diff options
-rwxr-xr-x | hosts/vidhar/borg/copy.py | 16 | ||||
-rw-r--r-- | hosts/vidhar/borg/default.nix | 14 |
2 files changed, 9 insertions, 21 deletions
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py index 91c65e1e..f685a490 100755 --- a/hosts/vidhar/borg/copy.py +++ b/hosts/vidhar/borg/copy.py | |||
@@ -115,15 +115,13 @@ def copy_archive(src_repo_path, dst_repo_path, entry): | |||
115 | for path in [chroot,upper,work]: | 115 | for path in [chroot,upper,work]: |
116 | path.mkdir() | 116 | path.mkdir() |
117 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) | 117 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) |
118 | bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] | 118 | bindMounts = ['nix', 'run', 'run/secrets.d', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] |
119 | if os.environ.get('BORG_BASE_DIR'): | 119 | if os.environ.get('BORG_BASE_DIR'): |
120 | bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/')) | 120 | bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/')) |
121 | if not ":" in src_repo_path: | 121 | if not ":" in src_repo_path: |
122 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) | 122 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) |
123 | if 'SSH_AUTH_SOCK' in os.environ: | 123 | if 'SSH_AUTH_SOCK' in os.environ: |
124 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) | 124 | bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/')) |
125 | if 'CREDENTIALS_DIRECTORY' in os.environ: | ||
126 | bindMounts.append(pathlib.Path(os.environ['CREDENTIALS_DIRECTORY']).parent.relative_to('/')) | ||
127 | for bindMount in bindMounts: | 125 | for bindMount in bindMounts: |
128 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) | 126 | (chroot / bindMount).mkdir(parents=True,exist_ok=True) |
129 | # print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr) | 127 | # print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr) |
@@ -241,18 +239,6 @@ def sigterm(signum, frame): | |||
241 | 239 | ||
242 | def main(): | 240 | def main(): |
243 | signal.signal(signal.SIGTERM, sigterm) | 241 | signal.signal(signal.SIGTERM, sigterm) |
244 | |||
245 | if 'CREDENTIALS_DIRECTORY' in os.environ: | ||
246 | def do_chown(path): | ||
247 | os.chown(path, borg_pwd.pw_uid, borg_pwd.pw_gid) | ||
248 | do_chown(os.environ['CREDENTIALS_DIRECTORY']) | ||
249 | |||
250 | for root, dirs, files in os.walk(os.environ['CREDENTIALS_DIRECTORY']): | ||
251 | root_path = pathlib.Path(root) | ||
252 | for dir in dirs: | ||
253 | do_chown(root_path / pathlib.Path(dir)) | ||
254 | for file in files: | ||
255 | do_chown(root_path / pathlib.Path(file)) | ||
256 | 242 | ||
257 | if "::" in args.source: | 243 | if "::" in args.source: |
258 | (src_repo_path, _, src_archive) = args.source.partition("::") | 244 | (src_repo_path, _, src_archive) = args.source.partition("::") |
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix index 7a508971..3804aa76 100644 --- a/hosts/vidhar/borg/default.nix +++ b/hosts/vidhar/borg/default.nix | |||
@@ -11,7 +11,7 @@ let | |||
11 | Host yggdrasil.borgbase | 11 | Host yggdrasil.borgbase |
12 | HostName nx69hpl8.repo.borgbase.com | 12 | HostName nx69hpl8.repo.borgbase.com |
13 | User nx69hpl8 | 13 | User nx69hpl8 |
14 | IdentityFile /run/credentials/${serviceName}.service/ssh-identity | 14 | IdentityFile ${config.sops.secrets."append.borgbase".path} |
15 | IdentitiesOnly yes | 15 | IdentitiesOnly yes |
16 | 16 | ||
17 | BatchMode yes | 17 | BatchMode yes |
@@ -33,14 +33,10 @@ let | |||
33 | "BORG_CACHE_DIR=/var/lib/borg/cache" | 33 | "BORG_CACHE_DIR=/var/lib/borg/cache" |
34 | "BORG_SECURITY_DIR=/var/lib/borg/security" | 34 | "BORG_SECURITY_DIR=/var/lib/borg/security" |
35 | "BORG_KEYS_DIR=/var/lib/borg/keys" | 35 | "BORG_KEYS_DIR=/var/lib/borg/keys" |
36 | "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile" | 36 | "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}" |
37 | "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" | 37 | "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" |
38 | "BORG_HOSTNAME_IS_UNIQUE=yes" | 38 | "BORG_HOSTNAME_IS_UNIQUE=yes" |
39 | ]; | 39 | ]; |
40 | LoadCredential = [ | ||
41 | "ssh-identity:${config.sops.secrets."append.borgbase".path}" | ||
42 | "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}" | ||
43 | ]; | ||
44 | }; | 40 | }; |
45 | }; | 41 | }; |
46 | 42 | ||
@@ -102,10 +98,16 @@ in { | |||
102 | sops.secrets."append.borgbase" = { | 98 | sops.secrets."append.borgbase" = { |
103 | format = "binary"; | 99 | format = "binary"; |
104 | sopsFile = ./append.borgbase; | 100 | sopsFile = ./append.borgbase; |
101 | owner = "borg"; | ||
102 | group = "borg"; | ||
103 | mode = "0640"; | ||
105 | }; | 104 | }; |
106 | sops.secrets."yggdrasil.borgkey" = { | 105 | sops.secrets."yggdrasil.borgkey" = { |
107 | format = "binary"; | 106 | format = "binary"; |
108 | sopsFile = ./yggdrasil.borgkey; | 107 | sopsFile = ./yggdrasil.borgkey; |
108 | owner = "borg"; | ||
109 | group = "borg"; | ||
110 | mode = "0640"; | ||
109 | }; | 111 | }; |
110 | 112 | ||
111 | systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); | 113 | systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); |