-rwxr-xr-xhosts/vidhar/borg/copy.py16
-rw-r--r--hosts/vidhar/borg/default.nix14
2 files changed, 9 insertions, 21 deletions
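--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -115,15 +115,13 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
 for path in [chroot,upper,work]:
 path.mkdir()
 subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
-bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+bindMounts = ['nix', 'run', 'run/secrets.d', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
 if os.environ.get('BORG_BASE_DIR'):
 bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/'))
 if not ":" in src_repo_path:
 bindMounts.append(pathlib.Path(src_repo_path).relative_to('/'))
 if 'SSH_AUTH_SOCK' in os.environ:
 bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/'))
-if 'CREDENTIALS_DIRECTORY' in os.environ:
-bindMounts.append(pathlib.Path(os.environ['CREDENTIALS_DIRECTORY']).parent.relative_to('/'))
 for bindMount in bindMounts:
 (chroot / bindMount).mkdir(parents=True,exist_ok=True)
 # print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr)
@@ -241,18 +239,6 @@ def sigterm(signum, frame):
 
 def main():
 signal.signal(signal.SIGTERM, sigterm)
-
-if 'CREDENTIALS_DIRECTORY' in os.environ:
-def do_chown(path):
-os.chown(path, borg_pwd.pw_uid, borg_pwd.pw_gid)
-do_chown(os.environ['CREDENTIALS_DIRECTORY'])
-
-for root, dirs, files in os.walk(os.environ['CREDENTIALS_DIRECTORY']):
-root_path = pathlib.Path(root)
-for dir in dirs:
-do_chown(root_path / pathlib.Path(dir))
-for file in files:
-do_chown(root_path / pathlib.Path(file))
 
 if "::" in args.source:
 (src_repo_path, _, src_archive) = args.source.partition("::")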
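Review bot: The new `'run/secrets.d'` entry in bindMounts only does its job because it is listed after `'run'`: each entry is bind-mounted on its own, and if that bind is non-recursive (the mount call itself is not visible in the hunk, only the commented print), a separate secrets mount under /run is not carried over by the `'run'` entry alone, so reordering the list would silently leave the secret paths dangling inside the chroot. It also means every secret on the host is now visible inside the chroot, with only each secret's owner/group/mode deciding what the borg process may read, whereas the removed CREDENTIALS_DIRECTORY handling exposed one service's credentials. A comment above the list would make both points durable, e.g. `# 'run/secrets.d' must follow 'run': the secrets live on their own mount that a plain bind of /run does not include; read access is limited only by each secret's owner/mode`. copy_archive begins before this hunk and continues after it.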
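--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -11,7 +11,7 @@ let
 Host yggdrasil.borgbase
 HostName nx69hpl8.repo.borgbase.com
 User nx69hpl8
-IdentityFile /run/credentials/${serviceName}.service/ssh-identity
+IdentityFile ${config.sops.secrets."append.borgbase".path}
 IdentitiesOnly yes
 
 BatchMode yes
@@ -33,14 +33,10 @@ let
 "BORG_CACHE_DIR=/var/lib/borg/cache"
 "BORG_SECURITY_DIR=/var/lib/borg/security"
 "BORG_KEYS_DIR=/var/lib/borg/keys"
-"BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
+"BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}"
 "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes"
 "BORG_HOSTNAME_IS_UNIQUE=yes"
 ];
-LoadCredential = [
-"ssh-identity:${config.sops.secrets."append.borgbase".path}"
-"keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
-];
 };
 };
 
@@ -102,10 +98,16 @@ in {
 sops.secrets."append.borgbase" = {
 format = "binary";
 sopsFile = ./append.borgbase;
+owner = "borg";
+group = "borg";
+mode = "0640";
 };
 sops.secrets."yggdrasil.borgkey" = {
 format = "binary";
 sopsFile = ./yggdrasil.borgkey;
+owner = "borg";
+group = "borg";
+mode = "0640";
 };
 
 systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);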
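Review bot: `mode = "0640"` on the `append.borgbase` secret in the last hunk is likely to make ssh reject the key: OpenSSH refuses a private key file that is owned by the calling user and readable by group or others ("Permissions ... are too open"), so if the service runs ssh as `borg`, which `owner = "borg"` suggests, the IdentityFile line from the first hunk is ignored and authentication to borgbase fails in BatchMode. Use `mode = "0400";` for that secret; borg applies no such check to the keyfile, but the same tightening is reasonable there unless another member of group borg needs it. Removing LoadCredential also means systemd no longer scopes these files to the service, so the per-secret owner/mode is now their only access control.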