restic_repo as secret option #31
This commit is contained in:
parent
ab6c06d423
commit
c3f3d1a6fe
10
.env.sample
10
.env.sample
|
@ -21,7 +21,9 @@ CRON_SCHEDULE='30 3 * * *'
|
|||
#AWS_ACCESS_KEY_ID=something-secret
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
|
||||
|
||||
# HTTPS storage
|
||||
#SECRET_HTTPS_PASSWORD_VERSION=v1
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.https.yml"
|
||||
#RESTIC_USER=<somebody>
|
||||
# Secret restic repository
|
||||
# use a secret to store the RESTIC_REPO if the repository location contains a secret value
|
||||
# i.E rest:https://user:SECRET_PASSWORD@host:8000/
|
||||
# it overwrites the RESTIC_REPO variable
|
||||
#SECRET_RESTIC_REPO_VERSION=v1
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
|
||||
|
|
17
README.md
17
README.md
|
@ -83,6 +83,23 @@ abra app secret insert <app_name> ssh_key v1 """$(cat backupkey)
|
|||
"""
|
||||
```
|
||||
|
||||
### Restic REST server Storage
|
||||
|
||||
You can simply set the `RESTIC_REPO` variable to your REST server URL `rest:http://host:8000/`.
|
||||
If you access the REST server with a password `rest:https://user:pass@host:8000/` you should hide the whole URL containing the password inside a secret.
|
||||
Uncomment these lines:
|
||||
```
|
||||
SECRET_RESTIC_REPO_VERSION=v1
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
|
||||
```
|
||||
Add your REST server url as secret:
|
||||
```
|
||||
`abra app secret insert <app_name> restic_repo v1 "rest:https://user:pass@host:8000/"`
|
||||
```
|
||||
The secret will overwrite the `RESTIC_REPO` variable.
|
||||
|
||||
|
||||
See [restic REST docs](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server) for more information.
|
||||
|
||||
## Usage
|
||||
|
||||
|
|
16
backupbot.py
16
backupbot.py
|
@ -26,17 +26,21 @@ def cli(loglevel, service, repository):
|
|||
global SERVICE
|
||||
if service:
|
||||
SERVICE = service.replace('.', '_')
|
||||
if repository:
|
||||
os.environ['RESTIC_REPO'] = repository
|
||||
if loglevel:
|
||||
numeric_level = getattr(logging, loglevel.upper(), None)
|
||||
if not isinstance(numeric_level, int):
|
||||
raise ValueError('Invalid log level: %s' % loglevel)
|
||||
logging.basicConfig(level=numeric_level)
|
||||
export_secrets()
|
||||
init_repo(repository)
|
||||
init_repo()
|
||||
|
||||
|
||||
def init_repo(repository):
|
||||
restic.repository = repository
|
||||
def init_repo():
|
||||
repo = os.environ['RESTIC_REPO']
|
||||
logging.debug(f"set restic repository location: {repo}")
|
||||
restic.repository = repo
|
||||
restic.password_file = '/var/run/secrets/restic_password'
|
||||
try:
|
||||
restic.cat.config()
|
||||
|
@ -50,10 +54,12 @@ def init_repo(repository):
|
|||
|
||||
def export_secrets():
|
||||
for env in os.environ:
|
||||
if env.endswith('PASSWORD_FILE') or env.endswith('KEY_FILE'):
|
||||
if env.endswith('FILE') and not "COMPOSE_FILE" in env:
|
||||
logging.debug(f"exported secret: {env}")
|
||||
with open(os.environ[env]) as file:
|
||||
os.environ[env.removesuffix('_FILE')] = file.read()
|
||||
secret = file.read()
|
||||
os.environ[env.removesuffix('_FILE')] = secret
|
||||
# logging.debug(f"Read secret value: {secret}")
|
||||
|
||||
|
||||
@cli.command()
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
version: "3.8"
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- RESTIC_REPO_FILE=/run/secrets/restic_repo
|
||||
secrets:
|
||||
- restic_repo
|
||||
|
||||
secrets:
|
||||
restic_repo:
|
||||
external: true
|
||||
name: ${STACK_NAME}_restic_repo_${SECRET_RESTIC_REPO_VERSION}
|
Loading…
Reference in New Issue