nixos: tarsnap - allow keys for individual archives

Two concurrent tarsnap backups cannot be run at the same time with the
same keys - completely separate sets of keys must be generated for each
archive in this case, if you want backups to overlap.

This extends the archives attrset to support a 'keyfile' option, which
defaults to /root/tarsnap.key like the top-level attribute.

With this change, if you generate two keys with tarsnap-keygen(1) and
use each of those separately for each archive, you can back up
concurrently.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

+37 -1
nixos/modules/services/backup/tarsnap.nix
··· 7 7 8 8 configFile = name: cfg: '' 9 9 cachedir ${config.services.tarsnap.cachedir}/${name} 10 - keyfile ${config.services.tarsnap.keyfile} 10 + keyfile ${cfg.keyfile} 11 11 ${optionalString cfg.nodump "nodump"} 12 12 ${optionalString cfg.printStats "print-stats"} 13 13 ${optionalString cfg.printStats "humanize-numbers"} ··· 41 41 account. 42 42 Create the keyfile with <command>tarsnap-keygen</command>. 43 43 44 + Note that each individual archive (specified below) may also have its 45 + own individual keyfile specified. Tarsnap does not allow multiple 46 + concurrent backups with the same cache directory and key (starting a 47 + new backup will cause another one to fail). If you have multiple 48 + archives specified, you should either spread out your backups to be 49 + far apart, or specify a separate key for each archive. By default 50 + every archive defaults to using 51 + <literal>"/root/tarsnap.key"</literal>. 52 + 53 + It's recommended for backups that you generate a key for every archive 54 + using <literal>tarsnap-keygen(1)</literal>, and then generate a 55 + write-only tarsnap key using <literal>tarsnap-keymgmt(1)</literal>, 56 + and keep your master key(s) for a particular machine off-site. 57 + 44 58 The keyfile name should be given as a string and not a path, to 45 59 avoid the key being copied into the Nix store. 46 60 ''; ··· 71 85 type = types.attrsOf (types.submodule ( 72 86 { 73 87 options = { 88 + keyfile = mkOption { 89 + type = types.str; 90 + default = config.services.tarsnap.keyfile; 91 + description = '' 92 + Set a specific keyfile for this archive. This defaults to 93 + <literal>"/root/tarsnap.key"</literal> if left unspecified. 94 + 95 + Use this option if you want to run multiple backups 96 + concurrently - each archive must have a unique key. You can 97 + generate a write-only key derived from your master key (which 98 + is recommended) using <literal>tarsnap-keymgmt(1)</literal>. 
99 + 100 + Note: every archive must have an individual master key. You 101 + must generate multiple keys with 102 + <literal>tarsnap-keygen(1)</literal>, and then generate write 103 + only keys from those. 104 + 105 + The keyfile name should be given as a string and not a path, to 106 + avoid the key being copied into the Nix store. 107 + ''; 108 + }; 109 + 74 110 nodump = mkOption { 75 111 type = types.bool; 76 112 default = true;
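Review bot: In the second hunk (the top-level keyfile description), the new paragraph says tarsnap refuses concurrent backups "with the same cache directory and key", but the first hunk's context shows each archive already gets its own cache directory via `cachedir ${config.services.tarsnap.cachedir}/${name}`. As written, a reader cannot tell whether the per-archive cachedir is already enough or whether the key alone causes the conflict; the commit message says it is the key, so the description should say that directly. The sentence "By default every archive defaults to using" is also redundant and could read "By default every archive uses the keyfile set here."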
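Review bot: In the third hunk (the per-archive `keyfile` option), the description states the default as the literal "/root/tarsnap.key", but the code sets `default = config.services.tarsnap.keyfile;`, so the text is wrong as soon as the top-level option is overridden. Suggest wording it as "defaults to the value of services.tarsnap.keyfile" and adding a `defaultText` so the rendered manual shows the reference rather than an evaluated path. The note "every archive must have an individual master key" also contradicts that default, which shares one key across all archives; it should be scoped to the concurrent case, for example "archives that run concurrently must each have their own master key". Since the whole point of the option is distinct keys, consider whether the module should warn when two archives resolve to the same keyfile.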