From 14de625776481b47c499055e9f7b1cb7a91a1951 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Tue, 25 Nov 2025 01:13:16 +0200
Subject: [PATCH] rotate borg creds
---
 hosts/fra1-c/configuration.nix | 2 +-
 hosts/fwminex/configuration.nix | 2 +-
 hosts/vno3-nk/configuration.nix | 2 +-
 secrets.nix | 11 ++++++---
 secrets/fra1-c/borgbackup-password.age | 14 +++++++++++
 secrets/fwminex/borgbackup-password.age | 31 ++++++++++--------------
 secrets/vno3-nk/borgbackup-password.age | Bin 0 -> 637 bytes
 7 files changed, 37 insertions(+), 25 deletions(-)
 create mode 100644 secrets/fra1-c/borgbackup-password.age
 create mode 100644 secrets/vno3-nk/borgbackup-password.age
diff --git a/hosts/fra1-c/configuration.nix b/hosts/fra1-c/configuration.nix
index 206386d..593c91c 100644
--- a/hosts/fra1-c/configuration.nix
+++ b/hosts/fra1-c/configuration.nix
@@ -13,7 +13,7 @@ in
 age.secrets = {
 motiejus-server-passwd-hash.file = ../../secrets/motiejus_server_passwd_hash.age;
 root-server-passwd-hash.file = ../../secrets/root_server_passwd_hash.age;
- borgbackup-password.file = ../../secrets/fwminex/borgbackup-password.age;
+ borgbackup-password.file = ../../secrets/${config.networking.hostName}/borgbackup-password.age;
 sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
 ssh8022-server = {
 file = ../../secrets/ssh8022.age;
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index b7fbf58..04fb9da 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
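Review bot: The new `borgbackup-password.file` path interpolates `config.networking.hostName`, which only evaluates if this module's argument set binds `config`; the function header is outside the hunk, so that cannot be confirmed from here. The same line is added in the hosts/fwminex and hosts/vno3-nk hunks, and in all three the directory name under secrets/ and the recipient entry in secrets.nix now have to match the host name exactly. A one-line comment would record that coupling, e.g. `# per-host secret: secrets/<hostName>/ must exist and list this host as a recipient in secrets.nix`. Since the line is now identical in three host files, it could also live in one shared module instead of being repeated.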
@@ -19,7 +19,7 @@ in
 motiejus-server-passwd-hash.file = ../../secrets/motiejus_server_passwd_hash.age;
 root-server-passwd-hash.file = ../../secrets/root_server_passwd_hash.age;
 sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
- borgbackup-password.file = ../../secrets/fwminex/borgbackup-password.age;
+ borgbackup-password.file = ../../secrets/${config.networking.hostName}/borgbackup-password.age;
 letsencrypt-account-key.file = ../../secrets/letsencrypt/account.key.age;
 vaultwarden-secrets-env.file = ../../secrets/vaultwarden/secrets.env.age;
 synapse-jakstys-signing-key.file = ../../secrets/synapse/jakstys_lt_signing_key.age;
diff --git a/hosts/vno3-nk/configuration.nix b/hosts/vno3-nk/configuration.nix
index 8030469..6a4487a 100644
--- a/hosts/vno3-nk/configuration.nix
+++ b/hosts/vno3-nk/configuration.nix
@@ -18,7 +18,7 @@ in
 motiejus-server-passwd-hash.file = ../../secrets/motiejus_server_passwd_hash.age;
 root-server-passwd-hash.file = ../../secrets/root_server_passwd_hash.age;
 sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
- borgbackup-password.file = ../../secrets/fwminex/borgbackup-password.age;
+ borgbackup-password.file = ../../secrets/${config.networking.hostName}/borgbackup-password.age;
 timelapse.file = ../../secrets/timelapse.age;
 syncthing-key.file = ../../secrets/vno3-nk/syncthing/key.pem.age;
 syncthing-cert.file = ../../secrets/vno3-nk/syncthing/cert.pem.age;
diff --git a/secrets.nix b/secrets.nix
index b501ba3..b5288c4 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -46,6 +46,7 @@ in
 // mk ([ vno3-nk ] ++ motiejus) [
 "secrets/vno3-nk/syncthing/key.pem.age"
 "secrets/vno3-nk/syncthing/cert.pem.age"
+ "secrets/vno3-nk/borgbackup-password.age"
 ]
 // mk ([ sqq1-desk2 ] ++ motiejus) [
 "secrets/sqq1-desk2/syncthing/key.pem.age"
@@ -54,6 +55,10 @@ in // mk ([ vno1-gdrx ] ++ motiejus) [ "secrets/vno1-gdrx/syncthing/key.pem.age" "secrets/vno1-gdrx/syncthing/cert.pem.age" + + "secrets/vno3-nk/borgbackup-password.age" + "secrets/fwminex/borgbackup-password.age" + "secrets/fra1-c/borgbackup-password.age" ] // mk @@ -94,16 +99,14 @@ in "secrets/fwminex/syncthing/key.pem.age" "secrets/fwminex/syncthing/cert.pem.age" "secrets/fwminex/up.jakstys.lt.env.age" + "secrets/fwminex/borgbackup-password.age" ] // mk ( [ - fwminex - vno1-gdrx - vno3-nk fra1-c ] ++ motiejus -) [ "secrets/fwminex/borgbackup-password.age" ] +) [ "secrets/fra1-c/borgbackup-password.age" ] // mk (systems ++ motiejus) [ "secrets/motiejus_passwd_hash.age" "secrets/root_passwd_hash.age" diff --git a/secrets/fra1-c/borgbackup-password.age b/secrets/fra1-c/borgbackup-password.age new file mode 100644 index 0000000..2488286 --- /dev/null +++ b/secrets/fra1-c/borgbackup-password.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 dJyjXQ whSar7Kg61SNSRRXbmMjjz1Vqj9jOB+0vjoRtZt76x4 +p0ijsfSueuEF3mh60z0im2jfTgL8KNE/vSVFOfMVLuQ +-> X25519 Q8EOYJ5/7QNQ5FKp0ylbCpDsGShjyZKlj3x/aL4can0 +ySZ6JoH1rL8Gvr7fsJoQzhIy5MaGF9hb1KHmKLF2zuw +-> X25519 2yogae6JOMnxImfXR4Dk/vz+sf2NkuzFuS3d4Op7w14 +3xz0BSLGAbbpxplb0vGxU15ykLPCagU+s/SIk5BoPJs +-> piv-p256 +y2G/w A3wZv7w/ZRMhSVMmaTtY4zGGHANw2qShcyqp1WRTPaWB +e2OIEwdnZgjrFlG4ysfb9EktkBL6IFJUd7Fg5nQt5jo +-> piv-p256 jNqd3A AuEcw++WwlnLh3hZCVQpIe6ipLb1KFOYqVIvT1dOOk5T +TD8YyMaFwoxrQAcofOEIuoaYmYjoZiUfv+JIOpu38ew +--- iKq7MPj9llDLuxwo0dgUfa+qJDf9bG3+U3nwAXN2cY0 +J +M1>ohCl]\d?s2X׋YGH} \ No newline at end of file diff --git a/secrets/fwminex/borgbackup-password.age b/secrets/fwminex/borgbackup-password.age index 7413575..67e6613 100644 --- a/secrets/fwminex/borgbackup-password.age +++ b/secrets/fwminex/borgbackup-password.age 
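Review bot: The three borgbackup paths added to the vno1-gdrx list are also declared in the vno3-nk, fwminex and fra1-c `mk` blocks, and the blocks are joined with `//`, which keeps the right-hand value for a duplicated attribute name instead of merging recipient lists. `mk` is defined outside this diff, so this is inferred, but if it returns a plain set keyed by path then vno1-gdrx is silently dropped for the fwminex and fra1-c secrets (their blocks come later), while for `secrets/vno3-nk/borgbackup-password.age` it is the earlier vno3-nk block that is overridden, which would leave vno3-nk unable to decrypt its own passphrase. The committed fra1-c and fwminex files each carry a single ssh-ed25519 stanza, which fits that reading. If vno1-gdrx is meant to read these, declare each path once with the full list, e.g. `// mk ([ vno3-nk vno1-gdrx ] ++ motiejus) [ "secrets/vno3-nk/borgbackup-password.age" ]`; if it is not, drop the three lines from this list so the recipient set stays minimal and unambiguous.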
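Review bot: Narrowing the last `mk` block to `fra1-c` limits who can decrypt the new file, but nothing in the change records that the old shared passphrase is retired: the previous `secrets/fwminex/borgbackup-password.age` stays in git history, encrypted to four host keys. The rotation only takes effect once the passphrase on each existing borg repository has been changed to its new per-host value, which this diff cannot show. A comment above the block would make the intent reviewable, e.g. `# borg passphrase is per host: only the owning host and motiejus may decrypt`.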
@@ -1,19 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 fqSa6A mpsAV2VQdSsC/+8kUKsvnys5ic2mQz0MEA2kl1FALj4 -xtUr9xAc7HlOzbew6iFNG4NCNr/GAMENGww7SUQitKg --> ssh-ed25519 lDWJbA 6Ypr62TadaVv+0PeHpN4Bvg2fhg68dkJiF4e6d+UMF8 -XrZGFXOAhaJUiFuTsc96mYda4XjL573nLwAGzl3HR0M --> ssh-ed25519 wPuT4Q O8SGmvCJrOMYi0O0qL68DAYZG6fIY1pv1n60v2OBEEE -v4+XHM2gD6+ndDkkr2qu/KFKD2vGpQ94JCP6OcKpsV8 --> ssh-ed25519 dJyjXQ 8QfEpLbsMlTOfYNqs97GzdsgfDn1SwYulKTjRePv9XE -bOuoXhm6CHJGGhrTNwIOddDRrhGZwU67VkVcQkBtTe8 --> X25519 0I6kW+PIH2CnIE5FY0eujwXowGkbROMbLKzgDHRBD3k -t7eGmUp0xTiadu1DsH4jA7iuaQQSXTuQU9+RP3hvVgI --> X25519 x++V4MIL4u/kv8MLIGUuMLHFesxo+9Kf32Q9nvDrZxg -xxvltRbYNAzUrdx2ZIEhfkFzQXY/PDr4WzCnosTcS6Q --> piv-p256 +y2G/w AsaphysYUxvaRo86bwBVKhqOOWzxO4zoDJ3PHzJkuiRU -3xCVQAdi2n6OwxcJX3GXD3ug7WKggG1QOAE4wYm8bpg --> piv-p256 jNqd3A A2/zhLyPoYU+2tfBukElXeuxoHycm5tcfSADDi+XOEuD -pguxc2kH01hbkh7iHbiBWfEc+4d6XIMTUGx6zf+k2hs ---- yixFNTaKHDzCENJiK7XfM5mTDCu8BwVBOnhVNpM9DuU -vu_߇cv"gTS!XJt \ No newline at end of file +-> ssh-ed25519 fqSa6A Ex8M7+EZThscF7Gy+P4A/PyGdr1zsUqecrQFkr7nblQ +tr8fxLOCPxuFOR6QtWkYJirUkrlickaXriqA/nRAzvU +-> X25519 rftxb8qrjAQgOpRszm/07iON5dzagJ9FJFxfkIqikE4 +0P+72TYzfgtQ/nTZEZ2CDjf906iJjyoXoEJ6RrkHVGA +-> X25519 4lbiq+9CgI3qYprwaQTrbmNcfBBK6sj+9s2+szkG2yY +UHyDorYhIZFWRkiesjf8z/ih+BUuiOGBp6eElZGH4eo +-> piv-p256 +y2G/w AnN2FXgrnCfn8mGp6uEBHA6xKhVh2k7olPnvQF5eiJWJ +TxsN6WiQOtbbzgNCpMq/nQ+Q+e9elUK+PlnlitVmQSg +-> piv-p256 jNqd3A A7Mt2FnBxrbjJWXmEpfqDEBFYtXqysd6GfavSoMlnHrH +LS8lBP4la5jTNlc7qkoWvwX6sb5TbpzIUhtQPxKr/tA +--- rtEm8+fINwi70YgNeV7j0L3wK5O6pG0ztq2kLyKzcCM ++.2W:l}d8 +Z[%-MU;||Y \ No newline at end of file 
diff --git a/secrets/vno3-nk/borgbackup-password.age b/secrets/vno3-nk/borgbackup-password.age new file mode 100644 index 0000000000000000000000000000000000000000..8e36173a9ff5ad6da903a3fc03a2e52022326283 GIT binary patch literal 637 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aS8WIa#RRQaZYj! z^Dxf!2oLfKFAa(C2+c4HvM>)V4Ua5ID^GUIPR~g4_i)k9E9VOL2ne$%4lA&9cha^@ zP4W%OEKjV6$}usCsEBa#NVCv(^-fAG^)m?2HUQZc0kO!-xZK4&FUiEK!X(==P21Tw zE!8w4)7c=y)W_e@*eKb=*F`(0z}dJeqMR$aB)qUZD##Pqj-Jlh zCB9kiB278=E`%y1V9724y9N=LhGOxkaXiy5@UmSCw<= z>gppxtcm9<|pNZ7J722$5bbK u9nyTEEXW|$t;`WBTD9=$iJI5do6N2*v1HGyS`wNcu`guR^|!2k%MAf5ip+`t literal 0 HcmV?d00001