
Example repository used to demonstrate regular interval backups on a Unix pass git repository

tbobm/pass-backup

Pass Backup

Perform regular backups of a pass git repository.

See: pass, the standard unix password manager

pass is a password management solution with GPG encryption and native git support.

note: I've been using this tool for a couple of years now, I highly recommend giving it a try

Goal

This repository aims to offer a simple backup mechanism for git repositories used to version control passwords managed using pass, the standard unix password manager. (site)

The pass-backup:archive Workflow is used to schedule a Job that will create a tarball archive of the passwords directory and upload it to AWS S3.

It leverages 2 services:

  • AWS S3: store the password archive tarball
  • Github Actions: generate the tarball and copy it to AWS S3

Features

  • Regular backups to an S3 bucket
  • GPG-encrypted passwords using pass
  • Easy to implement: terraform manifests are available in ./terraform/

Next steps

  • KMS encryption
  • Different S3 backends

Usage

  1. Credential management
     a. Generate a Github Personal Access Token
     b. Make sure you are authenticated against the AWS Terraform provider
  2. Adapt the configuration of the created Terraform resources
  3. Create the Infrastructure and configure the Github Secrets
  4. Add a schedule directive in the ./.github/workflows/backup.yml Workflow

Credential management

You can create a PAT by following the documentation at creating a personal access token.

Then, export it in your environment by running:

$ export GITHUB_TOKEN=ghp_xxxxxxxxxx

See Github Provider Authentication for more information

As for the AWS Terraform provider, please refer to the corresponding documentation: hashicorp/aws.

Adapt the resources

You must edit the following in the ./terraform/main.tf file:

  • module.bucket.bucket: the name of the S3 Bucket (unique)
  • module.backup_user.{namespace,stage,name}: the identifier of the IAM User
  • module.secrets.repository: the name of your Github Repository

Create the Terraform resources

Then, you can run the following commands in the terraform directory:

$ terraform apply

This will create:

  • The AWS S3 Bucket bootstrapped using the terraform-aws-s3-bucket module
  • An IAM User with API capabilities to authenticate the pass-backup:archive workflow
  • The Github Actions Secret to set the S3 bucket identifiers and API keys

Schedule the backups

In the ./.github/workflows/backup.yml Workflow, add the following lines:

on:
  workflow_dispatch:
  # add the lines below
  schedule:
    - cron: '30 5,17 * * *'

See Schedule Trigger for Workflows for more information on the syntax

Trying out the backup mechanism

You can confirm that your configuration is working as expected by triggering the pass-backup:archive Workflow using workflow_dispatch.

See Manual events - workflow_dispatch for more information.

Access your backups

The tarball archives are located in S3:

$ aws s3 ls s3://tbobm-bucket-pass-backup/pass-backup/prod/archive/
2022-01-02 23:10:57        162 2022-01-02.tar.gz

The S3 Bucket key can be overridden in the ./terraform/main.tf file.
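
Since the backup relies on pass's GPG encryption of each entry, a downloaded archive can be checked for members that are not encrypted. The script below is an added example, not part of this repository; the function names are illustrative, and it assumes the tarball holds a standard pass store layout (`*.gpg`, `.gpg-id`, optional `.gitattributes` and `.git/`), which the README does not spell out.

```sh
#!/bin/sh
# Added example: audit a downloaded pass-backup tarball.
# Assumed layout (not confirmed by the README): a pass store with *.gpg
# entries, .gpg-id, optional .gitattributes and .git/ metadata.

ARMOR='45 45 45 45 45 66 69 71 73 78 32 80 71 80'  # bytes of "-----BEGIN PGP"

# List members that do not belong in a pass store (possible plaintext).
unexpected_entries() {
    tar -tzf "$1" | grep -v '/$' | while IFS= read -r entry; do
        case "$entry" in
            *.gpg | .gpg-id | */.gpg-id | .gitattributes | */.gitattributes) ;;
            .git/* | */.git/*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# List *.gpg members whose first bytes are neither a binary OpenPGP packet
# header (first byte >= 0x80) nor an ASCII-armor line. Heuristic only: it
# does not prove the data decrypts, only that it is not obvious plaintext.
not_openpgp_entries() {
    archive=$1
    tar -tzf "$archive" | grep '\.gpg$' | while IFS= read -r entry; do
        # Positional parameters become the first 14 bytes as decimals.
        set -- $(tar -xzOf "$archive" "$entry" | od -An -tu1 -N14)
        if [ "${1:-0}" -lt 128 ] && [ "$*" != "$ARMOR" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# 0 = clean, 1 = suspicious members (named on stderr), 2 = unreadable
# archive or no *.gpg entry at all (an empty backup is a failed backup).
audit_pass_archive() {
    tar -tzf "$1" 2>/dev/null | grep -q '\.gpg$' || return 2
    bad=$(unexpected_entries "$1"; not_openpgp_entries "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/suspicious: /' >&2
    return 1
}

# Usage: . ./audit.sh && audit_pass_archive 2022-01-02.tar.gz
```

A non-zero result from a scheduled run of this check is a signal to inspect the store before the next backup overwrites or joins it.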
