uhCDjGx/Mt2mRjdo7xsEo8rHRogVrJyeNqBMXK6Yh8xDFasQF2TDaoKie8jrNY7lhnPL3fegWwwo=,iv:KhPmDBU6KT9zV/s8o2mYUO5oMvGaVWjp46ec8mO6F3s=,tag:zZzVEGsiL1Xofv+0ya69BQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/chilly.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:4BIdhw==,iv:vU1FZgDnGTQ5uncGyntrRmoqxRWRDqGHPfyu7YFrAdM=,tag:VWZZHWmxxqQGLIZ7+bHhhg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaldxbkhEbHdrRWJweW5D
+            Zmx0SlVNVFZkL2hTa2loQ2xoeHptbks4UFFzClIrVGxiUzZNTk9MWWVpWmFyZ3py
+            TzNENDEzTkVvTEtrODVuNjB2UkUyVXMKLS0tIDVCNEFkOVpIQldvcUkxZ2ZSZ3E3
+            WTRtZGZkMEoxWkZtNlZzNXhNMHpOc2MKQ4sRqZwKJDyZB4tbuLyUWyWZVWGn2Jab
+            qfwxKjVaCsknLytEyFYjxPqzXA8nIcxIjLkcmikpPTypCpfR3jggGA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T16:02:07Z"
+    mac: ENC[AES256_GCM,data:BLM6wJTksRFknXW5Fuq+QBsq0qUX2bkr9Jxl2vCoQYOaX19yWtg64z12pxJAaq/ARYMvIOidnYmfbm0YvDSia+r7+blz2IWzioSb/bjVrPMSghqWJiwb33HozDzVPtBUFKck5P1E/g95yP5olYMVNfyyhKJddowHQXaEyq/Muhs=,iv:n9RRgkySsOZO/r2av0gVLtcCUX+iif7h7hc+HrXA+l4=,tag:3Ot35hasq2oADLES1FHy2Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/common.yaml

@@ -1,6 +1,4 @@
 ppetru-password: ENC[AES256_GCM,data:ykxGdbwTLNGKGy7PI/6uLyeWzEyfTo6R7d56m8Lb7kyY6rF0ovDzMGv71ruBA3CwznIp5EaCopvKVXf35xIEyptpQJie++ireQ==,iv:ArWScjeDHp/4DurW+id6PLUiwnMVVwk7iD5S9Bzc8lc=,tag:uErsF74I5D1M86Yl78Gqlw==,type:str]
-kopia-c1: ENC[AES256_GCM,data:blR7sTzegbjIN+3WDn8ob9CVrm0=,iv:mkmKuE+1f1mAyxO9day7RLG/aCUWAwNQs5PoDVXlpzg=,tag:Y5UH0w39UQeEg1V51KJj5A==,type:str]
-kopia-zippy: ENC[AES256_GCM,data:UZmeMpQteqX4N6Q0Fto901vQTPQ=,iv:AvZjhd4+RthDLfSQjvmq4KlwKwI0UEKsDWwo6YwXRRc=,tag:ctkBJVdpPLRHOv3np/5/qg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -70,8 +68,8 @@ sops:
             UHZwRmc2NjNDUlJCdWN1V1dhS1RkelEKF1KiZLQvruEAfjwbW8lIyzvcCqeAMReI
             svl1uSaSaxPtCbnc9RA2nfo0vvCoz0a02dhr7CAy3syfQPLLZqRAIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-10T18:23:09Z"
-    mac: ENC[AES256_GCM,data:aI7MI72Iza1fOA69FolDo1eLYB1xw0e7O2EisWi3KJCIyJs8HgcGszwovxAPK2gz6YC2pqu1bvEEw2CcJoaL7zFD+Lkbdw7OpG9gC6+lcDy2CVPoPBbjfG7vUge3qaIw9s9J9hNQm/L7QcpQAu+IksEsHq28tb3pxFr7UX9G9nA=,iv:sz0eVmjG7V0L/85C1wU6dbsCs9fAivbUS6nHmbjyp6M=,tag:KxB2O/2dEysqDUVPp7o8ow==,type:str]
+    lastmodified: "2025-03-11T15:54:47Z"
+    mac: ENC[AES256_GCM,data:GIHJcwKrRLBhTb3lj9pUza5Fyr9XcKbOMQAe+WETsyr5uHf7lNtlJOXjk1rjBIyJNUJDDnaGSUxCZ213xXIeNBJ92zN54kPheakOiLPOZN7N0YEsU6iENxsuVbQLvvDGvTY5t86DkV6vgClATKj/nqVpkPFAluh2zxLVbBeQrm0=,iv:rF8pesuNU3moerP0+wFuW02A6FYOTMyWWWWr90OB4Zc=,tag:ZXr/FAW37OynDBrGiksLLw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

secrets/zippy.yaml

@@ -0,0 +1,21 @@
+kopia: ENC[AES256_GCM,data:jgVX768tSgLx6bd1nZQ5vVN44e0=,iv:7ELVE5fnqODWlr0rJVDfrO9Dy+0e2WrC5mqiKHyPs08=,tag:5xxV78PbILawgt+PiGn7Vg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeGpNUWNpbkdxdlN5dEVJ
+            N0I2bGhmcTlseEpCeVIrREk2ZGpBT0lva0hFCmtOcU84TVhad1ZxL2E5bDFiWSsv
+            eXlieXg3RU9oN1BEOTREQ1ZxU3NhMmsKLS0tIGhaNTl5RXYvQ2JWaUdIR1lVTlJ2
+            OXdDRk9DSkVEZWhnQzZSOWpqcXJlZzQKXMEEOEy5ok8r/027lz3Aqim3Et8qYko0
+            nTWh6LCBFb61Pfd/1Xv0SclcVTsi+Krj4BVwK/ZVR6l8zxhwcqFJmQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-11T15:54:25Z"
+    mac: ENC[AES256_GCM,data:QCtLbH/QK6AR2c2+n4EtnocqUY42klIZ8+qWVQfKI9u5uCGyLuQIXPnsIlIkom5NLs3zVktyR1je/bC/9l7PZcsfRW5SxDnizIg/RDjS7nzzv7uvLFlZOVcTGTng65xNSsmpuuVZAxKqCDYzhlgwctd92DTfrkyZDoWLDKyE/LI=,iv:Omci5iUxIMrhF0jIFDHKTpKgucalur0CyJS98Dfkyek=,tag:/BdQJb9YA5UIwenq847KQw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

stateful-commands.txt

@@ -32,7 +32,7 @@ kopia repository server setup (on a non-NixOS host at the time):
   * kopia repository create filesystem --path /backup/persist
   * kopia repository connect filesystem --path=/backup/persist
   * kopia server user add root@zippy
-    then, add the password to secrets.yaml
+    then, add the password to secrets/zippy.yaml -- the key needs to be "kopia"
   * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key --tls-generate-cert (first time)
   * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key (subsequent)
 [TLS is mandatory for this]