From d4982d6b72565352b04ce0eb4cd6ce6caa52232a Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 17 Feb 2022 17:44:07 +0100
Subject: vidhar: ...
---
 hosts/vidhar/borg/copy.py | 6 +++++-
 hosts/vidhar/borg/default.nix | 8 ++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 809184a3..c839194c 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -101,7 +101,11 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
 for path in [chroot,upper,work]:
 path.mkdir()
 subprocess.run(['mount', '-t', 'overlay', 'overlay', '-o', f'lowerdir=/,upperdir={upper},workdir={work}', chroot], check=True)
- bindMounts = ['nix', 'run', 'run/secrets.d', 'var/lib/borg', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+ bindMounts = ['nix', 'run', 'proc', 'dev', 'sys', pathlib.Path(os.path.expanduser('~')).relative_to('/')]
+ if os.environ.get('BORG_BASE_DIR'):
+ bindMounts.append(os.environ['BORG_BASE_DIR'])
+ if os.environ.get('CREDENTIALS_DIRECTORY'):
+ bindMounts.append(os.environ['CREDENTIALS_DIRECTORY'])
 if not ":" in src_repo_path:
 bindMounts.append(pathlib.Path(src_repo_path).relative_to('/'))
 if 'SSH_AUTH_SOCK' in os.environ:
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index 7250c4c7..352ce887 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -11,7 +11,7 @@ let
 Host yggdrasil.borgbase
 HostName nx69hpl8.repo.borgbase.com
 User nx69hpl8
- IdentityFile ${config.sops.secrets."append.borgbase".path}
+ IdentityFile /run/credentials/${serviceName}.service/ssh-identity
 IdentitiesOnly yes
 BatchMode yes
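Review bot: The two new `bindMounts.append(os.environ[...])` calls in the copy.py hunk add the raw environment strings, which are normally absolute paths, while every other entry visible in the hunk is relative to `/` (the home directory and `src_repo_path` both go through `.relative_to('/')`). The code that consumes `bindMounts` is outside the hunk; if it joins each entry onto `chroot` with pathlib, an absolute right-hand operand discards `chroot`, so the credentials and borg state directories would not end up mounted inside the overlay. Normalising them like their neighbours avoids that and also rejects a value that is not an absolute path: `bindMounts.append(pathlib.Path(os.environ['BORG_BASE_DIR']).relative_to('/'))`, and the same for `CREDENTIALS_DIRECTORY`.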
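Review bot: The new `IdentityFile` value hard-codes `/run/credentials/${serviceName}.service/ssh-identity`, so it resolves only when this ssh config is used by the unit whose `LoadCredential` declares `ssh-identity`; the `BORG_KEY_FILE` line in the next hunk is coupled to the `keyfile` entry in the same way. Neither hunk documents that link, and with `IdentitiesOnly yes` and `BatchMode yes` a mismatch would most likely surface only as an authentication failure. A comment line above the `Host` block would make the dependency visible, for example `# identity is the "ssh-identity" credential loaded via LoadCredential on the copy service`. The surrounding `let` binding starts and ends outside the hunk.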
@@ -33,9 +33,13 @@ let
 "BORG_CACHE_DIR=/var/lib/borg/cache"
 "BORG_SECURITY_DIR=/var/lib/borg/security"
 "BORG_KEYS_DIR=/var/lib/borg/keys"
- "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}"
+ "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
 "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes"
 ];
+ LoadCredential = [
+ "ssh-identity:${config.sops.secrets."append.borgbase".path}"
+ "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
+ ];
 };
 };
-- cgit v1.2.3
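Review bot: No `BORG_BASE_DIR` entry is visible among the environment strings in this hunk, yet copy.py in the same commit now bind-mounts the borg state directory only when that variable is set, where it used to mount `var/lib/borg` unconditionally. The list begins above the hunk, so the variable may already be defined there. If it is not, `BORG_CACHE_DIR`, `BORG_SECURITY_DIR` and `BORG_KEYS_DIR` would point at paths that exist only in the throwaway overlay inside the chroot, and borg's security state would not persist between runs. Adding `"BORG_BASE_DIR=/var/lib/borg"` to the list, or confirming it is already there, keeps the two files consistent.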