restic_repo as secret option #31

.env.sample

@@ -21,7 +21,9 @@ CRON_SCHEDULE='30 3 * * *'
 #AWS_ACCESS_KEY_ID=something-secret
 #COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 
-# HTTPS storage
-#SECRET_HTTPS_PASSWORD_VERSION=v1
-#COMPOSE_FILE="$COMPOSE_FILE:compose.https.yml"
-#RESTIC_USER=<somebody>
+# Secret restic repository
+# use a secret to store the RESTIC_REPO if the repository location contains a secret value
+# i.E rest:https://user:SECRET_PASSWORD@host:8000/
+# it overwrites the RESTIC_REPO variable
+#SECRET_RESTIC_REPO_VERSION=v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"

README.md

@@ -83,6 +83,23 @@ abra app secret insert <app_name> ssh_key v1 """$(cat backupkey)
 """
 ```
 
+### Restic REST server Storage
+
+You can simply set the `RESTIC_REPO` variable to your REST server URL `rest:http://host:8000/`.
+If you access the REST server with a password `rest:https://user:pass@host:8000/` you should hide the whole URL containing the password inside a secret.
+Uncomment these lines:
+```
+SECRET_RESTIC_REPO_VERSION=v1
+COMPOSE_FILE="$COMPOSE_FILE:compose.secret.yml"
+```
+Add your REST server url as secret:
+```
+`abra app secret insert <app_name> restic_repo v1 "rest:https://user:pass@host:8000/"`
+```
+The secret will overwrite the `RESTIC_REPO` variable.
+
+
+See [restic REST docs](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server) for more information.
 
 ## Usage
 

backupbot.py

@@ -26,17 +26,21 @@ def cli(loglevel, service, repository):
     global SERVICE
     if service:
         SERVICE = service.replace('.', '_')
+    if repository:
+        os.environ['RESTIC_REPO'] = repository
     if loglevel:
         numeric_level = getattr(logging, loglevel.upper(), None)
         if not isinstance(numeric_level, int):
             raise ValueError('Invalid log level: %s' % loglevel)
         logging.basicConfig(level=numeric_level)
     export_secrets()
-    init_repo(repository)
+    init_repo()
 
 
-def init_repo(repository):
-    restic.repository = repository
+def init_repo():
+    repo = os.environ['RESTIC_REPO']
+    logging.debug(f"set restic repository location: {repo}")
+    restic.repository = repo
     restic.password_file = '/var/run/secrets/restic_password'
     try:
         restic.cat.config()
@@ -50,10 +54,12 @@ def init_repo(repository):
 
 def export_secrets():
     for env in os.environ:
-        if env.endswith('PASSWORD_FILE') or env.endswith('KEY_FILE'):
+        if env.endswith('FILE') and not "COMPOSE_FILE" in env:
             logging.debug(f"exported secret: {env}")
             with open(os.environ[env]) as file:
-                os.environ[env.removesuffix('_FILE')] = file.read()
+                secret =  file.read()
+                os.environ[env.removesuffix('_FILE')] = secret
+                # logging.debug(f"Read secret value: {secret}")
 
 
 @cli.command()

compose.secret.yml

@@ -0,0 +1,13 @@
+---
+version: "3.8"
+services:
+  app:
+    environment:
+      - RESTIC_REPO_FILE=/run/secrets/restic_repo
+    secrets:
+      - restic_repo
+
+secrets:
+  restic_repo:
+    external: true
+    name: ${STACK_NAME}_restic_repo_${SECRET_RESTIC_REPO_VERSION}