move encrypted secrets near relevant files

Noah Masur
2025-03-09 17:09:33 +00:00
parent f59ac536a2
commit 37d1d7724a
60 changed files with 27 additions and 94 deletions


@ -0,0 +1,17 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,61 @@
{ config, lib, ... }:
let
cfg = config.nmasur.presets.services.restic;
in
{
options.nmasur.presets.services.restic = {
enable = lib.mkEnableOption "Restic backup service";
resticPassword = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Password file path for Restic backups";
default = ./restic.age;
};
s3 = {
endpoint = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "S3 endpoint for Restic backups";
default = "s3.us-east-1.amazonaws.com";
};
bucket = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "S3 bucket for Restic backups";
default = "noahmasur-restic";
};
accessKeySecretPair = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Path to file containing S3 access and secret key for Restic backups";
default = ./s3-glacier.age;
};
};
};
config = lib.mkIf (cfg.enable) {
secrets.restic-s3-creds = {
source = cfg.s3.accessKeySecretPair;
dest = "${config.secretsDirectory}/restic-s3-creds";
};
secrets.restic = {
source = cfg.resticPassword;
dest = "${config.secretsDirectory}/restic";
};
services.restic.backups = {
default = {
repository = "s3:${cfg.s3.endpoint}/${cfg.s3.bucket}/restic";
paths = [ ];
environmentFile = config.secrets.restic-s3-creds.dest;
passwordFile = config.secrets.restic.dest;
pruneOpts = [
"--keep-daily 14"
"--keep-weekly 6"
"--keep-monthly 12"
"--keep-yearly 100"
];
};
};
};
}
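Review bot: The two secret options (`resticPassword` and `s3.accessKeySecretPair`) are typed `lib.types.path` and described only as a "password file path" or "path to file containing S3 access and secret key", which does not tell a caller that the value has to be an age-encrypted file; a path literal pointing at a plaintext secret would normally be copied into the world-readable Nix store when it is evaluated. I would state that in the descriptions, e.g. `description = "Path to the age-encrypted file holding the Restic repository password";`, and likewise for the S3 key pair. Separately, every option is `nullOr`, but the `config` block never handles `null`: `repository = "s3:${cfg.s3.endpoint}/${cfg.s3.bucket}/restic"` fails to evaluate with a null endpoint or bucket, and both `secrets.*.source` assignments pass null through to a module that is not shown here. Either drop `nullOr` from the types or add an `assertions` entry that rejects null values when `cfg.enable` is set.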


@ -0,0 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----