From c3f3d1a6fe870081fa904fc539866943a04f4a7b Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 3 Oct 2023 22:39:06 +0200
Subject: [PATCH] restic_repo as secret option #31
---
 .env.sample | 10 ++++++----
 README.md | 17 +++++++++++++++++
 backupbot.py | 16 +++++++++++-----
 compose.secret.yml | 13 +++++++++++++
 4 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 compose.secret.yml
diff --git a/.env.sample b/.env.sample
index 048d303..172d156 100644
--- a/.env.sample
+++ b/.env.sample
@@ -21,7 +21,9 @@ CRON_SCHEDULE='30 3 * * *'
 #AWS_ACCESS_KEY_ID=something-secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
-# HTTPS storage
-#SECRET_HTTPS_PASSWORD_VERSION=v1
-#COMPOSE_FILE="$COMPOSE_FILE:compose.https.yml"
-#RESTIC_USER=
+# Secret restic repository
+# use a secret to store the RESTIC_REPO if the repository location contains a secret value
+# i.E rest:https://user:SECRET_PASSWORD@host:8000/
+# it overwrites the RESTIC_REPO variable
+#SECRET_RESTIC_REPO_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
diff --git a/README.md b/README.md
index 661fbda..e772270 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,23 @@ abra app secret insert ssh_key v1 """$(cat backupkey)
 """
 ```
+### Restic REST server Storage
+
+You can simply set the `RESTIC_REPO` variable to your REST server URL `rest:http://host:8000/`.
+If you access the REST server with a password `rest:https://user:pass@host:8000/` you should hide the whole URL containing the password inside a secret.
+Uncomment these lines:
+```
+SECRET_RESTIC_REPO_VERSION=v1
+COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
+```
+Add your REST server url as secret:
+```
+`abra app secret insert restic_repo v1 "rest:https://user:pass@host:8000/"`
+```
+The secret will overwrite the `RESTIC_REPO` variable.
+
+
+See [restic REST docs](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server) for more information.
 ## Usage
diff --git a/backupbot.py b/backupbot.py
index a15d848..0f4286c 100755
--- a/backupbot.py
+++ b/backupbot.py
@@ -26,17 +26,21 @@ def cli(loglevel, service, repository):
     global SERVICE
     if service:
         SERVICE = service.replace('.', '_')
+    if repository:
+        os.environ['RESTIC_REPO'] = repository
     if loglevel:
         numeric_level = getattr(logging, loglevel.upper(), None)
         if not isinstance(numeric_level, int):
             raise ValueError('Invalid log level: %s' % loglevel)
         logging.basicConfig(level=numeric_level)
     export_secrets()
-    init_repo(repository)
+    init_repo()
-def init_repo(repository):
-    restic.repository = repository
+def init_repo():
+    repo = os.environ['RESTIC_REPO']
+    logging.debug(f"set restic repository location: {repo}")
+    restic.repository = repo
     restic.password_file = '/var/run/secrets/restic_password'
     try:
         restic.cat.config()
@@ -50,10 +54,12 @@ def init_repo(repository):
 def export_secrets():
     for env in os.environ:
-        if env.endswith('PASSWORD_FILE') or env.endswith('KEY_FILE'):
+        if env.endswith('FILE') and not "COMPOSE_FILE" in env:
             logging.debug(f"exported secret: {env}")
             with open(os.environ[env]) as file:
-                os.environ[env.removesuffix('_FILE')] = file.read()
+                secret = file.read()
+                os.environ[env.removesuffix('_FILE')] = secret
+                # logging.debug(f"Read secret value: {secret}")
 @cli.command()
diff --git a/compose.secret.yml b/compose.secret.yml
new file mode 100644
index 0000000..ab649ae
--- /dev/null
+++ b/compose.secret.yml
@@ -0,0 +1,13 @@
+---
+version: "3.8"
+services:
+  app:
+    environment:
+      - RESTIC_REPO_FILE=/run/secrets/restic_repo
+    secrets:
+      - restic_repo
+
+secrets:
+  restic_repo:
+    external: true
+    name: ${STACK_NAME}_restic_repo_${SECRET_RESTIC_REPO_VERSION}
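Review bot: `logging.debug(f"set restic repository location: {repo}")` in `init_repo` writes the complete repository URL to the log, and the reason this patch exists (see the README hunk and compose.secret.yml) is that the URL may embed `user:password@` for a REST server, so any debug-level run leaks that credential into the container logs. Log a redacted form instead, e.g. `shown = repo.rpartition('@')[2] if '@' in repo else repo` followed by `logging.debug(f"set restic repository location: {shown}")`, or drop the line altogether. `os.environ['RESTIC_REPO']` also raises a bare `KeyError` when neither `--repository` nor `RESTIC_REPO`/`RESTIC_REPO_FILE` is configured; `os.environ.get('RESTIC_REPO')` with an explicit "no repository configured" error would fail more clearly. Because `export_secrets()` runs after the `if repository:` assignment in `cli`, a mounted `RESTIC_REPO_FILE` secret silently overrides an explicit `--repository` flag — consistent with the README's "the secret will overwrite" wording, but worth a one-line comment at that assignment. The decorators and signature of `cli` start before this hunk.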
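Review bot: `env.endswith('FILE')` in `export_secrets` is broader than the old `PASSWORD_FILE`/`KEY_FILE` test: it also matches names with no underscore before FILE (e.g. `PROFILE`, `LOGFILE`), and for those `removesuffix('_FILE')` is a no-op, so the loop would `open()` whatever such a variable holds as a path and overwrite the variable with that file's contents. Tighten it to `if env.endswith('_FILE') and "COMPOSE_FILE" not in env:`, which also replaces the `not ... in` form with the idiomatic `not in`. The commented-out `# logging.debug(f"Read secret value: {secret}")` should be deleted rather than left one uncomment away from printing every mounted secret into the logs. If the secret files are written with a trailing newline, `file.read()` carries it into `RESTIC_REPO` and breaks the URL — `file.read().rstrip('\n')` would be safer, but confirm how `abra app secret insert` stores the value before relying on that.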
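Review bot: the `restic_repo` secret now carries a credential (the README documents `rest:https://user:pass@host:8000/`), but the short-form `secrets: - restic_repo` entry mounts it with Docker's default mode 0444, readable by every process in the container. If the backup process does not have to run as root, the long form `- source: restic_repo`, `target: restic_repo`, `mode: 0400` (plus a matching `uid`) restricts the file to the owning user; whether that applies depends on the user the `app` image runs as, which this file does not show. A comment above the `RESTIC_REPO_FILE=` line such as `# full repo URL incl. credentials; exported into RESTIC_REPO by export_secrets()` would also explain to readers why the whole URL, not just a password, is stored as a secret.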