feat: encrypt repository credentials at rest

This commit is contained in:
Nicolas Meienberger
2025-10-18 15:15:30 +02:00
parent 6e8aa4b465
commit 100c24de13
3 changed files with 84 additions and 15 deletions


@@ -6,6 +6,7 @@ import { type } from "arktype";
import { $ } from "bun";
import { RESTIC_PASS_FILE } from "../core/constants";
import { logger } from "./logger";
import { cryptoUtils } from "./crypto";
const backupOutputSchema = type({
message_type: "'summary'",
@@ -45,13 +46,13 @@ const buildRepoUrl = (config: RepositoryConfig): string => {
}
};
const buildEnv = (config: RepositoryConfig): Record<string, string> => {
const buildEnv = async (config: RepositoryConfig) => {
const env: Record<string, string> = {};
switch (config.backend) {
case "s3":
env.AWS_ACCESS_KEY_ID = config.accessKeyId;
env.AWS_SECRET_ACCESS_KEY = config.secretAccessKey;
env.AWS_ACCESS_KEY_ID = await cryptoUtils.decrypt(config.accessKeyId);
env.AWS_SECRET_ACCESS_KEY = await cryptoUtils.decrypt(config.secretAccessKey);
break;
}
@@ -62,7 +63,7 @@ const init = async (config: RepositoryConfig) => {
await ensurePassfile();
const repoUrl = buildRepoUrl(config);
const env = buildEnv(config);
const env = await buildEnv(config);
const res = await $`restic init --repo ${repoUrl} --password-file ${RESTIC_PASS_FILE} --json`.env(env).nothrow();
@@ -77,7 +78,7 @@ const init = async (config: RepositoryConfig) => {
const backup = async (config: RepositoryConfig, source: string) => {
const repoUrl = buildRepoUrl(config);
const env = buildEnv(config);
const env = await buildEnv(config);
const res = await $`restic --repo ${repoUrl} backup ${source} --password-file /data/secrets/restic.pass --json`
.env(env)