diff --git a/flake.nix b/flake.nix index a5b90d9..680c30b 100644 --- a/flake.nix +++ b/flake.nix @@ -61,7 +61,7 @@ pkgs = import nixpkgs { inherit system; config.allowUnfree = true; - overlays = [ nur.overlays.default ]; + overlays = [ nur.overlays.default agenix.overlays.default ]; }; pkgs-unstable = import nixpkgs-unstable { inherit system; @@ -105,12 +105,6 @@ "tchristensen@beocat" = mkHomeConfiguration { hostname = "beocat"; }; - "millironx@harmony" = mkHomeConfiguration { - hostname = "harmony"; - arch = "aarch64"; - desktop = true; - }; - "millironx@odyssey" = mkHomeConfiguration { hostname = "odyssey"; desktop = true; diff --git a/homes/common.nix b/homes/common.nix index 2b452dd..61ba3f1 100644 --- a/homes/common.nix +++ b/homes/common.nix @@ -31,6 +31,7 @@ in { }; }; packages = with pkgs; [ + agenix btop cowsay figlet @@ -86,14 +87,6 @@ in { }; sessionPath = [ "$HOME/.local/bin" ]; activation = { - recordHmGitHash = lib.hm.dag.entryAfter [ "writeBoundary" ] '' - cd "$HOME/.config/home-manager" || exit 1 - if [ -z "$(${pkgs.git}/bin/git status --porcelain --untracked-files=no)" ]; then - run echo "$(${pkgs.git}/bin/git rev-parse HEAD)" | tee $HOME/.cache/hm-git-hash - else - run echo '*' | tee $HOME/.cache/hm-git-hash - fi - ''; installRunic = lib.hm.dag.entryAfter [ "writeBoundary" ] '' run ${pkgs.julia-bin}/bin/julia --project=@runic --startup-file=no -e 'using Pkg; Pkg.add(name="Runic", version="${runic_version}")' ''; diff --git a/homes/harmony.nix b/homes/harmony.nix deleted file mode 100644 index 2e48431..0000000 --- a/homes/harmony.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, pkgs-unstable, ... }: { - # harmony is an Asahi Fedora box - # I don't use NixOS, so there are some programs that don't interact well with - # the base system (or won't even install) when installed from Nix. - # There is no uniform way to trigger dnf package installs from Nix, so I'm - # just going to list my packages here. I hope to create a custom script that - # mimics the ideas of a Brewfile someday - # TODO: Create a Brewfile equivalent for dnf - - # dnf repos: - # https://github.com/terrapkg/packages?tab=readme-ov-file - # https://pkgs.tailscale.com/stable/fedora/tailscale.repo - # https://packagecloud.io/filips/FirefoxPWA - - # copr repos: - # iucar/rstudio - - # dnf packages: - # apptainer - # chromium - # firefoxpwa - The nix version installs an "immutable" runtime, which simply launches extra browser windows on non-NixOS - # inkscape - # kate - # kdiff3 - # krita - # lutris - # musescore - # nextcloud-client - # nextcloud-client-dolphin - # obs-studio - # podman-compose - # podman-docker - # qownnotes - # qt - # rssguard - # rstudio-desktop - # steam - # supertuxkart - # tailscale - # thunderbird - # vlc - # vorta - The vorta package is aarch64 compatible, but you cannot see any icons, and it cannot access local ssh keys, so we have to use the dnf package instead - # yakuake - # zed - # zsh - # R - # https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm - home = { - username = "millironx"; - homeDirectory = "/home/millironx"; - # Signal desktop is not available in any other package repository for aarch64 linux - # Similarly, Bitwarden is non-functional in all other forms using a 16k page size - packages = with pkgs; [ - trayscale - veracrypt - pkgs-unstable.signal-desktop - pkgs.bitwarden-desktop - ]; - }; - programs = { - git = { - signing = { - key = "0x37A3041D1C8C4524!"; - signByDefault = true; - }; - }; - }; - services = { - gpg-agent = { sshKeys = [ 
"207D13371E19752A67AA2686C16354D9963821DB" ]; }; - }; - xdg = { - configFile = { - "nextflow.config".text = '' - params { - config_profile_description = 'harmony Asahi Linux local profile' - config_profile_contact = 'Thomas A. Christensen II <25492070+MillironX@users.noreply.github.com>' - config_profile_url = null - - max_memory = 12.GB - max_cpus = 12 - max_time = 7.d - } - - apptainer { - enabled = true - autoMounts = true - } - - process { - executor = 'local' - } - ''; - }; - }; -} diff --git a/inventory.yaml b/inventory.yaml index ba53698..63f1f3c 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -3,20 +3,13 @@ ungrouped: hosts: localhost: ansible_connection: local - harmony: - ansible_connection: local odyssey: ansible_connection: local -asahi: - hosts: - harmony: - amd64: hosts: odyssey: fedora: hosts: - harmony: odyssey: diff --git a/playbooks/config.yaml b/playbooks/config.yaml index 4aa2dd4..156dc63 100644 --- a/playbooks/config.yaml +++ b/playbooks/config.yaml @@ -11,7 +11,7 @@ mode: "755" - name: Create Firefox DNS policy ansible.builtin.template: - src: "{{ playbook_dir }}/../templates/policies.json" + src: "policies.json" dest: /etc/firefox/policies/policies.json mode: "644" diff --git a/playbooks/nix.yaml b/playbooks/nix.yaml index 672725f..50d9952 100644 --- a/playbooks/nix.yaml +++ b/playbooks/nix.yaml @@ -45,7 +45,8 @@ register: home_manager_exists - name: Init home-manager ansible.builtin.shell: | - /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }} + /nix/var/nix/profiles/default/bin/nix run home-manager -- switch \ + --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }} when: not home_manager_exists.stat.exists register: home_manager_init changed_when: home_manager_init.rc == 0 diff --git a/playbooks/packages.yaml b/playbooks/packages.yaml index 612acde..b3d0947 100644 
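Review bot: `src: "policies.json"` in the config.yaml hunk now relies on Ansible's implicit template search path (a `templates/` directory beside the playbook), which is satisfied only because the same commit moves templates/policies.json to playbooks/templates/policies.json; nothing in the task records that dependency, so a later move of the playbook would break the lookup silently. Suggest a comment above the task: `# resolved from playbooks/templates/ via Ansible's template search path`. The play header for this task is outside the hunk.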
--- a/playbooks/packages.yaml +++ b/playbooks/packages.yaml @@ -1,55 +1,9 @@ --- -# These are repos and packages that are useless or unavailable on Asahi Linux, -# or have completely separate install procedures. -- name: Configure amd64-specific dnf packages - hosts: amd64 - become: true - tasks: - - name: Install x86-specific dnf packages - ansible.builtin.dnf: - name: - - libdvdcss - - mkvtoolnix - - mpv - - protontricks - - x264 - - x264-libs - state: present - - name: Install VeraCrypt - ansible.builtin.dnf: - name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm - state: present - disable_gpg_check: true - -- name: Configure amd64-specific Flatpaks - hosts: amd64 - become: false - tasks: - - name: Install x86-specific Flatpaks - community.general.flatpak: - name: - - com.bitwarden.desktop - - com.slack.Slack - - dev.deedles.Trayscale - - org.signal.Signal - state: latest - method: user - remote: flathub - -- name: Configure Asahi Linux-specific dnf packages - hosts: asahi - become: true - tasks: - - name: Install aarch64-specific dnf packages - ansible.builtin.dnf: - name: - - veracrypt - -- name: Configure common (all arch) dnf packages +- name: Configure dnf packages hosts: fedora become: true tasks: - - name: Install common (all arch) dnf packages + - name: Install dnf packages ansible.builtin.dnf: name: - chromium @@ -64,15 +18,19 @@ - kdenlive - kdiff3 - krita + - libdvdcss - libjpeg-devel - libpng-devel - libtiff-devel - libwebp-devel + - mkvtoolnix + - mpv - musescore - nextcloud-client - nextcloud-client-dolphin - obs-studio - onedrive + - protontricks - qownnotes - qt - rssguard @@ -82,6 +40,8 @@ - thunderbird - vlc - vorta + - x264 + - x264-libs - yakuake - zed - zsh 
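Review bot: The play at the top of the first hunk now installs libdvdcss, mkvtoolnix, mpv, protontricks, x264 and x264-libs for the whole `fedora` group, where before this commit they were limited to `amd64`, and the header comment that explained the split is deleted with it, so the x86_64 assumption is no longer written down anywhere. This is consistent today because inventory.yaml in the same commit drops the `amd64` and `asahi` groups, but a future non-x86 host added to `fedora` would receive these packages (and the x86_64-only VeraCrypt RPM added in a later hunk) without warning. Suggest restoring a short header after the `---`: `# All hosts in the fedora group are assumed to be x86_64; the amd64/aarch64 split was dropped with the harmony host.` These packages presumably come from RPM Fusion, which repos.yaml in this commit now enables for `fedora` rather than `amd64`; if so, that ordering dependency belongs in the same comment.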
@@ -92,6 +52,11 @@ name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm state: present disable_gpg_check: true + - name: Install VeraCrypt + ansible.builtin.dnf: + name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm + state: present + disable_gpg_check: true - name: Install rig (R installation manager) ansible.builtin.dnf: name: https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.{{ ansible_architecture }}.rpm @@ -109,19 +74,23 @@ name: "*" state: latest # noqa: package-latest -- name: Configure common (all arch) Flatpaks +- name: Configure Flatpaks hosts: fedora become: false tasks: - - name: Install common (all arch) Flatpaks + - name: Install Flatpaks community.general.flatpak: name: + - com.bitwarden.desktop - com.github.tchx84.Flatseal - com.logseq.Logseq + - com.slack.Slack + - dev.deedles.Trayscale - io.freetubeapp.FreeTube - io.github.alainm23.planify - io.github.dweymouth.supersonic - io.openrct2.OpenRCT2 + - org.signal.Signal - org.zulip.Zulip - net.ankiweb.Anki state: latest diff --git a/playbooks/repos.yaml b/playbooks/repos.yaml index b771518..36b2eb0 100644 --- a/playbooks/repos.yaml +++ b/playbooks/repos.yaml @@ -1,6 +1,6 @@ --- -- name: Configure amd64-specific package repositories - hosts: amd64 +- name: Configure dnf package repositories + hosts: fedora become: true tasks: - name: Install RPM Fusion free repository 
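Review bot: The added `Install VeraCrypt` task installs an RPM fetched from launchpad.net with `disable_gpg_check: true`, so package authenticity rests entirely on TLS to that host; the mscorefonts task just above does the same and is untouched by this commit. Prefer importing the publisher's RPM signing key with `ansible.builtin.rpm_key` and dropping `disable_gpg_check`, or, if the RPM is unsigned, fetching it with `ansible.builtin.get_url` using `checksum: sha256:<expected digest recorded when pinning>` and installing the local file. The URL also hard-codes `Fedora-40` and `x86_64` while the rig task below derives the architecture from `{{ ansible_architecture }}`; a comment such as `# Pinned to the 1.26.20 Fedora 40 x86_64 build; bump with the distro release` would keep the pin from rotting unnoticed.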
@@ -20,31 +20,6 @@ - name: Install Zotero COPR repository community.general.copr: name: "mozes/zotero7" - -# Asahi Linux comes with its own strange version of RPMFusion installed, so -# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and -# Zotero *are* available via COPR, but from different repos than their amd64 -# counterparts. -# Also, Asahi has its own version string, so we have to manually specify the -# chroot for COPR repos added via Ansible. This is handled automatically when -# using `dnf copr enable ...`, but not via Ansible. -- name: Configure Asahi Linux-specific package repositories - hosts: asahi - become: true - tasks: - - name: Install Zotero COPR repository - community.general.copr: - name: "isaksamsten/Zotero" - chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64" - - name: Install VeraCrypt COPR repository - community.general.copr: - name: "architektapx/veracrypt" - chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64" - -- name: Configure common (all arch) package repositories - hosts: fedora - become: true - tasks: - name: Install Tailscale repo ansible.builtin.yum_repository: name: tailscale-stable @@ -110,7 +85,7 @@ register: terra_priority changed_when: terra_priority.rc != 0 -- name: Configure Flathub remote +- name: Configure Flatpack remotes hosts: fedora become: false tasks: diff --git a/templates/policies.json b/playbooks/templates/policies.json similarity index 100% rename from templates/policies.json rename to playbooks/templates/policies.json diff --git a/secrets.nix b/secrets.nix index c0d5047..15c2329 100644 --- a/secrets.nix +++ b/secrets.nix 
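Review bot: The renamed play in the last hunk, `Configure Flatpack remotes`, misspells Flatpak; packages.yaml in the same commit writes `Configure Flatpaks`. Suggest `- name: Configure Flatpak remotes` so task names stay greppable and consistent.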
@@ -6,28 +6,30 @@ let "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos"; bosephus-millironx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus"; - odyssey-millironx = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey"; corianne-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKKkucebeb1GcerOZAAs5GQsgTS8kXw5W41b9Fy9+hp root@corianne.local"; corianne-millironx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgL2lO9RJBdQYANoxGyWXcNKi5/NZkRHHo/rNqaYMc/ millironx@corianne"; - harmony-millironx = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBYxsCkw+ObDzIvU8z/rSlYcQx0JIt1bCVxKcDxeNNZ millironx@harmony"; - + mcentire-host = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT51tQgsKzTIQc9WSQj01h/gPRvAD3k9jRhXppY7xmd root@nixos"; + odyssey-millironx = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey"; system-administrators = [ anderson-millironx bosephus-millironx odyssey-millironx corianne-millironx - harmony-millironx ]; in { + "secrets/ansible-vault-password.age".publicKeys = system-administrators; + "secrets/borgmatic-passphrase.age".publicKeys = system-administrators + ++ [ mcentire-host ]; + "secrets/borgmatic-ssh-config.age".publicKeys = system-administrators + ++ [ mcentire-host ]; + "secrets/darwin-policies-json.age".publicKeys = system-administrators + ++ [ corianne-host ]; "secrets/network-information.age".publicKeys = system-administrators ++ [ bosephus-host ]; "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ]; - "secrets/ansible-vault-password.age".publicKeys = system-administrators; - "secrets/darwin-policies-json.age".publicKeys = system-administrators - ++ [ corianne-host ]; } diff --git a/secrets/ansible-vault-password.age b/secrets/ansible-vault-password.age index d833716..9234dd3 100644 --- a/secrets/ansible-vault-password.age 
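Review bot: Dropping `harmony-millironx` from `system-administrators` and re-encrypting (secrets/ansible-vault-password.age goes from five recipients to four in this commit) only stops the harmony key from reading the new ciphertexts; every earlier revision in git history remains decryptable by it. If that key was retired rather than destroyed, the plaintexts it could read — everything granted to `system-administrators`, including the Ansible vault password — should be rotated, not just re-keyed; the diff does not show whether the vault password value itself changed. Separately, the new `mcentire-host` key carries the comment `root@nixos`, identical to the host key at the top of the hunk, which makes the two hard to tell apart in fingerprint listings or server logs; consider editing the comment field to `root@mcentire`, as `corianne-host` already does with `root@corianne.local`.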
+++ b/secrets/ansible-vault-password.age @@ -1,13 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ 8BY+QUEGqILKLs6ROw7llEOhx0GgrfFeKDcEgHePUFw -SPiG48tkp5ewFc6/uNj+541B6YJODGmDFEbET2BfoZ0 --> ssh-ed25519 1g/xww HyUG/jNJgHCceV/9vaaoSHc681x6Gg/uY+RIfQxIBxU -6XVufQ4A9r8HPU9QLZ/idx3NjDf+UeKVMhtk9+Awy4E --> ssh-ed25519 +kBihw XjhEk6TF6M5OalqVQNpAemlmgMIJnfuH6M600DnJql0 -3zQPJZcsfnbUqRf5XWTJNbyqMb/rsSBIkS7YlYsyMcs --> ssh-ed25519 dbKeHw nIG5Z+XdJ3dyMxFOxyFMHw5sUkRJ2dsooJbIScNwlxM -brJoiOSQcwgs3vNSk8eK6dzH3zfQGFNdEWj3jjMM5e0 --> ssh-ed25519 Svnssw +VFbKj457mYT3GXQSacQ13J8MSkYe6A26ssNbqh8LAQ -rJzIG170BcRlsLERhnfaqgRFeAL4Yw7zvtb1gGvUkCU ---- ebIxmIBuNqNgfVWvOJc/0OpFBf3Q7pmApGgHYjrtJI8 -AeO:(7_x0׷ jfV /D.8⿀1ߠ[qf!7ht0Y \ No newline at end of file +-> ssh-ed25519 il3lzQ WthM+rK9ntTt0GkP6Z7kuFeOCMkYdY5OkoxtIY8xnk8 +howoRiqpwVW+K4ybhHngRfqobGOqSlye6da6+QJg2xU +-> ssh-ed25519 1g/xww 7iNs/T1MXDvZTtbz3s9Dx8CERfL4TBpn4fwhSv8j+yQ +cHXWpo3FEmkD2867IhdCpG4Pkq+LRkvi54OvTeSQA8s +-> ssh-ed25519 +kBihw HXgixNdqoB102vJDQ74UhC2wUIpYNv21ZvfFRgPmyX4 +09wYp8mUSl0ixLbtbK3E+u/7KVx8bYXTAwbzWN9TX/k +-> ssh-ed25519 dbKeHw PhePJgvp9fRMEJdtYwq3MV+CfNbEs1xJrQefJPQtl3Y +muMZYzYC8aHJBq96Z12pvxA32Cs4KFcG/0YHVT6tX8o +--- lunvYfBDg4+g00hMQJc6ZHQiBQ9k/qubJBYQ+p6aXhc +Ϛ:VnߛTFW=r TvM_=!՟Ǧ~N0 IPem̮.3/T[ \ No newline at end of file diff --git a/secrets/borgmatic-passphrase.age b/secrets/borgmatic-passphrase.age new file mode 100644 index 0000000..31b7e97 --- /dev/null +++ b/secrets/borgmatic-passphrase.age 
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 il3lzQ NZt+Qn166/k1xA8H+0i40Nf0QUcNoo/mPB4xEsbc52g +WDnvHlN0EAM3kcH4P0w9Fl6LaPYFLK9uhbL2C/asXkQ +-> ssh-ed25519 1g/xww 607VONmCuvQWVfbXOwtW36OrLDSmC1b3FJfcXG8coVk +aKmWBrjrk3cUfGJuEwmuzgiMfeqaDM4sFA9lSEyXb2A +-> ssh-ed25519 +kBihw mUCQloe1iMe4TupQmQRV/SsvDl7GYAy9qNgd/9QuRVs +pl5NvOjZpOmslTm34qhyIY8ihbGfvi5TUMNIN+KftQA +-> ssh-ed25519 dbKeHw mDRPmYMHU/U39xGm+cPt/DDX1VFwJR9q7Ej393eygjc +sneArlOp/HU1N9aXQjGunmcL2lSJ+uUfnLUKJrfuwWY +-> ssh-ed25519 +C0WRg +swZ49g3n/MdCXcaVVN+oJppbhVOeYyVhJBA/0O+zFI +PleOEzaPcOWCQKSULfZ1V8MIcuzS7W0J6KoqSQWuM44 +--- RtNvvt/RSfurXkC29xKp02PWD5+8Ikrdh3JJHzcUECM +r +ǔj &(F-WlEϮ3~K@BO,hJ-^ ,#yڦBn#qִr39PjsgdiÆв?o><^+E4< )K7;/xߎؔ +bh \ No newline at end of file diff --git a/secrets/borgmatic-ssh-config.age b/secrets/borgmatic-ssh-config.age new file mode 100644 index 0000000..cae035c --- /dev/null +++ b/secrets/borgmatic-ssh-config.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 il3lzQ +g4/yAloij23EO70Lwv3NHdzUlI3yM17V+GZVet+DB4 +KoJqTEeF5ol4q+ZwcO+bWsP+hKszCMAUrok0yU+L6WU +-> ssh-ed25519 1g/xww aGc6VKpwoGQyjsPxc4hFPqc5sTzpOx/p7AJL2otF3QE +u5gZXqSUKLMxKsekgixy5h57GZVmIXChnxOTq5iFv9o +-> ssh-ed25519 +kBihw FESLL/bEja1rrQm4V2VIFM9pEuP8ydNSiHgatiEqWDk +Y5D1RoMCKuX3HxUpebwNUgJFQJnJR0GILNeg2DOPaDs +-> ssh-ed25519 dbKeHw EiccNUjhFewzAI+OWDrZnGNZbY1uoP99EJhvDn3AKyw +QQohrq0jZJIwXGkycvn7Q4JFJmkhUwxXZEB5HN217Tg +-> ssh-ed25519 +C0WRg rbfEQSHbKDIvm6p2o9CiJIMNRFWlKaQE7TALCdgauzs +6NWlDEKfWnYHFwleqOF6fSOzjxNkjdBFeFRl1Cj1L9A +--- E6T4y6crIEiWxE3G9OOQDrRky4919i7FM0zDnPiqUH4 +d bt=p(Wwx9r }&l +g`ep~kP$vUH"-,4&Nh#%8]@(I BJY 4eQs"wNr-Cmqx +!q \ No newline at end of file diff --git a/secrets/darwin-policies-json.age b/secrets/darwin-policies-json.age index eabc269..258d0b2 100644 Binary files a/secrets/darwin-policies-json.age and b/secrets/darwin-policies-json.age differ diff --git a/secrets/network-information.age b/secrets/network-information.age index bccc467..a1394fe 100644 
--- a/secrets/network-information.age +++ b/secrets/network-information.age @@ -1,15 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ X/F7G7EJbo6QTCGBSp2irApe2qkFUmj2OytrpOVVQ2w -yjitkwkxhNJLxSK4zF25o2lhZO6drBkjwHYykcPnoIw --> ssh-ed25519 1g/xww HriK0yZF3EEh2mB8RpVWBGzuPiK1DB80BeXZAt5Runo -8ke05EDxykN/tu5wEzL3RvRnleBeWKpblm/iXb0pJ8U --> ssh-ed25519 +kBihw bG3XH77yhvMR+HsJMwi1WsXo4aSm5ez80gRlgkTosSo -/WhUI2gKt94naWkeDrXvxnc2fsJvqmcARJnnhrU9sjw --> ssh-ed25519 dbKeHw Bugbp/ovWaODwR6msKnGB3D/dT/ZMmFyr6Za0VAJqBQ -+FfFa1w5/Ok8rIhp+NOBxfqoGFFlGwt8hPhxzibAVf8 --> ssh-ed25519 Svnssw xpuVCV4OJi8G8R5vuSMio9hoRWmufOsCaEyhLMKarh0 -/82i3ZFwQtMonTj4wfa9KPig9qUIJomVYk3QlpB4rJk --> ssh-ed25519 jb0ALQ cbnyjqANs0f/CsiD/peCuJuMJfuaNKIIzbd/87OEV2Y -iQmJxEOQuharrlkiaOdQXnTSUcsq+b7BzSo+G35QJIw ---- eDJuMw4WC33Ihy5OBr2gkeewAFBpCa3gO3CYehr5bOo -VR@X[6gȣl ʑm.P4MiYt̾~ x\Y㒊UMGd܏{'mB,@[e]{NbN] a!*ͬ`YQn95 'q5]-6:FYL$} \ No newline at end of file +-> ssh-ed25519 il3lzQ DhOVslXJ/kZmHvfCLw3rPiRrR1NxTC6zV6Di9WOUY1o +i+OTfk7LWc3rT+T8yFGlPabsgVkddPAr3D6oc5hpe/Y +-> ssh-ed25519 1g/xww xiWVbXWJXtgPLnPWC5bRCvdgceKuY/7wrAbWGlBmZWA +C7rwIOD0xGzTpGRgAycHlspsGaLLwFG6j+6/vPkVtkI +-> ssh-ed25519 +kBihw E2rOacH/0J3YWuplB01z51r/MW3jF36l1C+QeqY6zls +162dh2KpWV71727zPZ2fpS7btQsQ/IL43kuViypZwWc +-> ssh-ed25519 dbKeHw k4ZekrotAzMlC6+RifphXj108iEra0AH4DrCxOSI/gg ++9eibvHzF88lm9Qi/FCfW87D9BW25+zkzQbnhe/F3Rw +-> ssh-ed25519 jb0ALQ Z8WYL7/D990/IWBHGKZInn3Rffol0jnraGQyQbqCdWE +LQa3mmMrA6Qx8wChzlWmB3M2OAtjVep5ryOZH3oZOMA +--- avI87pf1OwXk3BW8w9jW95NK4U/vfUg0pJoqjQ6eCS4 +75l7gϹNU%*-^$z1,4G԰@:~,Se@7p += >H0㭅m7mUW +W-y EÎ8+gM/- z 펈5%l0l صΙ|JEz y=a1jpIQfܝ3 \ No newline at end of file diff --git a/secrets/pihole.age b/secrets/pihole.age index dfe146e..3e0bcc9 100644 Binary files a/secrets/pihole.age and b/secrets/pihole.age differ diff --git a/secrets_harmony.enc b/secrets_harmony.enc deleted file mode 100644 index e91177d..0000000 --- a/secrets_harmony.enc +++ /dev/null 
@@ -1,6 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38383539613238613864336630316433666436623334313334393762396536663530336264306661 -3338616565316138616666343862366638643134343931320a633366363539326461346636373738 -66393138653463663536313065623332383166386332303564323939336630333163623637386434 -6538393966633731660a616437356233643234363562366433663437383439326161353330356331 -63346432663036353332303266343361346266396437396131376531303265356233 diff --git a/services/borgmatic.nix b/services/borgmatic.nix new file mode 100644 index 0000000..28b1b45 --- /dev/null +++ b/services/borgmatic.nix @@ -0,0 +1,37 @@ +{ pkgs, config, ... }: { + + # We don't want to expose the location where borg backups are going, so we + # will setup an encrypted ssh config that references the host/username + # combo as simply 'borgserver' + age.secrets = { + borgmatic-ssh-config = { file = ./../secrets/borgmatic-ssh-config.age; }; + borgmatic-passphrase = { file = ./../secrets/borgmatic-passphrase.age; }; + }; + + services.borgmatic = { + enable = true; + + # This is the bare-bones way to get Borgmatic up and running. Other services + # are expected to declare their stateful directories by adding to + # `services.borgmatic.configurations."${config.networking.hostName}".source_directories` + # and to add their databases to + # `services.borgmatic.configurations."${config.networking.hostName}".[mariadb|postgresql|etc]_databases` + + configurations."${config.networking.hostName}" = { + source_directories = [ "/home" "/root" ]; + repositories = [{ + label = "${config.networking.hostName}-default"; + path = "ssh://borgserver/./repo"; + }]; + ssh_command = + "${pkgs.openssh}/bin/ssh -F ${config.age.secrets.borgmatic-ssh-config.path}"; + encryption_passcommand = + "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmatic-passphrase.path}"; + retention = { + keep_daily = 7; + keep_weekly = 4; + keep_monthly = 6; + }; + }; + }; +} 
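Review bot: `ssh_command` points ssh at an encrypted config via `-F`, so host-key verification for `borgserver` is governed by that secret file (not visible here) plus root's known_hosts; whether the server key is pinned with `UserKnownHostsFile` / `StrictHostKeyChecking yes`, or the config relaxes checking, cannot be reviewed from this diff, and the unattended timer will either fail or trust silently depending on which it is. A comment beside `ssh_command` recording the expectation would help, e.g. `# the encrypted config is expected to pin borgserver's host key; do not relax StrictHostKeyChecking there`. The header comment could also note that this client holds full read and prune rights on the repository, so a compromised host can delete its own history; restricting the key on the backup server to append-only (`borg serve --append-only`) is the usual mitigation and lives outside this repo. `encryption_passcommand` reading the age-managed passphrase file is fine as long as that path keeps its default root-only mode.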
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix index 07135d1..60fd158 100644 --- a/systems/linux/mcentire.nix +++ b/systems/linux/mcentire.nix @@ -4,6 +4,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration/mcentire.nix ./../../services/nixos-update.nix + ./../../services/borgmatic.nix ./../../services/crowdsec.nix ];