diff --git a/site-modules/profile/manifests/borg/client.pp b/site-modules/profile/manifests/borg/client.pp index d9383b77..341c6819 100644 --- a/site-modules/profile/manifests/borg/client.pp +++ b/site-modules/profile/manifests/borg/client.pp 
@@ -1,90 +1,90 @@ # Borg backup client setup class profile::borg::client { include profile::borg::packages $fqdn = $::swh_hostname['internal_fqdn'] $seed = lookup('borg::passphrase::seed') - $passphrase = Sensitive(seeded_rand_string(16, "borg::passphrase::${seed}::${fqdn}")) + $passphrase = seeded_rand_string(16, "borg::passphrase::${seed}::${fqdn}") $encryption = lookup('borg::encryption') $repo_user = lookup('borg::repository_user') $repo_hostname = lookup('borg::repository_server') $repo_path = lookup('borg::repository_path') $base_dir = '/var/lib/borg' file {$base_dir: ensure => directory, mode => '0600', owner => 'root', group => 'root', } $ssh_key_type = 'ed25519' $ssh_key_basename = "id_${ssh_key_type}.borg" $ssh_key_pubname = "${ssh_key_basename}.pub" $ssh_key_file = "/root/.ssh/${ssh_key_basename}" exec {"ssh-keygen -t ${ssh_key_type} -f ${ssh_key_file} -N ''": path => ['/bin', '/usr/bin'], creates => $ssh_key_file, } if $ssh_keys_users and $ssh_keys_users['root'] and $ssh_keys_users['root'][$ssh_key_pubname] { $key = $ssh_keys_users['root'][$ssh_key_pubname] @@profile::borg::repository {$fqdn: passphrase => $passphrase, encryption => $encryption, authorized_key => "ssh-${key['type']} ${key['key']} ${key['comment']}", tag => $repo_hostname, } } $backup_base = lookup('backups::base') $backup_excludes = lookup('backups::exclude', Array, 'unique').map |$d| { "${backup_base}${d}" } $borgmatic_config = { location => { source_directories => [$backup_base], repositories => ["${repo_user}@${repo_hostname}:${repo_path}/${fqdn}"], exclude_patterns => $backup_excludes + [$base_dir], exclude_caches => true, exclude_if_present => '.nobackup', }, storage => { ssh_command => "ssh -i ${ssh_key_file}", - encryption_passphrase => $passphrase.unwrap, + encryption_passphrase => $passphrase, borg_base_directory => $base_dir, archive_name_format => "${fqdn}-{now:%Y-%m-%dT%H:%M:%S.%f}", }, retention => { keep_hourly => 24, keep_daily => 7, keep_weekly => 4, keep_monthly => 6, 
prefix => "${fqdn}-", }, consistency => { prefix => "${fqdn}-", }, } file {'/etc/borgmatic': ensure => 'directory', owner => 'root', group => 'root', mode => '0600', } file {'/etc/borgmatic/config.yaml': ensure => 'present', owner => 'root', group => 'root', mode => '0600', # contains passphrase content => inline_yaml($borgmatic_config), require => Package['borgmatic'], } } diff --git a/site-modules/profile/manifests/borg/repository.pp b/site-modules/profile/manifests/borg/repository.pp index f9a4b05e..f24d1425 100644 --- a/site-modules/profile/manifests/borg/repository.pp +++ b/site-modules/profile/manifests/borg/repository.pp @@ -1,29 +1,29 @@ # Definition of a Borg Backup repository server define profile::borg::repository ( - String $encryption, - Sensitive[String] $passphrase, - String $authorized_key, - String $fqdn = $title, + String $encryption, + String $passphrase, + String $authorized_key, + String $fqdn = $title, ){ include profile::borg::repository_base $user = $profile::borg::repository_base::user $fullpath = "${profile::borg::repository_base::repository_path}/${fqdn}" $borg_authorized_keys = $profile::borg::repository_base::authorized_keys exec {"borg init --encryption=${encryption} ${fullpath}": user => $user, path => ['/bin', '/usr/bin'], creates => $fullpath, - environment => "BORG_PASSPHRASE=${passphrase.unwrap}", + environment => "BORG_PASSPHRASE=${passphrase}", require => Package['borgbackup'], } ::concat::fragment {"borg-authorized-keys-${fullpath}": target => $borg_authorized_keys, order => '10', content => "command=\"borg serve --restrict-to-path ${fullpath}\",restrict ${authorized_key}\n", tag => 'borg-authorized-keys', } }
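Review bot: With `Sensitive(...)` removed from `$passphrase`, the plaintext passphrase now travels inside the exported resource `@@profile::borg::repository {$fqdn: passphrase => $passphrase, ...}`, so it is persisted in PuppetDB with the catalog and readable to anyone holding PuppetDB query access, in addition to being present in every client's compiled catalog. If the unwrap was forced by exported resources being unable to carry `Sensitive` values (which is my reading of why `.unwrap` disappears in the same commit), that constraint deserves a comment at the assignment, e.g. `# plain String on purpose: Sensitive values cannot be exported/collected, so this value lives in PuppetDB`. The value is only as secret as `borg::passphrase::seed`, since `seeded_rand_string(16, "borg::passphrase::${seed}::${fqdn}")` derives it deterministically from seed and hostname, so the seed must itself stay out of plaintext Hiera. The `/etc/borgmatic/config.yaml` resource at the end of the hunk writes the passphrase through `inline_yaml`; adding `show_diff => false,` there keeps it out of agent reports when the content changes.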
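Review bot: The exec's `environment => "BORG_PASSPHRASE=${passphrase}"` now carries the plaintext passphrase as an ordinary catalog parameter, so it sits in the repository server's catalog and, whenever the resource is reported as changed, in its reports and agent output. Since the value arrives as a plain `String` from the exported resource anyway, the define can re-protect it locally by wrapping the parameter value, `environment => Sensitive("BORG_PASSPHRASE=${passphrase}"),` — the agent unwraps Sensitive parameter values before applying and redacts them in logs and reports, though confirm this against the Puppet version in use. The relaxed type `String $passphrase` also accepts an empty string silently; `String[1] $passphrase` would make a missing seed fail at compile time rather than at `borg init`.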