From 39ca2631dd82d8f8d67fb9c7abc57642b65661e5 Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Mon, 29 Dec 2025 22:10:59 -0800
Subject: [PATCH] Add known hosts for syncoid
---
 hosts/cryochamber/configuration.nix | 18 +++++++++++++-----
 hosts/cryochamber/secrets/config.yaml | 5 +++--
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/hosts/cryochamber/configuration.nix b/hosts/cryochamber/configuration.nix
index 9344c7a..2443741 100644
--- a/hosts/cryochamber/configuration.nix
+++ b/hosts/cryochamber/configuration.nix
@@ -170,23 +170,30 @@
 group = "syncoid";
 mode = "0400";
 };
+ sops.secrets.zimaKnownHosts = {
+ owner = "syncoid";
+ group = "syncoid";
+ mode = "0444";
+ };
 services.syncoid = {
 enable = true;
 #user = "backup";
 sshKey = config.sops.secrets.syncoidSshKey.path;
- #commonArgs = [
- # #"--sshoption=StrictHostKeyChecking=off"
- # "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
- # "--sshoption=IdentitiesOnly=yes"
- #];
+ commonArgs = [
+ #"--no-sync-snap"
+ #"--sshoption=StrictHostKeyChecking=off"
+ "--sshoption=UserKnownHostsFile=${config.sops.secrets.zimaKnownHosts.path}"
+ "--sshoption=IdentitiesOnly=yes"
+ ];
 commands."zima-bitrot" = {
 source = "root@zima:bitrot";
 target = "tank/backups/zima/bitrot";
 recursive = true;
 service.serviceConfig.BindReadOnlyPaths = [
 config.sops.secrets.syncoidSshKey.path
+ config.sops.secrets.zimaKnownHosts.path
 ];
 };
 commands."zima-rpool-safe" = {
@@ -195,6 +202,7 @@
 recursive = true;
 service.serviceConfig.BindReadOnlyPaths = [
 config.sops.secrets.syncoidSshKey.path
+ config.sops.secrets.zimaKnownHosts.path
 ];
 };
 };
diff --git a/hosts/cryochamber/secrets/config.yaml b/hosts/cryochamber/secrets/config.yaml
index d0097da..40009ea 100644
--- a/hosts/cryochamber/secrets/config.yaml
+++ b/hosts/cryochamber/secrets/config.yaml
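Review bot: The new `commonArgs` list pins `UserKnownHostsFile` but never sets `StrictHostKeyChecking`, so how ssh treats a host that is missing from the pinned file depends on ssh defaults and any system-wide ssh_config. Adding `"--sshoption=StrictHostKeyChecking=yes"` makes the backup fail closed, and the commented-out `#"--sshoption=StrictHostKeyChecking=off"` line is better deleted than kept as a ready toggle. In the `sops.secrets.zimaKnownHosts` block, `owner = "syncoid"` means the account that runs ssh also owns its own pins and could chmod and rewrite them; the file only needs to be readable, so leaving the owner as root with `mode = "0444"` keeps the pins outside the service account's control. The surrounding `services.syncoid` block continues past this hunk.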
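Review bot: The same two-entry `BindReadOnlyPaths` list is now written out in both `commands."zima-bitrot"` (previous hunk) and `commands."zima-rpool-safe"`, while the `UserKnownHostsFile` option in `commonArgs` applies to every command. A command added later without the known-hosts bind would presumably not see the file inside its unit and fail host verification. Defining the list once in a `let`, e.g. `syncoidSecretPaths = [ config.sops.secrets.syncoidSshKey.path config.sops.secrets.zimaKnownHosts.path ];`, and using it in each command keeps them in step. The `zima-rpool-safe` block starts above this hunk, so its source and target are not visible here.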
@@ -1,5 +1,6 @@ hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str] syncoidSshKey: ENC[AES256_GCM,data:tfNUtOa40qTuoE/Ge5wBhQOTqBcYHvjlyhyBclFyqcbWSTSjZzh0WbkZaM5002YHO0izWD5V4TrK2lTgEYRq3wrMyWhkKgHj51LIBqJmw08Gk1+JQ9+hfRoM2ql6GtJLzUb0bOewPzY5aqDBNVNUrMPF5NyqYFDOoUfAbwWy3yOYdXVOsYwUnGMH+g8MnXdvnBT7RYVGZYLp8Kfj2qi6a+WDQh8qBwaJDKeNhVFOy3Ft00e8ykT5koK4pHSK5D8g5xNXzbMibB3CtGW90wTS2D/o1Ybxkh2ZjcescxD+U/NMIHhRuYdzv/1yiiu1IWnDYjcHCnLUfAiVac5IoCtu0IMmC+jy76Z1lxYmhQt6PINAeh4LHTrtp+5+RGKW+XIzVYguwTcH1WSJGOkHCe7a3VKyI0CrUkD9mhgEjvSLKPVOPgmU+vNggbqu9HrGUlCz53acvdYN8GQP9xKOZLjDgYk5d/zRW5NMj3H7PPW+eLpT/P9i+nISui0WDZQVnFo2IEiElRHkDu2pbENNUvKxDIMkb0nCR8BE+a2e,iv:okNdm2cKrP4DDPflGaN5XRZh/OMFhl30sdTdbbvqsGQ=,tag:O9fv2X1nAf9Ed0FN3xlV3A==,type:str] +zimaKnownHosts: ENC[AES256_GCM,data:7osQI01DJ8OQBEOIYXt0HO1ZZg1iDW6dTfxEyo3luJ5er5DlgZqvxXHuiiHT6tMzjP+uyQCiN0SnQgDBjFP7lp4i7SIToF+4aAkGLbhCoTND4BjwtoBn4t+nbYgAgPkSFvvqhXgaKhdTYPUZBdxp0d8yUd+EA798mZwsS1k2rJYXcq0D1Dn2D7JmGAD1vD4GC76VP5L8XJC3Wc0MVYOTUeftqLHZQ7H5qCIu+QEFwlQw4CPt7IiClN0u2yx+y2yOwFkw6A3+F5/BqGzEh1KsxBXF+THDuzJpipLiCYzjnK04OZa9x/LR7r0A7XZrDkTMD+NSCLsoZzQOv+9cNw4+6qIYKBvarjAOIdZpP/EHiXrDYy53jrOeG3SU+P/NggL0ryq9aHEjUhX+idAXfspYl5EklrlXYw0JjZE8T6NbGP7706VPrcHzGoB1YjAvnAmQP8846ZH99yw8wWDuEoG6i8O0VaY0Q+RVfPZgKbUVqd0L936VMMN6t8jXSPvtOFCjviqgGCfTC9mcciQ2C83G+j9YWi0rM9/dX04m6a6eOBFtTAp4ryKRI6zoSn7Wh+nF1I3M8Yd+qUE7iVJpDOFb4IjJLNy6E+Xw/mTNlIRBET+2Pqmem+pcqmlr8opg4X0Rn2jp23PzDmH5mBrTJpfs/trPaOZLAZ5N+JKX1WLsKIZdT0AK4AVcs7CCj2FSIVicnrR8H9mwgVCY6HDHJvk7E460bo1Jg0YFYsauvd7FeNpCTk3VnFjsloR7WcXj9jrlkcSoR3d/AuelNreXT2XupVU5pHOHDYPd2fvqTd3i0ZEIhSm71p6Ely6HVONwUU9HHMwrnuXccW3YZyD2VsZKJ61AeG01WRSbOF/fPExSpsU1wiIqMrImD13Sh2je0gmznbJGvm+muvknUCUYprH7WORK0ib5mihfwYalPAnwLNHuECQJt+EdIRQJyGay8Ju5brA+N9o7ImeRWtG5ITdTCZba5QvJGN8+Cdkv1WpFkKnEXihdFBwnd/fuswkNGA04m5YSkg2JBstEKDkDIOq9yICtDfPV
Mi4H7obqbhJ3GAbQ2O6sPLt3NF4i1ib+TiH6,iv:thh4YjrSjpAdBtQgyW/M6fU3V3Sa/5X5EYKwPoJazn8=,tag:5VYDipu5iMnsI+qp0xNSTg==,type:str] sops: age: - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45 @@ -20,7 +21,7 @@ sops: NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-30T05:34:50Z" - mac: ENC[AES256_GCM,data:HipS7m52pB37vwkPEinN89ZcCZoj0vvaKvtMv701C4SYJjRi6wcH/qDdvY8OuiYrNZrXTTjRb+DKXoE0X7R0PutQErybbBbzRfeN/jOUYIsGo5h3bHCYjXvT08VxB2qnF4fMjZ6GmXCbhf+aw7Ens+ebCZHtIxIeEORdifqDRbE=,iv:ERapQGu/BCUT1BMNl+rESxj0mMorfiL9TyQO99ATqy4=,tag:Z5zHpMg6nFJhi+LBUt1xKg==,type:str] + lastmodified: "2025-12-30T06:09:33Z" + mac: ENC[AES256_GCM,data:1Rwi9cvkH2aWmbkX4ZcvUu1MRPMgX5ZVFQ29pJ/q8RGBtYe+yH8c5ODqWkkvlO3Ok1gFg/8fPIoXfJ2il39MTdnt/jbng+z9TupK6raYsIonWcYEMz6hY0imASgF4m8OtS5GcVelRUUOPuYBVdQa9+VCRd1L3tM8HYt6AgiumHI=,iv:Dp0WVo3otn9BKKujtbILAqvdM/79ENum8QVgwSJpSmw=,tag:8+QhXLeDd3maSHj7ip34gg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0