From 467ddd0e9388a2038ac0ee30a21830be7edacc31 Mon Sep 17 00:00:00 2001 From: cvlc12 Date: Fri, 8 Nov 2024 00:27:07 +0100 Subject: [PATCH] creds: Only support single credential by default --- docs/how-to/provide-your-passwords.md | 30 +++++++++++++++++++++------ sample/systemd/borgmatic.service | 6 ++++-- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/docs/how-to/provide-your-passwords.md b/docs/how-to/provide-your-passwords.md index 8abf9131..57803864 100644 --- a/docs/how-to/provide-your-passwords.md +++ b/docs/how-to/provide-your-passwords.md @@ -39,9 +39,15 @@ Save your password as an encrypted credential to `/etc/credstore.encrypted/borgm # systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgmatic.pw ``` +Then uncomment or use the following in your configuration file: + +```yaml +encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw" +``` + Note that the name `borgmatic.pw` is hardcoded in the systemd service file. -If you use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g., +To use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g., ``` # mkdir /etc/credstore.encrypted/borgmatic 
@@ -49,17 +55,29 @@ If you use multiple different passwords, save them as encrypted credentials to ` # systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_pw2 - /etc/credstore.encrypted/borgmatic/pw2 ... ``` + Ensure that the file names, (e.g. `backupserver1`) match the corresponding part of -the `--name` option *after* the underscore (_). The `borgmatic` folder is hardcoded in the systemd service file. +the `--name` option *after* the underscore (_), and that the part *before* +the underscore matches the directory name (e.g. `borgmatic`). -Then uncomment or use one of the following in your configuration file. Adjust `borgmatic_backupserver1` -according to the name given to the credential. +Then, uncomment the appropriate line in the systemd service file: -```yaml -encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw" +``` +# systemctl edit borgmatic.service +... +# Load multiple encrypted credentials. +LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/ +``` + +Finally, use the following in your configuration file: + +``` encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1" ``` +Adjust `borgmatic_backupserver1` according to the name given to the credential +and the directory set in the service file. + ### Environment variable interpolation New in version 1.6.4 borgmatic diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service index a3391c32..7a96b834 100644 --- a/sample/systemd/borgmatic.service +++ b/sample/systemd/borgmatic.service 
@@ -10,10 +10,12 @@ Documentation=https://torsion.org/borgmatic/ [Service] Type=oneshot -# Load encrypted credentials. -LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/ +# Load single encrypted credential. LoadCredentialEncrypted=borgmatic.pw +# Load multiple encrypted credentials. +# LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/ + # Security settings for systemd running as root, optional but recommended to improve security. You # can disable individual settings if they cause problems for your use case. For more details, see # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
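Review bot: The commented-out `# LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/` line does not say that enabling it changes the credential names the service sees. According to the documentation in this same patch, each file in that directory is exposed as `borgmatic_<filename>`, and it must have been encrypted with a matching `--name`. Someone who uncomments the line but keeps `encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw"` would presumably only find out when the passcommand fails at backup time. I would add a second comment line under "Load multiple encrypted credentials.", for example `# Each file is exposed as borgmatic_<filename>; point encryption_passcommand at that name.`. The `[Service]` section continues past the end of this hunk.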