public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos: tarsnap - allow keys for individual archives

Browse Source 
Two concurrent tarsnap backups cannot be run at the same time with the
same keys - completely separate sets of keys must be generated for each
archive in this case, if you want backups to overlap.

This extends the archives attrset to support a 'keyfile' option, which
defaults to /root/tarsnap.key like the top-level attribute.

With this change, if you generate two keys with tarsnap-keygen(1) and
use each of those separately for each archive, you can backup
concurrently.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
Austin Seipp 2016-01-07 05:47:04 -06:00
parent ec70f64ecd
commit 7a01badef5
1 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
nixos/modules/services/backup/tarsnap.nix
View File

@ -7,7 +7,7 @@ let
configFile = name: cfg: '' configFile = name: cfg: ''
cachedir ${config.services.tarsnap.cachedir}/${name} cachedir ${config.services.tarsnap.cachedir}/${name}
keyfile ${config.services.tarsnap.keyfile} keyfile ${cfg.keyfile}
${optionalString cfg.nodump "nodump"} ${optionalString cfg.nodump "nodump"}
${optionalString cfg.printStats "print-stats"} ${optionalString cfg.printStats "print-stats"}
${optionalString cfg.printStats "humanize-numbers"} ${optionalString cfg.printStats "humanize-numbers"}
@ -41,6 +41,20 @@ in
account. account.
Create the keyfile with <command>tarsnap-keygen</command>. Create the keyfile with <command>tarsnap-keygen</command>.
Note that each individual archive (specified below) may also have its
own individual keyfile specified. Tarsnap does not allow multiple
concurrent backups with the same cache directory and key (starting a
new backup will cause another one to fail). If you have multiple
archives specified, you should either spread out your backups to be
far apart, or specify a separate key for each archive. By default
every archive defaults to using
<literal>"/root/tarsnap.key"</literal>.
It's recommended for backups that you generate a key for every archive
using <literal>tarsnap-keygen(1)</literal>, and then generate a
write-only tarsnap key using <literal>tarsnap-keymgmt(1)</literal>,
and keep your master key(s) for a particular machine off-site.
The keyfile name should be given as a string and not a path, to The keyfile name should be given as a string and not a path, to
avoid the key being copied into the Nix store. avoid the key being copied into the Nix store.
''; '';
@ -71,6 +85,28 @@ in
type = types.attrsOf (types.submodule ( type = types.attrsOf (types.submodule (
{ {
options = { options = {
keyfile = mkOption {
type = types.str;
default = config.services.tarsnap.keyfile;
description = ''
Set a specific keyfile for this archive. This defaults to
<literal>"/root/tarsnap.key"</literal> if left unspecified.
Use this option if you want to run multiple backups
concurrently - each archive must have a unique key. You can
generate a write-only key derived from your master key (which
is recommended) using <literal>tarsnap-keymgmt(1)</literal>.
Note: every archive must have an individual master key. You
must generate multiple keys with
<literal>tarsnap-keygen(1)</literal>, and then generate write
only keys from those.
The keyfile name should be given as a string and not a path, to
avoid the key being copied into the Nix store.
'';
};
nodump = mkOption { nodump = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;