Add passcommand for database dumps #795

Closed
opened 2023-11-24 20:16:08 +00:00 by Martin · 7 comments

What I'd like to do and why

A `passcommand` in addition to `password` for database dumps would be nice for those who cannot log in without a password and do not like to have the password in `config.yaml`.

Other notes / implementation ideas

No response

witten added the good first issue label 2023-11-24 21:17:27 +00:00
Owner

Thanks for taking the time to file this! Maybe there could be a new option in each database configuration that allows the user to specify the passcommand for that database instead of a password. And if specified, borgmatic would call out to that command, consuming its stdout (stripped of newlines) to get the password to use.

In the meantime though, these docs may be helpful: https://torsion.org/borgmatic/docs/how-to/provide-your-passwords/

Contributor

But borgmatic can already do that right? Afaik it should support reading things from the env so why add a feature to do that manually for one field? Is there any limitation to running your password script before calling borgmatic, saving the output in the env and calling borgmatic after that?

Owner

If there's one common theme in borgmatic feature requests, it's that users want to do more and more directly from the configuration file rather than having to rely on external shell scripting. Having said that, the work-around you describe is a totally viable option for certain users.

Owner

@Martin borgmatic is getting several new credential loading hooks in the next release. None of them directly solve this ask, but it would be pretty easy now to add a new credential hook that allows calling arbitrary commands from password fields within borgmatic's configuration file. Made-up example:

```yaml
postgresql_databases:
    - name: invoices
      username: postgres
      password: "{credential command some-command-to-run}"
```

However, one question first so I can understand the use case: What command do you want to run to get your password? It might be useful to support running arbitrary commands, but it might also be neat to add a more targeted credential hook as well (or instead). For instance, I just added a credential hook that allows loading credentials from KeePassXC, a password manager. Example:

```yaml
postgresql_databases:
    - name: invoices
      username: postgres
      password: "{credential keepassxc keys.kdbx borgmatic}"
```

So where is your database password actually coming from?

Author

> So where is your database password actually coming from?

In my case, it is probably something as simple as `cat <filename>`, where the file contains only the password.
I.e. special handling that might make sense.

Owner

Oh, good news then! This is already implemented in main and will be part of the next release! Example usage:

```yaml
postgresql_databases:
    - name: invoices
      username: postgres
      password: "{credential file /path/to/my/credential.txt}"
```

What that does is read the contents of the `/path/to/my/credential.txt` file and insert it into the password field.

So I'll call this done for now even though it doesn't (yet) support running arbitrary commands. But that could potentially be added later on if there's a need.
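As an added illustration (not part of the thread and not borgmatic's own code), here is a sketch of how a config loader could resolve the `{credential file ...}` tag and the "made-up" `{credential command ...}` tag discussed above. The function names, the refusal of group/other-accessible files, and the 30-second timeout are assumptions of this example.

```python
import os
import re
import shlex
import stat
import subprocess

# Tag shapes are taken from the thread; the resolver itself is hypothetical.
TAG = re.compile(r"^\{credential\s+(file|command)\s+(.+)\}$")


def read_credential_file(path):
    """Return the file's contents, refusing files other users can access."""
    # O_NOFOLLOW (where available) rejects a symlink swapped in at the final path.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r") as handle:
        info = os.fstat(handle.fileno())  # check the opened file, not the path
        if not stat.S_ISREG(info.st_mode):
            raise ValueError(f"{path}: not a regular file")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other bits set, expected 0600")
        return handle.read().rstrip("\r\n")


def run_credential_command(command_line):
    """Run the command without a shell; return stdout minus trailing newlines."""
    result = subprocess.run(
        shlex.split(command_line),  # argv list: no shell metacharacter expansion
        capture_output=True, text=True, check=True, timeout=30,
    )
    return result.stdout.rstrip("\r\n")


def resolve(value):
    """Resolve a config value; strings without a credential tag pass through."""
    match = TAG.match(value)
    if not match:
        return value
    kind, argument = match.groups()
    if kind == "file":
        return read_credential_file(argument.strip())
    secret = run_credential_command(argument)
    if not secret:
        raise ValueError("credential command produced no output")
    return secret
```
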

Owner

Released in borgmatic 1.9.11!

Reference: borgmatic-collective/borgmatic#795