diff --git a/.sops.yaml b/.sops.yaml index 98ee64f..5b04a72 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,7 +5,7 @@ creation_rules: key_groups: - age: - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq - - path_regex: \.sops\.conf$ + - path_regex: \.sops\.(conf|crt|key)$ key_groups: - age: - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq diff --git a/Containerfile.storage b/Containerfile.storage index 52c34f9..ae4c287 100644 --- a/Containerfile.storage +++ b/Containerfile.storage @@ -43,8 +43,8 @@ COPY apps/traefik/config.sops.env /usr/share/traefik/config.sops.env COPY apps/traefik/config/storage.yaml /usr/etc/traefik/traefik.yaml # Apps - Zrepl -COPY apps/zrepl/storage.yml /usr/etc/zrepl/zrepl.yml - +COPY apps/zrepl /tmp/apps/zrepl +COPY systemd/zrepl-secrets.service /etc/systemd/system/ COPY systemd/ucore-update* /etc/systemd/system/ COPY systemd/ucore-firewalld-setup-storage.service /etc/systemd/system/ diff --git a/Containerfile.storage-remote b/Containerfile.storage-remote index 0058749..9185eaf 100644 --- a/Containerfile.storage-remote +++ b/Containerfile.storage-remote @@ -11,16 +11,17 @@ COPY apps/scrutiny-collector/storage-remote.sops.env /usr/share/scrutiny-collect # Apps - Wireguard COPY apps/wireguard/wg0-client.sops.conf /usr/share/wireguard/wg0-client.sops.conf +COPY systemd/wg0-client.service /etc/systemd/system/ # Apps - Zrepl -COPY apps/zrepl/storage-remote.yml /usr/etc/zrepl/zrepl.yml +COPY apps/zrepl /tmp/apps/zrepl +COPY systemd/zrepl-secrets.service /etc/systemd/system/ COPY systemd/ucore-update* /etc/systemd/system/ COPY systemd/ucore-firewalld-setup-storage-remote.service /etc/systemd/system/ COPY systemd/ucore-zfs-kernel.service /etc/systemd/system/ COPY systemd/brew* /etc/systemd/system/ -COPY systemd/wg0-client.service /etc/systemd/system/ COPY scripts /tmp/ diff --git a/README.md b/README.md index dc8c9c1..847b759 100644 --- a/README.md +++ b/README.md 
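Review bot: `COPY apps/zrepl /tmp/apps/zrepl` in Containerfile.storage puts the whole directory into the image, including the other host's `.sops.key`, although zrepl.sh only installs this host's key and the peer's certificate. All four sops files in this commit are encrypted to the same age recipient, so any machine holding that age identity can decrypt the peer's TLS private key if the file is still present. Unless a later step outside this hunk clears `/tmp`, consider copying only the files the image needs, or ending zrepl.sh with `rm -rf /tmp/apps/zrepl`. The same applies to the identical COPY in Containerfile.storage-remote.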
@@ -40,3 +40,11 @@ sudo passwd core ``` 3. Deploy [dotfiles](https://github.com/auricom/dotfiles/tree/main) + +```bash +set -U fish_user_paths /home/linuxbrew/.linuxbrew/bin/ $fish_user_paths +brew install chezmoi +mkdir -p /home/core/.config/sops/age +nano /home/core/.config/sops/age/chezmoi.txt +chezmoi init --apply auricom +``` diff --git a/apps/zrepl/storage-remote.sops.crt b/apps/zrepl/storage-remote.sops.crt new file mode 100644 index 0000000..199344b --- /dev/null +++ b/apps/zrepl/storage-remote.sops.crt @@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:QPt92L47poXKjCEqx5gF2etXysIKUsz8VIxVyOjoncI=,tag:oHjKnLoZhlJS8CD1/H4IEw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4aHlET3RZbEZ5anQ5RURm\nZldVMHpGRkhCVUlpRk9BUFlETGVJY0xONXh3CnpmN2MwMTgzOHpsUE9ka0hydFha\nNG81VDFhMVIzd1hwOS9CRU5Lalh6SWcKLS0tIE8vTFdBSkJ3VHJoQnhyOHVxMlFu\nem56UEhyaGExeHJvS244TDBtVUpqVlkKlkPhQL/XCQhKr74RCQQ0ARMnFv2E8RBk\ng3hXBWYK+/kaDjpBCqWOyqHbfWU0oaowTPPQKnV0N3B7E3HJNuFs7g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-22T12:04:47Z", + "mac": "ENC[AES256_GCM,data:WP/KujDP1d1YZzMXfBzWarr5IL5NoTjYQkiGzwEcF/TayvH4UCLEZWFv/S13Xuq5IeEXqikkss7GQsJW+EEEVHldJHyyquK0ylIn/op+fPpGDKCsEAFpKYUOHMJPGFTFhp0JSnvGm2c2qgrFc5GEVayGuckUuCu+Z4FPv+v6pvA=,iv:5Ts2NAkQVgVIxCdj+P47rg8z7tmiCreFKzENTiE0KaY=,tag:wzAlKEufgEl6SZXuhQXeqw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/apps/zrepl/storage-remote.sops.key b/apps/zrepl/storage-remote.sops.key new file mode 100644 index 0000000..c952912 --- /dev/null +++ b/apps/zrepl/storage-remote.sops.key 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:fRlJbhR8kduE7+xS0idgo2mpQ1cAQFAxS1tNTbiCcpA=,tag:2Yijo0TpcBLuxS/+EvVgMA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVKzV5eE1UUU00QXZuSi96\nb242Z1htamdNcXJxVnlsWFF3dzc3cE40WlFNCkRNQ2FmckZGMy9mbVNLaXVEYnhP\nS1EreE9rZ0VQak03TkpsWktWSUhTOVUKLS0tIDFDZ2lUbDhmVXFMZkJMTzg1Q2My\nblBhaUpza1l5cm55N1ZqSkVBbk5ZSG8KzS+IvpyaEeKIEcDl2sW+JrzyXTjGrhBc\naTbFfCikjCQBUdaZgZ9WgxK3XSXYewmXD5CAVo3nK1ORKLroRryU8g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-22T12:04:44Z", + "mac": "ENC[AES256_GCM,data:DFxoxKbxckZ/g/hol2jzp1VT0K/jNOEs8UNtdpkNKgTgycMpdKCILr/4krqsVXLJNbDxu7eQbXmV2qqimiBE4diFXmnTL1yuUqgmQvvGWtvyfRG0SLvar9nkWp1fLdekS/A/DC4odgcngnI/n1wMjc+Kswrno1F1yakWtyOPY8E=,iv:fczX+fsh/hJL982ONWhqK6ZadVx2db66e9I/6DNSQ9E=,tag:kH30ex/v9fY3817LcXHheA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/apps/zrepl/storage-remote.yml b/apps/zrepl/storage-remote.yml index 31913d2..2c30be8 100644 --- a/apps/zrepl/storage-remote.yml +++ b/apps/zrepl/storage-remote.yml 
@@ -7,36 +7,14 @@ global: - type: prometheus listen: :9811 jobs: -- name: snap_default - type: snap - filesystems: { - "vol1<": true, - "vol1/apps/minio<": false, - "vol1/video<": false, - } - snapshotting: - type: periodic - interval: 720m - prefix: zrepl_snap_default_ - timestamp_format: dense - pruning: - keep: - - type: grid - regex: ^zrepl_.* - grid: 1x1h(keep=all) | 24x1h | 35x1d | 6x30d -- name: snap_14d - type: snap - filesystems: { - "vol1/apps/minio<": true, - "vol1/video<": true, - } - snapshotting: - type: periodic - interval: 720m - prefix: zrepl_snap_14d_ - timestamp_format: dense - pruning: - keep: - - type: grid - regex: ^zrepl_snap_14d_.* - grid: 1x1h(keep=all) | 24x1h | 17x1d +- name: sink_storage + type: sink + serve: + type: tls + listen: :8888 + ca: /etc/zrepl/storage.crt + cert: /etc/zrepl/storage-remote.crt + key: /etc/zrepl/storage-remote.key + client_cns: + - storage + root_fs: vol1/storage \ No newline at end of file diff --git a/apps/zrepl/storage.sops.crt b/apps/zrepl/storage.sops.crt new file mode 100644 index 0000000..fef88d7 --- /dev/null +++ b/apps/zrepl/storage.sops.crt 
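Review bot: `listen: :8888` binds the sink to every interface of storage-remote, so the replication endpoint is reachable wherever the firewall allows it; the firewalld setup unit is not part of this diff. Client-certificate checking through `client_cns` is the only access control visible in this job. If replication is meant to run over one network only, bind to that address (`listen: "<address>:8888"`, placeholder) or confirm that the firewall rules limit port 8888 to the pushing host. The file also ends without a trailing newline.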
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:/RehgZ/AIyNyKqdqhmIiheQysGQ54Xy4wgUizwXwnBU7i1FLNyUOKLg5vZeOtVXLdpoqnoz0IiFUB51bLNREZ3iqeElHO4hH/VpxxsdQXVizPWv67piwsb6/HCdWc8IgFENNfNga6eN7PZBcY5UsruIHP5MGgG37fMYPR3OPCYfWX4EARxtlfgDHiN+MSkbdci6e/3S9J+PuxemdDmTTfPJK5k8zYN37kwPNAYum8n9C0dPn07GqHRJo6kR41ZtL45vRwa0cLz3iBgeNiQHEghXHSyfIF3B0Ukx0Tc41Z0GvFroM69lY8wveodMUGif/4XA1X6Ar/JISon477+VKLvUPjD2PLygVmexC8aaAoUei+WGoj88SSmYw9AeCzUCyyydRQ8ERaOSqsvmO5cazkwTY2+geIHXhrQlZN2slQwA01kmarKupbV3JxmUMTnZEDX/Z7qZeWSTrwzxPtYDoTsJGWacGDH6+PKyemtjouwThCp9OVOueN4UNKY9EFsmZtc1rolIGTWArUcgTW3lGJDQ8VmA+E258jjRsuH6+r4ZlhFM/d3P1/snm8ZKjeKjDlWb3S8DW0VVWDufwNm8LlX8WJw6zwuHg3D+A/GOIovK+OJeU+MWJvABWfL60UKZUVbcucvKFwtGVo92TsqUCifMg0otFpIpxdP2ZD3WFSz/uPN1IDJkOgabjLqE95fT6rEJIHpWEQIwdQ1Y790d63oXEbo7DZSBhUdEb/3ylyxhJOgAA/3KLG4uvxTVhnBO3e0BkpU64aBYFdQRKuJUWDuFHWb+eYdYp6cGcojdZaWjiwqQm6IaYxSnu9BgIs7feXbdgckHehIUoRW6PiltSaSsE0vrf28k4fvaMARpkTvdLEnl/DrkAKLuAVFqmi4X+pMyAV4i3YIjgTh7bNVD12KWwNtlXGWxR4VaI/hCzUIpyYmee9LEBX32eWiLMCQcWs7VBLkEuoNP+I3pPpdPNAWZb4HIyKqgDw2pccUuwb785r7/CTdAwGW/kwDgXPiSmbmZpI/s3sZAAfm4rLfwUnewgTwY42vPktfhBXdg9PcSYT3ELCh3XcSoqFMQugKzihhFU2Cga8wcbcgR54kbqHnGqcctBDToUAG4uQLNtn4Xmb7rMEgw5PZVtMbXcheX6tGEubyTLtrd9P7qbrcA8FIDarMrgkygmqeemwCHUXDuZMkwMCaDoQ86uGPAC6iQNNJ2wMpvCZbkM+QjwRgKZLABMK0PE5S0012Ic9IRKIewVJHdeXp++2vNZVhZ9AUFLs9unp89FYnHDNSHc8QnAHIzPsrjWFERTOTsHNuSO0S8jdSl1wSSNSWN28bMhAbb1FmzqET3CGT/ON6APKxOLESOlYW78l/hduBBaMOqec3tWFIH0XtDVpJF2VTl60tWx4hLCDX/iuv98kRZ0Ee8TvaAQcRHkoSkzpEjaBrOpLoJ10KnBnNzPEWH84iDLXqq0C487wfEEDPsW1hKS/vgxgIwlMqFjhDFNgOeo7VlMraW2szHpkSnSYSWwa+nl+6ennlPZgvUuuu1FC9pPaIrHXuFZVmrUihZF48LGD5l07sxL9t8BQyIQ3cn5EETIfHRocrScDUu2skiuESkayVuvD3MLdw+MJFkX08fEXUvDDrFMRlZ6Kc3ZUvCCwF+R6Rmsy56+2hqT6tyVnWeCyVbsd9v6y4AqfcxzRTNH3d46+DDJbsHRMA+qkdhbKtyRSzXJltfkDdSxPAilyDkL03i8ZS8F0l05JQ5ahhMSOl0CT8ksBsl6edgH6HfeDYbHVjfZpzUD1FRhvG/LsAjv9DnRTKjN4EgMXnhMU4Y6IR9XT6bA5R9XX5ueB/itn5ghXDF1hZ481SbY3cwG79ex6fsAgRuR8GnVL+asWw32V4tdtfHUcmmL756qmxGssWwNeqI7yL1+Y69D5TcsYH3Bl5aeXX7WE4L+j
fZeCHio2Uyit1Gcnl95rvKAT5Zi3QC3t+fDyMS+i7ZZjYUqAYZctbl585QmjOf890d96j9KKfSoKbfRzUWsMgc64rvSA+kZiRpmQ6GKDkcrEAt1r/Vls2Ef6dvjXl+26T8vL4WkJ8G1d46Ut6oZ2NgAk6W1gwytQYIQx7MS52ykfCuO6B7kfvORzDFeL0+DSE9aZVjpCSG23JgndyELPzYqlWUpLPr1TtwlLTdMSCVczH/mchx++rC3Z6qU88JVcYQ3mLFrf9pdnokmly+3CCoXFfoKP8myjqJy/1mLHdCJ0ENUg4RDotjLpZvgm26hWs/+Ak6oGxG/WoFsMfSrvOP7h1dtzWwpt/HfBEzxP62CyRzlr4fQaPMz0qJN92Bx53Nyf17995axhd/uKo7VkBYyWRU3p8skKozPwFsOzw5efPWLMqzkimZitLarGbqrtXBvvu0XQ4/mw1LkTR8oZK6Ry/biO786+8SqMLOrH526,iv:FZVCi6DYDBqfCHCaq8re9TzzEuIuh3VLc4tMehf+Ae8=,tag:iHP51NmyaCzG7xEV8ylEdg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUlJekxMQmhQUy9oUDdw\nUGl4TkltdXhYY3pHZzhCSmpuaW51dWErQlRZCkozSEFiVUUyaERJTHByaER0NHJU\nT0xkbFVPT2FwOE5LWTYxa2QweDM1YUUKLS0tIEhNNE4xS3VRM0duTjN6dFZhN05h\ncXBnc21MS1VReitidFpYem16N2tBUjQKshCv6aZ/HMMusfvx/tX2vwgfsxgpmOmX\nrFhIib4Sb0GnF9ZrbGS/EeYb6WOprDAIbKUChMZDd+nI8KNXQE8qcA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-22T12:04:32Z", + "mac": "ENC[AES256_GCM,data:5Pj3FEBFwxOPSshUgWuZ0yNjee+4AtIcdXTYwp9qJenQjbd51N5lXEXf5V1D9s2oaiSAqiRK52DXfGBDdZ7oZUC0UHUAed7ra+uJNHzySCe1TwoaBQeED281SDqH1j0MgmUUCmnhSK5vqU6LQsSHtBaHETuxawLMAglfBY2wNY8=,iv:vLqtJQLzEySzcENDyBGAOukffmQTljlV2vqJdfZbQw8=,tag:yXNHtAeEKxaArpjUrUUq+w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/apps/zrepl/storage.sops.key b/apps/zrepl/storage.sops.key new file mode 100644 index 0000000..494c091 --- /dev/null +++ b/apps/zrepl/storage.sops.key 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:7/cH7YXUD1SsIzYYjLnRdQgNZJb1iBIfTkJlLA/pidA=,tag:TvIVx8LR0lK5hP52iyX1vg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cE11NFpmQ3F3QlA1S3F2\nQ3JwTUpmTWNiVDI5bXgvRFA1TTNZUGlGTFJzCkl2V3dBVGpvY3M3N1hBT3RFc1Nl\nZFo5cUk2NFNERXUyc0hTdllTTThPaTAKLS0tIHJEYVIwZmpWS1hFZjRtanl5VmNC\nOTcxcHV1Y1ZzZU93dU1zTkNxRlFTSmMKUOgCOlTVL63uSpUjHnJY19TLvB0ffOlx\nPgWtlQWjEJvVpMy8kWIT63ZFhvx/xlFbyn1TPxEF5iM1zj/+rbLzaw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-22T12:04:40Z", + "mac": "ENC[AES256_GCM,data:6Nulm117mKEYPnQtGedmbYcNhKFk4hrAmym4Vr8Ka9Vq0h8GldakODgDiz600HUkiEZvZSPyYRDGRxqpoSoAvMoE18YooiGXLfboyUlkT2CSVau7RC5CfADAet26qLYfPqk4ksEAdDzyl3P6ofF7Gce5xR06rGcjEG4PsqhvKTE=,iv:L0idkgzT9SNYlEDmFz0UXfMJCrRzifVzpf+8AIg6kVg=,tag:ldFqKd6+/DrEbYR0Pf2wOA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/apps/zrepl/storage.yml b/apps/zrepl/storage.yml index 7a63ca4..029f5bb 100644 --- a/apps/zrepl/storage.yml +++ b/apps/zrepl/storage.yml 
@@ -7,36 +7,31 @@ global: - type: prometheus listen: :9811 jobs: -- name: snap_default - type: snap +- name: push_default + type: push + connect: + type: tls + address: storage-remote.feisar.ovh:8888 + ca: /etc/zrepl/storage-remote.crt + cert: /etc/zrepl/storage.crt + key: /etc/zrepl/storage.key + server_cn: storage-remote filesystems: { "vol1<": true, - "vol1/apps/minio<": false, "vol1/video<": false, + "vol2<": true, } snapshotting: type: periodic interval: 720m - prefix: zrepl_snap_default_ + prefix: zrepl_push_default_ timestamp_format: dense pruning: - keep: + keep_sender: + - type: not_replicated + - type: last_n + count: 15 + keep_receiver: - type: grid regex: ^zrepl_.* grid: 1x1h(keep=all) | 24x1h | 35x1d | 6x30d -# - name: snap_14d -# type: snap -# filesystems: { -# "vol2/apps/minio<": true, -# "vol1/video<": true, -# } -# snapshotting: -# type: periodic -# interval: 720m -# prefix: zrepl_snap_14d_ -# timestamp_format: dense -# pruning: -# keep: -# - type: grid -# regex: ^zrepl_snap_14d_.* -# grid: 1x1h(keep=all) | 24x1h | 17x1d diff --git a/scripts/apps/zrepl.sh b/scripts/apps/zrepl.sh index 47f8535..58943df 100755 --- a/scripts/apps/zrepl.sh +++ b/scripts/apps/zrepl.sh 
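Review bot: Nothing in `push_default` states whether the datasets leave this host encrypted, and with the `"vol1/apps/minio<": false` exclusion dropped and `"vol2<": true` added, everything except `vol1/video` is now replicated to the remote sink. The `tls` transport protects the stream in transit only; if the source datasets are not ZFS-encrypted, the receiver stores them in plaintext under its `root_fs`. If they are encrypted, consider adding a `send:` section with `encrypted: true`, which as far as I know makes zrepl refuse to send unencrypted filesystems. Otherwise a comment above `filesystems` recording that plaintext at rest on the remote is accepted would help the next reader.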
@@ -2,10 +2,37 @@ set -ouex pipefail +if [[ "$#" -ne 2 ]]; then + echo "Error: Two arguments are required." + echo "Usage: $0 arg1 arg2" + exit 1 +fi + +HOSTNAME=$1 +REMOTE_HOSTNAME=$2 + # renovate: datasource=github-releases depName=zrepl/zrepl ZREPL_VERSION=v0.6.1 + +echo "HOSTNAME 1: ${HOSTNAME}" +echo "REMOTE_HOSTNAME 2: ${REMOTE_HOSTNAME}" + RELEASE_INFO=$(curl -s "https://api.github.com/repos/zrepl/zrepl/releases/tags/${ZREPL_VERSION}") ASSET_FILENAME=$(echo "${RELEASE_INFO}" | grep -oP '"browser_download_url": "\K[^"]+' | grep 'x86_64\.rpm$') -rpm-ostree install "${ASSET_FILENAME}" \ No newline at end of file +rpm-ostree install "${ASSET_FILENAME}" + + +mkdir -p /etc/zrepl +mkdir -p /usr/share/zrepl + +cp "/tmp/apps/zrepl/${HOSTNAME}.yml" /etc/zrepl/zrepl.yml +cp "/tmp/apps/zrepl/${HOSTNAME}.sops.crt" "/usr/share/zrepl/${HOSTNAME}.sops.crt" +cp "/tmp/apps/zrepl/${HOSTNAME}.sops.key" "/usr/share/zrepl/${HOSTNAME}.sops.key" +cp "/tmp/apps/zrepl/${REMOTE_HOSTNAME}.sops.crt" "/usr/share/zrepl/${REMOTE_HOSTNAME}.sops.crt" + +sed -i "s@__HOSTNAME__@${HOSTNAME}@g" /etc/zrepl/zrepl.yml +sed -i "s@__REMOTE_HOSTNAME__@${REMOTE_HOSTNAME}@g" /etc/zrepl/zrepl.yml +sed -i "s@__HOSTNAME__@${HOSTNAME}@g" /etc/systemd/system/zrepl-secrets.service +sed -i "s@__REMOTE_HOSTNAME__@${REMOTE_HOSTNAME}@g" /etc/systemd/system/zrepl-secrets.service \ No newline at end of file diff --git a/scripts/install-storage-remote.sh b/scripts/install-storage-remote.sh index 3b6276d..1b4d2d3 100755 --- a/scripts/install-storage-remote.sh +++ b/scripts/install-storage-remote.sh @@ -3,4 +3,4 @@ set -ouex pipefail /tmp/apps/cockpit-ws-zfs.sh -/tmp/apps/zrepl.sh +/tmp/apps/zrepl.sh storage-remote storage diff --git a/scripts/install-storage.sh b/scripts/install-storage.sh index 8f70860..547cbd7 100755 --- a/scripts/install-storage.sh +++ b/scripts/install-storage.sh @@ -7,4 +7,4 @@ rpm-ostree install \ samba /tmp/apps/cockpit-ws-zfs.sh -/tmp/apps/zrepl.sh +/tmp/apps/zrepl.sh storage storage-remote 
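Review bot: The RPM is installed straight from a URL scraped out of the GitHub API response, with no checksum or signature check, on the `rpm-ostree install "${ASSET_FILENAME}"` line this hunk re-adds; pinning `ZREPL_VERSION` fixes the tag but not the bytes of the asset. Consider downloading to a temporary file and verifying it against a pinned digest before installing, for example `echo "<pinned-sha256>  zrepl.rpm" | sha256sum -c -` (placeholder digest). Separately, `HOSTNAME=$1` overwrites bash's own `HOSTNAME` variable; a name such as `ZREPL_HOST` avoids surprises, and the usage line could name the arguments: `echo "Usage: $0 <hostname> <remote-hostname>"`. The `sed` calls on `/etc/zrepl/zrepl.yml` appear to be no-ops, since the two yml files changed in this commit hard-code the host names rather than using `__HOSTNAME__`.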
diff --git a/scripts/post-install-storage-remote.sh b/scripts/post-install-storage-remote.sh index 014bad4..43ecc2a 100755 --- a/scripts/post-install-storage-remote.sh +++ b/scripts/post-install-storage-remote.sh @@ -8,6 +8,7 @@ systemctl enable wg0-client.service # ZFS systemctl enable ucore-zfs-kernel.service systemctl enable zrepl.service +systemctl enable zrepl-secrets.service # firwall rules systemctl enable ucore-firewalld-setup-storage-remote.service \ No newline at end of file diff --git a/scripts/post-install-storage.sh b/scripts/post-install-storage.sh index 45016f2..43deac7 100755 --- a/scripts/post-install-storage.sh +++ b/scripts/post-install-storage.sh @@ -5,6 +5,7 @@ set -ouex pipefail # ZFS systemctl enable ucore-zfs-kernel.service systemctl enable zrepl.service +systemctl enable zrepl-secrets.service # NFS systemctl enable nfs-server.service diff --git a/systemd/zrepl-secrets.service b/systemd/zrepl-secrets.service new file mode 100644 index 0000000..98c6ed0 --- /dev/null +++ b/systemd/zrepl-secrets.service 
@@ -0,0 +1,18 @@
+[Unit]
+Description=Zrepl secrets
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists=/usr/share/zrepl/__REMOTE_HOSTNAME__.sops.crt
+ConditionPathExists=/usr/share/zrepl/__HOSTNAME__.sops.crt
+ConditionPathExists=/usr/share/zrepl/__HOSTNAME__.sops.key
+
+[Service]
+Type=oneshot
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+ExecStart=/bin/sh -c 'test -f "${SOPS_AGE_KEY_FILE}" || exit 1'
+ExecStart=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/zrepl/__REMOTE_HOSTNAME__.sops.crt "cp {} /etc/zrepl/__REMOTE_HOSTNAME__.crt ; chmod 400 /etc/zrepl/__REMOTE_HOSTNAME__.crt"
+ExecStart=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/zrepl/__HOSTNAME__.sops.crt "cp {} /etc/zrepl/__HOSTNAME__.crt ; chmod 400 /etc/zrepl/__HOSTNAME__.crt"
+ExecStart=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/zrepl/__HOSTNAME__.sops.key "cp {} /etc/zrepl/__HOSTNAME__.key ; chmod 400 /etc/zrepl/__HOSTNAME__.key"
+
+[Install]
+WantedBy=default.target multi-user.target
\ No newline at end of file
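Review bot: Nothing in this unit orders it before `zrepl.service`, so at boot zrepl can start while `/etc/zrepl/__HOSTNAME__.key` and the certificates are still missing or stale; adding `Before=zrepl.service` to `[Unit]` and `RemainAfterExit=yes` to `[Service]` would make the dependency explicit. In the three sops `ExecStart=` lines, `cp {} … ; chmod 400 …` hides a failed copy: when an older file already exists, `chmod` succeeds and the unit reports success with the old material. `install -m 0400 {} /etc/zrepl/__HOSTNAME__.key` copies and sets the mode in one command, fails when the copy fails, and avoids a window in which the private key carries whatever mode `cp` gave it.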