restic_repo as secret option #31

2023-10-03 22:39:06 +02:00 · 2023-10-03 22:39:06 +02:00 · c3f3d1a6fe
parent ab6c06d423
commit c3f3d1a6fe
4 changed files with 47 additions and 9 deletions
--- a/.env.sample
+++ b/.env.sample
@ -21,7 +21,9 @@ CRON_SCHEDULE='30 3 * * *'
 #AWS_ACCESS_KEY_ID=something-secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"

-# HTTPS storage
-#SECRET_HTTPS_PASSWORD_VERSION=v1
-#COMPOSE_FILE="$COMPOSE_FILE:compose.https.yml"
-#RESTIC_USER=<somebody>
+# Secret restic repository
+# use a secret to store the RESTIC_REPO if the repository location contains a secret value
+# i.E rest:https://user:SECRET_PASSWORD@host:8000/
+# it overwrites the RESTIC_REPO variable
+#SECRET_RESTIC_REPO_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
--- a/README.md
+++ b/README.md
@ -83,6 +83,23 @@ abra app secret insert <app_name> ssh_key v1 """$(cat backupkey)
 """
 ```

+### Restic REST server Storage
+
+You can simply set the `RESTIC_REPO` variable to your REST server URL `rest:http://host:8000/`.
+If you access the REST server with a password `rest:https://user:pass@host:8000/` you should hide the whole URL containing the password inside a secret.
+Uncomment these lines:
+```
+SECRET_RESTIC_REPO_VERSION=v1
+COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
+```
+Add your REST server url as secret:
+```
+`abra app secret insert <app_name> restic_repo v1 "rest:https://user:pass@host:8000/"`
+```
+The secret will overwrite the `RESTIC_REPO` variable.
+
+
+See [restic REST docs](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server) for more information.

 ## Usage

--- a/backupbot.py
+++ b/backupbot.py
@ -26,17 +26,21 @@ def cli(loglevel, service, repository):
    global SERVICE
    if service:
        SERVICE = service.replace('.', '_')
+    if repository:
+        os.environ['RESTIC_REPO'] = repository
    if loglevel:
        numeric_level = getattr(logging, loglevel.upper(), None)
        if not isinstance(numeric_level, int):
            raise ValueError('Invalid log level: %s' % loglevel)
        logging.basicConfig(level=numeric_level)
    export_secrets()
-    init_repo(repository)
+    init_repo()


-def init_repo(repository):
-    restic.repository = repository
+def init_repo():
+    repo = os.environ['RESTIC_REPO']
+    logging.debug(f"set restic repository location: {repo}")
+    restic.repository = repo
    restic.password_file = '/var/run/secrets/restic_password'
    try:
        restic.cat.config()
@ -50,10 +54,12 @@ def init_repo(repository):

 def export_secrets():
    for env in os.environ:
-        if env.endswith('PASSWORD_FILE') or env.endswith('KEY_FILE'):
+        if env.endswith('FILE') and not "COMPOSE_FILE" in env:
            logging.debug(f"exported secret: {env}")
            with open(os.environ[env]) as file:
-                os.environ[env.removesuffix('_FILE')] = file.read()
+                secret =  file.read()
+                os.environ[env.removesuffix('_FILE')] = secret
+                # logging.debug(f"Read secret value: {secret}")


@cli.command()
--- a/compose.secret.yml
+++ b/compose.secret.yml
@ -0,0 +1,13 @@
+---
+version: "3.8"
+services:
+  app:
+    environment:
+      - RESTIC_REPO_FILE=/run/secrets/restic_repo
+    secrets:
+      - restic_repo
+
+secrets:
+  restic_repo:
+    external: true
+    name: ${STACK_NAME}_restic_repo_${SECRET_RESTIC_REPO_VERSION}