authorProfpatsch <mail@profpatsch.de>2021-02-13 12:18:54 +0100
committerProfpatsch <mail@profpatsch.de>2021-02-13 12:19:51 +0100
commit5b73fbf6989b48e5c4f35f671338d880acece2d0 (patch)
tree0d00aaddc14256d91e6ed0a5427831ba0d54253e /machines/profpatsch/legosi.nix
parent208066adaea15a4e5351a54c9cca1a9cf8fa0045 (diff)
feat(machines/legosi): initial duplicity setup
This should back up every service in `/var/lib` and anything I add in
the future that I might otherwise have missed.
Diffstat (limited to 'machines/profpatsch/legosi.nix')
-rw-r--r--machines/profpatsch/legosi.nix44
1 files changed, 44 insertions, 0 deletions
diff --git a/machines/profpatsch/legosi.nix b/machines/profpatsch/legosi.nix
index a0dd56f4..e4edc660 100644
--- a/machines/profpatsch/legosi.nix
+++ b/machines/profpatsch/legosi.nix
@@ -6,6 +6,13 @@ let
 
   hostname = "legosi";
 
+  gpgPublicKeyring = pkgs.runCommandLocal "keyring" {} ''
+    export GNUPGHOME=.
+    ${pkgs.gnupg}/bin/gpg --import ${../../pkgs/profpatsch/profpatsch.de/key.asc}
+    cp ./pubring.kbx $out
+  '';
+  gpgPublicKeyId = "4ACFD7592710266E18CEBB28C5CFD08B22247CDF";
+
   myKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNMQvmOfon956Z0ZVdp186YhPHtSBrXsBwaCt0JAbkf/U/P+4fG0OROA++fHDiFM4RrRHH6plsGY3W6L26mSsCM2LtlHJINFZtVILkI26MDEIKWEsfBatDW+XNAvkfYEahy16P5CBtTVNKEGsTcPD+VDistHseFNKiVlSLDCvJ0vMwOykHhq+rdJmjJ8tkUWC2bNqTIH26bU0UbhMAtJstWqaTUGnB0WVutKmkZbnylLMICAvnFoZLoMPmbvx8efgLYY2vD1pRd8Uwnq9MFV1EPbkJoinTf1XSo8VUo7WCjL79aYSIvHmXG+5qKB9ed2GWbBLolAoXkZ00E4WsVp9H philip@nyx";
 
 in {
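Review bot: The `gpgPublicKeyring` derivation imports `key.asc` but never checks that the imported key is the one `gpgPublicKeyId` names, so a swapped or extra key in that file would silently change which recipient the backups are encrypted to. Since the derivation builds the keyring anyway, it can fail the build on a mismatch by adding, after the `--import` line, `${pkgs.gnupg}/bin/gpg --list-keys "${gpgPublicKeyId}"` (gpg exits non-zero when the key is absent; Nix `let` bindings are recursive, so referencing the id defined below is fine). A short comment on `gpgPublicKeyId` such as `# fingerprint of the key in profpatsch.de/key.asc; the keyring build checks it is present` would make the pairing explicit. The `let` block continues before and after this hunk.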
@@ -64,6 +71,43 @@ in {
       };
     };
 
+    services.duplicity = {
+      enable = true;
+
+      root = "/";
+      # exclude all the system-related dirs
+      exclude = [
+        "/bin"
+        "/boot"
+        "/dev"
+        "/nix"
+        "/proc"
+        "/run"
+        "/sys"
+        "/tmp"
+        "/usr"
+        # /var/lib is what we want because it contains all services,
+        # but let’s be generous and keep everthing in /var except log
+        "/var/log"
+      ];
+
+      targetUrl = "b2://000efe88f7148a00000000003@profpatsch-legosi/";
+
+      # this uses the internal stateDirectory of the duplicity module
+      # Has to be set manually once of course.
+      secretFile = "/var/lib/duplicity/secrets";
+
+      extraFlags = [
+        "--verbosity" "notice"
+        "--full-if-older-than" "60D"
+        "--num-retries" "3"
+        # I hate GPG from the bottom of my heart
+        "--encrypt-key" gpgPublicKeyId
+        "--gpg-options" "--keyring ${gpgPublicKeyring} --trust-model always"
+      ];
+
+    };
+
 
     users.users = {
       root.openssh.authorizedKeys.keys = [ myKey ];
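Review bot: The `--gpg-options` entry passes `--trust-model always`, which makes gpg accept any key in the supplied keyring as a recipient, so the only thing guaranteeing that backups are encrypted to the intended key is that the keyring built in the `let` block contains nothing else; that assumption deserves a comment next to the flag, e.g. `# safe only because gpgPublicKeyring is built from our own key.asc and holds that single key`. The `secretFile` comment says it is set manually but not what it must contain or how it must be protected; since it carries the B2 credentials (presumably in systemd EnvironmentFile format, as the module documents), I would write `# Has to be created manually once (root-owned, mode 0600; holds the B2 credentials and passphrase variables).` Because `root = "/"` and `/var/lib/duplicity` is not in `exclude`, the secrets file and, if the module keeps duplicity's archive cache there, that cache are themselves captured by each backup; adding `"/var/lib/duplicity"` to `exclude` avoids storing both. The `in { … }` attribute set continues outside the hunk.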