diff --git a/flake.lock b/flake.lock
index 47f07ce..d10cb28 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,50 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "agenix": "agenix_2",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1677625082,
+ "narHash": "sha256-62xmRPfjZgDn8AgEhb6eRoJrTxGeM8HfhfF+PkJokok=",
+ "owner": "yaxitech",
+ "repo": "ragenix",
+ "rev": "6f2dacf3d6af36228a8fad3b136990a6b6dfe30b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "yaxitech",
+ "repo": "ragenix",
+ "type": "github"
+ }
+ },
+ "agenix_2": {
+ "inputs": {
+ "darwin": "darwin",
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1677126346,
+ "narHash": "sha256-4s+PPGC1M07QsPyeye5drc2JLa1lhDnCV3XAsG8+pH4=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "c2a71c83c70844c5e31db69347e86af080bcdad0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "alejandra": {
 "inputs": {
 "fenix": "fenix",
@@ -57,6 +102,29 @@
 "type": "github"
 }
 },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "devshell": {
 "flake": false,
 "locked": {
@@ -148,6 +216,21 @@
 "type": "github"
 }
 },
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1676283394,
+ "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "flake-utils-pre-commit": {
 "locked": {
 "lastModified": 1644229661,
@@ -219,11 +302,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1675935446,
- "narHash": "sha256-WajulTn7QdwC7QuXRBavrANuIXE5z+08EdxdRw1qsNs=",
+ "lastModified": 1678729503,
+ "narHash": "sha256-j+h4Bdqbe+qjzhxdhkRmVgSx2lxJ8HnKeYcAhhnd1zM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "2dce7f1a55e785a22d61668516df62899278c9e4",
+ "rev": "24c1a6335e3da6a3ecf82f33ac50c2ad66aee346",
 "type": "github"
 },
 "original": {
@@ -265,11 +348,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1676110339,
- "narHash": "sha256-kOS/L8OOL2odpCOM11IevfHxcUeE0vnZUQ74EOiwXcs=",
+ "lastModified": 1678654296,
+ "narHash": "sha256-aVfw3ThpY7vkUeF1rFy10NAkpKDS2imj3IakrzT0Occ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e5530aba13caff5a4f41713f1265b754dc2abfd8",
+ "rev": "5a1dc8acd977ff3dccd1328b7c4a6995429a656b",
 "type": "github"
 },
 "original": {
@@ -359,6 +442,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
 "webcord": "webcord"
@@ -381,13 +465,38 @@
 "type": "github"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "flake-utils": [
+ "agenix",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1676687290,
+ "narHash": "sha256-DP0CJ7qtUXf+mmMglJL1yANizzV1O4UfQ9NrKgy7O04=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "bdccd5e973d45159f7d13f7c65a4271dc02cf6d4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "utils": {
 "locked": {
- "lastModified": 1667395993,
- "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "lastModified": 1676283394,
+ "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index eab8a29..4d124e2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,11 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ agenix = {
+ url = "github:yaxitech/ragenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -12,7 +17,7 @@
 webcord.url = "github:fufexan/webcord-flake";
 };
- outputs = { nixpkgs, home-manager, webcord, ... }@inputs: {
+ outputs = { nixpkgs, agenix, home-manager, webcord, ... }@inputs: {
 # colmena
 colmena = {
 meta = {
@@ -27,6 +32,7 @@
 imports = [
 ./hosts/${name}/configuration.nix
 home-manager.nixosModules.home-manager
+ agenix.nixosModules.default
 ];
 home-manager = {
 useGlobalPkgs = true;
diff --git a/hosts/neodymium/configuration.nix b/hosts/neodymium/configuration.nix
index 3d08a12..83e91f4 100644
--- a/hosts/neodymium/configuration.nix
+++ b/hosts/neodymium/configuration.nix
@@ -154,6 +154,8 @@ in {
 nixfmt
+ borgbackup
+ gnome.nautilus
 jmtpfs
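Review bot: The new input is named `agenix` but its `url` is `github:yaxitech/ragenix`, and the lock file in this same commit shows that project pulling in `ryantm/agenix` only as a nested input, so `agenix.nixosModules.default` in the `imports` hunk further down reads as the upstream agenix module when it is in fact whatever ragenix exposes under that name. A comment on the input, `# ragenix: agenix-compatible implementation, provides nixosModules.default`, or renaming the input to `ragenix`, would make that explicit to the next reader. The `url` carries no `ref` or `rev`, which is fine while flake.lock pins the revision but means a future `nix flake update` silently follows the repository's default branch.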
@@ -658,6 +660,45 @@ in {
 options = "--delete-older-than 30d";
 };
+ age.secrets.borgbackup = {
+ file = "/home/laurent/infrastructure/secrets/borgbackup.age";
+ owner = "laurent";
+ group = "users";
+ };
+ age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
+
+ services.borgbackup.jobs.home = {
+ paths = "/home/laurent/";
+ repo = "/mnt/home_backup";
+ exclude = [
+ # Largest cache dirs
+ ".cache"
+ ".compose-cache"
+ "*/cache"
+ "*/cache2" # firefox
+ "*/Cache"
+ "*/Code Cache"
+ ".config/Slack/logs"
+ ".config/Code/CachedData"
+ ".container-diff"
+ ".npm/_cacache"
+ # Work related dirs
+ "*/node_modules"
+ "*/bower_components"
+ "*/build"
+ "*/_build"
+ "*/.tox"
+ "*/venv"
+ "*/.venv"
+ ];
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.age.secrets.borgbackup.path}";
+ };
+ compression = "auto,zstd";
+ startAt = [ ];
+ };
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/secrets/borgbackup.age b/secrets/borgbackup.age
new file mode 100644
index 0000000..a9f97a1
--- /dev/null
+++ b/secrets/borgbackup.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 kZEpWw OQ8zlnVzqIh3FSryVBmqKzPDOatKrzDSR1Zm3BGL60E
+FtbNNvnoskcgLO4XIREMmV+HY1YNgmavSKCKiVpLtUw
+-> ;MI-grease
+ArHYI+eu0R2GQyabN2Mr8nHC4LBU0xNZSl0hljMagNBtUGlwsTHvRBzTSVm6kcak
+c2Rbqz9/Zg
+--- t1Xtn3Wg7yC30usQ+dSbwBlBcd0mMiWUeraj2HTZ9PQ
+B̐qKrD1Z6x:IV՘)\YtI(=b1JQReV}vfn(U|iB>AXȀv\X,&3 Onle4p"-{;
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..193fa70
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,4 @@
+let
+ neodymium =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@neodymium";
+in { "borgbackup.age".publicKeys = [ neodymium ]; }
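Review bot: `age.secrets.borgbackup.file` is an absolute path into a user's home checkout, so the ciphertext decrypted at activation is whichever copy happens to sit at `/home/laurent/infrastructure/secrets/borgbackup.age` on the host, not the `secrets/borgbackup.age` this commit adds to the repository; a flake-relative `file = ../../secrets/borgbackup.age;` carries the ciphertext along with the evaluated configuration and keeps the two in step. `age.identityPaths` likewise ties decryption to `/home/laurent/.ssh/id_ed25519` being present and readable when activation runs, rather than to the host SSH key that would still be there if `/home` is missing or mounted later; if that is deliberate, a one-line comment saying so would help. `startAt = [ ]` leaves the borg job with no timer, so the backup only runs when started by hand, which deserves a comment such as `# no timer: the job is started manually`. The enclosing module attribute set begins and ends outside this hunk.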
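Review bot: `borgbackup.age` is encrypted to a single recipient, the key labelled `laurent@neodymium`, which is presumably the same pair that `age.identityPaths` on neodymium decrypts with, so losing or rotating that one key leaves no way to recover or re-key the secret without the plaintext passphrase. Listing a second, separately held recipient key in `publicKeys` and re-keying the file keeps the repository copy recoverable independently of the host. A short comment naming where `neodymium` comes from (user key rather than host key) would also save the next reader from matching fingerprints by hand.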