From 7dcda8021cba4fc791eadc0183c03b32c9d5e504 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sat, 24 Jun 2023 01:34:45 +0100
Subject: [PATCH] backup: more robust handling of credentials
---
applications/restic.nix | 51 +++++++++++++++++++++++++++++++----------
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/applications/restic.nix b/applications/restic.nix
index e511534..32cd827 100644
--- a/applications/restic.nix
+++ b/applications/restic.nix
@@ -1,6 +1,6 @@
 # nodes is all the nodes -{ lib, config, nodes, ...}: with lib; +{ lib, config, nodes, pkgs, ...}: with lib; let cfg = config.services.skynet_backup;
@@ -39,7 +39,27 @@
 {
 name = value.config.services.skynet_backup.host.name;
 value = base // {
- repository = "rest:http://${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/${cfg.host.name}";
+ repositoryFile = "${destination}/${value.config.services.skynet_backup.host.name}";
+
+ backupPrepareCommand = ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+
+ baseDir="/etc/skynet/restic"
+
+ mkdir -p $baseDir
+ cd $baseDir
+
+ #touch ${value.config.services.skynet_backup.host.name}
+ echo -n "rest:http://root:password@${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/root/${value.config.services.skynet_backup.host.name}" > ${value.config.services.skynet_backup.host.name}
+
+ # read in teh password
+ #PW = `cat ${config.age.secrets.restic.path}`
+ line=$(head -n 1 ${config.age.secrets.restic.path})
+
+ sed -i "s/password/$line/g" ${value.config.services.skynet_backup.host.name}
+ '';
+
 };
 }
 ]
@@ -56,6 +76,7 @@
 ]; # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base + # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix # will eb enabled on every server options.services.skynet_backup = { # backup is enabled by default 
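Review bot: The `sed -i "s/password/$line/g"` step in backupPrepareCommand breaks whenever the secret read from `${config.age.secrets.restic.path}` contains `/`, `&` or `\`, and it also rewrites any other occurrence of the literal `password` in the URL, so the repository file can end up malformed or hold a truncated credential. Since the value is already in `line`, move `line=$(head -n 1 ${config.age.secrets.restic.path})` above the echo and write the URL in one step, `echo -n "rest:http://root:$line@${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/root/${value.config.services.skynet_backup.host.name}" > ${value.config.services.skynet_backup.host.name}`, dropping the sed (Nix leaves `$line` untouched in an indented string). The credential file is created under /etc/skynet/restic with the default umask, so add `umask 077` right after `set -euo pipefail` to keep it from being world-readable. `repositoryFile` points at `${destination}/…` while the script writes into `/etc/skynet/restic`; `destination` is defined outside this hunk, so the two presumably coincide, but a comment tying them together would help the next reader. The `#touch` and `#PW` leftovers can be removed.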
@@ -128,6 +149,12 @@ config = { # these values are anabled for every client + + environment.systemPackages = [ + # for flakes + pkgs.restic + ]; + age.secrets.restic.file = ../secrets/backup/restic.age; # age.secrets.backblaze.file = ../secrets/backup/backblaze.age; @@ -141,22 +168,22 @@ }; - - #age.secrets.restic_pw.file = mkIf cfg.server.enable ../secrets/backup/restic_pw.age; + age.secrets.restic_pw = mkIf cfg.server.enable { + file = ../secrets/backup/restic_pw.age; + path = "${config.services.restic.server.dataDir}/.htpasswd"; + symlink = false; + mode = "770"; + owner = "restic"; + group = "restic"; + }; services.restic.server = mkIf cfg.server.enable{ enable = true; listenAddress = "${cfg.host.ip}:${cfg.server.port}"; appendOnly = cfg.server.appendOnly; - #privateRepos = true; - - extraFlags = ["--no-auth"]; - # + privateRepos = true; }; - # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix - #systemd.tmpfiles.rules = mkIf cfg.server.enable [ - # "L+ ${config.services.restic.server.dataDir}/.htpasswd - - - - ${config.age.secrets.restic_pw.path}" - #]; + }; }
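Review bot: `mode = "770"` on the `age.secrets.restic_pw` secret is wider than the `.htpasswd` file needs — it sets the execute bit and makes the credential file group-writable, while rest-server only reads it; `mode = "440";` (or `"640"` if something must rewrite it) keeps it readable by the `restic` owner and group and nothing more. The file is also the server-side counterpart of the hard-coded `root:…` credentials the clients build in the second hunk, so a comment such as `# must hold a "root" entry: clients authenticate as root (see backupPrepareCommand)` on this block would record that coupling. Enabling `privateRepos` while dropping `--no-auth` is consistent with that client URL; the enclosing `config = {` set begins before this hunk.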