unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
From: Richard Sent <richard@freakingpenguin.com>
To: 71662@debbugs.gnu.org, 71639@debbugs.gnu.org
Cc: "Richard Sent" <richard@freakingpenguin.com>,
	"Florian Pelz" <pelzflorian@pelzflorian.de>,
	"Ludovic Courtès" <ludo@gnu.org>,
	"Matthew Trzcinski" <matt@excalamus.com>,
	"Maxim Cournoyer" <maxim.cournoyer@gmail.com>
Subject: [bug#71662] [PATCH v2 2/5] services: backup: Add password-command support to restic-service
Date: Wed, 19 Jun 2024 23:44:13 -0400	[thread overview]
Message-ID: <ceb1cc05b9c66b1f3d0ca59ba5548921d71cb11b.1718854920.git.richard@freakingpenguin.com> (raw)
In-Reply-To: <cover.1718854920.git.richard@freakingpenguin.com>

* gnu/services/backup.scm (restic-backup-job): Add password-command.
(verify-restic-backup-job-configuration): Create.
(restic-backup-job-program): Set either RESTIC_PASSWORD or
RESTIC_PASSWORD_COMMAND depending on what is configured.
* doc/guix.texi (Miscellaneous Services): Document it.

Change-Id: Ice9cf85d1ee4485a2737f515c63c969918219df0
---
 doc/guix.texi           |  7 +++++++
 gnu/services/backup.scm | 41 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 63c9cbd1a7..f22d679023 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41344,6 +41344,13 @@ Miscellaneous Services
 that will be used to set the @env{RESTIC_PASSWORD} environment variable
 for the current job.
 
+@item @code{password-command} (type: file-like)
+String path or file-like object representing the executable file that
+prints password to stdout.  If a file-like object is used, it is placed
+in the store globally executable and in plain text.  The executable
+should be designed such that it does not compromise the password if an
+unauthorized user runs it.
+
 @item @code{schedule} (type: gexp-or-string)
 A string or a gexp that will be passed as time specification in the
 mcron job specification (@pxref{Syntax, mcron job specifications,,
diff --git a/gnu/services/backup.scm b/gnu/services/backup.scm
index 1279ece88f..fd904bc9a9 100644
--- a/gnu/services/backup.scm
+++ b/gnu/services/backup.scm
@@ -66,6 +66,9 @@ (define (lowerable? value)
 (define list-of-lowerables?
   (list-of lowerable?))
 
+(define-maybe/no-serialization string)
+(define-maybe/no-serialization file-like)
+
 (define-configuration/no-serialization restic-backup-job
   (restic
    (package restic)
@@ -80,10 +83,16 @@ (define-configuration/no-serialization restic-backup-job
    (string)
    "The restic repository target of this job.")
   (password-file
-   (string)
+   (maybe-string)
    "Name of the password file, readable by the configured @code{user}, that
 will be used to set the @code{RESTIC_PASSWORD} environment variable for the
 current job.")
+  (password-command
+   (maybe-file-like)
+   "An executable file who's path is stored in @code{RESTIC_PASSWORD_COMMAND}.
+When run, the file writes the password to standard output. Due to the nature
+of the store this command will be globally executable and should have external
+protections to ensure unauthorized users cannot retrieve the password.")
   (schedule
    (gexp-or-string)
    "A string or a gexp that will be passed as time specification in the mcron
@@ -104,6 +113,14 @@ (define-configuration/no-serialization restic-backup-job
    "A list of values that are lowered to strings.  These will be passed as
 command-line arguments to the current job @command{restic backup} invokation."))
 
+(define (verify-restic-backup-job-configuration config)
+  (unless (or (maybe-value-set? (restic-backup-job-password-file config))
+              (maybe-value-set? (restic-backup-job-password-command config)))
+    (error "either password-file or password-command must be configured."))
+  (when (and (maybe-value-set? (restic-backup-job-password-file config))
+             (maybe-value-set? (restic-backup-job-password-command config)))
+    (error "password-file and password-command can not be configured simultaneously.")))
+
 (define list-of-restic-backup-jobs?
   (list-of restic-backup-job?))
 
@@ -113,12 +130,21 @@ (define-configuration/no-serialization restic-backup-configuration
    "The list of backup jobs for the current system."))
 
