From 3baa511fce2e5731b97cf27a18b18bd2c1af18bc Mon Sep 17 00:00:00 2001
From: Quentin Dufour <quentin@deuxfleurs.fr>
Date: Thu, 27 Jan 2022 16:32:57 +0100
Subject: Plume backup + WIP consul

---
 op_guide/backup_minio/README.md | 56 +++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 10 deletions(-)

(limited to 'op_guide')

diff --git a/op_guide/backup_minio/README.md b/op_guide/backup_minio/README.md
index 31194e5..b67e42a 100644
--- a/op_guide/backup_minio/README.md
+++ b/op_guide/backup_minio/README.md
@@ -3,9 +3,12 @@ Add the admin account as `deuxfleurs` to your `~/.mc/config` file
 You need to choose some names/identifiers:
 
 ```bash
-export BUCKET_NAME=example
-export NEW_ACCESS_KEY_ID=hello
+export ENDPOINT="https://s3.garage.tld"
+export SERVICE_NAME="example"
 
+
+export BUCKET_NAME="backups-${SERVICE_NAME}"
+export NEW_ACCESS_KEY_ID="key-${SERVICE_NAME}"
 export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
 export POLICY_NAME="policy-$BUCKET_NAME"
 ```
@@ -22,7 +25,19 @@ Create a new user:
 mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY
 ```
 
-Add this new user to your `~/.mc/config.json` file, as `backup-user` for example.
+Add this new user to your `~/.mc/config.json`, run this command before to generate the snippet to copy/paste:
+
+```
+cat > /dev/stdout <<EOF
+"$NEW_ACCESS_KEY_ID": {
+	"url": "$ENDPOINT",
+	"accessKey": "$NEW_ACCESS_KEY_ID",
+	"secretKey": "$NEW_SECRET_ACCESS_KEY",
+	"api": "S3v4",
+	"path": "auto"
+},
+EOF
+```
 
 ---
 
@@ -79,8 +94,6 @@ mc ls backup-user/
 Now we need to initialize the repository with restic.
 
 ```bash
-export ENDPOINT="https://garage.tld"
-
 export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID
 export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY
 export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"
@@ -101,16 +114,39 @@ See your snapshots with:
 restic snapshots
 ```
 
+Check also these useful commands:
+
+```
+restic ls
+restic diff
+restic help
+```
+
 ---
 
 Add the secrets to Consul, near your service secrets.
 The idea is that the backuping service is a component of the global running service.
-You must add:
-  - `backup_aws_access_key_id`
-  - `backup_aws_secret_access_key`
-  - `backup_restic_repository`
-  - `backup_restic_password`
+You must run in `app/<name>/secrets/<subpath>`:
+
+```bash
+echo "USER Backup AWS access key ID" > backup_aws_access_key_id
+echo "USER Backup AWS secret access key" > backup_aws_secret_access_key
+echo "USER Restic repository, eg. s3:https://s3.garage.tld" > backup_restic_repository
+echo "USER Restic password to encrypt backups" > backup_restic_password
+```
+
+Then run secretmgr:
 
+```bash
+# Spawning a nix shell is an easy way to get all the dependencies you need
+nix-shell
+
+# Check that secretmgr works for you
+python3 secretmgr.py check <name>
+
+# Now interactively feed the secrets
+python3 secretmgr.py gen <name>
+```
 
 ---
 
-- 
cgit v1.2.3