pyrox.dev / nixpkgs
lol
fork atom

nixos: tarsnap - allow keys for individual archives

Two concurrent tarsnap backups cannot be run at the same time with the
same keys - completely separate sets of keys must be generated for each
archive in this case, if you want backups to overlap.

This extends the archives attrset to support a 'keyfile' option, which
defaults to /root/tarsnap.key like the top-level attribute.

With this change, if you generate two keys with tarsnap-keygen(1) and
use each of those separately for each archive, you can backup
concurrently.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

Austin Seipp 7a01bade ec70f64e

options
unified split
Changed files
+37 -1
nixos
modules
services
backup
tarsnap.nix
+37 -1
nixos/modules/services/backup/tarsnap.nix 
···

       
7

       
7

       
 

       



     

       
8

       
8

       
 

       
  configFile = name: cfg: ''


     

       
9

       
9

       
 

       
    cachedir ${config.services.tarsnap.cachedir}/${name}


     

       
10

       

       
-

       
    keyfile  ${config.services.tarsnap.keyfile}


     

       

       
10

       
+

       
    keyfile  ${cfg.keyfile}


     

       
11

       
11

       
 

       
    ${optionalString cfg.nodump "nodump"}


     

       
12

       
12

       
 

       
    ${optionalString cfg.printStats "print-stats"}


     

       
13

       
13

       
 

       
    ${optionalString cfg.printStats "humanize-numbers"}


     
···

       
41

       
41

       
 

       
          account.


     

       
42

       
42

       
 

       
          Create the keyfile with <command>tarsnap-keygen</command>.


     

       
43

       
43

       
 

       



     

       

       
44

       
+

       
          Note that each individual archive (specified below) may also have its


     

       

       
45

       
+

       
          own individual keyfile specified. Tarsnap does not allow multiple


     

       

       
46

       
+

       
          concurrent backups with the same cache directory and key (starting a


     

       

       
47

       
+

       
          new backup will cause another one to fail). If you have multiple


     

       

       
48

       
+

       
          archives specified, you should either spread out your backups to be


     

       

       
49

       
+

       
          far apart, or specify a separate key for each archive. By default


     

       

       
50

       
+

       
          every archive defaults to using


     

       

       
51

       
+

       
          <literal>"/root/tarsnap.key"</literal>.


     

       

       
52

       
+

       



     

       

       
53

       
+

       
          It's recommended for backups that you generate a key for every archive


     

       

       
54

       
+

       
          using <literal>tarsnap-keygen(1)</literal>, and then generate a


     

       

       
55

       
+

       
          write-only tarsnap key using <literal>tarsnap-keymgmt(1)</literal>,


     

       

       
56

       
+

       
          and keep your master key(s) for a particular machine off-site.


     

       

       
57

       
+

       



     

       
44

       
58

       
 

       
          The keyfile name should be given as a string and not a path, to


     

       
45

       
59

       
 

       
          avoid the key being copied into the Nix store.


     

       
46

       
60

       
 

       
        '';


     
···

       
71

       
85

       
 

       
        type = types.attrsOf (types.submodule (


     

       
72

       
86

       
 

       
          {


     

       
73

       
87

       
 

       
            options = {


     

       

       
88

       
+

       
              keyfile = mkOption {


     

       

       
89

       
+

       
                type = types.str;


     

       

       
90

       
+

       
                default = config.services.tarsnap.keyfile;


     

       

       
91

       
+

       
                description = ''


     

       

       
92

       
+

       
                  Set a specific keyfile for this archive. This defaults to


     

       

       
93

       
+

       
                  <literal>"/root/tarsnap.key"</literal> if left unspecified.


     

       

       
94

       
+

       



     

       

       
95

       
+

       
                  Use this option if you want to run multiple backups


     

       

       
96

       
+

       
                  concurrently - each archive must have a unique key. You can


     

       

       
97

       
+

       
                  generate a write-only key derived from your master key (which


     

       

       
98

       
+

       
                  is recommended) using <literal>tarsnap-keymgmt(1)</literal>.


     

       

       
99

       
+

       



     

       

       
100

       
+

       
                  Note: every archive must have an individual master key. You


     

       

       
101

       
+

       
                  must generate multiple keys with


     

       

       
102

       
+

       
                  <literal>tarsnap-keygen(1)</literal>, and then generate write


     

       

       
103

       
+

       
                  only keys from those.


     

       

       
104

       
+

       



     

       

       
105

       
+

       
                  The keyfile name should be given as a string and not a path, to


     

       

       
106

       
+

       
                  avoid the key being copied into the Nix store.


     

       

       
107

       
+

       
                '';


     

       

       
108

       
+

       
              };


     

       

       
109

       
+

       



     

       
74

       
110

       
 

       
              nodump = mkOption {


     

       
75

       
111

       
 

       
                type = types.bool;


     

       
76

       
112

       
 

       
                default = true;