credential-rotation #1
4 changed files with 53 additions and 8 deletions
|
@ -1,3 +1,42 @@
|
|||
#!/usr/bin/env bb
|
||||
|
||||
(println "initialized")
|
||||
(require '[babashka.tasks :as tasks]
|
||||
'[dda.backup.cred-rot :as cr]
|
||||
'[dda.backup.restic :as rc]
|
||||
'[dda.backup.postgresql :as pg])
|
||||
|
||||
(def restic-repo {:password-file "restic-pwd"
|
||||
:restic-repository "restic-repo"})
|
||||
|
||||
(def file-config (merge restic-repo {:backup-path "files"
|
||||
:files ["test-backup"]
|
||||
:restore-target-directory "test-restore"}))
|
||||
|
||||
(def db-config (merge restic-repo {:backup-path "db"
|
||||
:pg-db "mydb"
|
||||
:pg-user "user"
|
||||
:pg-password "password"}))
|
||||
|
||||
(def cred-config (merge restic-repo {:new-password-file "new-pw-file"}))
|
||||
|
||||
(def dry-run {:dry-run true :debug true})
|
||||
|
||||
(defn prepare!
|
||||
[]
|
||||
(spit "/tmp/file_password" "file-password")
|
||||
(spit "restic-pwd" "ThePassword")
|
||||
(tasks/shell "mkdir" "-p" "test-backup")
|
||||
(spit "test-backup/file" "I was here")
|
||||
(spit "new-pw-file" "newpassword")
|
||||
(tasks/shell "mkdir" "-p" "test-restore")
|
||||
(pg/create-pg-pass! db-config))
|
||||
|
||||
(defn restic-repo-init!
|
||||
[]
|
||||
(rc/init! restic-repo))
|
||||
|
||||
(prepare!)
|
||||
(restic-repo-init!)
|
||||
(cr/list-passwords! cred-config)
|
||||
(cr/maybe-add-new! cred-config)
|
||||
(cr/list-passwords! cred-config)
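Review bot: `prepare!` writes the fixture secrets with plain `spit`, so `restic-pwd`, `new-pw-file` and the fixed path `/tmp/file_password` get whatever permissions the process umask allows, and the `/tmp` one has a predictable name in a shared directory. Even with test values this is the pattern that tends to be copied into real rotation jobs; creating the files in a private temp directory (for example via `babashka.fs/create-temp-dir`) with owner-only permissions would keep the example safe to imitate. `/tmp/file_password` and the `dry-run` map are not referenced by anything visible here, so they should be either used or dropped. The script ends with a second `(cr/list-passwords! cred-config)` but asserts nothing, so a failed key add would only be noticed by reading the output.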
|
|
@ -18,12 +18,12 @@ function main() {
|
|||
apt-get install -qqy ca-certificates curl gnupg postgresql-client-16 restic openjdk-21-jre-headless nano
|
||||
curl -Ss --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/postgresql-common_pgdg_archive_keyring.gpg
|
||||
sh -c 'echo "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql-common_pgdg_archive_keyring.gpg] https://apt.postgresql.org/pub/repos/apt jammy-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
|
||||
upgradeSystem
|
||||
babashka_install
|
||||
} > /dev/null
|
||||
|
||||
update-ca-certificates
|
||||
install -m 0700 -o root -g root /tmp/init-bb.bb /usr/local/bin/
|
||||
install -m 0600 -o root -g root /tmp/bb.edn /usr/local/bin/
|
||||
cleanupDocker
|
||||
}
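Review bot: The PostgreSQL archive key is written to `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured source, so the `signed-by=` on the pgdg line does not confine it to that repository. Storing it outside the auto-trusted directory, e.g. `/etc/apt/keyrings/postgresql-common_pgdg_archive_keyring.gpg`, and pointing `signed-by` there would scope the key as intended. The `curl --fail ... | gpg --dearmor | tee` pipeline also reports only `tee`'s exit status unless `pipefail` is set somewhere outside this hunk, so a failed download may pass silently at this step and surface only later. This rendering does not show which of these lines the commit changed, and `main` starts above the hunk.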
|
||||
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
(:require
|
||||
[orchestra.core :refer [defn-spec]]
|
||||
[clojure.spec.alpha :as s]
|
||||
[dda.backup.cred-rot.domain :as domain]))
|
||||
[dda.backup.cred-rot.domain :as domain]
|
||||
[dda.backup.infrastructure :as i]))
|
||||
|
||||
(s/def ::new-password-file string?)
|
||||
|
||||
|
@ -14,8 +15,13 @@
|
|||
|
||||
(defn-spec maybe-add-new! nil?
|
||||
[config ::cred-rot]
|
||||
(when-let [{:keys [new-password-file]} config]
|
||||
(domain/add-new-password! new-password-file)))
|
||||
(let [{:keys [new-password-file]} config]
|
||||
(if (not (nil? new-password-file))
|
||||
(i/execute! (domain/add-password-command config) config))))
|
||||
|
||||
(defn-spec list-passwords! nil?
|
||||
[config ::cred-rot]
|
||||
(i/execute! (domain/list-passwords-command config) config))
|
||||
|
||||
(defn-spec replace-old-password! nil?
|
||||
[]
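Review bot: `maybe-add-new!` only checks that `:new-password-file` is present in the config, so every run with that key set issues another `key add`; if "maybe" is meant to make rotation re-runnable, it should first compare against the existing keys, presumably using the output of `list-passwords!`. Both functions declare a `nil?` return, which holds only if `i/execute!` returns nil (not visible here), and in that case `list-passwords!` discards the `--json` listing a caller would need to pick key ids. The `(if (not (nil? new-password-file)) ...)` with no else branch reads more plainly as `(when (some? new-password-file) ...)`. `replace-old-password!` continues past the end of the hunk.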
|
||||
|
|
|
@ -57,15 +57,15 @@
|
|||
|
||||
(defn-spec list-passwords-command ::cd/command
|
||||
[config ::config]
|
||||
(base-command config ["key" "list" "--json"]))
|
||||
[(base-command config ["key" "list" "--json"])])
|
||||
|
||||
(defn-spec add-password-command ::cd/command
|
||||
[config ::config]
|
||||
(let [{:keys [new-password-file]} config]
|
||||
(base-command config ["key" "add" "--new-password-file" new-password-file])))
|
||||
[(base-command config ["key" "add" "--new-password-file" new-password-file])]))
|
||||
|
||||
(defn-spec remove-password-command ::cd/command
|
||||
[config ::config
|
||||
new-id ::id
|
||||
old-id ::id]
|
||||
(base-command config ["key" "remove" "--key-hint" new-id old-id]))
|
||||
[(base-command config ["key" "remove" "--key-hint" new-id old-id])])
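Review bot: All three builders now wrap the `base-command` result in a vector but still declare `::cd/command` as their return spec; whether a one-element vector of commands conforms depends on the `::cd/command` definition, which is outside this hunk, so it should be checked under instrumentation or replaced by a spec describing a collection of commands. A one-line docstring on each, such as `"Returns a vector containing the single restic key command."`, would document the new shape for callers. In `remove-password-command`, `new-id` and `old-id` go straight into the argument list, so `::id` (not shown) should reject values beginning with `-` so that an id cannot be read by restic as an option.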
|
||||
|
|