fix(secrets): fix permissions

Also moves key references into respective configs where they are used.
2022-05-06 03:16:17 +02:00 · 2022-05-06 03:16:17 +02:00 · 0dee8b4fa7
commit 0dee8b4fa7
parent 7f3a5317bd
15 changed files with 125 additions and 96 deletions
--- a/services/restic/common.nix
+++ b/services/restic/common.nix
@ -1,55 +1,6 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, lib, ... }:

-# using the restic cli:
-# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
-# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
-
-with lib;
-with builtins;
-let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
-in {
-  resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
-    , extraPruneOpts ? [ ], ... }:
-    assert !hasAnyAttr [
-      "initialize"
-      "repository"
-      "s3CredentialsFile"
-      "passwordFile"
-      "pruneOpts"
-    ] args;
-    assert (args ? paths);
-    assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
-    {
-      initialize = true;
-      repository = "b2:felschr-backups:/${name}";
-      environmentFile = config.age.secrets.restic-b2.path;
-      passwordFile = config.age.secrets.restic-password.path;
-      timerConfig.OnCalendar = "daily";
-      paths = if ripgrep then null else paths;
-      dynamicFilesFrom = if ripgrep then
-        let
-          files = foldl (a: b: "${a} ${b}") "" paths;
-          ignoreFile = builtins.toFile "ignore"
-            (foldl (a: b: a + "\n" + b) "" ignorePatterns);
-        in ''
-          ${pkgs.ripgrep}/bin/rg \
-            --files ${files} \
-            --ignore-file ${ignoreFile} \
-            | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
-        ''
-      else
-        null;
-      pruneOpts = [
-        "--keep-daily 7"
-        "--keep-weekly 4"
-        "--keep-monthly 3"
-        "--keep-yearly 1"
-      ] ++ extraPruneOpts;
-    } // (removeAttrs args [
-      "name"
-      "ripgrep"
-      "paths"
-      "ignorePatterns"
-      "extraPruneOpts"
-    ]);
+{
+  age.secrets.restic-b2.file = ../../secrets/restic/b2.age;
+  age.secrets.restic-password.file = ../../secrets/restic/password.age;
 }
--- a/services/restic/home-pc.nix
+++ b/services/restic/home-pc.nix
@ -6,11 +6,13 @@

 with lib;
 with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
 in {
+  imports = [ ./common.nix ];
+
  environment.systemPackages = with pkgs; [ restic ];

-  services.restic.backups.full = common.resticConfig {
+  services.restic.backups.full = resticLib.resticConfig {
    name = "home-pc";
    ripgrep = true;
    paths = [ "/etc/nixos" "/var/lib" "/home" ];
--- a/services/restic/lib.nix
+++ b/services/restic/lib.nix
@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+# using the restic cli:
+# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
+# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
+
+with lib;
+with builtins;
+let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
+in {
+  resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
+    , extraPruneOpts ? [ ], ... }:
+    assert !hasAnyAttr [
+      "initialize"
+      "repository"
+      "s3CredentialsFile"
+      "passwordFile"
+      "pruneOpts"
+    ] args;
+    assert (args ? paths);
+    assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
+    {
+      initialize = true;
+      repository = "b2:felschr-backups:/${name}";
+      environmentFile = config.age.secrets.restic-b2.path;
+      passwordFile = config.age.secrets.restic-password.path;
+      timerConfig.OnCalendar = "daily";
+      paths = if ripgrep then null else paths;
+      dynamicFilesFrom = if ripgrep then
+        let
+          files = foldl (a: b: "${a} ${b}") "" paths;
+          ignoreFile = builtins.toFile "ignore"
+            (foldl (a: b: a + "\n" + b) "" ignorePatterns);
+        in ''
+          ${pkgs.ripgrep}/bin/rg \
+            --files ${files} \
+            --ignore-file ${ignoreFile} \
+            | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
+        ''
+      else
+        null;
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+        "--keep-yearly 1"
+      ] ++ extraPruneOpts;
+    } // (removeAttrs args [
+      "name"
+      "ripgrep"
+      "paths"
+      "ignorePatterns"
+      "extraPruneOpts"
+    ]);
+}
--- a/services/restic/rpi4.nix
+++ b/services/restic/rpi4.nix
@ -6,12 +6,16 @@

 with lib;
 with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
 in {
+  imports = [ ./common.nix ];
+
  environment.systemPackages = with pkgs; [ restic ];

-  services.restic.backups.full = common.resticConfig {
+  services.restic.backups.full = resticLib.resticConfig {
    name = "rpi4";
+    # TODO migrate old repository
+    # repository = "b2:felschr-rpi4-backup:/full";
    ripgrep = true;
    paths = [ "/etc/nixos" "/var/lib" "/home" ];
    ignorePatterns = [