| blob | d3cd6c66bfebedd0e494fa1b6b3ddd9c3c88243f |
1 import ./make-test-python.nix ({ pkgs, ... }:
3 let
4 passphrase = "supersecret";
5 dataDir = "/ran:dom/data";
6 excludeFile = "not_this_file";
7 keepFile = "important_file";
8 keepFileData = "important_data";
9 localRepo = "/root/back:up";
10 archiveName = "my_archive";
11 remoteRepo = "borg@server:."; # No need to specify path
12 privateKey = pkgs.writeText "id_ed25519" ''
13 -----BEGIN OPENSSH PRIVATE KEY-----
14 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
15 QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe
16 RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw
17 AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg
18 9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ=
19 -----END OPENSSH PRIVATE KEY-----
20 '';
21 publicKey = ''
22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv root@client
23 '';
24 privateKeyAppendOnly = pkgs.writeText "id_ed25519" ''
25 -----BEGIN OPENSSH PRIVATE KEY-----
26 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
27 QyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLwAAAJC9YTxxvWE8
28 cQAAAAtzc2gtZWQyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLw
29 AAAEAAhV7wTl5dL/lz+PF/d4PnZXuG1Id6L/mFEiGT1tZsuFpxm7PUQsZB2Ejs8Xp0YVp8
30 IOW+HylIRzhweORbRCMvAAAADXJzY2h1ZXR6QGt1cnQ=
31 -----END OPENSSH PRIVATE KEY-----
32 '';
33 publicKeyAppendOnly = ''
34 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpxm7PUQsZB2Ejs8Xp0YVp8IOW+HylIRzhweORbRCMv root@client
35 '';
37 in {
38 name = "borgbackup";
39 meta = with pkgs.lib; {
40 maintainers = with maintainers; [ dotlambda ];
41 };
43 nodes = {
44 client = { ... }: {
45 services.borgbackup.jobs = {
47 local = {
48 paths = dataDir;
49 repo = localRepo;
50 preHook = ''
51 # Don't append a timestamp
52 archiveName="${archiveName}"
53 '';
54 encryption = {
55 mode = "repokey";
56 inherit passphrase;
57 };
58 compression = "auto,zlib,9";
59 prune.keep = {
60 within = "1y";
61 yearly = 5;
62 };
63 exclude = [ "*/${excludeFile}" ];
64 postHook = "echo post";
65 startAt = [ ]; # Do not run automatically
66 };
68 remote = {
69 paths = dataDir;
70 repo = remoteRepo;
71 encryption.mode = "none";
72 startAt = [ ];
73 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
74 };
76 remoteAppendOnly = {
77 paths = dataDir;
78 repo = remoteRepo;
79 encryption.mode = "none";
80 startAt = [ ];
81 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly";
82 };
84 commandSuccess = {
85 dumpCommand = pkgs.writeScript "commandSuccess" ''
86 echo -n test
87 '';
88 repo = remoteRepo;
89 encryption.mode = "none";
90 startAt = [ ];
91 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
92 };
94 commandFail = {
95 dumpCommand = "${pkgs.coreutils}/bin/false";
96 repo = remoteRepo;
97 encryption.mode = "none";
98 startAt = [ ];
99 environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519";
100 };
102 };
103 };
105 server = { ... }: {
106 services.openssh = {
107 enable = true;
108 passwordAuthentication = false;
109 kbdInteractiveAuthentication = false;
110 };
112 services.borgbackup.repos.repo1 = {
113 authorizedKeys = [ publicKey ];
114 path = "/data/borgbackup";
115 };
117 # Second repo to make sure the authorizedKeys options are merged correctly
118 services.borgbackup.repos.repo2 = {
119 authorizedKeysAppendOnly = [ publicKeyAppendOnly ];
120 path = "/data/borgbackup";
121 quota = ".5G";
122 };
123 };
124 };
126 testScript = ''
127 start_all()
129 client.fail('test -d "${remoteRepo}"')
131 client.succeed(
132 "cp ${privateKey} /root/id_ed25519"
133 )
134 client.succeed("chmod 0600 /root/id_ed25519")
135 client.succeed(
136 "cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly"
137 )
138 client.succeed("chmod 0600 /root/id_ed25519.appendOnly")
140 client.succeed("mkdir -p ${dataDir}")
141 client.succeed("touch ${dataDir}/${excludeFile}")
142 client.succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}")
144 with subtest("local"):
145 borg = "BORG_PASSPHRASE='${passphrase}' borg"
146 client.systemctl("start --wait borgbackup-job-local")
147 client.fail("systemctl is-failed borgbackup-job-local")
148 # Make sure exactly one archive has been created
149 assert int(client.succeed("{} list '${localRepo}' | wc -l".format(borg))) > 0
150 # Make sure excludeFile has been excluded
151 client.fail(
152 "{} list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'".format(borg)
153 )
154 # Make sure keepFile has the correct content
155 client.succeed("{} extract '${localRepo}::${archiveName}'".format(borg))
156 assert "${keepFileData}" in client.succeed("cat ${dataDir}/${keepFile}")
157 # Make sure the same is true when using `borg mount`
158 client.succeed(
159 "mkdir -p /mnt/borg && {} mount '${localRepo}::${archiveName}' /mnt/borg".format(
160 borg
161 )
162 )
163 assert "${keepFileData}" in client.succeed(
164 "cat /mnt/borg/${dataDir}/${keepFile}"
165 )
167 with subtest("remote"):
168 borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg"
169 server.wait_for_unit("sshd.service")
170 client.wait_for_unit("network.target")
171 client.systemctl("start --wait borgbackup-job-remote")
172 client.fail("systemctl is-failed borgbackup-job-remote")
174 # Make sure we can't access repos other than the specified one
175 client.fail("{} list borg\@server:wrong".format(borg))
177 # TODO: Make sure that data is actually deleted
179 with subtest("remoteAppendOnly"):
180 borg = (
181 "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg"
182 )
183 server.wait_for_unit("sshd.service")
184 client.wait_for_unit("network.target")
185 client.systemctl("start --wait borgbackup-job-remoteAppendOnly")
186 client.fail("systemctl is-failed borgbackup-job-remoteAppendOnly")
188 # Make sure we can't access repos other than the specified one
189 client.fail("{} list borg\@server:wrong".format(borg))
191 # TODO: Make sure that data is not actually deleted
193 with subtest("commandSuccess"):
194 server.wait_for_unit("sshd.service")
195 client.wait_for_unit("network.target")
196 client.systemctl("start --wait borgbackup-job-commandSuccess")
197 client.fail("systemctl is-failed borgbackup-job-commandSuccess")
198 id = client.succeed("borg-job-commandSuccess list | tail -n1 | cut -d' ' -f1").strip()
199 client.succeed(f"borg-job-commandSuccess extract ::{id} stdin")
200 assert "test" == client.succeed("cat stdin")
202 with subtest("commandFail"):
203 server.wait_for_unit("sshd.service")
204 client.wait_for_unit("network.target")
205 client.systemctl("start --wait borgbackup-job-commandFail")
206 client.succeed("systemctl is-failed borgbackup-job-commandFail")
207 '';
208 })