From 79f62258e29c01f882badc9133ef2f5530696440 Mon Sep 17 00:00:00 2001 From: Christoph Schmatzler Date: Sun, 4 Jan 2026 20:47:35 +0100 Subject: [PATCH] secret 2 --- hosts/michael/secrets.nix | 4 +-- profiles/gitea.nix | 10 +++--- ...el-litestream => michael-gitea-litestream} | 6 ++-- secrets/michael-restic-gitea-env | 31 +++++++++++++++++++ secrets/michael-restic-gitea-password | 30 ++++++++++++++++++ 5 files changed, 70 insertions(+), 11 deletions(-) rename secrets/{michael-litestream => michael-gitea-litestream} (81%) create mode 100644 secrets/michael-restic-gitea-env create mode 100644 secrets/michael-restic-gitea-password diff --git a/hosts/michael/secrets.nix b/hosts/michael/secrets.nix index 3ed2810..686a3c2 100644 --- a/hosts/michael/secrets.nix +++ b/hosts/michael/secrets.nix @@ -1,6 +1,6 @@ {...}: { - sops.secrets.litestream = { - sopsFile = ../../secrets/michael-litestream; + sops.secrets.gitea-litestream = { + sopsFile = ../../secrets/michael-gitea-litestream; format = "binary"; }; diff --git a/profiles/gitea.nix b/profiles/gitea.nix index e8f7145..a5169d0 100644 --- a/profiles/gitea.nix +++ b/profiles/gitea.nix @@ -53,7 +53,7 @@ services.litestream = { enable = true; - environmentFile = "/run/secrets/litestream"; + environmentFile = "/run/secrets/gitea-litestream"; settings = { dbs = [ { @@ -61,7 +61,7 @@ replicas = [ { type = "s3"; - bucket = "gitea-litestream"; + bucket = "michael-gitea-litestream"; path = "gitea"; endpoint = "s3.eu-central-003.backblazeb2.com"; } 
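Review bot: `environmentFile = "/run/secrets/gitea-litestream";` repeats the secret's name as a string literal, so the rename in hosts/michael/secrets.nix and this line have to be kept in step by hand. A mismatch would only show up when the service starts without its credentials. Referencing the declaration instead, `environmentFile = config.sops.secrets.gitea-litestream.path;`, turns a stale name into an evaluation error. This assumes the module can take `config` as an argument, which is outside the hunk. The `passwordFile` and `environmentFile` lines of `services.restic.backups.gitea` in the later hunk follow the same pattern.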
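Review bot: The line `bucket = "michael-gitea-litestream";` switches the replica target, and nothing in the commit records what happens to the existing replica in `gitea-litestream`. The restic job in this file excludes `gitea.db`, so the Litestream replica appears to be the only database backup. I would add a comment above the line, for example `# replica moved from gitea-litestream; keep the old bucket until a restore from this one has been tested`, and retire the old bucket and its access key only after that test. The enclosing `replicas` list continues outside the hunk.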
@@ -92,15 +92,13 @@ }; services.restic.backups.gitea = { - repository = "s3:s3.eu-central-003.backblazeb2.com/gitea-restic"; + repository = "s3:s3.eu-central-003.backblazeb2.com/michael-gitea-repositories"; paths = ["/var/lib/gitea"]; exclude = [ - # Database is backed up via Litestream + "/var/lib/gitea/log" "/var/lib/gitea/data/gitea.db" "/var/lib/gitea/data/gitea.db-shm" "/var/lib/gitea/data/gitea.db-wal" - # Logs aren't needed in backups - "/var/lib/gitea/log" ]; passwordFile = "/run/secrets/restic-gitea-password"; environmentFile = "/run/secrets/restic-gitea-env"; diff --git a/secrets/michael-litestream b/secrets/michael-gitea-litestream similarity index 81% rename from secrets/michael-litestream rename to secrets/michael-gitea-litestream index c58a8a4..c6d0689 100644 --- a/secrets/michael-litestream +++ b/secrets/michael-gitea-litestream @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:YrqKBq2eIlYQcXZJ660/IPDULjudhjuBVYY9y7rIIFLwuL2n7ZxgdyRu/tBuK6RpAjZJKvXLC3dCMzhFfopUUxLXYrG6PTTfdnax2snSD8x7Ph4IRPbOKqM+iyP5nREs4G6hEWe7Pl9VT4oTWQ255g==,iv:sswA9TNXE+8X53xHMwQ6Kq1tl1LAccsyxe22D8sYOUc=,tag:Tu0m6pkn1DFDuDoYfrHxsQ==,type:str]", + "data": "ENC[AES256_GCM,data:NuyR/Nu6sYO28qWso5veT4cSwC/ZLVNS0qUvaqrj0ubB2gkUV1hM1vAxk5HQco8BEi6x4CIiFKXlxsVEvzk7VE3DaXj4WU9xCvG6qLmN3zcdxRtjbdh8nctCfhY2s7RPa+GWYceydGhyqm7CkaoyCw==,iv:bSI6I5zZQ5wJqMi5AMG2kCsZqmgUkcR2zxhBIfg5284=,tag:A4xqVmu0qx/Da9cM7QzK7A==,type:str]", "sops": { "age": [ { 
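Review bot: The reordered `exclude` list drops the comment `# Database is backed up via Litestream`, which was the only statement that this restic repository cannot restore Gitea on its own. Without it, the three `gitea.db*` entries read like an oversight, and a later cleanup could remove either the excludes or the Litestream replica. I would keep a comment next to the database entries, e.g. `# gitea.db* is replicated by Litestream; a full restore needs both backups`. Separately, the declarations behind `/run/secrets/restic-gitea-password` and `/run/secrets/restic-gitea-env` are not in the visible part of hosts/michael/secrets.nix, so confirm they point at the two files this commit adds.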
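Review bot: The `data` value is replaced while the one recipient `enc` stanza visible in the next hunk stays as context, which suggests the payload was edited in place rather than re-keyed. The earlier ciphertext therefore stays in history under secrets/michael-litestream, decryptable by the same recipients. If this edit put in a new storage key for the renamed bucket, the previous key should be revoked at the provider rather than left valid. The commit message does not say whether that was done.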
@@ -23,8 +23,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbisrSmNMYzBnSUdHbWRr\nUzBJbVp4TEc4V20yVWRnMnkxNEloVE5BaUUwCnlwQzljd2hDMm5lR3BQMllaaGNk\nWEhDYklFRkRzdXRSR3MyVFlzNFV3bzgKLS0tIEtKU2p1TXJ0V21hQVM1VDgzOHo5\nNGVzTHVxYmg4WGFDZU9XOFl3ckhmRFEKIUelcIV6U+wpWie3rurg4LnpEjHIsaEG\nNiN9nILQGdD0pyDuA3zAybuakKK0ou/yTiXTP2uuLGujPlFD9BaCAA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-17T16:09:07Z", - "mac": "ENC[AES256_GCM,data:iH1rpteK1WaO1OREm5Ze1Gy00u67KFKIQZwqjIJFhmy8CHOsG45ExltkIb41kM+zPE8ofxy3PGBvrqbMTtAh5rM676VMpRPQtTSt5uRHBJ+5uJBlIY/CRcOPkuT3TZRj2/zoNM0nzBsuOjuM7vpp0FDOlR6OaaB73HopfMemlh4=,iv:Uvw1UQtIHMq4mm5I62p23pt20D9kRfYe8ixBbXYAK0k=,tag:Vpdlr7PZZRPNiLVqGRZQpA==,type:str]", + "lastmodified": "2026-01-04T19:45:21Z", + "mac": "ENC[AES256_GCM,data:iiqkI0oXgsKuFabmYKj/45/Oau88TOOdhcfkwb3thfh/UgXE5wLo/9NbWlpvyG+d9BXP4iP9uy7LRfjoIDh1Snv+u5g1mkwiW/Ke0phC2II6zFRpdPmrXEU4DLijJsWL7lGGs42XTW/9CbJ394HY0g1dOf1BfWn0kXF2iLcUP94=,iv:0MDy65aTN2bYjeOGzcA38uFqrUQjrxJfsYs39jmOKg4=,tag:wQ0NT66oLy4rHHoUZdNyPA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.11.0" } diff --git a/secrets/michael-restic-gitea-env b/secrets/michael-restic-gitea-env new file mode 100644 index 0000000..c122480 --- /dev/null +++ b/secrets/michael-restic-gitea-env 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:NfUvXTZiegMiJdLNvcc6rvQYc5Y0yMrkWbg2e96fhI8Cxvpt2Wf7IMm9hHJJmZi0Uec5dik4hkwXk7cB0RcoQjHc2qQ7cr+12mGyGBxZawlgGdYpBwj/TrPN5nEZFbBb3bg=,iv:tQ/1d2SZKZXOiQrRSR6L5sG+cdGk3jKTLvSTy+v3Kfk=,tag:GHrLtX6IokXJbMPwIJ7juA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWkpuSGlremFoTS91amxa\nV3FaVW9LN3haSjZkbWZWUDI3ZkhVaFQ3K1VjCnhINERWTldNYm5FelZKZTk0eTFq\nUEkrV1Q1ME1IVENmYlMyZjBlTGd3eVkKLS0tIG9XbXdWR3dMNVJ4cXV4N0lhUGRQ\nWEJaZlBJMmxPRG9ianMxc29uWXlKWG8Kaa4EBDyJDKu+ijvDlAf3OmQwN5j1K6ZP\ng15r1BhCB0SzFTXbtC7eQo1QP5x578Dxa1ygFqprC9HeExeXVv7OWg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLR0xLT1dvaXBsNzVNdmp4\nVWxPckZlc3lwZVZxMHpRQ1FFajNlUnNGN0NjCnhQVE1WSDB3STd0VytobUJQNWsr\nTzRNMm9rSVRpRS9CVFdzQ1J4WCtjbmcKLS0tIDNBMkI2MmdLOXJTQXRmTDRCVHZo\nbjNLNDgzNFlIVFVpQ3B3WkNIay8zNFEKgvfmctBeJZGBRHWFxa5+glrDQrQQjuOi\nAJruP2S/76899HR2RaMIi5SGKbzBGN7AOw52hLF2sFklksp0ehc0eA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1dqt3znmzcgghsjjzzax0pf0eyu95h0p7kaf5v988ysjv7fl7lumsatl048", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVjFwYnVFSHBEbXhmU1NZ\nbURUaXgrWE9DT1dhYkJ5djgzVllKeWhUYkhJCitWV1Z5am0vNUJTMzcxVnoxZHdI\nVVFXbDdUaVNuTXFPdFJUSVN3UXF2bzQKLS0tIGE3bVFNZTFCUGVzRWxVMi9PQ0N5\nYjM0ZmdiOXozUm0rUHVZN1dKSkFlaDQKYD03tlAlsUQ+mIue1EcvAK1mslv7J/Nx\nOAxVTEWZC3tjuJpJfnwEGDKKf0Zw24Ytqy429gLL4QFKFIZNTSjzvA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUDlTZGFJVlE5T2VuMG5I\nMEJSQ25DZFpmSFArbXpVeFlncGhZY0pVcldnCisyTlVmbzhwWkVDbXFJcXRNdFRZ\nNTFtNE9JcWdzdzNiaFdkbUxtcjVXdzgKLS0tIFdySDJUVnZFQmtYVlBvNitYY0FV\nb0xjbStobk0yTXhxNWcyRk9aWjJYMUkKMyPmCXSqCuWYV65ey38N7vu4CqT43My9\nHU0H4MEi8LRNHcqzs2dJFRC2a6gmV4+ca4Uleze4rOiJX8g2DDwDAQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tlymdmaukhwupzrhszspp26lgd8s64rw4vu9lwc7gsgrjm78095s9fe9l3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcUdZeDY2UzkvK0srMmhP\nTDlPVFFSaVhqVjJLMjBWdVdNVkt1TlZhRlQ4CldYTm10Z0o0alRKeUVqVmU3RG0x\nbTI4UlJLaE9ETzFmcmtHZTZYdzVTSDQKLS0tIHFPazJsVTRlRm9LU1FYalphVWU4\nbEJMa3ZRZjVNMVoyOTVWbXdYY01wUjQKuVG4rQ+BSIRuBb0NVua0ZCRi2KQmz+k1\ntSFckzBr3Rs4GjzZctznmTYcIS5euNAAkaZUcdbm9rFp634FwnppKA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-04T19:47:06Z", + "mac": "ENC[AES256_GCM,data:dD9rNZRzmVdtLjkPv0V0zjGGcoX91Jcdrzpp6t7JcolINv0Hg21RIaEC7S9DRI1vBHAjlhVSqYksALsB9c4v6yjI4HKzID6Ao+SyOMLSbdLI1iHIviPkV8LTagM62vea2IWSL7/sWHoYJtk585lEHyxyM5p58yHnfxjXifMs1Wg=,iv:6xgjc/kw7CcI1iGpF6g9dZqgO4gRfOj4s8Mq6DRLEjs=,tag:GK3JWeoTPcXV9Jq3j7I4Hw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/secrets/michael-restic-gitea-password b/secrets/michael-restic-gitea-password new file mode 100644 index 0000000..16573fb --- /dev/null +++ b/secrets/michael-restic-gitea-password 
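Review bot: This new secret is encrypted to five age recipients, and so is secrets/michael-restic-gitea-password, although the only visible consumer is one backup job on host michael. Any one of those private keys can decrypt the backup storage credentials and, together with the password file, read the repository contents. If some recipients are other hosts' keys, a `.sops.yaml` creation rule limited to the admin key(s) and michael's host key would narrow that. Which key belongs to whom is not visible here.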
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:mZsEULW28vLpV+Z0u/TjtuoNNJwmWT15pNMObTJa5aQcZeDLvr1MdUgIg8ccBOzNbJ/uVPN2Oz+OIGYQe//lY7g=,iv:PsNOa0aUXSKXwg7HoETxtsSa9gpYveTZAOyBG0gXlWA=,tag:RUHiDvt2npc6V06/FQcBEQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOXEzc0FhMXJ0djNyTk03\nUG96SW1sWFpPWjVuVkZuTWlWVlpLUXFwTkZNCnNQTXlkQ3hQaXljQXdibmZ5NUwv\nd1VQUUd6UXUrNndldFJiSktFcnM3NzgKLS0tIGFGSHdlY3ExQjlmYjAxU1VLSVVt\nOXdoUWl1SFpwa211UE1FbzkvVXZ6eTgKunPqEeM8LvnsxhTtPBMvCtzcF8/3Zs1s\nqLl5Quz1eS1mJnbMvCwQsHpYS8V5IvZH5fEzu9GqJjC2CFJsKm2dkA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeElIeTNIdmlPbTA3SjdI\nZXRjNDdtZ1Y0dTZ5WkFNdHd5MWFqM1lySnprCmdzRGR4bXVtZ0V6TVBZVFpObytO\nWmJUREgrdVhVQUt6eU45c1lWWWxZSEEKLS0tIDI5Tm1YOXFueHRrdXFmU1UyOGRC\nNTJPZmhjdE9IVzJicW5jRE16MEhiMkUKRSQofAI1fHWPJInD2ag4Wx7K9ucBxa/G\n7lwpBMu2Fr9F/9ac+0sBToyKBOm/vNYFOsXn4ukP4FvmLYgtsJGVsw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1dqt3znmzcgghsjjzzax0pf0eyu95h0p7kaf5v988ysjv7fl7lumsatl048", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZWIzemZQbEZvWnEvOU1a\nSTJDWUxrZ3Q2bXNYVEMreG9OUDBnOGhabEZZCkJFYm5pbWtKNXFPVWYvVFFCN2JO\nUnBheUFDMytTUVZ5QUVMR3Z4WHBZNnMKLS0tIHk5cXJuNWR6NUpBMFFZeER0R3R5\nbGhPUktybUZLSUo4OEhlQkRuSGlwK1UKwwcSTVWxp2M8Fi0nGYBPSe/niWC2ypFR\nmJoXFfLKfNWJDRNn4VkYHNMunpxQh5OKo2xILvbNDywrFJMZhQ0wsw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZ20rVDNib21qKzJsTkp3\nbGVIWHlXQVUwSnNpU1AvRm0vdTc1d3Y2M0Q4CkFGV2VNbSsyVVY3M1grWHdZdUlH\nV0UreWVUdURiUFVzWUdyV21jSlBFWWMKLS0tIGRFSUFmaUQxOW9wY0U1MEErL2ow\naWdlNFJRRWh3OE0rRnV3RGJQblJCMGcKbiCxlAqeRLSI9GXPSVO/KBxPi2qsTGcq\nHoEw8WxruwUlpJVNudlB9+k1RkJr0ARudEDxhJtZGLB2x1yaDZqJyw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tlymdmaukhwupzrhszspp26lgd8s64rw4vu9lwc7gsgrjm78095s9fe9l3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0RWcFRIQzh3Q2F4OTdq\nNVlWQWZjTmJVb0Jwb1dRdXd4UWxRUlNPNVVjCkN3MGFjajZ6TkdkMzQ0TFRSUkdI\nUVFWMkhHSFcyUDlpV3ZVaWdVU1BST1kKLS0tIG4xdE9pVk9rbmlmN3M4V1lDcjRr\nY29BcHc1eS81SXgwdFkxTzFXNUc4STgKmiFwqCcP6OX+3PzAi/jqa3x8p4NCfhHM\nVJh8EX7E3IH61XudzODcUmKoN4vY4LkpAmnRZCO4e6BEw+DfMicmWw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-04T19:44:05Z", + "mac": "ENC[AES256_GCM,data:utjekNdQg8gBzHjTjfB2cfIcDdDGgVcZpNT9INHvxW4mq0hY21kEwocLqsRyYwyoxefxuCJw3ZZddCf64FmXuJfEqWWmH0etR0VnxIRBtU9UHkyjZlDDPJi4o1+U70xYgXK+fcxnscd89+guyrHS0SbM66C/jzTSRBzirPGxONM=,iv:YibuMU7zqPGiSsmTIOLxQalczmGuMs2/X5MaSjxWJT4=,tag:c3PBMU4TGcBPjJGW7rkDzw==,type:str]", + "version": "3.11.0" + } +}
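Review bot: The `sops` block of this file ends with `mac` and `version` and has no `"unencrypted_suffix": "_unencrypted"` entry, which both secrets/michael-restic-gitea-env and secrets/michael-gitea-litestream carry. That points to the file having been created through a different invocation or rule set than the other two. The single `data` value is shown encrypted either way, so this is probably harmless, but I would re-save the file through the same path as the others so all three share one configuration. It is also worth confirming that the recipient list came from the intended rule and not from a default.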