author | Austin Seipp <aseipp@pobox.com> | 2016-01-07 05:47:04 -0600
---|---|---
committer | Austin Seipp <aseipp@pobox.com> | 2016-01-07 05:54:41 -0600
commit | 7a01badef58ae91cbfa140df7f9f62f6bec5761e (patch) |
tree | 0a87f51a4f59ad5af7fc3156ccdc9fd5fa79f33f /nixos/modules/services |
parent | ec70f64ecd3030192a4c31573da8f6e883621700 (diff) |
nixos: tarsnap - allow keys for individual archives
Two concurrent tarsnap backups cannot be run at the same time with the same keys - completely separate sets of keys must be generated for each archive in this case, if you want backups to overlap. This extends the archives attrset to support a 'keyfile' option, which defaults to /root/tarsnap.key like the top-level attribute. With this change, if you generate two keys with tarsnap-keygen(1) and use each of those separately for each archive, you can back up concurrently.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/backup/tarsnap.nix | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/nixos/modules/services/backup/tarsnap.nix b/nixos/modules/services/backup/tarsnap.nix index d9a57eedc9ba..78776786468b 100644 --- a/nixos/modules/services/backup/tarsnap.nix +++ b/nixos/modules/services/backup/tarsnap.nix @@ -7,7 +7,7 @@ let configFile = name: cfg: '' cachedir ${config.services.tarsnap.cachedir}/${name} - keyfile ${config.services.tarsnap.keyfile} + keyfile ${cfg.keyfile} ${optionalString cfg.nodump "nodump"} ${optionalString cfg.printStats "print-stats"} ${optionalString cfg.printStats "humanize-numbers"} @@ -41,6 +41,20 @@ in account. Create the keyfile with <command>tarsnap-keygen</command>. + Note that each individual archive (specified below) may also have its + own individual keyfile specified. Tarsnap does not allow multiple + concurrent backups with the same cache directory and key (starting a + new backup will cause another one to fail). If you have multiple + archives specified, you should either spread out your backups to be + far apart, or specify a separate key for each archive. By default + every archive defaults to using + <literal>"/root/tarsnap.key"</literal>. + + It's recommended for backups that you generate a key for every archive + using <literal>tarsnap-keygen(1)</literal>, and then generate a + write-only tarsnap key using <literal>tarsnap-keymgmt(1)</literal>, + and keep your master key(s) for a particular machine off-site. + The keyfile name should be given as a string and not a path, to avoid the key being copied into the Nix store. ''; 
@@ -71,6 +85,28 @@ in type = types.attrsOf (types.submodule ( { options = { + keyfile = mkOption { + type = types.str; + default = config.services.tarsnap.keyfile; + description = '' + Set a specific keyfile for this archive. This defaults to + <literal>"/root/tarsnap.key"</literal> if left unspecified. + + Use this option if you want to run multiple backups + concurrently - each archive must have a unique key. You can + generate a write-only key derived from your master key (which + is recommended) using <literal>tarsnap-keymgmt(1)</literal>. + + Note: every archive must have an individual master key. You + must generate multiple keys with + <literal>tarsnap-keygen(1)</literal>, and then generate write + only keys from those. + + The keyfile name should be given as a string and not a path, to + avoid the key being copied into the Nix store. + ''; + }; + nodump = mkOption { type = types.bool; default = true; |
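Review bot: in the first hunk (`configFile`), the switch from `config.services.tarsnap.keyfile` to `${cfg.keyfile}` only evaluates because the third hunk adds a `keyfile` option to the archive submodule with `default = config.services.tarsnap.keyfile`; the two hunks are one change and should not be split on cherry-pick. Worth a comment in the `let` block: the rendered config file ends up in the Nix store, so the only thing written there is the keyfile path string, and the `types.str` (not `types.path`) choice in the third hunk is what keeps the key material itself out of the world-readable store.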
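Review bot: in the second hunk (top-level `keyfile` description), "By default every archive defaults to using `"/root/tarsnap.key"`" is redundant and only true while `services.tarsnap.keyfile` keeps its own default; suggest "Each archive defaults to the top-level `keyfile`." The constraint is also stated more loosely than the code: the first hunk's context shows the cache directory is already per-archive (`cachedir ${config.services.tarsnap.cachedir}/${name}`), so a shared key is the only remaining source of the concurrent-run failure and the text should say so. Minor markup point: the existing line uses `<command>tarsnap-keygen</command>` while the new text uses `<literal>tarsnap-keygen(1)</literal>`; use `<command>` consistently for `tarsnap-keygen` and `tarsnap-keymgmt`.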
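Review bot: in the third hunk (per-archive `keyfile` option), the "Note:" paragraph restates the sentence above it and the pair reads as contradictory (first "generate a write-only key derived from your master key", then "every archive must have an individual master key"); fold them into one statement: generate a separate master key per archive with `tarsnap-keygen(1)`, derive a write-only key from each with `tarsnap-keymgmt(1)`, and point `keyfile` at the write-only key. "write only keys" should be hyphenated as "write-only", matching the earlier use. The "This defaults to `"/root/tarsnap.key"`" sentence has the same inaccuracy as the top-level text: the actual default is `config.services.tarsnap.keyfile`, and the description should name that option. Separately, nothing checks that archives sharing a keyfile are scheduled apart; since every archive inherits the top-level key by default, a hard assertion would break existing configurations, so the documented warning is the right level, but the failure mode (the second backup fails) belongs in this option's description too.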