 (define (restic-backup-job-program config)
+  (define (maybe-value-or-false maybe)
+    (if (maybe-value-set? maybe)
+        maybe
+        #f))
+
+  (verify-restic-backup-job-configuration config)
+
   (let ((restic
          (file-append (restic-backup-job-restic config) "/bin/restic"))
         (repository
          (restic-backup-job-repository config))
         (password-file
-         (restic-backup-job-password-file config))
+         (maybe-value-or-false (restic-backup-job-password-file config)))
+        (password-command
+         (maybe-value-or-false (restic-backup-job-password-command config)))
         (files
          (restic-backup-job-files config))
         (extra-flags
@@ -134,9 +160,14 @@ (define (restic-backup-job-program config)
      #~(begin
          (use-modules (ice-9 popen)
                       (ice-9 rdelim))
-         (setenv "RESTIC_PASSWORD"
-                 (with-input-from-file #$password-file read-line))
-
+         (or (and=> #$password-file (lambda (x)
+                                      (setenv "RESTIC_PASSWORD"
+                                              (with-input-from-file x read-line))))
+             (and=> #$password-command (lambda (x)
+                                         (setenv "RESTIC_PASSWORD_COMMAND" x)))
+             ;; Have a backup error message in case
+             ;; verify-restic-backup-job-configuration is messed with
+             (error "Neither password-file or password-command set"))
          (when #$init?
            ;; Use cat config to check if the repository exists. See
            ;; https://github.com/restic/restic/issues/1690 and
-- 
2.45.1





  parent reply	other threads:[~2024-06-20  3:46 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-20  3:44 [bug#71660] [PATCH v2 0/5] Improve on restic-backup-service Richard Sent
2024-06-20  3:44 ` [bug#71661] [PATCH v2 1/5] services: backup: Support bootstrapping an initial restic backup Richard Sent
2024-06-20  3:44 ` Richard Sent [this message]
2024-06-20  3:44 ` [bug#71663] [PATCH v2 3/5] services: backup: Add extra-packages field to restic-backup-job Richard Sent
2024-06-20  3:44 ` [bug#71639] [PATCH v2 4/5] services: backup: Move restic package to restic-configuration Richard Sent
2024-06-20  3:44 ` [bug#71665] [PATCH v2 5/5] tests: Add restic system test Richard Sent
2024-06-24 22:49   ` [bug#71639] [PATCHv2 0/5] Improve on restic-backup-service paul via Guix-patches via
2024-06-27  3:56     ` Richard Sent
2024-07-07 20:40       ` paul via Guix-patches via
  -- strict thread matches above, loose matches on Subject: below --
2024-06-18 22:06 [bug#71639] [PATCH WIP " Richard Sent
2024-06-18 22:08 ` [bug#71639] [PATCH WIP 1/5] services: backup: Support bootstrapping an initial restic backup Richard Sent
2024-06-18 22:08 ` [bug#71639] [PATCH WIP 2/5] services: backup: Add password-command support to restic-service Richard Sent
2024-06-18 22:08 ` [bug#71639] [PATCH WIP 3/5] services: backup: Add extra-packages field to restic-backup-job Richard Sent
2024-06-18 22:08 ` [bug#71639] [PATCH WIP 4/5] services: backup: Move restic package to restic-configuration Richard Sent
2024-06-18 22:08 ` [bug#71639] [PATCH WIP 5/5] tests: Add restic system test Richard Sent
2024-08-22 17:43 ` [bug#71639] [PATCHv2 0/5] Improve on restic-backup-service Fabio Natali via Guix-patches via
2024-08-25 14:12 ` paul via Guix-patches via
2024-09-03 16:43   ` [bug#71639] [PATCH WIP " Fabio Natali via Guix-patches via
2024-09-04 15:49     ` Richard Sent
2024-09-05 10:06       ` Fabio Natali via Guix-patches via

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ceb1cc05b9c66b1f3d0ca59ba5548921d71cb11b.1718854920.git.richard@freakingpenguin.com \
    --to=richard@freakingpenguin.com \
    --cc=71639@debbugs.gnu.org \
    --cc=71662@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    --cc=matt@excalamus.com \
    --cc=maxim.cournoyer@gmail.com \
    --cc=pelzflorian@pelzflorian.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).