Add sops syncoid key
This commit is contained in:
parent
80142a5052
commit
d54d7bac5a
2 changed files with 24 additions and 35 deletions
|
|
@ -164,52 +164,40 @@
|
||||||
gnupg
|
gnupg
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
users.users.backup = {
|
|
||||||
isNormalUser = true;
|
sops.secrets.syncoidSshKey = {
|
||||||
description = "Backup replication user";
|
owner = "syncoid";
|
||||||
shell = pkgs.bash;
|
group = "syncoid";
|
||||||
packages = with pkgs; [
|
mode = "0400";
|
||||||
sanoid
|
|
||||||
];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
services.syncoid = {
|
services.syncoid = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "backup";
|
#user = "backup";
|
||||||
sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
|
sshKey = config.sops.secrets.syncoidSshKey.path;
|
||||||
commonArgs = [
|
#commonArgs = [
|
||||||
#"--sshoption=StrictHostKeyChecking=off"
|
# #"--sshoption=StrictHostKeyChecking=off"
|
||||||
"--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
|
# "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
|
||||||
"--sshoption=IdentitiesOnly=yes"
|
# "--sshoption=IdentitiesOnly=yes"
|
||||||
];
|
#];
|
||||||
commands."zima-bitrot" = {
|
commands."zima-bitrot" = {
|
||||||
source = "backup@zima:bitrot";
|
source = "root@zima:bitrot";
|
||||||
target = "tank/backups/zima/bitrot";
|
target = "tank/backups/zima/bitrot";
|
||||||
recursive = true;
|
recursive = true;
|
||||||
|
service.serviceConfig.BindReadOnlyPaths = [
|
||||||
|
config.sops.secrets.syncoidSshKey.path
|
||||||
|
];
|
||||||
};
|
};
|
||||||
commands."zima-rpool-safe" = {
|
commands."zima-rpool-safe" = {
|
||||||
source = "backup@zima:rpool/safe";
|
source = "root@zima:rpool/safe";
|
||||||
target = "tank/backups/zima/rpool-safe";
|
target = "tank/backups/zima/rpool-safe";
|
||||||
recursive = true;
|
recursive = true;
|
||||||
|
service.serviceConfig.BindReadOnlyPaths = [
|
||||||
|
config.sops.secrets.syncoidSshKey.path
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
#systemd.services.syncoid-zima-rpool-safe.serviceConfig = {
|
|
||||||
# Environment = [
|
|
||||||
# "HOME=/var/lib/syncoid"
|
|
||||||
# "SSH_AUTH_SOCK="
|
|
||||||
# ];
|
|
||||||
# ExecStartPre = [
|
|
||||||
# "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
|
|
||||||
# "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
|
|
||||||
# "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
|
|
||||||
# "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
|
|
||||||
# "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
|
|
||||||
# "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
|
|
||||||
# ];
|
|
||||||
#};
|
|
||||||
|
|
||||||
#systemd.services.syncoid-replication = {
|
#systemd.services.syncoid-replication = {
|
||||||
# description = "ZFS syncoid replication";
|
# description = "ZFS syncoid replication";
|
||||||
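Review bot: Both commands now log in as root on the source (`source = "root@zima:bitrot";` and `source = "root@zima:rpool/safe";`), so the decrypted key at `config.sops.secrets.syncoidSshKey.path` — readable by the local `syncoid` user at mode 0400 — becomes an unrestricted root credential for zima, whereas the removed configuration replicated as the unprivileged `backup` account. Unless zima confines that key in its authorized_keys (not visible here), a dedicated replication user there with `zfs allow` delegation (send, snapshot, hold, mount as needed) or at least a `restrict,command="..."` forced-command entry keeps a compromise of this host from becoming root on the source. Separately, commenting out the whole `commonArgs` list also drops `IdentitiesOnly=yes` and the explicit `UserKnownHostsFile`; unless the unit's HOME still resolves to the old `/var/lib/syncoid/.ssh`, host-key pinning should be supplied system-wide (for example `programs.ssh.knownHosts.zima.publicKey = "ssh-ed25519 ...";`) rather than by eventually uncommenting `StrictHostKeyChecking=off`. The two identical `service.serviceConfig.BindReadOnlyPaths` lists could be declared once through `services.syncoid.service` if the module version in use provides that option, and the surrounding module starts and ends outside this hunk.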
|
|
|
||||||
|
|
@ -1,4 +1,5 @@
|
||||||
hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str]
|
hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str]
|
||||||
|
syncoidSshKey: ENC[AES256_GCM,data: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,iv:okNdm2cKrP4DDPflGaN5XRZh/OMFhl30sdTdbbvqsGQ=,tag:O9fv2X1nAf9Ed0FN3xlV3A==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
|
- recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
|
||||||
|
|
@ -19,7 +20,7 @@ sops:
|
||||||
NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ
|
NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ
|
||||||
JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg==
|
JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-12-29T20:30:43Z"
|
lastmodified: "2025-12-30T05:34:50Z"
|
||||||
mac: ENC[AES256_GCM,data:4tBtaoDxLrLIyIXi51TKB2U5eP9kkEpz1UaW2eBTGXkdmn+k/oiouQ4spigQ8O0dKvdy4SmvOSksCC7TSDeZ0ToKbyorqFrTbnhvUdACjw6O6I8WJ8daaOGuvKHjiYk1CWhn8zdC+QTa/gpjVoQhTfiEFuPXgFMMoI24h7000XE=,iv:6taR8qzv/liCLAeqkYnUV+9D0b9z0zCOPHsOo+JMXnw=,tag:TUg6Z9GQLPLnyvW6lCHFpw==,type:str]
|
mac: ENC[AES256_GCM,data:HipS7m52pB37vwkPEinN89ZcCZoj0vvaKvtMv701C4SYJjRi6wcH/qDdvY8OuiYrNZrXTTjRb+DKXoE0X7R0PutQErybbBbzRfeN/jOUYIsGo5h3bHCYjXvT08VxB2qnF4fMjZ6GmXCbhf+aw7Ens+ebCZHtIxIeEORdifqDRbE=,iv:ERapQGu/BCUT1BMNl+rESxj0mMorfiL9TyQO99ATqy4=,tag:Z5zHpMg6nFJhi+LBUt1xKg==,type:str]
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.11.0
|
version: 3.11.0
|
||||||
|
|
|
||||||