From b294dd2851f3c60d157409098473d3f6a79685a3 Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Tue, 11 Mar 2025 20:35:10 +0000
Subject: [PATCH] WIP: per-machine kopia secrets. Cleanup unused kopia VM config.
---
 .sops.yaml | 26 +++++++++++++++++++++++++-
 common/global/sops.nix | 8 +++++++-
 flake.nix | 1 -
 hosts/kopia/default.nix | 10 ----------
 secrets/alo-cloud-1.yaml | 21 +++++++++++++++++++++
 secrets/c1.yaml | 21 +++++++++++++++++++++
 secrets/c2.yaml | 21 +++++++++++++++++++++
 secrets/c3.yaml | 21 +++++++++++++++++++++
 secrets/chilly.yaml | 21 +++++++++++++++++++++
 secrets/{secrets.yaml => common.yaml} | 6 ++----
 secrets/zippy.yaml | 21 +++++++++++++++++++++
 stateful-commands.txt | 2 +-
 12 files changed, 161 insertions(+), 18 deletions(-)
 delete mode 100644 hosts/kopia/default.nix
 create mode 100644 secrets/alo-cloud-1.yaml
 create mode 100644 secrets/c1.yaml
 create mode 100644 secrets/c2.yaml
 create mode 100644 secrets/c3.yaml
 create mode 100644 secrets/chilly.yaml
 rename secrets/{secrets.yaml => common.yaml} (87%)
 create mode 100644 secrets/zippy.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 4c1ac48..ecb1f7e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,7 +7,7 @@ keys:
 - &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
 - &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
 creation_rules:
- - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ - path_regex: secrets/common\.yaml
 key_groups:
 - age:
 - *admin_ppetru
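Review bot: The new `path_regex: secrets/common\.yaml` drops the `$` anchor the old rule had and has no `^`, so as a regex it also matches any path that merely contains that text (a `secrets/common.yaml.bak`, or the same name under a deeper directory); the six per-host rules added in the next hunk have the same shape. Anchoring each rule, `path_regex: ^secrets/common\.yaml$`, keeps it matching exactly one file. Note also that the old catch-all rule is gone, so a new file under secrets/ that matches no rule cannot be encrypted with this config until a rule is added — that fails closed, which is reasonable, but deserves a comment in `.sops.yaml` so the next host addition is not a surprise.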
@@ -17,4 +17,28 @@ creation_rules:
 - *server_c1
 - *server_c2
 - *server_c3
+ - path_regex: secrets/zippy\.yaml
+ key_groups:
+ - age:
+ - *server_zippy
+ - path_regex: secrets/chilly\.yaml
+ key_groups:
+ - age:
+ - *server_chilly
+ - path_regex: secrets/alo-cloud-1\.yaml
+ key_groups:
+ - age:
+ - *server_alo_cloud_1
+ - path_regex: secrets/c1\.yaml
+ key_groups:
+ - age:
+ - *server_c1
+ - path_regex: secrets/c2\.yaml
+ key_groups:
+ - age:
+ - *server_c2
+ - path_regex: secrets/c3\.yaml
+ key_groups:
+ - age:
+ - *server_c3
diff --git a/common/global/sops.nix b/common/global/sops.nix
index ba0d2b6..a59e63e 100644
--- a/common/global/sops.nix
+++ b/common/global/sops.nix
@@ -1,10 +1,16 @@
+{ config, ... }:
 {
 sops = {
- defaultSopsFile = ./../../secrets/secrets.yaml;
 # sometimes the impermanence bind mount is stopped when sops needs these
 age.sshKeyPaths = [
 "/persist/etc/ssh/ssh_host_ed25519_key"
 "/persist/etc/ssh/ssh_host_rsa_key"
 ];
+ defaultSopsFile = ./../../secrets/common.yaml;
+ secrets = {
+ kopia = {
+ sopsFile = ./../../secrets/${config.networking.hostName}.yaml;
+ };
+ };
 };
 }
diff --git a/flake.nix b/flake.nix
index 7700302..52619de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -116,7 +116,6 @@
 alo-cloud-1 = mkHMNixos "aarch64-linux" [ ./hosts/alo-cloud-1 ];
 zippy = mkHMNixos "x86_64-linux" [ ./hosts/zippy ];
 chilly = mkHMNixos "x86_64-linux" [ ./hosts/chilly ];
- kopia = mkNixos "x86_64-linux" [ ./hosts/kopia ];
 };
 deploy = {
diff --git a/hosts/kopia/default.nix b/hosts/kopia/default.nix
deleted file mode 100644
index c9fdbda..0000000
--- a/hosts/kopia/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-{
- imports = [
- ../../common/global
- ../../common/container-node.nix
- ];
- networking.hostName = "kopia";
-
- environment.systemPackages = with pkgs; [ kopia ];
-}
diff --git a/secrets/alo-cloud-1.yaml b/secrets/alo-cloud-1.yaml
new file mode 100644
index 0000000..2da63c7
--- /dev/null
+++ b/secrets/alo-cloud-1.yaml
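Review bot: Each per-host rule lists only that host's `server_*` key as recipient, and the per-host files created in this patch carry a single age recipient accordingly, so the `admin_ppetru` key that the common rule keeps can no longer decrypt or re-encrypt `secrets/<host>.yaml`; editing or rotating a host's kopia secret then requires that host's SSH host key, and losing the host key (a reinstall, a reprovisioned VM) loses the secret with it. If that is not the intent, add `- *admin_ppetru` next to each `- *server_…` entry, or place the admin key in a second key group, and re-encrypt the six files with `sops updatekeys`. Either way a short comment above the per-host rules stating who is meant to hold these keys would make the decision visible.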
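Review bot: `sops.secrets.kopia` is now declared for every host that imports common/global, with `sopsFile` derived from `config.networking.hostName`, so as far as I can tell evaluation fails for any host whose `secrets/<hostName>.yaml` does not exist, and every host decrypts a kopia secret into its runtime secrets directory whether or not it runs kopia. Consider declaring the secret only in the module that consumes it, or guarding the declaration, e.g. `secrets = lib.mkIf (builtins.pathExists ./../../secrets/${config.networking.hostName}.yaml) { kopia = { sopsFile = …; }; };` (which needs `lib` added to the argument set). A one-line comment above `secrets` noting that each host needs a matching `secrets/<hostName>.yaml` plus a rule in `.sops.yaml` would also help, since the two have to be updated in step for every new host.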
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:s9X51A==,iv:ebrSNh3EVSt3jZWmShOazM8ZKiy25CWcu7xjlH92Flk=,tag:oNO0THW3T4Q8XHbSSVVUUw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRUZSZ1BuangxK3hsTTJX + elpQRjEwOElLUk9ueW1nU2U3Wm0yc3ZselI0Cno0aWMyODZZNnVOWDZUbGgwbFcx + WGFzaldMYzg1cmZiSUJDbGxoS2ZaYkkKLS0tIHNmdW0yRXFYYmQ0QVgzVnlJRDdY + aXR2eGE4K3lJMVRDM1B4UmV5VlpzL2cKzrkB0JvXi5Gk1SvSkVl5IORItdMFLJ71 + 78znEfPuKeV7zL5KAQA88VBm5zrR2EMl+rDPJpCv4kxERM3MMNhCcQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T16:02:15Z" + mac: ENC[AES256_GCM,data:zb6A+SafE6zUsyBvNqGH4gOukuVnscNKuDk4IGvsZW0SwYkysf/oRv33wmgM/jyKiANRlera85Jg2Q5PD4Z4G7fSQu0DbniPtXIeZ0sOY1By1aQMRX6Hx5fB9CjtP1sVjw2DCigMmHcnxGBFcZXMV83C6UZeUSkF/mXWfa4SaTU=,iv:cHwrYO2TRZ6frpMnxF5nRhOwkqwzQUUEhAu9Pxj3S9Y=,tag:ZyIf9qyGZyygBkxcM6he3A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/c1.yaml b/secrets/c1.yaml new file mode 100644 index 0000000..bb73fe1 --- /dev/null +++ b/secrets/c1.yaml 
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:UIw6qjizSJQ63wG8Elmat8giiiw=,iv:+Z0nHxIEajvx87ek8GmK/IjezPb9dVlV5sALT/MqKrY=,tag:VCvfr/qCRH7rfNN9i6w9eA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdS8wZFJ4R2RRZnFmamFm + dGRabytVV0FsUmlqdEJMWG45WmxtekdpK1U0CjhkeXlaVFRZcjQrUnU2S2FVV0JS + bG9FWDNQSjV1WHNvUmpkZ21mblBhVDQKLS0tIHZtVDAxYXJSOXZidHA0czVIZkRI + Y0tiRVVPSExJYk8yY0J2VlNoNGFJZ3MKsV7ni0wZWpJaRPpzYJVTjOsPdFf6rc0Z + LMJyNLHSL36RVC2tORYSI6siw8ON4qO9hBj9PHQpLmUiy8bUmfY6fw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T15:54:45Z" + mac: ENC[AES256_GCM,data:Dg16bi/GyLOiAb+NPMxAt75IVjkv4jZuNiBY+RtqIhLD1jXR6Cwf9Zc0xLKo0Kxfmw1tLjVhJ1dJOwRFFaIW8C9bP6l0ScLepqafhQNnXZq0uKg/Tp/9WogdI2xLpEuySt1npBMDdAQtE9vGHdmknb1E3gPolLhzvhmxWtGcE3g=,iv:92m5KeVUUx4s7RurHUyT3v+CDm7Vki7HfqJx6WjUGBU=,tag:3FmtsxchuvsTNRbMjLK8cQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/c2.yaml b/secrets/c2.yaml new file mode 100644 index 0000000..6031b0d --- /dev/null +++ b/secrets/c2.yaml 
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:VUiwHg==,iv:WzY1wm81jDlh/aZW6LA+FE+8cJ227AJlJkGOa0iQzjA=,tag:PV11AQe4rV6/tdeNboA+Cw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VTR1eUJCVFdFcWRXdDRV + Y3FkU0VrOGs3QmlyNTVkUmY3bitjUTcvY3kwCjJBYUtIVElENW1rWVc0bDBQb1pp + UWovbzhUendjd0tJS0pob3MwdTMwWFUKLS0tIDhxMGtRZ25BcmF2U3ZhdzB1MG5Z + dzJpTGQvTThQd3ZVSzdOREJaa0JUUDAKfTnxfhcAxWmn+IpkOOzJOV8Wo8RsbRMp + 3LNdSzc/Zcmkb3Y2GpbxDZe0kFLNTR1qzyfRoigg6DUEZBSkkYuuvA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T16:01:53Z" + mac: ENC[AES256_GCM,data:1mpsjwylu7NKktw0vJEQ+384WyQ1CE0InTFpn65iB6geTOaVVHGll0bhfIUznuCyc1V9RDVa4Uga+PJLDi7gTcLvIsgezGdfBRtIKkl13JN0P7F/eNqMGijHdL4f02Q5PCt23RPS2lY8ti8nlKbO4U5a4TXRqvI3ChpjbkmOpG8=,iv:ETOy2kdrJoNRVZI6dtUjzzAqb88IYPQgtSuiETHoACw=,tag:4iN3SJxlT3sP1ia96D0icQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/c3.yaml b/secrets/c3.yaml new file mode 100644 index 0000000..1d010e9 --- /dev/null +++ b/secrets/c3.yaml 
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:8F4FyA==,iv:9BvqQnfkr98H56rUw/NBrBrHac2beVZZWCFWNUtu4vs=,tag:3w9ppNh06q87T0LCGcFfpA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ3J1eHA2WW5BQnhZeUNN + YVlPamVvcmFTbWtPTGpMNFRUS0FTVitrdDEwCk1seVQ1dWZCZVVkNmZwWFNTaUpP + TVVzVVNZdXpsU0liMnFqc285SXl0bkkKLS0tIGxRcEw0OVBqWUtPZElKMVAvVnNG + czNjNmF0TkNqdC82Y0Z3ZzBQRFZSTVEKdKGWSH/6vKkapKXoEeKzVEpUfSEit6Z0 + BIC1FP4mwwUMnyh6X7RFprluH+X2oRjN10VNXL3KLjQDIuimIBLfJg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T16:01:59Z" + mac: ENC[AES256_GCM,data:NRQDc0V/Seao7ErltJS9QkZs1tpcHYhvL8CYwI0B4AkDWCYcU8Mk/Xae8TBKj3XKr0WTJM05QStZfEtQk5Z1MWj4xLEWir+uhCDjGx/Mt2mRjdo7xsEo8rHRogVrJyeNqBMXK6Yh8xDFasQF2TDaoKie8jrNY7lhnPL3fegWwwo=,iv:KhPmDBU6KT9zV/s8o2mYUO5oMvGaVWjp46ec8mO6F3s=,tag:zZzVEGsiL1Xofv+0ya69BQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/chilly.yaml b/secrets/chilly.yaml new file mode 100644 index 0000000..7cbfc44 --- /dev/null +++ b/secrets/chilly.yaml 
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:4BIdhw==,iv:vU1FZgDnGTQ5uncGyntrRmoqxRWRDqGHPfyu7YFrAdM=,tag:VWZZHWmxxqQGLIZ7+bHhhg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaldxbkhEbHdrRWJweW5D + Zmx0SlVNVFZkL2hTa2loQ2xoeHptbks4UFFzClIrVGxiUzZNTk9MWWVpWmFyZ3py + TzNENDEzTkVvTEtrODVuNjB2UkUyVXMKLS0tIDVCNEFkOVpIQldvcUkxZ2ZSZ3E3 + WTRtZGZkMEoxWkZtNlZzNXhNMHpOc2MKQ4sRqZwKJDyZB4tbuLyUWyWZVWGn2Jab + qfwxKjVaCsknLytEyFYjxPqzXA8nIcxIjLkcmikpPTypCpfR3jggGA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T16:02:07Z" + mac: ENC[AES256_GCM,data:BLM6wJTksRFknXW5Fuq+QBsq0qUX2bkr9Jxl2vCoQYOaX19yWtg64z12pxJAaq/ARYMvIOidnYmfbm0YvDSia+r7+blz2IWzioSb/bjVrPMSghqWJiwb33HozDzVPtBUFKck5P1E/g95yP5olYMVNfyyhKJddowHQXaEyq/Muhs=,iv:n9RRgkySsOZO/r2av0gVLtcCUX+iif7h7hc+HrXA+l4=,tag:3Ot35hasq2oADLES1FHy2Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/secrets/secrets.yaml b/secrets/common.yaml similarity index 87% rename from secrets/secrets.yaml rename to secrets/common.yaml index b4ec1db..4f39327 100644 --- a/secrets/secrets.yaml +++ b/secrets/common.yaml @@ -1,6 +1,4 @@ ppetru-password: ENC[AES256_GCM,data:ykxGdbwTLNGKGy7PI/6uLyeWzEyfTo6R7d56m8Lb7kyY6rF0ovDzMGv71ruBA3CwznIp5EaCopvKVXf35xIEyptpQJie++ireQ==,iv:ArWScjeDHp/4DurW+id6PLUiwnMVVwk7iD5S9Bzc8lc=,tag:uErsF74I5D1M86Yl78Gqlw==,type:str] -kopia-c1: ENC[AES256_GCM,data:blR7sTzegbjIN+3WDn8ob9CVrm0=,iv:mkmKuE+1f1mAyxO9day7RLG/aCUWAwNQs5PoDVXlpzg=,tag:Y5UH0w39UQeEg1V51KJj5A==,type:str] -kopia-zippy: ENC[AES256_GCM,data:UZmeMpQteqX4N6Q0Fto901vQTPQ=,iv:AvZjhd4+RthDLfSQjvmq4KlwKwI0UEKsDWwo6YwXRRc=,tag:ctkBJVdpPLRHOv3np/5/qg==,type:str] sops: kms: [] gcp_kms: [] 
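Review bot: Removing `kopia-c1` and `kopia-zippy` from the shared file only changes who can decrypt them from now on; the old ciphertexts stay in git history encrypted to every recipient of the previous catch-all rule, so any key that could read them before still can. If the values were carried over unchanged into `secrets/c1.yaml` and `secrets/zippy.yaml` rather than regenerated, the per-host split gives no real isolation until the kopia server user passwords are rotated — I cannot tell from the ciphertexts whether that was done, so it is worth stating in the commit message either way.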
@@ -70,8 +68,8 @@ sops: UHZwRmc2NjNDUlJCdWN1V1dhS1RkelEKF1KiZLQvruEAfjwbW8lIyzvcCqeAMReI svl1uSaSaxPtCbnc9RA2nfo0vvCoz0a02dhr7CAy3syfQPLLZqRAIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-10T18:23:09Z" - mac: ENC[AES256_GCM,data:aI7MI72Iza1fOA69FolDo1eLYB1xw0e7O2EisWi3KJCIyJs8HgcGszwovxAPK2gz6YC2pqu1bvEEw2CcJoaL7zFD+Lkbdw7OpG9gC6+lcDy2CVPoPBbjfG7vUge3qaIw9s9J9hNQm/L7QcpQAu+IksEsHq28tb3pxFr7UX9G9nA=,iv:sz0eVmjG7V0L/85C1wU6dbsCs9fAivbUS6nHmbjyp6M=,tag:KxB2O/2dEysqDUVPp7o8ow==,type:str] + lastmodified: "2025-03-11T15:54:47Z" + mac: ENC[AES256_GCM,data:GIHJcwKrRLBhTb3lj9pUza5Fyr9XcKbOMQAe+WETsyr5uHf7lNtlJOXjk1rjBIyJNUJDDnaGSUxCZ213xXIeNBJ92zN54kPheakOiLPOZN7N0YEsU6iENxsuVbQLvvDGvTY5t86DkV6vgClATKj/nqVpkPFAluh2zxLVbBeQrm0=,iv:rF8pesuNU3moerP0+wFuW02A6FYOTMyWWWWr90OB4Zc=,tag:ZXr/FAW37OynDBrGiksLLw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/secrets/zippy.yaml b/secrets/zippy.yaml new file mode 100644 index 0000000..6ce13bc --- /dev/null +++ b/secrets/zippy.yaml 
@@ -0,0 +1,21 @@ +kopia: ENC[AES256_GCM,data:jgVX768tSgLx6bd1nZQ5vVN44e0=,iv:7ELVE5fnqODWlr0rJVDfrO9Dy+0e2WrC5mqiKHyPs08=,tag:5xxV78PbILawgt+PiGn7Vg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeGpNUWNpbkdxdlN5dEVJ + N0I2bGhmcTlseEpCeVIrREk2ZGpBT0lva0hFCmtOcU84TVhad1ZxL2E5bDFiWSsv + eXlieXg3RU9oN1BEOTREQ1ZxU3NhMmsKLS0tIGhaNTl5RXYvQ2JWaUdIR1lVTlJ2 + OXdDRk9DSkVEZWhnQzZSOWpqcXJlZzQKXMEEOEy5ok8r/027lz3Aqim3Et8qYko0 + nTWh6LCBFb61Pfd/1Xv0SclcVTsi+Krj4BVwK/ZVR6l8zxhwcqFJmQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-11T15:54:25Z" + mac: ENC[AES256_GCM,data:QCtLbH/QK6AR2c2+n4EtnocqUY42klIZ8+qWVQfKI9u5uCGyLuQIXPnsIlIkom5NLs3zVktyR1je/bC/9l7PZcsfRW5SxDnizIg/RDjS7nzzv7uvLFlZOVcTGTng65xNSsmpuuVZAxKqCDYzhlgwctd92DTfrkyZDoWLDKyE/LI=,iv:Omci5iUxIMrhF0jIFDHKTpKgucalur0CyJS98Dfkyek=,tag:/BdQJb9YA5UIwenq847KQw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/stateful-commands.txt b/stateful-commands.txt index 5c5bcda..9089621 100644 --- a/stateful-commands.txt +++ b/stateful-commands.txt @@ -32,7 +32,7 @@ kopia repository server setup (on a non-NixOS host at the time): * kopia repository create filesystem --path /backup/persist * kopia repository connect filesystem --path=/backup/persist * kopia server user add root@zippy - then, add the password to secrets.yaml + then, add the password to secrets/zippy.yaml -- the key needs to be "kopia" * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key --tls-generate-cert (first time) * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key (subsequent) [TLS is mandatory for this]