pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / borgbackup.nix
at 21.11-pre 6.1 kB view raw
1import ./make-test-python.nix ({ pkgs, ... }: 2 3let 4 passphrase = "supersecret"; 5 dataDir = "/ran:dom/data"; 6 excludeFile = "not_this_file"; 7 keepFile = "important_file"; 8 keepFileData = "important_data"; 9 localRepo = "/root/back:up"; 10 archiveName = "my_archive"; 11 remoteRepo = "borg@server:."; # No need to specify path 12 privateKey = pkgs.writeText "id_ed25519" '' 13 -----BEGIN OPENSSH PRIVATE KEY----- 14 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 15 QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe 16 RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw 17 AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg 18 9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ= 19 -----END OPENSSH PRIVATE KEY----- 20 ''; 21 publicKey = '' 22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv root@client 23 ''; 24 privateKeyAppendOnly = pkgs.writeText "id_ed25519" '' 25 -----BEGIN OPENSSH PRIVATE KEY----- 26 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 27 QyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLwAAAJC9YTxxvWE8 28 cQAAAAtzc2gtZWQyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLw 29 AAAEAAhV7wTl5dL/lz+PF/d4PnZXuG1Id6L/mFEiGT1tZsuFpxm7PUQsZB2Ejs8Xp0YVp8 30 IOW+HylIRzhweORbRCMvAAAADXJzY2h1ZXR6QGt1cnQ= 31 -----END OPENSSH PRIVATE KEY----- 32 ''; 33 publicKeyAppendOnly = '' 34 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpxm7PUQsZB2Ejs8Xp0YVp8IOW+HylIRzhweORbRCMv root@client 35 ''; 36 37in { 38 name = "borgbackup"; 39 meta = with pkgs.lib; { 40 maintainers = with maintainers; [ dotlambda ]; 41 }; 42 43 nodes = { 44 client = { ... }: { 45 services.borgbackup.jobs = { 46 47 local = { 48 paths = dataDir; 49 repo = localRepo; 50 preHook = '' 51 # Don't append a timestamp 52 archiveName="${archiveName}" 53 ''; 54 encryption = { 55 mode = "repokey"; 56 inherit passphrase; 57 }; 58 compression = "auto,zlib,9"; 59 prune.keep = { 60 within = "1y"; 61 yearly = 5; 62 }; 63 exclude = [ "*/${excludeFile}" ]; 64 postHook = "echo post"; 65 startAt = [ ]; # Do not run automatically 66 }; 67 68 remote = { 69 paths = dataDir; 70 repo = remoteRepo; 71 encryption.mode = "none"; 72 startAt = [ ]; 73 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519"; 74 }; 75 76 remoteAppendOnly = { 77 paths = dataDir; 78 repo = remoteRepo; 79 encryption.mode = "none"; 80 startAt = [ ]; 81 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly"; 82 }; 83 84 }; 85 }; 86 87 server = { ... }: { 88 services.openssh = { 89 enable = true; 90 passwordAuthentication = false; 91 challengeResponseAuthentication = false; 92 }; 93 94 services.borgbackup.repos.repo1 = { 95 authorizedKeys = [ publicKey ]; 96 path = "/data/borgbackup"; 97 }; 98 99 # Second repo to make sure the authorizedKeys options are merged correctly 100 services.borgbackup.repos.repo2 = { 101 authorizedKeysAppendOnly = [ publicKeyAppendOnly ]; 102 path = "/data/borgbackup"; 103 quota = ".5G"; 104 }; 105 }; 106 }; 107 108 testScript = '' 109 start_all() 110 111 client.fail('test -d "${remoteRepo}"') 112 113 client.succeed( 114 "cp ${privateKey} /root/id_ed25519" 115 ) 116 client.succeed("chmod 0600 /root/id_ed25519") 117 client.succeed( 118 "cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly" 119 ) 120 client.succeed("chmod 0600 /root/id_ed25519.appendOnly") 121 122 client.succeed("mkdir -p ${dataDir}") 123 client.succeed("touch ${dataDir}/${excludeFile}") 124 client.succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}") 125 126 with subtest("local"): 127 borg = "BORG_PASSPHRASE='${passphrase}' borg" 128 client.systemctl("start --wait borgbackup-job-local") 129 client.fail("systemctl is-failed borgbackup-job-local") 130 # Make sure exactly one archive has been created 131 assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) > 0 132 # Make sure excludeFile has been excluded 133 client.fail( 134 "{} list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'".format(borg) 135 ) 136 # Make sure keepFile has the correct content 137 client.succeed("{} extract '${localRepo}::${archiveName}'".format(borg)) 138 assert "${keepFileData}" in client.succeed("cat ${dataDir}/${keepFile}") 139 # Make sure the same is true when using `borg mount` 140 client.succeed( 141 "mkdir -p /mnt/borg && {} mount '${localRepo}::${archiveName}' /mnt/borg".format( 142 borg 143 ) 144 ) 145 assert "${keepFileData}" in client.succeed( 146 "cat /mnt/borg/${dataDir}/${keepFile}" 147 ) 148 149 with subtest("remote"): 150 borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg" 151 server.wait_for_unit("sshd.service") 152 client.wait_for_unit("network.target") 153 client.systemctl("start --wait borgbackup-job-remote") 154 client.fail("systemctl is-failed borgbackup-job-remote") 155 156 # Make sure we can't access repos other than the specified one 157 client.fail("{} list borg\@server:wrong".format(borg)) 158 159 # TODO: Make sure that data is actually deleted 160 161 with subtest("remoteAppendOnly"): 162 borg = ( 163 "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg" 164 ) 165 server.wait_for_unit("sshd.service") 166 client.wait_for_unit("network.target") 167 client.systemctl("start --wait borgbackup-job-remoteAppendOnly") 168 client.fail("systemctl is-failed borgbackup-job-remoteAppendOnly") 169 170 # Make sure we can't access repos other than the specified one 171 client.fail("{} list borg\@server:wrong".format(borg)) 172 173 # TODO: Make sure that data is not actually deleted 174 ''; 175})