Introduce agenix secrets management

2023-05-01 11:37:33 +02:00
parent ce766a8f90
commit 09b043c26c
8 changed files with 86 additions and 1 deletions
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -6,6 +6,8 @@
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm

+      ./secrets
+
      ./restic-server.nix
    ];

--- a/hosts/clerie-backup/restic-server.nix
+++ b/hosts/clerie-backup/restic-server.nix
@@ -8,6 +8,15 @@
    listenAddress = "[::1]:43242";
  };

+  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+  # until then we copy the secrets to the common location
+  age.secrets.restic-server-cyan-htpasswd = {
+    path = "/mnt/clerie-backup/cyan/.htpasswd";
+    symlink = false;
+    owner = "restic";
+    group = "restic";
+  };
+
  services.nginx.virtualHosts."cyan.backup.clerie.de" = {
    enableACME = true;
    forceSSL = true;
--- a/hosts/clerie-backup/secrets/default.nix
+++ b/hosts/clerie-backup/secrets/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  age.secrets.restic-server-cyan-htpasswd.file = ./restic-server-cyan-htpasswd.age;
+}
--- a/hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
+++ b/hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 HwR33w zPP2GxmlabgLkMMW9DqpdAiMUXTPTwZ8Y1aHAKoOUU4
+oqGSUZMztWoercL/DD/Qagn8VE4U8KPzPrjmLXHGb5I
+-> ssh-ed25519 ILP4Ew cLYC1UCOo1XSvnViQZfXKUClDkO9SZZZsHR2yxGm2Dc
+1cyw/j8XQk/ztE6fEtZtjQ8cX4mkF5FrAWgZfyENV4c
+-> P-grease uB// Mn0<WD U%HyAy#v
+X5sX6sC2qXAKtRCcLA0TMmpSoVCoCYlcz+efVNPfala+Yh+z3kXjZIoVohtBc8Bi
+Jy8fizfJEv6u7bPhdoytSEoQtMiTMw
+--- /ymN2GqfIuI/2cqu7PFU0oO6RYfp3ZX1b9AX/YA2xJs
+<08>fh<66>7<EFBFBD><37><EFBFBD>f`<60><>:ȗUJ<>JXZ<58><5A><EFBFBD>(<11><><EFBFBD>꺯A<EABAAF>_<EFBFBD>a<EFBFBD>kiS<01><><EFBFBD>gK<67>esO<73><4F>)<29><>6ncQFH<46><48>r<EFBFBD><72>P<EFBFBD><29<06><><EFBFBD>{<7B>:<3A>9