diff options
| -rwxr-xr-x | hosts/vidhar/borg/copy.py | 6 | ||||
| -rw-r--r-- | hosts/vidhar/borg/default.nix | 8 |
2 files changed, 11 insertions, 3 deletions
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py index 809184a3..c839194c 100755 --- a/hosts/vidhar/borg/copy.py +++ b/hosts/vidhar/borg/copy.py | |||
| @@ -101,7 +101,11 @@ def copy_archive(src_repo_path, dst_repo_path, entry): | |||
| 101 | for path in [chroot,upper,work]: | 101 | for path in [chroot,upper,work]: |
| 102 | path.mkdir() | 102 | path.mkdir() |
| 103 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) | 103 | subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True) |
| 104 | bindMounts = ['nix', 'run', 'run/secrets.d', 'var/lib/borg', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] | 104 | bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')] |
| 105 | if os.environ.get('BORG_BASE_DIR'): | ||
| 106 | bindMounts.append(os.environ['BORG_BASE_DIR']) | ||
| 107 | if os.environ.get('CREDENTIALS_DIRECTORY'): | ||
| 108 | bindMounts.append(os.environ['CREDENTIALS_DIRECTORY']) | ||
| 105 | if not ":" in src_repo_path: | 109 | if not ":" in src_repo_path: |
| 106 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) | 110 | bindMounts.append(pathlib.Path(src_repo_path).relative_to('/')) |
| 107 | if 'SSH_AUTH_SOCK' in os.environ: | 111 | if 'SSH_AUTH_SOCK' in os.environ: |
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix index 7250c4c7..352ce887 100644 --- a/hosts/vidhar/borg/default.nix +++ b/hosts/vidhar/borg/default.nix | |||
| @@ -11,7 +11,7 @@ let | |||
| 11 | Host yggdrasil.borgbase | 11 | Host yggdrasil.borgbase |
| 12 | HostName nx69hpl8.repo.borgbase.com | 12 | HostName nx69hpl8.repo.borgbase.com |
| 13 | User nx69hpl8 | 13 | User nx69hpl8 |
| 14 | IdentityFile ${config.sops.secrets."append.borgbase".path} | 14 | IdentityFile /run/credentials/${serviceName}.service/ssh-identity |
| 15 | IdentitiesOnly yes | 15 | IdentitiesOnly yes |
| 16 | 16 | ||
| 17 | BatchMode yes | 17 | BatchMode yes |
| @@ -33,9 +33,13 @@ let | |||
| 33 | "BORG_CACHE_DIR=/var/lib/borg/cache" | 33 | "BORG_CACHE_DIR=/var/lib/borg/cache" |
| 34 | "BORG_SECURITY_DIR=/var/lib/borg/security" | 34 | "BORG_SECURITY_DIR=/var/lib/borg/security" |
| 35 | "BORG_KEYS_DIR=/var/lib/borg/keys" | 35 | "BORG_KEYS_DIR=/var/lib/borg/keys" |
| 36 | "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}" | 36 | "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile" |
| 37 | "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" | 37 | "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" |
| 38 | ]; | 38 | ]; |
| 39 | LoadCredential = [ | ||
| 40 | "ssh-identity:${config.sops.secrets."append.borgbase".path}" | ||
| 41 | "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}" | ||
| 42 | ]; | ||
| 39 | }; | 43 | }; |
| 40 | }; | 44 | }; |
| 41 | 45 | ||