Perform regular backups of a pass git repository.

See: pass, the standard unix password manager. `pass` is a password management solution with GPG encryption and native git support.

note: I've been using this tool for a couple of years now, I highly recommend giving it a try

This repository aims to offer a simple backup mechanism for git repositories used to version control passwords managed using pass, the standard unix password manager. (site)
The pass-backup:archive Workflow is used to schedule a Job that will create a tarball archive of the passwords directory and upload it to AWS S3.

It leverages 2 services:

- AWS S3: store the password archive tarball
- Github Actions: generate the tarball and copy it to AWS S3
- Regular backups to an S3 bucket
- GPG-encrypted passwords using `pass`
- Easy to implement: terraform manifests are available in `./terraform/`
- KMS encryption
- Different S3 backends
- Credential management
  - a. Generate a Github Personal Access Token
  - b. Make sure you are authenticated against the AWS Terraform provider
- Adapt the configuration of the created Terraform resources
- Create the Infrastructure and configure the Github Secrets
- Add a `schedule` directive in the `./.github/workflows/backup.yml` Workflow
You can create a PAT by following the documentation at creating a personal access token. Then, export it in your environment by running:

```shell
$ export GITHUB_TOKEN=ghp_xxxxxxxxxx
```

See Github Provider Authentication for more information.

As for the AWS Terraform provider, please refer to the corresponding documentation: hashicorp/aws.
You must edit the following in the `./terraform/main.tf` file:

- `module.bucket.bucket`: the name of the S3 Bucket (unique)
- `module.backup_user.{namespace,stage,name}`: the identifier of the IAM User
- `module.secrets.repository`: the name of your Github Repository

Then, you can run the following commands in the `terraform` directory:

```shell
$ terraform apply
```
This will create:

- The AWS S3 Bucket bootstrapped using the terraform-aws-s3-bucket module
- An IAM User with API capabilities to authenticate the pass-backup:archive workflow
- The Github Actions Secret to set the S3 bucket identifiers and API keys
In the `./.github/workflows/backup.yml` Workflow, add the following lines:

```yaml
on:
  workflow_dispatch:
  # add the lines below
  schedule:
    - cron: '30 5,17 * * *'
```

See Schedule Trigger for Workflows for more information on the syntax.
You can confirm that your configuration is working as expected by triggering the pass-backup:archive Workflow using `workflow_dispatch`. See Manual events - workflow_dispatch for more information.
The tarball archives are located in S3:

```shell
$ aws s3 ls s3://tbobm-bucket-pass-backup/pass-backup/prod/archive/
2022-01-02 23:10:57 162 2022-01-02.tar.gz
```

The S3 Bucket key can be overridden in the `./terraform/main.tf` file.
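The workflow described above (tar the password store, copy the tarball to S3) and the listing check just shown are the two pieces a practitioner usually scripts and then never tests. The following is an added example and not code from the pass-backup project: it builds the dated archive, verifies it before any upload (gzip integrity, the `.gpg-id` file, at least one encrypted entry), and picks the newest key out of `aws s3 ls` output so a "did last night's backup land?" check can be automated. The `<date>.tar.gz` naming follows the listing in this README; the store layout is the standard pass one; the bucket and prefix arguments of `upload_archive` and the sample listing are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the pass-backup project. Archive a pass store,
# check the archive, and parse an `aws s3 ls` listing; everything except
# upload_archive runs offline. Archive name <date>.tar.gz mirrors the README.
set -eu

# Create a gzipped tarball of the password store, named after the UTC date.
# -C keeps paths inside the archive relative, so the store's absolute path on
# the runner does not end up in the backup. Prints the archive path.
make_archive() {
  local store_dir=$1 out_dir=$2
  local day=${3:-$(date -u +%Y-%m-%d)}
  local archive="$out_dir/$day.tar.gz"
  mkdir -p "$out_dir"
  tar -czf "$archive" -C "$store_dir" .
  printf '%s\n' "$archive"
}

# Check an archive before it is uploaded: gzip integrity, the .gpg-id file
# (pass cannot decrypt or re-encrypt a restored store without it) and at
# least one encrypted entry. Returns non-zero on any failure.
verify_archive() {
  local archive=$1
  gzip -t "$archive" || return 1
  tar -tzf "$archive" | grep -qx './.gpg-id' || return 1
  tar -tzf "$archive" | grep -q '\.gpg$' || return 1
}

# Upload step as the workflow would run it. Bucket and prefix are assumed
# arguments; this needs the AWS CLI and credentials, so it is not run here.
upload_archive() {
  local archive=$1 bucket=$2 prefix=$3
  aws s3 cp "$archive" "s3://$bucket/$prefix/"
}

# Read `aws s3 ls <prefix>` output (date time size key) on stdin and print the
# key of the newest dated archive. "PRE" directory lines have no 4th field
# and are ignored.
latest_archive_key() {
  awk '$4 ~ /\.tar\.gz$/ { print $1, $2, $4 }' | sort | tail -n 1 | awk '{ print $3 }'
}

# Constructed sample listing in the format `aws s3 ls` prints.
SAMPLE_LISTING='2022-01-02 23:10:57        162 2022-01-02.tar.gz
2022-01-03 05:31:02        170 2022-01-03.tar.gz
                           PRE old/'

# Build a constructed store (placeholder content, not real GPG output),
# archive it, verify it and print the archive path.
demo_run() {
  local work store archive
  work=$(mktemp -d)
  store="$work/password-store"
  mkdir -p "$store/work"
  printf 'ABCDEF0123456789\n' > "$store/.gpg-id"          # constructed key id
  printf 'not-real-ciphertext\n' > "$store/example.com.gpg"
  printf 'not-real-ciphertext\n' > "$store/work/vpn.gpg"
  archive=$(make_archive "$store" "$work/out" 2022-01-02)
  verify_archive "$archive"
  printf '%s\n' "$archive"
}

demo_run
printf 'newest key in sample listing: %s\n' \
  "$(printf '%s\n' "$SAMPLE_LISTING" | latest_archive_key)"
```

Two points worth keeping in mind when wiring this into the scheduled Job: only the entry contents are GPG-encrypted, the entry file names and `.gpg-id` travel in clear inside the tarball, so the bucket must stay private regardless of the encryption; and `verify_archive` is cheap enough to run on every execution, which catches an empty or truncated store long before a restore is needed.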