Timemachine/cloud-sync
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49d1cb32801c6c9f84df0d616739f90de26ae0a5
cloud-sync/cloud_sync/sync.py
T
claude-timemachine 49d1cb3280
CI / test (3.10) (push) Successful in 8s
Details
CI / test (3.11) (push) Successful in 8s
Details
CI / test (3.12) (push) Successful in 7s
Details
CI / build-pyz (push) Successful in 4s
Details
CI / release (push) Has been skipped
Details
drop restic repo encryption; rely on TLS + append-only + LUKS 
User credentials now serve HTTP basic auth only. Repos init with
--insecure-no-password. Removes:
  - RESTIC_PASSWORD env in client subprocess
  - Per-repo password coordination story
  - Multi-key restic setup (user key + operator-master key)
  - Two-password recovery edge cases

Operator-side prune now runs over the filesystem path (-r /srv/.../<user>/)
which bypasses rest-server's HTTP-layer append-only enforcement. No
password needed at all.

Protection model stays:
  - TLS in transit (reverse proxy)
  - HTTP basic per-user (htpasswd) for read/write authorization
  - --private-repos for per-user URL isolation
  - --append-only for client-side delete protection
  - LUKS / disk-level for at-rest encryption (operator's responsibility)

Verified end-to-end on john: pull → push → restore round-trip works,
DELETE on bogus snapshot still returns 403 (append-only intact),
operator can read repo via filesystem path (prune-mode access works).

33 pytest still green.
2026-06-04 22:23:40 +02:00

141 lines
4.3 KiB
Python
Raw Blame History

"""pull + push entry points.
Both subprocess restic against ``rest:<scheme>://<id>:<password>@<host>/<id>/``
where the password is HTTP basic auth ONLY. Restic repos are initialised with
``--insecure-no-password`` so no encryption-at-rest password exists; protection
relies on:
1. TLS in transit at the reverse proxy
2. ``--private-repos`` + htpasswd per user at restic-rest-server
3. ``--append-only`` to prevent client-side deletion
4. Disk-level encryption (LUKS) on the host
Defense-in-depth via repo encryption was dropped because the threat model
(homelab, operator-trusted) doesn't justify the password-coordination cost.
"""
from __future__ import annotations
import sys
import urllib.parse
from pathlib import Path
from . import restic, scope as scopemod
from .cli import Args
from .creds import read_credentials
def pull(args: Args) -> int:
"""Restore latest snapshot's files into pack_folder.
If the repo has no snapshots yet, this is a no-op (first run on this
machine; nothing to restore).
"""
discord_id, password = read_credentials(args.token_file)
binary = restic.resolve_binary(args)
repo = _restic_repo(args.url, discord_id, password)
env = _restic_env()
# Check whether any snapshots exist
code, out = restic.run(
binary,
["-r", repo, "--insecure-no-password", "snapshots", "--json", "--latest", "1"],
env=env,
)
if code != 0:
print(
f"cloud-sync: failed to list snapshots (restic exit {code})",
file=sys.stderr,
)
return 2
stripped = out.strip()
if stripped in ("", "null", "[]"):
print(
"cloud-sync: no snapshots yet for this user "
"(first run on this machine?); nothing to pull"
)
return 0
scope = scopemod.load(args.pack_folder)
_, exclude_from = scopemod.materialize_for_restic(args.pack_folder, scope)
code, _ = restic.run(
binary,
[
"-r", repo, "--insecure-no-password",
"restore", "latest",
"--target", str(args.pack_folder),
"--exclude-file", str(exclude_from),
],
env=env,
)
if code != 0:
print(f"cloud-sync: restic restore failed (exit {code})", file=sys.stderr)
return 2
print("cloud-sync: pull ok")
return 0
def push(args: Args) -> int:
"""Snapshot the in-scope files into the user's repo."""
discord_id, password = read_credentials(args.token_file)
binary = restic.resolve_binary(args)
repo = _restic_repo(args.url, discord_id, password)
env = _restic_env()
scope = scopemod.load(args.pack_folder)
files_from, exclude_from = scopemod.materialize_for_restic(args.pack_folder, scope)
code, _ = restic.run(
binary,
[
"-r", repo, "--insecure-no-password",
"backup",
"--files-from", str(files_from),
"--exclude-file", str(exclude_from),
"--host", "cloud-sync",
"--tag", "auto",
],
env=env,
cwd=args.pack_folder,
)
if code != 0:
print(f"cloud-sync: restic backup failed (exit {code})", file=sys.stderr)
return 2
print("cloud-sync: push ok")
return 0
# ---------------------------------------------------------------------------
# helpers
# ---------------------------------------------------------------------------
def _restic_repo(base_url: str, discord_id: str, password: str) -> str:
"""Build rest:<scheme>://<id>:<pw>@<host>/<id>/
URL-embedded basic auth is universally supported by restic; alternative
env vars (RESTIC_REST_USERNAME, RESTIC_REST_PASSWORD) require 0.16+.
"""
raw = base_url.strip()
if raw.startswith("rest:"):
raw = raw[len("rest:"):]
raw = raw.rstrip("/")
scheme_end = raw.find("://")
if scheme_end <= 0:
raise ValueError(
f"--url must include scheme (http:// or https://): {base_url!r}"
)
scheme = raw[: scheme_end + 3]
host_and_path = raw[scheme_end + 3 :]
u = urllib.parse.quote(discord_id, safe="")
p = urllib.parse.quote(password, safe="")
return f"rest:{scheme}{u}:{p}@{host_and_path}/{discord_id}/"
def _restic_env() -> dict[str, str]:
return {
# No RESTIC_PASSWORD — repos use --insecure-no-password.
"RESTIC_PROGRESS_FPS": "0",
}
Reference in New Issue View Git Blame Copy Permalink