Use agenix for secrets

2025-07-02 00:13:24 -07:00 · 2025-07-02 00:13:24 -07:00 · 11dfa3cc1a
commit 11dfa3cc1a
parent e6ad5687d0
9 changed files with 124 additions and 28 deletions
--- a/backup.nix
+++ b/backup.nix
@ -1,4 +1,4 @@
-{ pkgs, config, secrets, ... }: {
+{ pkgs, config, ... }: {
  systemd.services = {
    notify-backup-b2-failed = {
      description = "Notify on failed backup to B2";
@ -16,27 +16,25 @@
    restic-backups-b2 = { onFailure = [ "notify-backup-b2-failed.service" ]; };
  };

-  environment.etc = {
-    "restic-env".text = ''
-      B2_ACCOUNT_ID="${secrets.b2.accountId}"
-      B2_ACCOUNT_KEY="${secrets.b2.accountKey}"
-    '';
-    "restic-password".text = secrets.restic.password;
+  age.secrets = {
+    restic-env.file = ./secrets/restic-env.age;
+    restic-password.file = ./secrets/restic-password.age;
  };

  services.restic.backups = {
    b2 = {
      initialize = true;
-      environmentFile = "/etc/restic-env";
+      environmentFile = config.age.secrets.restic-env.path;
+      passwordFile = config.age.secrets.restic-password.path;
      repository = "b2:marauder-backup";
-      passwordFile = "/etc/restic-password";
-      paths = [
-        "${config.users.users.nettika.home}/Artwork"
-        "${config.users.users.nettika.home}/Documents"
-        "${config.users.users.nettika.home}/Music"
-        "${config.users.users.nettika.home}/Pictures"
-        "${config.users.users.nettika.home}/Projects"
-        "${config.users.users.nettika.home}/Videos"
+      paths = let home = config.users.users.nettika.home;
+      in [
+        "${home}/Artwork"
+        "${home}/Documents"
+        "${home}/Music"
+        "${home}/Pictures"
+        "${home}/Projects"
+        "${home}/Videos"
      ];
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ];
    };