feat(vps): add additional authorized SSH keys

chore(secrets): update sops secret for restic
feat(vps): add restic
2025-12-10 03:49:44 +00:00 · 2025-11-01 14:19:41 +00:00 · 2025-11-01 23:11:19 +09:00 · 2025-11-01 16:34:34 +09:00
4 changed files with 45 additions and 5 deletions
--- a/hosts/vps/modules/services/default.nix
+++ b/hosts/vps/modules/services/default.nix
@ -7,5 +7,6 @@
    ./caddy.nix
    ./forgejo.nix
    ./trilium-server.nix
    ./restic.nix
  ];
 }
--- a/hosts/vps/modules/services/restic.nix
+++ b/hosts/vps/modules/services/restic.nix
@ -0,0 +1,32 @@
 { config, ... }:
 {
  sops.secrets = {
    "restic/password" = {};
    "restic/env" = {};
  };
  services.restic.backups.b2 = {
    initialize = true;
    inhibitsSleep = true;
    passwordFile = config.sops.secrets."restic/password".path;
    paths = [
      "/var/lib/zipline"
      "/var/lib/postgresql"
      "/var/lib/forgejo"
      "/var/lib/trilium"
      "/var/lib/bitwarden_rs"
    ];
    repository = "s3:https://s3.us-east-005.backblazeb2.com/restic-backups-vps";
    environmentFile = config.sops.secrets."restic/env".path;
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 3"
      "--keep-monthly 3"
    ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
  };
 }
--- a/hosts/vps/modules/users.nix
+++ b/hosts/vps/modules/users.nix
@ -1,8 +1,15 @@
 let
  authorizedKeys = [
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyVXtny3ca64wdJAwcUro+U4sY4r6v97ypIXdedOuhc toast@nixos'' 
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8finfQLaXSqxB16XjsVogN8NRAkNj3Un7JTXlLiLYj u0_a173@localhost''
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiWeuDQdMc7EUT60GAg18t6dOQrIFok0HcbuZSBP+9o android@y2q''
  ];
 in
 {
  users.users.toast = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyVXtny3ca64wdJAwcUro+U4sY4r6v97ypIXdedOuhc toast@nixos'' ];
+    openssh.authorizedKeys.keys = authorizedKeys;
  };
-  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyVXtny3ca64wdJAwcUro+U4sY4r6v97ypIXdedOuhc toast@nixos'' ];
+  users.users.root.openssh.authorizedKeys.keys = authorizedKeys;
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -5,7 +5,7 @@ openrouter_api_key: ENC[AES256_GCM,data:c0GHwhX5S4cfOXs6iR8TWVwhW90bvehWdy8lJBmb
 context7_api_key: ENC[AES256_GCM,data:3fvSGzii2MqlfMCFYIUcC8Fa18KBh2K91rYPtXe04+UzNb/ElBEVMoH4Gw==,iv:4cZlsYZVum/Ui3MNAzSMb8JxOCNchUzuwlh890Lc4vo=,tag:RDjeujPxDQC5eRqDcKfbvA==,type:str]
 restic:
