From 5d80ed9d80b551327d75f8738f77363cb94e2b9f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 18 Feb 2022 12:08:01 +0100
Subject: vidhar: ...
---
 hosts/vidhar/borg/copy.py | 16 +---------------
 hosts/vidhar/borg/default.nix | 14 ++++++++------
 2 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 91c65e1e..f685a490 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -115,15 +115,13 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
 for path in [chroot,upper,work]:
 path.mkdir()
 subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
- bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+ bindMounts = ['nix', 'run', 'run/secrets.d', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
 if os.environ.get('BORG_BASE_DIR'):
 bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/'))
 if not ":" in src_repo_path:
 bindMounts.append(pathlib.Path(src_repo_path).relative_to('/'))
 if 'SSH_AUTH_SOCK' in os.environ:
 bindMounts.append(pathlib.Path(os.environ['SSH_AUTH_SOCK']).parent.relative_to('/'))
- if 'CREDENTIALS_DIRECTORY' in os.environ:
- bindMounts.append(pathlib.Path(os.environ['CREDENTIALS_DIRECTORY']).parent.relative_to('/'))
 for bindMount in bindMounts:
 (chroot / bindMount).mkdir(parents=True,exist_ok=True)
 # print(*['mount', '--bind', pathlib.Path('/') / bindMount, chroot / bindMount], file=stderr)
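Review bot: Bind-mounting `run/secrets.d` exposes every sops-nix secret on the host into the borg chroot, whereas the removed `CREDENTIALS_DIRECTORY` bind only carried the per-service credential directory, so isolation inside the chroot now rests entirely on the owner/mode of each secret file; if only the ssh identity and the borg key are needed, bind just those two paths (or a directory holding only them), and make the bind read-only (`mount --bind` followed by `mount -o remount,bind,ro`) so a compromised borg cannot alter its own key. The new entry also carries an ordering dependency: `/run/secrets.d` is presumably a separate mount that the plain, non-recursive bind of `run` does not carry over, which is why it has to follow `'run'` in the list, and that deserves a comment such as `# sops-nix keeps /run/secrets.d on its own mount; bind it after 'run' or the secrets are absent inside the chroot`. The mount loop itself continues past the end of the hunk, so whether the bind is already read-only is not visible here.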
@@ -241,18 +239,6 @@ def sigterm(signum, frame):
 def main():
 signal.signal(signal.SIGTERM, sigterm)
-
- if 'CREDENTIALS_DIRECTORY' in os.environ:
- def do_chown(path):
- os.chown(path, borg_pwd.pw_uid, borg_pwd.pw_gid)
- do_chown(os.environ['CREDENTIALS_DIRECTORY'])
-
- for root, dirs, files in os.walk(os.environ['CREDENTIALS_DIRECTORY']):
- root_path = pathlib.Path(root)
- for dir in dirs:
- do_chown(root_path / pathlib.Path(dir))
- for file in files:
- do_chown(root_path / pathlib.Path(file))
 if "::" in args.source:
 (src_repo_path, _, src_archive) = args.source.partition("::")
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index 7a508971..3804aa76 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -11,7 +11,7 @@ let
 Host yggdrasil.borgbase
 HostName nx69hpl8.repo.borgbase.com
 User nx69hpl8
- IdentityFile /run/credentials/${serviceName}.service/ssh-identity
+ IdentityFile ${config.sops.secrets."append.borgbase".path}
 IdentitiesOnly yes
 BatchMode yes
@@ -33,14 +33,10 @@ let
 "BORG_CACHE_DIR=/var/lib/borg/cache"
 "BORG_SECURITY_DIR=/var/lib/borg/security"
 "BORG_KEYS_DIR=/var/lib/borg/keys"
- "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
+ "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}"
 "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes"
 "BORG_HOSTNAME_IS_UNIQUE=yes"
 ];
- LoadCredential = [
- "ssh-identity:${config.sops.secrets."append.borgbase".path}"
- "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
- ];
 };
 };
@@ -102,10 +98,16 @@ in {
 sops.secrets."append.borgbase" = {
 format = "binary";
 sopsFile = ./append.borgbase;
+ owner = "borg";
+ group = "borg";
+ mode = "0640";
 };
 sops.secrets."yggdrasil.borgkey" = {
 format = "binary";
 sopsFile = ./yggdrasil.borgkey;
+ owner = "borg";
+ group = "borg";
+ mode = "0640";
 };
 systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);
-- cgit v1.2.3
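Review bot: Removing `LoadCredential` gives up the per-service private copy of both secrets that systemd placed under `/run/credentials/<unit>/`, so the service now reads the shared sops-nix files directly and its isolation depends only on the owner/group/mode of those files plus copy.py bind-mounting the secrets mount into the chroot. That coupling is not visible from this file and should be stated next to the new `BORG_KEY_FILE` line, e.g. `# read straight from the sops-nix secret; copy.py must bind /run/secrets.d into the chroot for this path to resolve there`. I am assuming `config.sops.secrets.<name>.path` is the usual `/run/secrets/<name>` location backed by `/run/secrets.d`; if it has been overridden elsewhere the comment should say where.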
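Review bot: `mode = "0640"` on `append.borgbase` will most likely make ssh refuse the key, because OpenSSH ignores an identity file owned by the invoking user whose mode has any group or other bits set ("Permissions 0640 ... are too open"), and with `IdentitiesOnly yes` and `BatchMode yes` in the matching ssh config there is no fallback, so the push to borgbase would fail at authentication. Use `mode = "0400";` (or `"0600"`) for the ssh identity; the same tighter mode is appropriate for `yggdrasil.borgkey` unless some other member of the `borg` group genuinely needs it, since the group bit widens readers from one user to everyone in that group. Whether the `borg` user is in fact the uid that invokes ssh is not shown in this diff (the chown to `borg_pwd` removed from copy.py suggests it is), so confirm that before relying on the group bit at all.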