From d54d7bac5a61a11c10c142bc3a7042474719604b Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Mon, 29 Dec 2025 21:35:25 -0800
Subject: [PATCH] Add sops syncoid key
---
 hosts/cryochamber/configuration.nix | 54 +++++++++++----------------
 hosts/cryochamber/secrets/config.yaml | 5 ++-
 2 files changed, 24 insertions(+), 35 deletions(-)
diff --git a/hosts/cryochamber/configuration.nix b/hosts/cryochamber/configuration.nix
index 6f7fc18..9344c7a 100644
--- a/hosts/cryochamber/configuration.nix
+++ b/hosts/cryochamber/configuration.nix
@@ -164,52 +164,40 @@
 gnupg
 ];
 };
- users.users.backup = {
- isNormalUser = true;
- description = "Backup replication user";
- shell = pkgs.bash;
- packages = with pkgs; [
- sanoid
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
- ];
+
+ sops.secrets.syncoidSshKey = {
+ owner = "syncoid";
+ group = "syncoid";
+ mode = "0400";
 };
+
 services.syncoid = {
 enable = true;
- user = "backup";
- sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
- commonArgs = [
- #"--sshoption=StrictHostKeyChecking=off"
- "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
- "--sshoption=IdentitiesOnly=yes"
- ];
+ #user = "backup";
+ sshKey = config.sops.secrets.syncoidSshKey.path;
+ #commonArgs = [
+ # #"--sshoption=StrictHostKeyChecking=off"
+ # "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
+ # "--sshoption=IdentitiesOnly=yes"
+ #];
 commands."zima-bitrot" = {
- source = "backup@zima:bitrot";
+ source = "root@zima:bitrot";
 target = "tank/backups/zima/bitrot";
 recursive = true;
+ service.serviceConfig.BindReadOnlyPaths = [
+ config.sops.secrets.syncoidSshKey.path
+ ];
 };
 commands."zima-rpool-safe" = {
- source = "backup@zima:rpool/safe";
+ source = "root@zima:rpool/safe";
 target = "tank/backups/zima/rpool-safe";
 recursive = true;
+ service.serviceConfig.BindReadOnlyPaths = [
+ config.sops.secrets.syncoidSshKey.path
+ ];
 };
 };
- #systemd.services.syncoid-zima-rpool-safe.serviceConfig = {
- # Environment = [
- # "HOME=/var/lib/syncoid"
- # "SSH_AUTH_SOCK="
- # ];
- # ExecStartPre = [
- # "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
- # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
- # "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
- # ];
- #};
 #systemd.services.syncoid-replication = {
 # description = "ZFS syncoid replication";
diff --git a/hosts/cryochamber/secrets/config.yaml b/hosts/cryochamber/secrets/config.yaml
index b91e4e2..d0097da 100644
--- a/hosts/cryochamber/secrets/config.yaml
+++ b/hosts/cryochamber/secrets/config.yaml
@@ -1,4 +1,5 @@
 hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str]
+syncoidSshKey: ENC[AES256_GCM,data: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,iv:okNdm2cKrP4DDPflGaN5XRZh/OMFhl30sdTdbbvqsGQ=,tag:O9fv2X1nAf9Ed0FN3xlV3A==,type:str]
 sops:
 age:
 - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
@@ -19,7 +20,7 @@ sops:
 NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ
 JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-29T20:30:43Z"
- mac: ENC[AES256_GCM,data:4tBtaoDxLrLIyIXi51TKB2U5eP9kkEpz1UaW2eBTGXkdmn+k/oiouQ4spigQ8O0dKvdy4SmvOSksCC7TSDeZ0ToKbyorqFrTbnhvUdACjw6O6I8WJ8daaOGuvKHjiYk1CWhn8zdC+QTa/gpjVoQhTfiEFuPXgFMMoI24h7000XE=,iv:6taR8qzv/liCLAeqkYnUV+9D0b9z0zCOPHsOo+JMXnw=,tag:TUg6Z9GQLPLnyvW6lCHFpw==,type:str]
+ lastmodified: "2025-12-30T05:34:50Z"
+ mac: ENC[AES256_GCM,data:HipS7m52pB37vwkPEinN89ZcCZoj0vvaKvtMv701C4SYJjRi6wcH/qDdvY8OuiYrNZrXTTjRb+DKXoE0X7R0PutQErybbBbzRfeN/jOUYIsGo5h3bHCYjXvT08VxB2qnF4fMjZ6GmXCbhf+aw7Ens+ebCZHtIxIeEORdifqDRbE=,iv:ERapQGu/BCUT1BMNl+rESxj0mMorfiL9TyQO99ATqy4=,tag:Z5zHpMg6nFJhi+LBUt1xKg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
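Review bot: Changing both `source` lines from `backup@zima:…` to `root@zima:…` turns the key now held in `syncoidSshKey` into an unrestricted root credential for zima, a least-privilege regression from the dedicated backup user this same hunk deletes; syncoid on the sending side only needs to list, snapshot, hold and send datasets, so the authorized_keys entry on zima should at least carry `restrict,command="…"` or stay on a non-root user with `zfs allow backup send,snapshot,hold,destroy …` delegation. The `--sshoption=UserKnownHostsFile=…` argument is also commented out with nothing in its place, so host-key verification of zima now depends on whatever the sandboxed `syncoid` user's home or `/etc/ssh/ssh_known_hosts` happens to contain; pinning it explicitly, e.g. `programs.ssh.knownHosts.zima.publicKey = "ssh-ed25519 AAAA…";`, both documents the trust relationship and removes the temptation to revive the still-present `#"--sshoption=StrictHostKeyChecking=off"` line. Dropping `IdentitiesOnly=yes` likewise lets ssh offer agent or default identities before the sops-provided key, so keeping `"--sshoption=IdentitiesOnly=yes"` in `commonArgs` is cheap. Whether the NixOS syncoid module already bind-mounts `sshKey` into the unit (which would make the per-command `BindReadOnlyPaths` redundant) is not visible here; if it does, a one-line comment saying why the explicit bind is kept would help the next reader. The enclosing `services.syncoid` attribute set is fully inside the hunk, but the file's surrounding module continues outside it.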