2 files changed, 9 insertions, 21 deletions

diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 91c65e1e..f685a490 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -115,15 +115,13 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
             for path in [chroot,upper,work]:
                 path.mkdir()
             subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
-            bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+            bindMounts = ['nix', 'run', 'run/secrets.d', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
             if os.environ.get('BORG_BASE_DIR'):
                 bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/'))
             if not ":" in src_repo_path:
                 bindMounts.append(pathlib.Path(src_repo_path).relative_to('/'))
             if 'SSH_AUTH_SOCK' in os.environ:
                 bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/'))
-            if 'CREDENTIALS_DIRECTORY' in os.environ:
-                bindMounts.append(pathlib.Path(os.environ['CREDENTIALS_DIRECTORY']).parent.relative_to('/'))
             for bindMount in bindMounts:
                 (chroot / bindMount).mkdir(parents=True,exist_ok=True)
                 # print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr)
@@ -241,18 +239,6 @@ def sigterm(signum, frame):
 
 def main():
     signal.signal(signal.SIGTERM, sigterm)
-
-    if 'CREDENTIALS_DIRECTORY' in os.environ:
-        def do_chown(path):
-            os.chown(path, borg_pwd.pw_uid, borg_pwd.pw_gid)
-        do_chown(os.environ['CREDENTIALS_DIRECTORY'])
-            
-        for root, dirs, files in os.walk(os.environ['CREDENTIALS_DIRECTORY']):
-            root_path = pathlib.Path(root)
-            for dir in dirs:
-                do_chown(root_path / pathlib.Path(dir))
-            for file in files:
-                do_chown(root_path / pathlib.Path(file))
     
     if "::" in args.source:
         (src_repo_path, _, src_archive) = args.source.partition("::")
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index 7a508971..3804aa76 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -11,7 +11,7 @@ let
       Host yggdrasil.borgbase
         HostName nx69hpl8.repo.borgbase.com
         User nx69hpl8
-        IdentityFile /run/credentials/${serviceName}.service/ssh-identity
+        IdentityFile ${config.sops.secrets."append.borgbase".path}
         IdentitiesOnly yes
 
         BatchMode yes
@@ -33,14 +33,10 @@ let
         "BORG_CACHE_DIR=/var/lib/borg/cache"
         "BORG_SECURITY_DIR=/var/lib/borg/security"
         "BORG_KEYS_DIR=/var/lib/borg/keys"
-        "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
+        "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}"
         "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes"
         "BORG_HOSTNAME_IS_UNIQUE=yes"
       ];
-      LoadCredential = [
-        "ssh-identity:${config.sops.secrets."append.borgbase".path}"
-        "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
-      ];
     };
   };
 
@@ -102,10 +98,16 @@ in {
     sops.secrets."append.borgbase" = {
       format = "binary";
       sopsFile = ./append.borgbase;
+      owner = "borg";
+      group = "borg";
+      mode = "0640";
     };
     sops.secrets."yggdrasil.borgkey" = {
       format = "binary";
       sopsFile = ./yggdrasil.borgkey;
+      owner = "borg";
+      group = "borg";
+      mode = "0640";
     };
 
     systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);