nixos: tarsnap - allow keys for individual archives

Two concurrent tarsnap backups cannot be run at the same time with the same keys - completely separate sets of keys must be generated for each archive in this case, if you want backups to overlap. This extends the archives attrset to support a 'keyfile' option, which defaults to /root/tarsnap.key like the top-level attribute. With this change, if you generate two keys with tarsnap-keygen(1) and use each of those separately for each archive, you can backup concurrently. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2016-01-07 05:47:04 -06:00 · 2016-01-07 05:47:04 -06:00 · 7a01badef5
commit 7a01badef5
parent ec70f64ecd
1 changed files with 37 additions and 1 deletions
--- a/nixos/modules/services/backup/tarsnap.nix
+++ b/nixos/modules/services/backup/tarsnap.nix
@ -7,7 +7,7 @@ let

  configFile = name: cfg: ''
    cachedir ${config.services.tarsnap.cachedir}/${name}
-    keyfile  ${config.services.tarsnap.keyfile}
+    keyfile  ${cfg.keyfile}
    ${optionalString cfg.nodump "nodump"}
    ${optionalString cfg.printStats "print-stats"}
    ${optionalString cfg.printStats "humanize-numbers"}
@ -41,6 +41,20 @@ in
          account.
          Create the keyfile with <command>tarsnap-keygen</command>.

+          Note that each individual archive (specified below) may also have its
+          own individual keyfile specified. Tarsnap does not allow multiple
+          concurrent backups with the same cache directory and key (starting a
+          new backup will cause another one to fail). If you have multiple
+          archives specified, you should either spread out your backups to be
+          far apart, or specify a separate key for each archive. By default
+          every archive defaults to using
+          <literal>"/root/tarsnap.key"</literal>.
+
+          It's recommended for backups that you generate a key for every archive
+          using <literal>tarsnap-keygen(1)</literal>, and then generate a
+          write-only tarsnap key using <literal>tarsnap-keymgmt(1)</literal>,
+          and keep your master key(s) for a particular machine off-site.
+
          The keyfile name should be given as a string and not a path, to
          avoid the key being copied into the Nix store.
        '';
@ -71,6 +85,28 @@ in
        type = types.attrsOf (types.submodule (
          {
            options = {
+              keyfile = mkOption {
+                type = types.str;
+                default = config.services.tarsnap.keyfile;
+                description = ''
+                  Set a specific keyfile for this archive. This defaults to
+                  <literal>"/root/tarsnap.key"</literal> if left unspecified.
+
+                  Use this option if you want to run multiple backups
+                  concurrently - each archive must have a unique key. You can
+                  generate a write-only key derived from your master key (which
+                  is recommended) using <literal>tarsnap-keymgmt(1)</literal>.
+
+                  Note: every archive must have an individual master key. You
+                  must generate multiple keys with
+                  <literal>tarsnap-keygen(1)</literal>, and then generate write
+                  only keys from those.
+
+                  The keyfile name should be given as a string and not a path, to
+                  avoid the key being copied into the Nix store.
+                '';
+              };
+
              nodump = mkOption {
                type = types.bool;
                default = true;