
Make backup cli tool correctly use secrets (#284)

This commit is contained in:
Pierre Penninckx 2024-08-29 00:12:45 -07:00 committed by GitHub
parent e6c56891e1
commit 1774b61cfe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 31 additions and 8 deletions


@ -123,6 +123,8 @@ let
}; };
repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name); repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name);
backupName = name: repository: "${name}_${repoSlugName repository.path}";
fullName = name: repository: "restic-backups-${name}_${repoSlugName repository.path}";
in in
{ {
options.shb.restic = { options.shb.restic = {
@ -221,7 +223,7 @@ in
let let
mkRepositorySettings = name: instance: repository: mkRepositorySettings = name: instance: repository:
let let
serviceName = "restic-backups-${name}_${repoSlugName repository.path}"; serviceName = fullName name repository;
in in
{ {
${serviceName} = lib.mkMerge [ ${serviceName} = lib.mkMerge [
@ -263,12 +265,29 @@ in
lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSettings enabledInstances)); lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSettings enabledInstances));
} }
{ {
system.activationScripts = let
mkEnv = name: instance: repository:
lib.nameValuePair "${fullName name repository}_gen"
(shblib.replaceSecrets {
userConfig = repository.secrets // {
RESTIC_PASSWORD_FILE = instance.passphraseFile;
RESTIC_REPOSITORY = repository.path;
};
resultPath = "/run/secrets_restic_env/${fullName name repository}";
generator = name: v: pkgs.writeText (fullName name repository) (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
user = instance.user;
});
mkSettings = name: instance: builtins.map (mkEnv name instance) instance.repositories;
in
lib.listToAttrs (lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances));
environment.systemPackages = let environment.systemPackages = let
mkResticBinary = name: instance: repository: pkgs.writeShellScriptBin "restic-${name}_${repoSlugName repository.path}" '' mkResticBinary = name: instance: repository:
export RESTIC_PASSWORD_FILE=${instance.passphraseFile} pkgs.writeShellScriptBin (fullName name repository) ''
export RESTIC_REPOSITORY=${repository.path} export $(grep -v '^#' "/run/secrets_restic_env/${fullName name repository}" \
${pkgs.restic}/bin/restic $@ | xargs -d '\n')
''; ${pkgs.restic}/bin/restic $@
'';
mkSettings = name: instance: builtins.map (mkResticBinary name instance) instance.repositories; mkSettings = name: instance: builtins.map (mkResticBinary name instance) instance.repositories;
in in
lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances); lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances);
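Review bot: The new `mkResticBinary` wrapper loads the secrets file through `export $(grep -v '^#' … | xargs -d '\n')`, so every value is subject to word splitting and pathname expansion — a secret containing a space, `*` or `?` is broken into several `export` words or replaced by matching filenames — and `restic $@` still forwards the caller's arguments unquoted. Reading the file line by line and calling `export "$line"` with globbing disabled, then `exec … restic "$@"`, keeps every value intact and is no longer than the current pipeline. The wrapper is also renamed from `restic-<name>_…` to `fullName` (`restic-backups-<name>_…`), while the documentation hunk below still shows `restic-myfolder1_srv_pool1_backups restore latest -t /`, which will no longer resolve. Note as well that the activation script iterates `cfg.instances` whereas the systemd units are built from `enabledInstances`; if that set filters on `enable`, secrets for disabled instances are still materialized under `/run/secrets_restic_env`, and the same set should probably be used in both places. The surrounding `config` attribute set starts and ends outside the shown hunks.
```nix
mkResticBinary = name: instance: repository:
  pkgs.writeShellScriptBin (fullName name repository) ''
    set -f
    while IFS= read -r line; do
      case "$line" in ""|"#"*) continue;; esac
      export "$line"
    done < "/run/secrets_restic_env/${fullName name repository}"
    exec ${pkgs.restic}/bin/restic "$@"
  '';
```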


@ -234,6 +234,10 @@ One can then restore a backup with:
restic-myfolder1_srv_pool1_backups restore latest -t / restic-myfolder1_srv_pool1_backups restore latest -t /
``` ```
### Troubleshooting {#blocks-restic-maintenance-troubleshooting}
In case something bad happens with a backup, the [official documentation](https://restic.readthedocs.io/en/stable/077_troubleshooting.html) has a lot of tips.
## Options Reference {#blocks-restic-options} ## Options Reference {#blocks-restic-options}
```{=include=} options ```{=include=} options


@ -20,7 +20,7 @@ let
shb.restic.instances."testinstance" = { shb.restic.instances."testinstance" = {
enable = true; enable = true;
passphraseFile = pkgs.writeText "passphrase" "PassPhrase"; passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
sourceDirectories = [ sourceDirectories = [
"/opt/files/A" "/opt/files/A"


@ -94,7 +94,7 @@ let
]; ];
shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // { shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // {
enable = true; enable = true;
passphraseFile = pkgs.writeText "passphrase" "PassPhrase"; passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
repositories = [ repositories = [
{ {
path = "/opt/repos/A"; path = "/opt/repos/A";