Add known hosts for syncoid

2025-12-29 22:10:59 -08:00 · 2025-12-29 22:10:59 -08:00 · 39ca2631dd
commit 39ca2631dd
parent d54d7bac5a
2 changed files with 16 additions and 7 deletions
--- a/hosts/cryochamber/configuration.nix
+++ b/hosts/cryochamber/configuration.nix
@ -170,23 +170,30 @@
    group = "syncoid";
    mode = "0400";
  };
+  sops.secrets.zimaKnownHosts = {
+    owner = "syncoid";
+    group = "syncoid";
+    mode = "0444";
+  };


  services.syncoid = {
    enable = true;
    #user = "backup";
    sshKey = config.sops.secrets.syncoidSshKey.path;
-    #commonArgs = [
-    #  #"--sshoption=StrictHostKeyChecking=off"
-    #  "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
-    #  "--sshoption=IdentitiesOnly=yes"
-    #];
+    commonArgs = [
+      #"--no-sync-snap"
+      #"--sshoption=StrictHostKeyChecking=off"
+      "--sshoption=UserKnownHostsFile=${config.sops.secrets.zimaKnownHosts.path}"
+      "--sshoption=IdentitiesOnly=yes"
+    ];
    commands."zima-bitrot" = {
      source = "root@zima:bitrot";
      target = "tank/backups/zima/bitrot";
      recursive = true;
      service.serviceConfig.BindReadOnlyPaths = [
        config.sops.secrets.syncoidSshKey.path
+        config.sops.secrets.zimaKnownHosts.path
      ];
    };
    commands."zima-rpool-safe" = {
@ -195,6 +202,7 @@
      recursive = true;
      service.serviceConfig.BindReadOnlyPaths = [
        config.sops.secrets.syncoidSshKey.path
+        config.sops.secrets.zimaKnownHosts.path
      ];
    };
  };
--- a/hosts/cryochamber/secrets/config.yaml
+++ b/hosts/cryochamber/secrets/config.yaml
@ -1,5 +1,6 @@
 hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str]
 syncoidSshKey: ENC[AES256_GCM,data:tfNUtOa40qTuoE/Ge5wBhQOTqBcYHvjlyhyBclFyqcbWSTSjZzh0WbkZaM5002YHO0izWD5V4TrK2lTgEYRq3wrMyWhkKgHj51LIBqJmw08Gk1+JQ9+hfRoM2ql6GtJLzUb0bOewPzY5aqDBNVNUrMPF5NyqYFDOoUfAbwWy3yOYdXVOsYwUnGMH+g8MnXdvnBT7RYVGZYLp8Kfj2qi6a+WDQh8qBwaJDKeNhVFOy3Ft00e8ykT5koK4pHSK5D8g5xNXzbMibB3CtGW90wTS2D/o1Ybxkh2ZjcescxD+U/NMIHhRuYdzv/1yiiu1IWnDYjcHCnLUfAiVac5IoCtu0IMmC+jy76Z1lxYmhQt6PINAeh4LHTrtp+5+RGKW+XIzVYguwTcH1WSJGOkHCe7a3VKyI0CrUkD9mhgEjvSLKPVOPgmU+vNggbqu9HrGUlCz53acvdYN8GQP9xKOZLjDgYk5d/zRW5NMj3H7PPW+eLpT/P9i+nISui0WDZQVnFo2IEiElRHkDu2pbENNUvKxDIMkb0nCR8BE+a2e,iv:okNdm2cKrP4DDPflGaN5XRZh/OMFhl30sdTdbbvqsGQ=,tag:O9fv2X1nAf9Ed0FN3xlV3A==,type:str]
