From e91f417a29f96f7c3969aa62b5a74dfbcdab6c18 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Tue, 2 Apr 2024 18:33:50 +0200
Subject: [PATCH 1/3] Move secrets to machine config
---
 nixos/machines/bragi/configuration.nix | 9 ++++++++-
 nixos/modules/borgbackup.nix | 6 ------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/nixos/machines/bragi/configuration.nix b/nixos/machines/bragi/configuration.nix
index f74fbb9..dd2ecdc 100644
--- a/nixos/machines/bragi/configuration.nix
+++ b/nixos/machines/bragi/configuration.nix
@@ -1,4 +1,4 @@
-{
+{config, ...}: {
 imports = [
 ./hardware-configuration.nix
 ../../roles
@@ -12,4 +12,11 @@
 # System configuration here
 networking.hostName = "bragi";
 system.stateVersion = "23.11";
+
+ sops.secrets.backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = config.users.users.fsaccount.name;
+ inherit (config.users.users.fsaccount) group;
+ mode = "0400";
+ };
 }
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index b5cbe40..ca81cc2 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
@@ -161,11 +161,5 @@ in {
 }
 ];
 };
- sops.secrets.backupKey = {
- sopsFile = ../machines/bragi/backupKey.yaml;
- owner = config.users.users.fsaccount.name;
- inherit (config.users.users.fsaccount) group;
- mode = "0400";
- };
 };
 }
-- 2.39.5
From 7bc8261cb64ea251e8ef3aea39a8d7a8958965fe Mon Sep 17 00:00:00 2001
From: Gonne
Date: Tue, 2 Apr 2024 18:34:16 +0200
Subject: [PATCH 2/3] Also sync deletion of files from fsaccount before taking the backup
---
 nixos/modules/borgbackup.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index ca81cc2..784981c 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
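Review bot: In nixos/machines/bragi/configuration.nix (PATCH 1/3, hunk at +12), the secret is now declared per machine, but as far as this series shows the borgbackup module still reaches it through the literal path `/run/secrets/backupKey` in its preHook. A host that imports the module without this stanza would evaluate cleanly and fail only at run time, when rsync cannot open the identity file. Referencing `${config.sops.secrets.backupKey.path}` inside the module's preHook would turn a missing declaration into an evaluation error instead. A short comment above the stanza, for example `# SSH identity used by the borgbackup preHook; declared here because the sops file is per-machine`, would also document the coupling between the two files.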
@@ -121,7 +121,7 @@ in {
 jobs.fsaccount = {
 preHook = ''
 mkdir -p /home/fsaccount/sicherung # Create if it does not exist
- ${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
+ ${pkgs.rsync}/bin/rsync --rsh='ssh -i /run/secrets/backupKey' --recursive --delete fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
 '';
 paths = "/home/fsaccount/sicherung";
 encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
-- 2.39.5
From e69c8c6efbcaccc1cb002ffe5710823d848eb300 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Tue, 2 Apr 2024 18:46:41 +0200
Subject: [PATCH 3/3] Remove obsolete DNS resolver
---
 nixos/machines/bragi/network.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/machines/bragi/network.nix b/nixos/machines/bragi/network.nix
index b113b50..af70cb7 100644
--- a/nixos/machines/bragi/network.nix
+++ b/nixos/machines/bragi/network.nix
@@ -10,6 +10,7 @@
 }
 ];
 defaultGateway = "192.168.1.137";
- nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
+ # https://www.hrz.tu-darmstadt.de/services/it_services/nameserver_dns/index.de.jsp
+ nameservers = ["130.83.22.63" "130.83.22.60" "130.83.56.60"];
 };
 }
-- 2.39.5
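Review bot: In nixos/modules/borgbackup.nix (PATCH 2/3, hunk at -121), the added `--delete` will not remove top-level entries that have disappeared on the remote, because the source is still the wildcard `/home/fachschaft/*`. The glob is expanded on the sending side into individual arguments, and rsync only deletes inside directories it was asked to transfer as a whole; the same glob also skips top-level dotfiles. Passing the directory itself closes both gaps: `fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/ /home/fsaccount/sicherung/`. Since deletions on the remote are now mirrored locally before every backup run, it is worth confirming that the job's prune/retention settings (outside this hunk) keep enough archives to recover from an accidental or malicious wipe on the source host.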