    password: ENC[AES256_GCM,data:LhO9evxJ1jO+/jVefT1ImRB7mdQB6VWxMdXPzAX4v9ICy5V+QlPDHdug3fKgZfzZ2EJtxy0LeQqHhyACKvPACA==,iv:Ag5BXn7gViL2J7qALn6WoQ1zwS69/NkjU9iP7pw2g0U=,tag:nUSCMkojdSA3+aJ4OKM8rw==,type:str]
-    env: ENC[AES256_GCM,data:1FJTGyT115aL0kZWUE52wqLbLYJ3ArrM9+Xm8DvtWzjzJAM5UdRzN0LZtToxFE6jn7Z3DmCQT4lI08EeVtHgcEABteDyk40v2Z6PFq0EjWS/Y13iOi507yE1NsiHKAF3Ew==,iv:OuKSnQDVLJVtrXe7nNlU8vG5cJr2NiToC0/dGfZ+iW0=,tag:nWI6gjfawt8OWHyPX3d+eQ==,type:str]
+    env: ENC[AES256_GCM,data:ZqQ+0b/Wd8NRodjksdMNvl1bRIPfLPiw4NRDtG8tc8pVp9w/Je5WXePIB/8QQ33K2Uagqzfb0Y/pTbo4vQRLBXVWO4uofQ7YKxdiK4efTPr8Ic/uX3NuGyT+Q9hvawkICg==,iv:S9XcbSZewjEty35N0fSksTMT3q8Nnmy0HmgIF7oQ1cU=,tag:12ThSBX5qEIoW9Sp0IrKzA==,type:str]
 zipline:
    env: ENC[AES256_GCM,data:HOcqrzXnu+BcpZYgv1yzPOTV4ydJiVa0oIXQWMUNt/X6q2TUGPOTwWg/dOgzoi6jGzFxm+wJzugO4lLQurUV0DiWIWLDSm/PK+zW34yLYwMrwK1bRaF9yl7usAN6BEmpLw==,iv:9IZDQRT2JoXNTuyPZrwRSr2m3SnXaLmJcafpkraCFWA=,tag:+7EoCTiY9f0/C5jgvPQknA==,type:str]
    token: ENC[AES256_GCM,data:Ke+cJQ6Up5RUGqe/3tG7Nk40PoOQ1Vq1jN5QN4N5LXOFgclXpzN7sjx0bumFVEcgg4B7UkHmjHzjRAPtWheFu+1PaN02aQVLMGzYXgujqmccC+6roxYt4vdN0CLzf0Ii7k5KUwX3QdOV+lrVwyoBjgQyTD839YnODI7zavf+aDMlrE4+BlFjjV8MUQHsJ5G017xN0XLKOBIQsGpMl40YsvVXFrNwkZ+DkN7bXCZBiHI41W44snB1C3wkYOO+a0g4JzVjIhcHXalYgOW4Unuyyah8yDoXRxuSq7aZpQ+/AHRiuIuaHSrE5BUJu/9bJdjojNuk6VTsaLFtngViSjtyztcqMAIHFFq/KXAog8tg16dJH/V6PomrWXY=,iv:H/EcD/oNSw1mIwxsqyMeSRPsY7lnzEzTNJs6OPNfPw4=,tag:FgH9Nwxnq62uhCd/Av2kAA==,type:str]
@ -21,7 +21,7 @@ sops:
            Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW
            j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-11T05:38:04Z"
+    lastmodified: "2025-11-01T14:10:16Z"
-    mac: ENC[AES256_GCM,data:U4xLqOc+J8T7s5B2a8Sq/KG5Lr0ubx3GIG8fH3J+b2g4+EJPzVOLnd9jg8BR2+YYqkGI9RAvf6J2hcej7zAZcovXF1t66kaHWoExqEJCkQxs1cZccBMRjlml3OVqMuXI6NINuv+SWTWtUKfxAmjqhgXjY8zUR0pOxWrLXhPs5p4=,iv:Qjt25LF2ygYO4rVTCIIHpo9j19NVTf5UE0gCLfB9l3w=,tag:GP+hE082E8VGbmbxHOspcw==,type:str]
+    mac: ENC[AES256_GCM,data:RIT8zBxzwhnpS5b2Q7lc35JB5OYmKoMIBWvpMnB/YhpBcAUWHiY0zRdg7vgWZ1cWvpbbA0b9O9yFgo3NB6NwnaCR8x/3wNEfTDfx295/5Ix9qTYiS4FEQ8bngEZ/VfI9jDi9CmVuLpOisxA4bisSl57OZwtDZgIFjOJdma3tDF4=,iv:xxGCrMhuQGDMnkhL+mSCh7mLT7XE+3bK+QmzBRbBEM8=,tag:w1Y7w2ei8zotp8lrVJbk0w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
Author	SHA1	Message	Date
lightly-toasted	4a61ec71bd	feat(vps): add additional authorized SSH keys	2025-11-01 14:19:41 +00:00
lightly-toasted	dca4e884ba	chore(secrets): update sops secret for restic	2025-11-01 23:11:19 +09:00
lightly-toasted	7de23d3b04	feat(vps): add restic	2025-11-01 16:34:34 +09:00