From 6439a32c6e15f34ddd73b22a69279dce55df4cb6 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 6 Aug 2023 16:24:36 +0100
Subject: [PATCH] nixos/vaultwarden: Add backup
---
 .keys/zh2855.rsync.net.pub | 3 +
 lib/default.nix | 1 +
 .../vms/shill/containers/vaultwarden.nix | 33 +++++++-
 secrets/vaultwarden/backup-pass.txt.age | 13 +++
 secrets/vaultwarden/backup-ssh.key.age | 81 +++++++++++++++++++
 .../config.env.age} | 0
 6 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 .keys/zh2855.rsync.net.pub
 create mode 100644 secrets/vaultwarden/backup-pass.txt.age
 create mode 100644 secrets/vaultwarden/backup-ssh.key.age
 rename secrets/{vaultwarden.env.age => vaultwarden/config.env.age} (100%)
diff --git a/.keys/zh2855.rsync.net.pub b/.keys/zh2855.rsync.net.pub
new file mode 100644
index 0000000..c0072c8
--- /dev/null
+++ b/.keys/zh2855.rsync.net.pub
@@ -0,0 +1,3 @@
+zh2855.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd
+zh2855.rsync.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLR2uz+YLn2KiQK0Luu8rhfWS6LHgUfGAWB1j8rM2MKn4KZ2/LhIX1CYkPKMTPxHr6mzayeL1T1hyJIylxXv0BY=
+zh2855.rsync.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPgHxQyaDaVxUefoUJZO/lITh0Gp0sqbP7HejQcCfZi7gAcuM6/IAuUXLHFImefCHh52x6T/cHxgL1qz26GKgdxykl06WRXlRIuE45QFSy/cd9JKr6l58fKq30ApmXRsCNwFrMlFPoEpCTqxzddZ9cLXs1Yt9dRxvFlQVEuAzw7ayvt8DE6RP9/CHYVp54wbbvUToECGwu70sxY1vFg51K+vNpvJ3J0t5j3s4c1Wls4BrIwqi2U8kqCq9Nj2CUIQqjM+93CSqEacR3qOGvG/6QMzd733wzpJ/iZee+lcyTYzA0YNMosnaF01hrv7NMwtZ6xRFLlJZtMZ7JpfySrOBr
diff --git a/lib/default.nix b/lib/default.nix
index 783745f..97e8fc4 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -260,5 +260,6 @@ rec {
 sshKeyFiles = {
 me = ../.keys/me.pub;
 deploy = ../.keys/deploy.pub;
+ rsyncNet = ../.keys/zh2855.rsync.net.pub;
 };
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 58d9661..456cb05 100644
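Review bot: The three rsync.net host keys are pinned with no record of how they were verified, and because `programs.ssh.knownHostsFiles` makes this file the trust anchor for the backup target, a fingerprint copied from a first connection would pin a man-in-the-middle just as readily as the real host. OpenSSH known_hosts files accept `#` comment lines, so a header such as `# zh2855.rsync.net host keys, verified out of band against the fingerprints rsync.net publishes (2023-08-06)` would let a future key rotation be checked the same way. Keeping only the `ssh-ed25519` entry would also narrow what the client accepts, though that is a preference rather than a defect.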
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -36,7 +36,11 @@ in
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP2mF50ENpnJnr+VTnG9P+JFPjgwvoIxCLyJPzXRpVy";
- files."vaultwarden.env" = {};
+ files = {
+ "vaultwarden/config.env" = {};
+ "vaultwarden/backup-pass.txt" = {};
+ "vaultwarden/backup-ssh.key" = {};
+ };
 };
 firewall = {
@@ -57,6 +61,10 @@ in
 network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
 };
+ programs.ssh.knownHostsFiles = [
+ lib.my.sshKeyFiles.rsyncNet
+ ];
+
 services = {
 vaultwarden = {
 enable = true;
@@ -86,7 +94,28 @@ in
 PUSH_ENABLED = true;
 };
- environmentFile = config.age.secrets."vaultwarden.env".path;
+ environmentFile = config.age.secrets."vaultwarden/config.env".path;
+ };
+
+ borgbackup.jobs.vaultwarden = {
+ paths = [ vwData ];
+ repo = "zh2855@zh2855.rsync.net:borg/vaultwarden2";
+ doInit = true;
+ environment = {
+ BORG_REMOTE_PATH = "borg1";
+ BORG_RSH = ''ssh -i ${config.age.secrets."vaultwarden/backup-ssh.key".path}'';
+ };
+ compression = "zstd,10";
+ encryption = {
+ mode = "repokey";
+ passCommand = ''cat ${config.age.secrets."vaultwarden/backup-pass.txt".path}'';
+ };
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = -1;
+ };
 };
 };
 }
diff --git a/secrets/vaultwarden/backup-pass.txt.age b/secrets/vaultwarden/backup-pass.txt.age
new file mode 100644
index 0000000..9a9fc37
--- /dev/null
+++ b/secrets/vaultwarden/backup-pass.txt.age
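Review bot: `paths = [ vwData ]` archives the live data directory, so if this instance runs on the default SQLite backend (the visible config shows no `DATABASE_URL`, so it may) the archive can capture `db.sqlite3` and its WAL mid-write and restore to an inconsistent database; nothing in the job produces a consistent dump first. The sketch below excludes the live database files and writes a copy with `sqlite3 … ".backup"` from `preHook`, adding `readWritePaths` because, as far as I recall, the NixOS borg job unit runs under `ProtectSystem=strict`; it assumes `pkgs` is in scope in this module and that `vwData` is a string path. Two caveats the commit leaves open: the same key that uploads can also delete and prune, so unless the rsync.net side restricts it to `borg serve --append-only` a compromise of this container can erase its own backup history; and with `mode = "repokey"` the repository key sits next to the data at the provider, leaving the passphrase in `backup-pass.txt` as the only barrier, so it should be high-entropy and the key exported with `borg key export` to a separate location for recovery.
```nix
borgbackup.jobs.vaultwarden = {
  paths = [ vwData ];
  # Back up a consistent copy of the database rather than the live file and its WAL.
  exclude = map (f: "${vwData}/${f}") [ "db.sqlite3" "db.sqlite3-wal" "db.sqlite3-shm" ];
  readWritePaths = [ vwData ];
  preHook = ''
    ${pkgs.sqlite}/bin/sqlite3 "${vwData}/db.sqlite3" ".backup '${vwData}/db.sqlite3.backup'"
  '';
  # … unchanged: repo, doInit, environment, compression, encryption, prune …
};
```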
@@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEhKL0o3QSBsZVF5 +cXR6L0ptT2tYTHgreHN3TDVpWjlMQ0twR2RwWGg2TU13SGcwZzFzCkRxazBtNW9X +clNMNVRkd0NFa29OOHlSa0F6YWpldnZacHNEblo0a2VGSFEKLT4gWDI1NTE5IDd5 +RG1WNEF4bXVsT1loRnVIMW9kZHJRSkQ3MGtlL1pXTk9GeXlDYzBVSFUKY3pBNmJn +Z3BwaWt5bC9IbUtJY3dvU2dnOEs5YlFWbkg1U0JZQVBNdHQ5TQotPiBwWE1DJl0+ +LWdyZWFzZSBLQWorMWdsIHRLLXgtWlQKSHI4SDIvOWkxc0p4K1dJQWJkS2dBY2th +VmdFTGZCSmN0MXdhWmdSYXZjQ2F6RnpFZzFwZmdDZTczZEZRQStiVAprU1IwNXpB +MmwyVENnZEY1QWxubXVFZ25yN0ZEMjY2bWlSUHo5aERYZUVDY3Nvbi9TalhlL2ow +ZVg0azIKLS0tIGZRREMxbzNJMS9lcmxHc2h0R0Q4RE0ydCs5UllVd2E2VEZsWGhC +TzNQVjgKG6a4HjO/hBX3LAwPgNS0vlS8gWONV+4QUn6uGu3kRY5oSurEhXygVGHT +5Zqa84828A== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/vaultwarden/backup-ssh.key.age b/secrets/vaultwarden/backup-ssh.key.age new file mode 100644 index 0000000..a7091de --- /dev/null +++ b/secrets/vaultwarden/backup-ssh.key.age 
@@ -0,0 +1,81 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEhKL0o3QSA0c0dI +ZStSMHRncFlOaG92U0t3OFc2OE9xWWZ4UjZ0bVh0TFZtbTE5aFVrCi9lVGxPTmhx +QjhZUHVlVGk3ZUMycmkwZDZrMmpWV2UwVEwrTUlWZ1FsSHMKLT4gWDI1NTE5IGJi +ZmJacDFhVVJVdklJZUpnUFg0b0RDbVZqN0hLQUtqOWEvbVEyOUtUWDQKZzhOR3da +TUpvTHVFbXpXLy9jRDZyNHRWbWgrRkVMMHZmZUZFTm9KSGwxZwotPiA/Z203LWdy +ZWFzZSBPVFgoCk9DaDFyRm1jMDhqc1laUGRPT2VtK1k5eWxkZHBzQXNOMnM5WkxC +WjBoWm01blloV3NSawotLS0gd05iVmUwd3V4cXp4NHduQmw3U2FOcEU0NWp6RGZ1 +WjdiQ1Y1a25nYXI0WQp97YzYsNIViuyI7Mp4AFiDn4Uwi8b5IdH8tTqCLRo6Yrqx +DgJQ1DEkBYq9EWXKI6zczfCWS9FfK73KK9TKcI8XcZxgNTArNiFv6c4eL+I8dfdn ++Yuthm5oV2w7mQyfOkiT4VWrKPphk7GD1qUXoxIVtjxPyUYcYSoJBqI/HD+oA24m +kqxTX/FS6rA9rfXZsXB81G2KXHMVXd0wnOKikQN9gUL8u0WAKkkYbHO83GynWuui +riYCTM5gK8mjRf5ZTMTbFOY0iRup+5jmSRwKtwR/umjPYniZ5cyQMOc2fioDfC5B +5nD2Vg8kec81wkKck4a405hBdcehSSGpPrSSFUeXIzewckecpmMw82Bs2U4O9lnI +oUhCFsrnFTkZHHSyeaKvhjC1MXZgo/OFnF2k/fWJXQeiRhl+S3H9G9z++8ogcsj+ +HKaWkg1bD9EiTTeLxKithagx4RoTqZP8i3PB5KbY5wh5CUxd5+8SS1JjsDWfQBvf +xhIc7ecp415hp4qU5f+Z4t+v+EXffFt3INs3II4R0vB1B3GdIsco85yazQFBwbT0 +T13jlWT8BQBCW+xxhqb34nRblYgNYCT35XgOd58+VVh27bzoeItr9B4axbXWbQp9 +tgmFM9qVPqO+PBOScqsgBHUmpNJhOEkithTORr66rvgve2dya3E6C+QhKLQQKP/S +cwJCuC3Y/uqFfY+RURrlgAIYszSNdmvWs4rSe4q5gJKOKhyrWU27Opqn82wzPTWz +GdlpBR0QDb2tbmdRvcaVdV1oeJjrtY5vlVIoGJOpBManADMKwgiaH6Hkb8pLYM9o +793NEYB5TEiblb16bLDQYxn9bZo4p5yAzqL1mbbj+Y5ikvWJ+HLqA5w4a8wjioPD +SxjI2zqDnYQjVW6f9ZZONnbBM8oOkqxyBaIIn4Kh+BPr16TQYT12SQKIY2OL4OnD +2etsjTEuoANd1U0l4+i3Tc34lMai6DQbIUc4sHROo8GAarCcrybYKi+XoRh3twGJ +nKsdCsTW6Jq1eUwAiWvdNz2wuFUEWZnAdYHw0dr6q+8voWefUoUwfn2RcxK0Ix3G +zQbxqv7FZntlx9oyzheJwKZ04Au/xYmeFVvxxuAgz+8/mXOUn8qhdaIf89DLnLmE +vJRYVTdHl9/zcKeQIthwCi27VUXIMe7uOsGqvdRSuMDq4whBV/ZiEIRuR8QJp0rT +EMODc0DVHyiq9cAxb3AQ4geQw/wHzUTULY80JmNW+0UJfKwL7pYNsYNFMaf96Hz4 +9GAK/NVPcaPh1XJ97Jk/Iojhm9z8jSYhQ9+Br33MKT+YqJmn0jwBcOTsR9rCyBcD +0a3plF2BE/soLO23Hk4ZheL2VNHqqxUIQqIjm+CB762ONn4QHOJaqL21haYsweZ3 
+XgNOg4gMonJkFye2TDZeCXnxjgHllu5915JiCTtK+ZhaMx/+wR5/iHgdKIxSTR0I +tMrpwmNgB5fM66M1iOx4GLTTsMEhTjIRegGI6fcnWKq+AsMOAa2BreiXq10afFn1 +mQar08aN6Jya5SeUls8VvEzjtb9DDcWVVP/k1/WhicwUkaeF94XBKNrHmsd3Vagm +oHXUx2Sej9f4UxYOVUWA12DLxdRV6cAkOSti17pYWbhMSeUsel+2qvwqn5X37EYe +E5nobgfkE8lNy8mEDgEegvInui8TOpLHUWXgyYnaSTFMDV39bSRuQ1OCoCJ3Mgmk +e72XwnECyaxYHWbqriTo+JoK811/FuEHTyEuOzNHAqho8EO26FewGiK+mswS+QKx +JCANQ5dZ+jVVyj4cp5PTyt+KTDToT1ckrbvV0q+FK5/1cIvYVM3Av/jMnm0oR2J8 +MHzBA/zgmdR+xI3ienOuytAH9douAvcrVx0bFUm8CuTE8WjP9xK8rc8iLV8A0I62 +Y0PLlLQDL5B2y2Nog1IBbJEv4rbDDMx0XiGRjOQ5AukeDdK+wN2+eizGczBe19lP +gJsm5w20mbLgyQMlV2+iZ9qVV0kM7mYIIHQ1s5mMZyaQRtI2YWP/QmIfAB/pVcEm +fTdLM/xtYhblKsPll+Z5LJtwzx5/kJYEZnKtUFz8F7JWt3fsul0yPVSHeoDJibn3 +CbLONJSDFMCVGHUesBhmjiNbYhghr3oi31pRywWOpYtqSQ6jgJLPDRXN9eXPmuid +GQXzyDOT9z8o6CHk5YvOcdSnjHKQR4DGj0V9qOeu6gf2bMMZPgHg49R52Zm/flhU +YhdFbi5jXjWV44vukE1k8y3vylHg14CBBzJlNZz71+Mk1iahw5XbhFdYUnucnVhz +dd24XKIfsUcMtObb7YEM+JkEzET3D+QjULuZe7puwCFoeFR8JCesrQx+MGHmshVz +WBLpUY4lW6gaiojwx55o4zd0bVcEEFkJOaOImWql8XARya5vkokipanunpk1dPQ4 +cxvhEOPc5blSVghs2hFSpxVhOCPbRNQV3fh5WAJGJFR9rw7JvGeKzGLAwx3fpf/9 +EcDLOSbdFOx7lupJOv7EmkbJBmKf68zowCnq2WkRDBkiwErwKvymEpMCbIMo9/Ci +4DSzBwHwuCAQnReGBerTWHF3qrxcuwBp5pRzjYW2Rgorn+n7mZAAokJ4LE4nkzE5 +TlKJP6Gn9/3T/vnLmBPwuBtDwqa1CyDJc4VfIodhjiKiDghnKPQGTAWqqwX8qZQ4 +JW3BWcTIdxO4mcHzoIeEdEIF4A8or8s3AxK35FMWu3ZHRpT8U7A3f0R0sTQDeBjK +ke4qfDy6F28SYX1v22fg7B1eBX3PT8YE3OyFs2xkNOanV0KAPVGdJlKd4JhqlFUT +uABCNlvixzMzR2JqJPvBQhltl2OiSbaqmlV5ot818D+qZQj03wg0oqWJivBzR3FQ +++31SUkN/SgbiEtAtfpnIDBIeUlZh3W1oIUth6zmn/WawAk0sdpx+KxkLVr96vMX +EG0bcOr0jZ7ENwCBmlm6bHrI0e+Z4iYAtH5dR8VL9lCwuR0ITioGIR8HOKLG9DWt +qxZI/I/peccj5AO0gHQtPC+OCsCoSvGORtaZoIaj+BGLmK9IePhFCULOWakYXxvE +l41nyr9dGwdwKFRLKt1Ovc6AmTKYh3IxPs0Lbr/rKayM7w4WfpMZa9tKbLr7WRC6 +zogyEZpt8kwFs2GivcBwHIVeAOHqVSP1IUxZFBeWRSyjlQLE5+yOVw990tgONxSe +flzTNE9/wkQIYjqLK9UTtJJ0pbuegzyYipQWUdOKjdMI9bm+yvfgHcQS+bI9R2Ul +hJg/ixP3FxxJ4yWNtf6ooHH943w8IYd5oSkL3yPXyGQ8iWEFakvekf8478IGIV9k 
+ry/JKf+qEMPxmWIfUiHlOAW2y45jYWGp9bHfurvuF0yehsRagpFxeugnEQtbV33i +rXuJEZ/k1SJQ//wXuFlY4S4QSY3DxbhOD3gmo8YQSpCNgy5UjbPcHrElyJ+M5psj +Epzb4Fq/nnOwX/lB1EqWvGpfJsgwPOP6YH6X9smsC2y/ck1M+Au7q1ybiTDiqKs0 +5wMKxlnlM99fE5g/p7JmWGNuCmpV2SZl/TaYwMGYGYqi7w+tJS7ChiHX8vjCBVl6 +e+r5gu7eDPRMznmwPcie/lc3kryTYGg/phsR/g8kBPpRW/fkDQoA4vv0UIRoARCe +CPYjPafLiozI5ji3rhTcsvejzjJWX5MOMLSUKZ4Wz37K8ygQZ2bGnI9rVCVc9Jl+ +cVkHvwk3rxbQivLgdmctDLZiMVc8++dW2J3CfGwcZpri3MsDEiprEWn6dp/WT95c +vBXsg1xwL6ouuRRHI1l1l2nzTrU7uWetvOovyJisB03GszmW8VtGzJvB2Hg4thMX +ZNrxQqq/9Wz7d9Txmd0QTRBL7vXQ01P/Lu/LN2QZMJC7vMKvuz+uoM7tJ8Vgz3hR +ybwcm1BtzrnGwfisyTwWPe6pnHjW/dkRzvC70uy8wwrRxMWdPKHOIQSWgKbTyXGd +UvHEo4fySnLPttP6bZ5xVXPjMb67vS8i+b0rbA2k2yDWc5mGdbSkmmH12CupRiuU +KoSdUQXlFzhih/3vKJwpq0X5GGdG9zXlAtCl480kWyaIOe0QEQrvJPL55T6JDBK8 +Jn5DkPyqx+espYS6LcfsXCTo5pGsZYNRexHYdglyRZo/EPw9uLmHrYWLLwt3iAma +FGRfNtY4OEK8Jx8baMhrs2xeVJLIPLyhrFtyfCIGwfUmzOap+Z0SWS+kxfXxOWek +IhwlbkCwpuvy1VrSdRgwZx0K94NZcUcsoLolV9q+HVCejhIKq88zvCNYri9wlh69 +/0w5/oI1CD7ONwMkCU4EkzvdItTEg9lA/zZmF5rxEDptZ1QXa37kw73LvRwNz5zO +NMMaCAF8AbplPo8CnuPMItgsIbX3g+eULZUQoBcRW5WngnIOhRmL26t9MYZCNwHn +y3dZICDl9WjmbWEYEv4j9eUJclKyLO+jwbGBCQXy9EiHw+Rb3N7EOtWtter2Lwhm +kQhKrKTQUhkMLBNiPGOxvInYjy2i3IFOM6rdh5PFMbJ9GTlXDLygWtcXEiwabYT1 +aQnyOD1SkZHIe4fYtyyNrpfWGQ== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden/config.env.age similarity index 100% rename from secrets/vaultwarden.env.age rename to secrets/vaultwarden/config.env.age