
Send secrets via podman secret

jherve před 1 měsícem
rodič
revize
acbec026df
3 změnil soubory, kde provedl 34 přidání a 2 odebrání
  1. 1 0
      .gitignore
  2. 1 1
      data/borgmatic/common.yaml
  3. 32 1
      start.py

+ 1 - 0
.gitignore

@@ -2,3 +2,4 @@ data/source/*/
 data/.bash_history
 data/credentials/*
 data_sources_*
+secret_sources_*

+ 1 - 1
data/borgmatic/common.yaml

@@ -7,7 +7,7 @@ repositories:
     label: hetzner
 
 remote_path: borg-1.4
-ssh_command: ssh -i ~/.ssh/${SSH_KEY_NAME}
+ssh_command: ssh -i /var/run/secrets/${SSH_KEY_NAME}
 
 encryption_passphrase: "{credential file /credentials/borg_passphrase}"
 compression: lz4
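Review bot: The new `ssh_command` path depends on `/var/run` resolving to `/run` inside the borgmatic image, because podman mounts secrets under `/run/secrets/<name>`; writing `ssh_command: ssh -i /run/secrets/${SSH_KEY_NAME}` removes that assumption. Note also that `SSH_KEY_NAME` is now coupled to the secret name, which start.py derives from the basename of the host key path listed in the `secret_sources_*` file, so the two must agree or ssh will not find the key. A comment next to this line stating that contract, e.g. `# SSH_KEY_NAME must equal the basename of the key listed in secret_sources_<host>_<login>`, would save the next person a debugging round.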

+ 32 - 1
start.py

@@ -2,6 +2,7 @@ import os
 import subprocess
 import socket
 from pathlib import Path, PurePosixPath
+from dataclasses import dataclass
 
 is_windows = os.name == "nt"
 
@@ -13,6 +14,25 @@ def read_data_sources(hostname: str, login: str) -> list[Path]:
         return [Path(p_str.strip()).expanduser() for p_str in paths]
 
 
+@dataclass
+class Secret:
+    host_path: Path
+    name: str
+    mode: int
+
+    @classmethod
+    def from_line(cls, line: str):
+        path = Path(line).expanduser()
+        return cls(host_path=path, name=path.name, mode=0o0400)
+
+
+def read_secret_sources(hostname: str, login: str) -> list[Secret]:
+    file = Path(f"./secret_sources_{hostname}_{login}")
+    with open(file) as f:
+        lines = f.readlines()
+        return [Secret.from_line(l.strip()) for l in lines]
+
+
 def to_source_path(path: Path):
     mount_base = PurePosixPath("/mnt") / "source"
     inner_path = PurePosixPath(path)
@@ -24,6 +44,7 @@ def main():
     login = os.getlogin()
     hostname = socket.gethostname()
     data_sources = read_data_sources(hostname, login)
+    secret_sources = read_secret_sources(hostname, login)
     container_name = "borgmatic"
     ssh_auth_sock = os.getenv("SSH_AUTH_SOCK")
 
@@ -52,6 +73,16 @@ def main():
     ]
 
     volume_args = [a for vol in volumes for a in ["-v", vol]]
+
+    if not secret_sources:
+        print("no secret required ?")
+
+    for s in secret_sources:
+        args = ["podman", "secret", "create", "--replace", s.name, s.host_path]
+        print(args)
+        subprocess.run(args)
+
+    secrets_args = [a for s in secret_sources for a in ["--secret", f"{s.name},mode=0{s.mode:o}"]]
     image_name = "ghcr.io/borgmatic-collective/borgmatic"
 
     args = [
@@ -71,7 +102,7 @@ def main():
         "-e",
         f"HOST_LOGIN={login}",
         "--security-opt=label=disable"
-    ] + volume_args + [image_name]
+    ] + volume_args + secrets_args + [image_name]
     print(args)
     subprocess.run(args)
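Review bot: The `podman secret create --replace` call in the loop ignores its exit status, so a failed create (bad name, unreadable key file, podman too old for `--replace`) still lets the script go on to `podman run`, which then either fails on a missing secret or, if an older secret of that name exists, silently runs with a stale key; `subprocess.run(args, check=True)` stops at the real error. Related: `read_secret_sources` raises `FileNotFoundError` when the `secret_sources_*` file is absent, so the `if not secret_sources` message is only reachable for an empty file, and the secret name taken from `path.name` is passed to podman unvalidated. Worth a caveat in a comment: podman's default `file` secret driver keeps a copy of the private key on disk in its own store, so this is a second at-rest copy of the key outside `~/.ssh` and should be treated accordingly.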