feat: change program to rclone and use --append-only on restic server
This commit is contained in:
parent
c058a7597b
commit
2dfcc1f7de
2 changed files with 17 additions and 12 deletions
|
@ -12,6 +12,7 @@
|
||||||
filterAttrs
|
filterAttrs
|
||||||
flatten
|
flatten
|
||||||
flip
|
flip
|
||||||
|
forEach
|
||||||
getExe
|
getExe
|
||||||
groupBy
|
groupBy
|
||||||
head
|
head
|
||||||
|
@ -24,9 +25,9 @@
|
||||||
;
|
;
|
||||||
|
|
||||||
allBoxDefinitions = flatten (
|
allBoxDefinitions = flatten (
|
||||||
flip map (attrValues nixosConfigurations) (
|
forEach (attrValues nixosConfigurations) (
|
||||||
hostCfg:
|
hostCfg:
|
||||||
flip map (attrValues hostCfg.config.services.restic.backups) (
|
forEach (attrValues hostCfg.config.services.restic.backups) (
|
||||||
backupCfg:
|
backupCfg:
|
||||||
optional backupCfg.hetznerStorageBox.enable (
|
optional backupCfg.hetznerStorageBox.enable (
|
||||||
backupCfg.hetznerStorageBox
|
backupCfg.hetznerStorageBox
|
||||||
|
@ -42,16 +43,16 @@
|
||||||
# We need to know the main storage box user to create subusers
|
# We need to know the main storage box user to create subusers
|
||||||
boxSubuserToMainUser =
|
boxSubuserToMainUser =
|
||||||
flip mapAttrs boxesBySubuser (_: boxes:
|
flip mapAttrs boxesBySubuser (_: boxes:
|
||||||
head (unique (flip map boxes (box: box.mainUser))));
|
head (unique (forEach boxes (box: box.mainUser))));
|
||||||
|
|
||||||
boxSubuserToPrivateKeys =
|
boxSubuserToPrivateKeys =
|
||||||
flip mapAttrs boxesBySubuser (_: boxes:
|
flip mapAttrs boxesBySubuser (_: boxes:
|
||||||
unique (flip map boxes (box: box.sshPrivateKeyFile)));
|
unique (forEach boxes (box: box.sshPrivateKeyFile)));
|
||||||
|
|
||||||
# Any subuid that has more than one path in use
|
# Any subuid that has more than one path in use
|
||||||
boxSubuserToPaths =
|
boxSubuserToPaths =
|
||||||
flip mapAttrs boxesBySubuser (_: boxes:
|
flip mapAttrs boxesBySubuser (_: boxes:
|
||||||
unique (flip map boxes (box: box.path)));
|
unique (forEach boxes (box: box.path)));
|
||||||
|
|
||||||
duplicates = filterAttrs (_: boxes: length boxes > 1) boxSubuserToPaths;
|
duplicates = filterAttrs (_: boxes: length boxes > 1) boxSubuserToPaths;
|
||||||
|
|
||||||
|
@ -61,10 +62,12 @@
|
||||||
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n}: ${toString v}") duplicates)}
|
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n}: ${toString v}") duplicates)}
|
||||||
'' (mapAttrs (_: head) boxSubuserToPaths);
|
'' (mapAttrs (_: head) boxSubuserToPaths);
|
||||||
|
|
||||||
appendPubkey = privateKey: ''
|
authorizeResticCommand = privateKey: ''
|
||||||
|
(
|
||||||
|
echo -n 'command="rclone serve restic --stdio --append-only ./repo" '
|
||||||
PATH="$PATH:${pkgs.age-plugin-yubikey}/bin" ${pkgs.rage}/bin/rage -d -i ${decryptIdentity} ${escapeShellArg privateKey} \
|
PATH="$PATH:${pkgs.age-plugin-yubikey}/bin" ${pkgs.rage}/bin/rage -d -i ${decryptIdentity} ${escapeShellArg privateKey} \
|
||||||
| (exec 3<&0; ssh-keygen -f /proc/self/fd/3 -y) \
|
| (exec 3<&0; ssh-keygen -f /proc/self/fd/3 -y)
|
||||||
>> "$TMPFILE"
|
) >> "$TMPFILE"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
setupSubuser = subuser: privateKeys: let
|
setupSubuser = subuser: privateKeys: let
|
||||||
|
@ -77,10 +80,12 @@
|
||||||
echo "${mainUser} (for ${subuser}): Creating ${path}/.ssh"
|
echo "${mainUser} (for ${subuser}): Creating ${path}/.ssh"
|
||||||
# Create subuser directory and .ssh
|
# Create subuser directory and .ssh
|
||||||
${pkgs.openssh}/bin/ssh -p 23 "${mainUser}@${mainUser}.your-storagebox.de" -- mkdir -p ./${path}/.ssh
|
${pkgs.openssh}/bin/ssh -p 23 "${mainUser}@${mainUser}.your-storagebox.de" -- mkdir -p ./${path}/.ssh
|
||||||
|
# Create repo directory
|
||||||
|
${pkgs.openssh}/bin/ssh -p 23 "${mainUser}@${mainUser}.your-storagebox.de" -- mkdir -p ./${path}/repo
|
||||||
|
|
||||||
# Derive and upload all authorized keys
|
# Derive and upload all authorized keys
|
||||||
TMPFILE=$(mktemp)
|
TMPFILE=$(mktemp)
|
||||||
${concatLines (map appendPubkey privateKeys)}
|
${concatLines (map authorizeResticCommand privateKeys)}
|
||||||
echo "${mainUser} (for ${subuser}): Uploading $(wc -l < "$TMPFILE") authorized_keys"
|
echo "${mainUser} (for ${subuser}): Uploading $(wc -l < "$TMPFILE") authorized_keys"
|
||||||
${pkgs.openssh}/bin/scp -P 23 "$TMPFILE" "${mainUser}@${mainUser}.your-storagebox.de":./${path}/.ssh/authorized_keys
|
${pkgs.openssh}/bin/scp -P 23 "$TMPFILE" "${mainUser}@${mainUser}.your-storagebox.de":./${path}/.ssh/authorized_keys
|
||||||
rm "$TMPFILE"
|
rm "$TMPFILE"
|
||||||
|
|
|
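Review bot: In `authorizeResticCommand` the `command=` prefix is echoed before `rage`/`ssh-keygen` run, so if decryption fails the subshell presumably still appends `command="rclone serve restic --stdio --append-only ./repo" ` with no key and no trailing newline, the next key gets glued onto that same line, sshd would likely skip the malformed entry and `wc -l` under-reports, with no error surfaced (whether the script sets `set -e`/`pipefail` is outside this hunk). Derive the key first and only emit a line on success, e.g. `pubkey=$(PATH="$PATH:${pkgs.age-plugin-yubikey}/bin" ${pkgs.rage}/bin/rage -d -i ${decryptIdentity} ${escapeShellArg privateKey} | (exec 3<&0; ssh-keygen -f /proc/self/fd/3 -y)) || exit 1` followed by `echo "command=\"rclone serve restic --stdio --append-only ./repo\" $pubkey" >> "$TMPFILE"`. Consider `restrict,command="..."` rather than `command=` alone, so the backup key also cannot request port/agent forwarding or a PTY on the box. Since `--append-only` is now enforced server-side, a comment noting that `forget`/`prune` must be run with a different, unrestricted key would save the next reader a surprise.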
@ -55,9 +55,9 @@ in {
|
||||||
url = "${subuser}@${submod.config.hetznerStorageBox.mainUser}.your-storagebox.de";
|
url = "${subuser}@${submod.config.hetznerStorageBox.mainUser}.your-storagebox.de";
|
||||||
in
|
in
|
||||||
mkIf submod.config.hetznerStorageBox.enable {
|
mkIf submod.config.hetznerStorageBox.enable {
|
||||||
repository = "sftp://${url}:23/";
|
repository = "rclone:";
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"sftp.command='ssh -p23 ${url} -i ${config.age.secrets.${submod.config.hetznerStorageBox.sshAgeSecret}.path} -s sftp'"
|
"rclone.program='ssh -p23 ${url} -i ${config.age.secrets.${submod.config.hetznerStorageBox.sshAgeSecret}.path}'"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
|
|
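Review bot: The new `repository = "rclone:"` plus `rclone.program='ssh -p23 ${url} -i ...'` only works because the storage box side forces the remote command via `authorized_keys`; restic still appends its default `rclone.args` (`serve restic --stdio ...`, as far as I recall) to this program, and nothing here expresses that they are ignored or that the repository is append-only. A comment such as `# Remote command is ignored: the subuser key is restricted to an append-only 'rclone serve restic' in authorized_keys, so forget/prune must run elsewhere` would document that cross-file dependency, and the `hetznerStorageBox` option description (outside this hunk) should say the same. The ssh invocation also carries no host key pinning (`-o StrictHostKeyChecking=yes -o UserKnownHostsFile=...`); this was already true for the sftp variant, but with a non-interactive systemd unit the first connection to `${url}` either fails or relies on a known_hosts provisioned elsewhere, and pinning the published storage box host key here would make the append-only guarantee hold end to end.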