Fachschaft/nixConfig
6
2
Fork 2
Code Issues 10 Pull requests 2 Projects Wiki Activity

Use sops for private key distribution

Browse source
This commit is contained in:
Gonne 2024-03-21 17:50:25 +01:00
parent e340a7eb75
commit 1bf59168fb
3 changed files with 55 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

20
nixos/modules/borgbackup.nix
View file

@ -116,12 +116,12 @@ in {
jobs.fsaccount = {
preHook = ''
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync -e 'ssh -i /home/fsaccount/.ssh/fsaccount' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /home/fsaccount/.ssh/fsaccount";
BORG_RSH = "ssh -i /run/secrets/backupKey";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@localhost:fsaccount";
@ -132,13 +132,23 @@ in {
};
};
environment.persistence.${config.impermanence.name} = {
users.fsaccount.directories = [
users.fsaccount.files = [
{
directory = ".ssh"; # SSH Key with access to FS Account and known_hosts
mode = "u=rwx,g=,o=";
file = ".ssh/known_hosts";
parentDirectory = {
mode = "u=rwx,g=,o=";
user = "fsaccount";
group = "users";
};
}
];
};
sops.secrets.backupKey = {
sopsFile = ../machines/bragi/backupKey.yaml;
owner = config.users.users.fsaccount.name;
inherit (config.users.users.fsaccount) group;
mode = "0400";
};
# Extra user for FS account backup
users.users = {
fsaccount = {