3 커밋 1a26ca8973 ... 85ab0e6d4c

작성자 SHA1 메시지 날짜
  jherve 85ab0e6d4c Use container secrets to import borg passphrase 1 개월 전
  jherve acbec026df Send secrets via podman secret 1 개월 전
  jherve 896bb8425b Ignore data sources in git 1 개월 전
4개의 변경된 파일37개의 추가작업 그리고 6개의 파일을 삭제
  1. 3 1
      .gitignore
  2. 0 0
      credentials/.gitkeep
  3. 2 2
      data/borgmatic/common.yaml
  4. 32 3
      start.py

+ 3 - 1
.gitignore

@@ -1,3 +1,5 @@
 data/source/*/
 data/.bash_history
-data/credentials/*
+data_sources_*
+secret_sources_*
+credentials/*
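Review bot: Dropping `data/credentials/*` un-ignores the directory the previous layout used for the passphrase file, so on an existing checkout a leftover `data/credentials/borg_passphrase` now shows up as untracked and a single `git add -A` would commit it. Keep the old pattern next to the new ones until every checkout has moved, e.g. `data/credentials/*` on its own line below `credentials/*`, or add a short note telling users to delete that directory. Nothing in the repo reads it any more (start.py drops the `/credentials/` bind mount in this same change), so this is purely about on-disk residue, but that residue is a secret.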

+ 0 - 0
credentials/.gitkeep


+ 2 - 2
data/borgmatic/common.yaml

@@ -7,9 +7,9 @@ repositories:
     label: hetzner
 
 remote_path: borg-1.4
-ssh_command: ssh -i ~/.ssh/${SSH_KEY_NAME}
+ssh_command: ssh -i /var/run/secrets/${SSH_KEY_NAME}
 
-encryption_passphrase: "{credential file /credentials/borg_passphrase}"
+encryption_passphrase: "{credential container ${BORG_PASSPHRASE_NAME}}"
 compression: lz4
 
 checks:
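Review bot: Both new values depend on `SSH_KEY_NAME` and `BORG_PASSPHRASE_NAME` being present in the container's environment, and neither variable is passed in the start.py hunks of this commit (only `HOST_LOGIN` is visible there); if they are exported outside the shown hunks this is fine, otherwise the key path expands to `/var/run/secrets/` and the credential lookup to an empty name. A comment above these two lines would save the next reader the hunt, e.g. `# Secret names must match what start.py registers: the basename of each entry in secret_sources_<host>_<login>`. Separately, the key is referenced as `/var/run/secrets/...` while podman mounts secrets under `/run/secrets`; that presumably relies on the image symlinking `/var/run` to `/run`, so `ssh -i /run/secrets/${SSH_KEY_NAME}` is the spelling that does not depend on it.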

+ 32 - 3
start.py

@@ -2,6 +2,7 @@ import os
 import subprocess
 import socket
 from pathlib import Path, PurePosixPath
+from dataclasses import dataclass
 
 is_windows = os.name == "nt"
 
@@ -13,6 +14,25 @@ def read_data_sources(hostname: str, login: str) -> list[Path]:
         return [Path(p_str.strip()).expanduser() for p_str in paths]
 
 
+@dataclass
+class Secret:
+    host_path: Path
+    name: str
+    mode: int
+
+    @classmethod
+    def from_line(cls, line: str):
+        path = Path(line).expanduser()
+        return cls(host_path=path, name=path.name, mode=0o0400)
+
+
+def read_secret_sources(hostname: str, login: str) -> list[Secret]:
+    file = Path(f"./secret_sources_{hostname}_{login}")
+    with open(file) as f:
+        lines = f.readlines()
+        return [Secret.from_line(l.strip()) for l in lines]
+
+
 def to_source_path(path: Path):
     mount_base = PurePosixPath("/mnt") / "source"
     inner_path = PurePosixPath(path)
@@ -24,20 +44,19 @@ def main():
     login = os.getlogin()
     hostname = socket.gethostname()
     data_sources = read_data_sources(hostname, login)
+    secret_sources = read_secret_sources(hostname, login)
     container_name = "borgmatic"
     ssh_auth_sock = os.getenv("SSH_AUTH_SOCK")
 
     data_path = Path.cwd() / "data"
     config_d_path = data_path / "borgmatic.d"
     config_path = data_path / "borgmatic"
-    credentials_path = data_path / "credentials"
     history_file = data_path / ".bash_history"
     history_file.touch()
     ssh_config_path = Path.home() / ".ssh"
     volumes = [
         f"{config_d_path}:/etc/borgmatic.d/",
         f"{config_path}:/etc/borgmatic/",
-        f"{credentials_path}:/credentials/",
         f"{ssh_config_path}:/root/.ssh",
         f"{history_file}:/root/.bash_history",
         "borg_config:/root/.config/borg",
@@ -52,6 +71,16 @@ def main():
     ]
 
     volume_args = [a for vol in volumes for a in ["-v", vol]]
+
+    if not secret_sources:
+        print("no secret required ?")
+
+    for s in secret_sources:
+        args = ["podman", "secret", "create", "--replace", s.name, s.host_path]
+        print(args)
+        subprocess.run(args)
+
+    secrets_args = [a for s in secret_sources for a in ["--secret", f"{s.name},mode=0{s.mode:o}"]]
     image_name = "ghcr.io/borgmatic-collective/borgmatic"
 
     args = [
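Review bot: The `subprocess.run(args)` in the `podman secret create` loop has no `check=True`, so a failed create (missing host file, typo in `secret_sources_*`, podman error) is only printed and the script still starts the container, which then either fails on `--secret` or, because `--replace` leaves the previous content in place, silently runs with the stale key or passphrase from an earlier run. Use `subprocess.run(args, check=True)` so a bad secret stops the run, and the same is worth doing on the final `podman run` call. Related, `read_secret_sources` above does not skip blank lines, so an empty line becomes `Path('.')` and a secret named `''`; `[Secret.from_line(l.strip()) for l in lines if l.strip()]` avoids that. Keep in mind that podman's default secret driver stores the content on the host under the user's container storage, base64-encoded rather than encrypted, and it persists there after the container exits, so this moves the secret rather than adding protection; if that is not intended, remove the secrets after the run or document it.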
@@ -71,7 +100,7 @@ def main():
         "-e",
         f"HOST_LOGIN={login}",
         "--security-opt=label=disable"
-    ] + volume_args + [image_name]
+    ] + volume_args + secrets_args + [image_name]
     print(args)
     subprocess.run(args)