# NixOS VM test for the services.borgbackup module: a `client` node with five
# backup jobs (one local, four over SSH) and a `server` node that runs sshd and
# declares two borg repos.
#
# Everything secret-looking in this file (passphrase, SSH private keys) is a
# throwaway test fixture. It is published in the source tree, and
# pkgs.writeText copies the keys into the Nix store, which every local user can
# read. None of it may be reused outside the test.
import ./make-test-python.nix ({ pkgs, ... }:

let
  # Used by the `local` job's repokey encryption and passed again as
  # BORG_PASSPHRASE in the test script. Because it is a plain Nix string it
  # ends up in the generated configuration; a real job would supply it through
  # encryption.passCommand, reading from a file outside the store.
  passphrase = "supersecret";
  # NOTE(review): dataDir and localRepo both contain ':' -- presumably to
  # exercise paths that could be mistaken for host:path repo URLs; confirm.
  dataDir = "/ran:dom/data";
  excludeFile = "not_this_file";
  keepFile = "important_file";
  keepFileData = "important_data";
  localRepo = "/root/back:up";
  archiveName = "my_archive";
  remoteRepo = "borg@server:."; # No need to specify path
  # Test-only client key; its public half is `publicKey` below, which the
  # server authorizes for repo1.
  privateKey = pkgs.writeText "id_ed25519" ''
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe
    RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw
    AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg
    9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ=
    -----END OPENSSH PRIVATE KEY-----
  '';
  publicKey = ''
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv root@client
  '';
  # Second test-only key; its public half is listed under
  # authorizedKeysAppendOnly for repo2.
  privateKeyAppendOnly = pkgs.writeText "id_ed25519" ''
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLwAAAJC9YTxxvWE8
    cQAAAAtzc2gtZWQyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLw
    AAAEAAhV7wTl5dL/lz+PF/d4PnZXuG1Id6L/mFEiGT1tZsuFpxm7PUQsZB2Ejs8Xp0YVp8
    IOW+HylIRzhweORbRCMvAAAADXJzY2h1ZXR6QGt1cnQ=
    -----END OPENSSH PRIVATE KEY-----
  '';
  publicKeyAppendOnly = ''
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpxm7PUQsZB2Ejs8Xp0YVp8IOW+HylIRzhweORbRCMv root@client
  '';

in {
  name = "borgbackup";
  meta = with pkgs.lib; {
    maintainers = with maintainers; [ dotlambda ];
  };

  nodes = {
    client = { ... }: {
      # Every job sets startAt = [ ], so nothing runs on a timer; the test
      # script starts each borgbackup-job-<name> unit explicitly.
      services.borgbackup.jobs = {

        # The only job that encrypts: repokey mode with the test passphrase,
        # writing to a repo on the client's own disk.
        local = {
          paths = dataDir;
          repo = localRepo;
          preHook = ''
            # Don't append a timestamp
            archiveName="${archiveName}"
          '';
          encryption = {
            mode = "repokey";
            inherit passphrase;
          };
          compression = "auto,zlib,9";
          prune.keep = {
            within = "1y";
            yearly = 5;
          };
          exclude = [ "*/${excludeFile}" ];
          postHook = "echo post";
          startAt = [ ]; # Do not run automatically
        };

        # The four SSH jobs below share two test-only shortcuts:
        #  - encryption.mode = "none": archives reach the server unencrypted.
        #  - StrictHostKeyChecking=no in BORG_RSH: the server's host key is
        #    not verified, and the test provisions no known_hosts entry.
        # Both are tolerable only because client and server are throwaway VMs
        # in this test; do not copy either setting into a real backup job.
        remote = {
          paths = dataDir;
          repo = remoteRepo;
          encryption.mode = "none";
          startAt = [ ];
          environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
        };

        # Same as `remote` but authenticates with the append-only key.
        remoteAppendOnly = {
          paths = dataDir;
          repo = remoteRepo;
          encryption.mode = "none";
          startAt = [ ];
          environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly";
        };

        # Backs up the output of a command instead of `paths`; the test script
        # later extracts it as a file named `stdin` and expects "test".
        commandSuccess = {
          dumpCommand = pkgs.writeScript "commandSuccess" ''
            echo -n test
          '';
          repo = remoteRepo;
          encryption.mode = "none";
          startAt = [ ];
          environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
        };

        # dumpCommand always exits non-zero; the test script expects the unit
        # to end up in the failed state.
        commandFail = {
          dumpCommand = "${pkgs.coreutils}/bin/false";
          repo = remoteRepo;
          encryption.mode = "none";
          startAt = [ ];
          environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
        };