+zimaKnownHosts: ENC[AES256_GCM,data:7osQI01DJ8OQBEOIYXt0HO1ZZg1iDW6dTfxEyo3luJ5er5DlgZqvxXHuiiHT6tMzjP+uyQCiN0SnQgDBjFP7lp4i7SIToF+4aAkGLbhCoTND4BjwtoBn4t+nbYgAgPkSFvvqhXgaKhdTYPUZBdxp0d8yUd+EA798mZwsS1k2rJYXcq0D1Dn2D7JmGAD1vD4GC76VP5L8XJC3Wc0MVYOTUeftqLHZQ7H5qCIu+QEFwlQw4CPt7IiClN0u2yx+y2yOwFkw6A3+F5/BqGzEh1KsxBXF+THDuzJpipLiCYzjnK04OZa9x/LR7r0A7XZrDkTMD+NSCLsoZzQOv+9cNw4+6qIYKBvarjAOIdZpP/EHiXrDYy53jrOeG3SU+P/NggL0ryq9aHEjUhX+idAXfspYl5EklrlXYw0JjZE8T6NbGP7706VPrcHzGoB1YjAvnAmQP8846ZH99yw8wWDuEoG6i8O0VaY0Q+RVfPZgKbUVqd0L936VMMN6t8jXSPvtOFCjviqgGCfTC9mcciQ2C83G+j9YWi0rM9/dX04m6a6eOBFtTAp4ryKRI6zoSn7Wh+nF1I3M8Yd+qUE7iVJpDOFb4IjJLNy6E+Xw/mTNlIRBET+2Pqmem+pcqmlr8opg4X0Rn2jp23PzDmH5mBrTJpfs/trPaOZLAZ5N+JKX1WLsKIZdT0AK4AVcs7CCj2FSIVicnrR8H9mwgVCY6HDHJvk7E460bo1Jg0YFYsauvd7FeNpCTk3VnFjsloR7WcXj9jrlkcSoR3d/AuelNreXT2XupVU5pHOHDYPd2fvqTd3i0ZEIhSm71p6Ely6HVONwUU9HHMwrnuXccW3YZyD2VsZKJ61AeG01WRSbOF/fPExSpsU1wiIqMrImD13Sh2je0gmznbJGvm+muvknUCUYprH7WORK0ib5mihfwYalPAnwLNHuECQJt+EdIRQJyGay8Ju5brA+N9o7ImeRWtG5ITdTCZba5QvJGN8+Cdkv1WpFkKnEXihdFBwnd/fuswkNGA04m5YSkg2JBstEKDkDIOq9yICtDfPVMi4H7obqbhJ3GAbQ2O6sPLt3NF4i1ib+TiH6,iv:thh4YjrSjpAdBtQgyW/M6fU3V3Sa/5X5EYKwPoJazn8=,tag:5VYDipu5iMnsI+qp0xNSTg==,type:str]
 sops:
    age:
        - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
@ -20,7 +21,7 @@ sops:
            NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ
            JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-30T05:34:50Z"
-    mac: ENC[AES256_GCM,data:HipS7m52pB37vwkPEinN89ZcCZoj0vvaKvtMv701C4SYJjRi6wcH/qDdvY8OuiYrNZrXTTjRb+DKXoE0X7R0PutQErybbBbzRfeN/jOUYIsGo5h3bHCYjXvT08VxB2qnF4fMjZ6GmXCbhf+aw7Ens+ebCZHtIxIeEORdifqDRbE=,iv:ERapQGu/BCUT1BMNl+rESxj0mMorfiL9TyQO99ATqy4=,tag:Z5zHpMg6nFJhi+LBUt1xKg==,type:str]
+    lastmodified: "2025-12-30T06:09:33Z"
+    mac: ENC[AES256_GCM,data:1Rwi9cvkH2aWmbkX4ZcvUu1MRPMgX5ZVFQ29pJ/q8RGBtYe+yH8c5ODqWkkvlO3Ok1gFg/8fPIoXfJ2il39MTdnt/jbng+z9TupK6raYsIonWcYEMz6hY0imASgF4m8OtS5GcVelRUUOPuYBVdQa9+VCRd1L3tM8HYt6AgiumHI=,iv:Dp0WVo3otn9BKKujtbILAqvdM/79ENum8QVgwSJpSmw=,tag:8+QhXLeDd3maSHj7ip34gg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0