feat: agenix (ragenix)

feat: borgbackup chore: upgrade flake
2023-03-14 14:12:21 +01:00 · 2023-03-14 14:12:21 +01:00 · 443b888462
parent 172f5c1d32
commit 443b888462
5 changed files with 178 additions and 10 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,50 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "agenix": "agenix_2",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1677625082,
+        "narHash": "sha256-62xmRPfjZgDn8AgEhb6eRoJrTxGeM8HfhfF+PkJokok=",
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "rev": "6f2dacf3d6af36228a8fad3b136990a6b6dfe30b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "type": "github"
+      }
+    },
+    "agenix_2": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1677126346,
+        "narHash": "sha256-4s+PPGC1M07QsPyeye5drc2JLa1lhDnCV3XAsG8+pH4=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "c2a71c83c70844c5e31db69347e86af080bcdad0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "alejandra": {
      "inputs": {
        "fenix": "fenix",
@ -57,6 +102,29 @@
        "type": "github"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "devshell": {
      "flake": false,
      "locked": {
@ -148,6 +216,21 @@
        "type": "github"
      }
    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "flake-utils-pre-commit": {
      "locked": {
        "lastModified": 1644229661,
@ -219,11 +302,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1675935446,
-        "narHash": "sha256-WajulTn7QdwC7QuXRBavrANuIXE5z+08EdxdRw1qsNs=",
+        "lastModified": 1678729503,
+        "narHash": "sha256-j+h4Bdqbe+qjzhxdhkRmVgSx2lxJ8HnKeYcAhhnd1zM=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2dce7f1a55e785a22d61668516df62899278c9e4",
+        "rev": "24c1a6335e3da6a3ecf82f33ac50c2ad66aee346",
        "type": "github"
      },
      "original": {
@ -265,11 +348,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1676110339,
-        "narHash": "sha256-kOS/L8OOL2odpCOM11IevfHxcUeE0vnZUQ74EOiwXcs=",
+        "lastModified": 1678654296,
+        "narHash": "sha256-aVfw3ThpY7vkUeF1rFy10NAkpKDS2imj3IakrzT0Occ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e5530aba13caff5a4f41713f1265b754dc2abfd8",
+        "rev": "5a1dc8acd977ff3dccd1328b7c4a6995429a656b",
        "type": "github"
      },
      "original": {
@ -359,6 +442,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "webcord": "webcord"
@ -381,13 +465,38 @@
        "type": "github"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "agenix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1676687290,
+        "narHash": "sha256-DP0CJ7qtUXf+mmMglJL1yANizzV1O4UfQ9NrKgy7O04=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "bdccd5e973d45159f7d13f7c65a4271dc02cf6d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "utils": {
      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,11 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

+    agenix = {
+      url = "github:yaxitech/ragenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
@ -12,7 +17,7 @@
    webcord.url = "github:fufexan/webcord-flake";
  };

-  outputs = { nixpkgs, home-manager, webcord, ... }@inputs: {
+  outputs = { nixpkgs, agenix, home-manager, webcord, ... }@inputs: {
    # colmena
    colmena = {
      meta = {
@ -27,6 +32,7 @@
        imports = [
          ./hosts/${name}/configuration.nix
          home-manager.nixosModules.home-manager
+          agenix.nixosModules.default
        ];
        home-manager = {
          useGlobalPkgs = true;
--- a/hosts/neodymium/configuration.nix
+++ b/hosts/neodymium/configuration.nix
@ -154,6 +154,8 @@ in {

      nixfmt

+      borgbackup
+
      gnome.nautilus
      jmtpfs

@ -658,6 +660,45 @@ in {
    options = "--delete-older-than 30d";
  };

+  age.secrets.borgbackup = {
+    file = "/home/laurent/infrastructure/secrets/borgbackup.age";
+    owner = "laurent";
+    group = "users";
+  };
+  age.identityPaths = [ "/home/laurent/.ssh/id_ed25519" ];
+
+  services.borgbackup.jobs.home = {
+    paths = "/home/laurent/";
+    repo = "/mnt/home_backup";
+    exclude = [
+      # Largest cache dirs
+      ".cache"
+      ".compose-cache"
+      "*/cache"
+      "*/cache2" # firefox
+      "*/Cache"
+      "*/Code Cache"
+      ".config/Slack/logs"
+      ".config/Code/CachedData"
+      ".container-diff"
+      ".npm/_cacache"
+      # Work related dirs
+      "*/node_modules"
+      "*/bower_components"
+      "*/build"
+      "*/_build"
+      "*/.tox"
+      "*/venv"
+      "*/.venv"
+    ];
+    encryption = {
+      mode = "repokey";
+      passCommand = "cat ${config.age.secrets.borgbackup.path}";
+    };
+    compression = "auto,zstd";
+    startAt = [ ];
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/secrets/borgbackup.age
+++ b/secrets/borgbackup.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 kZEpWw OQ8zlnVzqIh3FSryVBmqKzPDOatKrzDSR1Zm3BGL60E
+FtbNNvnoskcgLO4XIREMmV+HY1YNgmavSKCKiVpLtUw
+-> ;MI-grease
+ArHYI+eu0R2GQyabN2Mr8nHC4LBU0xNZSl0hljMagNBtUGlwsTHvRBzTSVm6kcak
+c2Rbqz9/Zg
+--- t1Xtn3Wg7yC30usQ+dSbwBlBcd0mMiWUeraj2HTZ9PQ
+„±BÌ<EFBFBD>q«¤Kr‡Ž¤D±1ZßË6‘½x:IèáVàÿêúø÷¯ÀÃÕ˜)Ê\YÝtI(=ù˜†bÍ1JŸ¡QÀR”eVó}êÖv˜›fn(°U½|ÔiB>ýºAXÈ€v\X,²†¹&3OnleÞ4›îpá"ä-{ÁÞ;þ°®
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,4 @@
+let
+  neodymium =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@neodymium";
+in { "borgbackup.age".publicKeys = [ neodymium ]; }