Make backup cli tool correctly use secrets (#284)

modules/blocks/restic.nix

@@ -123,6 +123,8 @@ let
   };
 
   repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name);
+  backupName = name: repository: "${name}_${repoSlugName repository.path}";
+  fullName = name: repository: "restic-backups-${name}_${repoSlugName repository.path}";
 in
 {
   options.shb.restic = {
@@ -221,7 +223,7 @@ in
           let
             mkRepositorySettings = name: instance: repository:
               let
-                serviceName = "restic-backups-${name}_${repoSlugName repository.path}";
+                serviceName = fullName name repository;
               in
                 {
                   ${serviceName} = lib.mkMerge [
@@ -263,12 +265,29 @@ in
             lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSettings enabledInstances));
       }
       {
+        system.activationScripts = let
+          mkEnv = name: instance: repository:
+            lib.nameValuePair "${fullName name repository}_gen"
+              (shblib.replaceSecrets {
+                userConfig = repository.secrets // {
+                  RESTIC_PASSWORD_FILE = instance.passphraseFile;
+                  RESTIC_REPOSITORY = repository.path;
+                };
+                resultPath = "/run/secrets_restic_env/${fullName name repository}";
+                generator = name: v: pkgs.writeText (fullName name repository) (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
+                user = instance.user;
+              });
+          mkSettings = name: instance: builtins.map (mkEnv name instance) instance.repositories;
+        in
+          lib.listToAttrs (lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances));
+
         environment.systemPackages = let
-          mkResticBinary = name: instance: repository: pkgs.writeShellScriptBin "restic-${name}_${repoSlugName repository.path}" ''
-            export RESTIC_PASSWORD_FILE=${instance.passphraseFile}
-            export RESTIC_REPOSITORY=${repository.path}
-            ${pkgs.restic}/bin/restic $@
-          '';
+          mkResticBinary = name: instance: repository:
+            pkgs.writeShellScriptBin (fullName name repository) ''
+              export $(grep -v '^#' "/run/secrets_restic_env/${fullName name repository}" \
+                       | xargs -d '\n')
+              ${pkgs.restic}/bin/restic $@
+              '';
           mkSettings = name: instance: builtins.map (mkResticBinary name instance) instance.repositories;
         in
           lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances);

modules/blocks/restic/docs/default.md

@@ -234,6 +234,10 @@ One can then restore a backup with:
 restic-myfolder1_srv_pool1_backups restore latest -t /
 ```
 
+### Troubleshooting {#blocks-restic-maintenance-troubleshooting}
+
+In case something bad happens with a backup, the [official documentation](https://restic.readthedocs.io/en/stable/077_troubleshooting.html) has a lot of tips.
+
 ## Options Reference {#blocks-restic-options}
 
 ```{=include=} options

test/blocks/restic.nix

@@ -20,7 +20,7 @@ let
       shb.restic.instances."testinstance" = {
         enable = true;
 
-        passphraseFile = pkgs.writeText "passphrase" "PassPhrase";
+        passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
 
         sourceDirectories = [
           "/opt/files/A"

test/services/vaultwarden.nix

@@ -94,7 +94,7 @@ let
     ];
     shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // {
       enable = true;
-      passphraseFile = pkgs.writeText "passphrase" "PassPhrase";
+      passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
       repositories = [
         {
           path = "/opt/repos/A";