      };
    };

    server = { ... }: {
      # Password and keyboard-interactive logins are switched off, so the
      # client has to authenticate with one of the keys authorized below.
      services.openssh = {
        enable = true;
        passwordAuthentication = false;
        kbdInteractiveAuthentication = false;
      };

      services.borgbackup.repos.repo1 = {
        authorizedKeys = [ publicKey ];
        path = "/data/borgbackup";
      };

      # Second repo to make sure the authorizedKeys options are merged correctly
      # (it deliberately uses the same path as repo1).
      services.borgbackup.repos.repo2 = {
        authorizedKeysAppendOnly = [ publicKeyAppendOnly ];
        path = "/data/borgbackup";
        quota = ".5G";
      };
    };
  };

  # Python driver for the VM test. It installs the two private keys on the
  # client with mode 0600, creates the test data, then runs one subtest per job.
  #
  # NOTE(review): coverage gaps visible in the script itself:
  #  - The `remote` and `remoteAppendOnly` subtests check only that the job
  #    succeeds and that a different repo path ("wrong") is refused. Whether
  #    deletion works with the normal key and is blocked with the append-only
  #    key is still a TODO, so the append-only restriction is not exercised.
  #  - The `local` subtest comment says "exactly one archive", but the
  #    assertion accepts any count greater than zero.
  testScript = ''
    start_all()

    client.fail('test -d "${remoteRepo}"')

    client.succeed(
        "cp ${privateKey} /root/id_ed25519"
    )
    client.succeed("chmod 0600 /root/id_ed25519")
    client.succeed(
        "cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly"
    )
    client.succeed("chmod 0600 /root/id_ed25519.appendOnly")

    client.succeed("mkdir -p ${dataDir}")
    client.succeed("touch ${dataDir}/${excludeFile}")
    client.succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}")

    with subtest("local"):
        borg = "BORG_PASSPHRASE='${passphrase}' borg"
        client.systemctl("start --wait borgbackup-job-local")
        client.fail("systemctl is-failed borgbackup-job-local")
        # Make sure exactly one archive has been created
        assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) > 0
        # Make sure excludeFile has been excluded
        client.fail(
            "{} list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'".format(borg)
        )
        # Make sure keepFile has the correct content
        client.succeed("{} extract '${localRepo}::${archiveName}'".format(borg))
        assert "${keepFileData}" in client.succeed("cat ${dataDir}/${keepFile}")
        # Make sure the same is true when using `borg mount`
        client.succeed(
            "mkdir -p /mnt/borg && {} mount '${localRepo}::${archiveName}' /mnt/borg".format(
                borg
            )
        )
        assert "${keepFileData}" in client.succeed(
            "cat /mnt/borg/${dataDir}/${keepFile}"
        )

    with subtest("remote"):
        borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg"
        server.wait_for_unit("sshd.service")
        client.wait_for_unit("network.target")
        client.systemctl("start --wait borgbackup-job-remote")
        client.fail("systemctl is-failed borgbackup-job-remote")

        # Make sure we can't access repos other than the specified one
        client.fail("{} list borg\@server:wrong".format(borg))

        # TODO: Make sure that data is actually deleted

    with subtest("remoteAppendOnly"):
        borg = (
            "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg"
        )
        server.wait_for_unit("sshd.service")
        client.wait_for_unit("network.target")
        client.systemctl("start --wait borgbackup-job-remoteAppendOnly")
        client.fail("systemctl is-failed borgbackup-job-remoteAppendOnly")

        # Make sure we can't access repos other than the specified one
        client.fail("{} list borg\@server:wrong".format(borg))

        # TODO: Make sure that data is not actually deleted

    with subtest("commandSuccess"):
        server.wait_for_unit("sshd.service")
        client.wait_for_unit("network.target")
        client.systemctl("start --wait borgbackup-job-commandSuccess")
        client.fail("systemctl is-failed borgbackup-job-commandSuccess")
        id = client.succeed("borg-job-commandSuccess list | tail -n1 | cut -d' ' -f1").strip()
        client.succeed(f"borg-job-commandSuccess extract ::{id} stdin")
        assert "test" == client.succeed("cat stdin")

    with subtest("commandFail"):
        server.wait_for_unit("sshd.service")
        client.wait_for_unit("network.target")
        client.systemctl("start --wait borgbackup-job-commandFail")
        client.succeed("systemctl is-failed borgbackup-job-commandFail")
  '';
})