nixcfg/cluster/prod/app/backup/secrets.toml

# Cryptpad backup

[secrets."backup/cryptpad/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'

[secrets."backup/cryptpad/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'

[secrets."backup/cryptpad/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'

[secrets."backup/cryptpad/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'


# Consul backup

[secrets."backup/consul/backup_restic_password"]
type = 'user'
description = 'Restic password to encrypt backups'

[secrets."backup/consul/backup_aws_secret_access_key"]
type = 'user'
description = 'Backup AWS secret access key'

[secrets."backup/consul/backup_restic_repository"]
type = 'user'
description = 'Restic repository'
example = 's3:https://s3.garage.tld'

[secrets."backup/consul/backup_aws_access_key_id"]
type = 'user'
description = 'Backup AWS access key ID'


# Postgresql backup

[secrets."backup/psql/aws_secret_access_key"]
type = 'user'
description = 'Minio secret key'

[secrets."backup/psql/aws_access_key_id"]
type = 'user'
description = 'Minio access key'

[secrets."backup/psql/crypt_public_key"]
type = 'user'
description = 'A public key to encypt backups with age'

[secrets."backup/psql/crypt_private_key"]
type = 'user'
description = 'a private key to decript backups from age'


# SSH target config (do we still use this?)

[secrets."backup/target_ssh_host"]
type = 'user'
description = 'Hostname of the backup target host'

[secrets."backup/target_ssh_port"]
type = 'user'
description = 'SSH port number to connect to the target host'

[secrets."backup/target_ssh_dir"]
type = 'user'
description = 'Directory where to store backups on target host'

[secrets."backup/target_ssh_user"]
type = 'user'
description = 'SSH username to log in as on the target host'

[secrets."backup/target_ssh_fingerprint"]
type = 'user'
description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'

[secrets."backup/id_ed25519"]
type = 'user'
multiline = true
description = 'Private ed25519 key of the container doing the backup'

[secrets."backup/id_ed25519.pub"]
type = 'user'
description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'
Migrate prod cluster secrets to new format 2022-12-25 21:31:18 +00:00			`# Cryptpad backup`

			`[secrets."backup/cryptpad/backup_restic_password"]`
			`type = 'user'`
			`description = 'Restic password to encrypt backups'`

			`[secrets."backup/cryptpad/backup_aws_secret_access_key"]`
			`type = 'user'`
			`description = 'Backup AWS secret access key'`

			`[secrets."backup/cryptpad/backup_restic_repository"]`
			`type = 'user'`
			`description = 'Restic repository'`
			`example = 's3:https://s3.garage.tld'`

			`[secrets."backup/cryptpad/backup_aws_access_key_id"]`
			`type = 'user'`
			`description = 'Backup AWS access key ID'`


			`# Consul backup`

			`[secrets."backup/consul/backup_restic_password"]`
			`type = 'user'`
			`description = 'Restic password to encrypt backups'`

			`[secrets."backup/consul/backup_aws_secret_access_key"]`
			`type = 'user'`
			`description = 'Backup AWS secret access key'`

			`[secrets."backup/consul/backup_restic_repository"]`
			`type = 'user'`
			`description = 'Restic repository'`
			`example = 's3:https://s3.garage.tld'`

			`[secrets."backup/consul/backup_aws_access_key_id"]`
			`type = 'user'`
			`description = 'Backup AWS access key ID'`


			`# Postgresql backup`

			`[secrets."backup/psql/aws_secret_access_key"]`
			`type = 'user'`
			`description = 'Minio secret key'`

			`[secrets."backup/psql/aws_access_key_id"]`
			`type = 'user'`
			`description = 'Minio access key'`

			`[secrets."backup/psql/crypt_public_key"]`
			`type = 'user'`
			`description = 'A public key to encypt backups with age'`

			`[secrets."backup/psql/crypt_private_key"]`
			`type = 'user'`
			`description = 'a private key to decript backups from age'`


			`# SSH target config (do we still use this?)`

			`[secrets."backup/target_ssh_host"]`
			`type = 'user'`
			`description = 'Hostname of the backup target host'`

			`[secrets."backup/target_ssh_port"]`
			`type = 'user'`
			`description = 'SSH port number to connect to the target host'`

			`[secrets."backup/target_ssh_dir"]`
			`type = 'user'`
			`description = 'Directory where to store backups on target host'`

			`[secrets."backup/target_ssh_user"]`
			`type = 'user'`
			`description = 'SSH username to log in as on the target host'`

			`[secrets."backup/target_ssh_fingerprint"]`
			`type = 'user'`
			`description = 'SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)'`

			`[secrets."backup/id_ed25519"]`
			`type = 'user'`
			`multiline = true`
			`description = 'Private ed25519 key of the container doing the backup'`

			`[secrets."backup/id_ed25519.pub"]`
			`type = 'user'`
			`description = 'Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)'`