backup: more robust handling of credentials

silver 2023-06-24 01:34:45 +01:00
parent 9eafd81e2e
commit 7dcda8021c


@ -1,6 +1,6 @@
# nodes is all the nodes # nodes is all the nodes
{ lib, config, nodes, ...}: with lib; { lib, config, nodes, pkgs, ...}: with lib;
let let
cfg = config.services.skynet_backup; cfg = config.services.skynet_backup;
@ -39,7 +39,27 @@
{ {
name = value.config.services.skynet_backup.host.name; name = value.config.services.skynet_backup.host.name;
value = base // { value = base // {
repository = "rest:http://${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/${cfg.host.name}"; repositoryFile = "${destination}/${value.config.services.skynet_backup.host.name}";
backupPrepareCommand = ''
#!${pkgs.stdenv.shell}
set -euo pipefail
baseDir="/etc/skynet/restic"
mkdir -p $baseDir
cd $baseDir
#touch ${value.config.services.skynet_backup.host.name}
echo -n "rest:http://root:password@${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/root/${value.config.services.skynet_backup.host.name}" > ${value.config.services.skynet_backup.host.name}
# read in teh password
#PW = `cat ${config.age.secrets.restic.path}`
line=$(head -n 1 ${config.age.secrets.restic.path})
sed -i "s/password/$line/g" ${value.config.services.skynet_backup.host.name}
'';
}; };
} }
] ]
@ -56,6 +76,7 @@
]; ];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
# will eb enabled on every server # will eb enabled on every server
options.services.skynet_backup = { options.services.skynet_backup = {
# backup is enabled by default # backup is enabled by default
@ -128,6 +149,12 @@
config = { config = {
# these values are anabled for every client # these values are anabled for every client
environment.systemPackages = [
# for flakes
pkgs.restic
];
age.secrets.restic.file = ../secrets/backup/restic.age; age.secrets.restic.file = ../secrets/backup/restic.age;
# age.secrets.backblaze.file = ../secrets/backup/backblaze.age; # age.secrets.backblaze.file = ../secrets/backup/backblaze.age;
@ -141,22 +168,22 @@
}; };
age.secrets.restic_pw = mkIf cfg.server.enable {
#age.secrets.restic_pw.file = mkIf cfg.server.enable ../secrets/backup/restic_pw.age; file = ../secrets/backup/restic_pw.age;
path = "${config.services.restic.server.dataDir}/.htpasswd";
symlink = false;
mode = "770";
owner = "restic";
group = "restic";
};
services.restic.server = mkIf cfg.server.enable{ services.restic.server = mkIf cfg.server.enable{
enable = true; enable = true;
listenAddress = "${cfg.host.ip}:${cfg.server.port}"; listenAddress = "${cfg.host.ip}:${cfg.server.port}";
appendOnly = cfg.server.appendOnly; appendOnly = cfg.server.appendOnly;
#privateRepos = true; privateRepos = true;
extraFlags = ["--no-auth"];
#
}; };
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
#systemd.tmpfiles.rules = mkIf cfg.server.enable [
# "L+ ${config.services.restic.server.dataDir}/.htpasswd - - - - ${config.age.secrets.restic_pw.path}"
#];
}; };
} }
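Review bot: The prepare command in hunk @ -39,7 +39,27 writes the REST password into `/etc/skynet/restic/<host>` under whatever umask the unit runs with while `mkdir -p` sets no mode, so the credential file is not guaranteed to be owner-only readable, and `sed -i "s/password/$line/g"` additionally puts the secret on a command line and corrupts the URL if the password contains `/`, `&` or a newline (or if the host name itself contains the word `password`). Setting `umask 077` and writing the URL in one `printf` from a variable avoids both the temporary placeholder file and the sed round-trip, as sketched below (assuming the password holds no URL-reserved characters, which would otherwise need percent-encoding). Separately, the new URL embeds basic-auth credentials in `http://` where the old side ran the server with `--no-auth`; nothing on the page shows TLS in front of restic-server, so unless it is only reachable over a trusted link the password now crosses the network in cleartext. In hunk @ -141,22 the `.htpasswd` secret gets `mode = "770"`, which grants group write on the credential store; a read-only `440` (or `640`) looks sufficient for restic-server. The `backupPrepareCommand` sits inside a list element whose enclosing expression starts before the hunk.
```nix
backupPrepareCommand = ''
  #!${pkgs.stdenv.shell}
  set -euo pipefail
  umask 077
  baseDir="/etc/skynet/restic"
  mkdir -p "$baseDir"
  cd "$baseDir"
  pw=$(head -n 1 ${config.age.secrets.restic.path})
  printf '%s' "rest:http://root:''${pw}@${value.config.services.skynet_backup.host.ip}:${value.config.services.skynet_backup.server.port}/root/${value.config.services.skynet_backup.host.name}" > "${value.config.services.skynet_backup.host.name}"
'';
```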