Make backup cli tool correctly use secrets (#284)
This commit is contained in:
parent
e6c56891e1
commit
1774b61cfe
4 changed files with 31 additions and 8 deletions
|
@ -123,6 +123,8 @@ let
|
||||||
};
|
};
|
||||||
|
|
||||||
repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name);
|
repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name);
|
||||||
|
backupName = name: repository: "${name}_${repoSlugName repository.path}";
|
||||||
|
fullName = name: repository: "restic-backups-${name}_${repoSlugName repository.path}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.shb.restic = {
|
options.shb.restic = {
|
||||||
|
@ -221,7 +223,7 @@ in
|
||||||
let
|
let
|
||||||
mkRepositorySettings = name: instance: repository:
|
mkRepositorySettings = name: instance: repository:
|
||||||
let
|
let
|
||||||
serviceName = "restic-backups-${name}_${repoSlugName repository.path}";
|
serviceName = fullName name repository;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
${serviceName} = lib.mkMerge [
|
${serviceName} = lib.mkMerge [
|
||||||
|
@ -263,12 +265,29 @@ in
|
||||||
lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSettings enabledInstances));
|
lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSettings enabledInstances));
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
system.activationScripts = let
|
||||||
|
mkEnv = name: instance: repository:
|
||||||
|
lib.nameValuePair "${fullName name repository}_gen"
|
||||||
|
(shblib.replaceSecrets {
|
||||||
|
userConfig = repository.secrets // {
|
||||||
|
RESTIC_PASSWORD_FILE = instance.passphraseFile;
|
||||||
|
RESTIC_REPOSITORY = repository.path;
|
||||||
|
};
|
||||||
|
resultPath = "/run/secrets_restic_env/${fullName name repository}";
|
||||||
|
generator = name: v: pkgs.writeText (fullName name repository) (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
|
||||||
|
user = instance.user;
|
||||||
|
});
|
||||||
|
mkSettings = name: instance: builtins.map (mkEnv name instance) instance.repositories;
|
||||||
|
in
|
||||||
|
lib.listToAttrs (lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances));
|
||||||
|
|
||||||
environment.systemPackages = let
|
environment.systemPackages = let
|
||||||
mkResticBinary = name: instance: repository: pkgs.writeShellScriptBin "restic-${name}_${repoSlugName repository.path}" ''
|
mkResticBinary = name: instance: repository:
|
||||||
export RESTIC_PASSWORD_FILE=${instance.passphraseFile}
|
pkgs.writeShellScriptBin (fullName name repository) ''
|
||||||
export RESTIC_REPOSITORY=${repository.path}
|
export $(grep -v '^#' "/run/secrets_restic_env/${fullName name repository}" \
|
||||||
${pkgs.restic}/bin/restic $@
|
| xargs -d '\n')
|
||||||
'';
|
${pkgs.restic}/bin/restic $@
|
||||||
|
'';
|
||||||
mkSettings = name: instance: builtins.map (mkResticBinary name instance) instance.repositories;
|
mkSettings = name: instance: builtins.map (mkResticBinary name instance) instance.repositories;
|
||||||
in
|
in
|
||||||
lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances);
|
lib.flatten (lib.attrsets.mapAttrsToList mkSettings cfg.instances);
|
||||||
|
|
|
@ -234,6 +234,10 @@ One can then restore a backup with:
|
||||||
restic-myfolder1_srv_pool1_backups restore latest -t /
|
restic-myfolder1_srv_pool1_backups restore latest -t /
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Troubleshooting {#blocks-restic-maintenance-troubleshooting}
|
||||||
|
|
||||||
|
In case something bad happens with a backup, the [official documentation](https://restic.readthedocs.io/en/stable/077_troubleshooting.html) has a lot of tips.
|
||||||
|
|
||||||
## Options Reference {#blocks-restic-options}
|
## Options Reference {#blocks-restic-options}
|
||||||
|
|
||||||
```{=include=} options
|
```{=include=} options
|
||||||
|
|
|
@ -20,7 +20,7 @@ let
|
||||||
shb.restic.instances."testinstance" = {
|
shb.restic.instances."testinstance" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
passphraseFile = pkgs.writeText "passphrase" "PassPhrase";
|
passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
|
||||||
|
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
"/opt/files/A"
|
"/opt/files/A"
|
||||||
|
|
|
@ -94,7 +94,7 @@ let
|
||||||
];
|
];
|
||||||
shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // {
|
shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // {
|
||||||
enable = true;
|
enable = true;
|
||||||
passphraseFile = pkgs.writeText "passphrase" "PassPhrase";
|
passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
|
||||||
repositories = [
|
repositories = [
|
||||||
{
|
{
|
||||||
path = "/opt/repos/A";
|
path = "/opt/repos/A";
|
||||||
|
|
Loading…
Reference in a new issue