IM/ansible_fencl
4
0
Fork 0
forked from jakub/ansible
Code Pull Requests Activity

Encrypt borg repos with repokey-blake2 + shared passphrase

Browse Source 
borg_passphrase is required (Semaphore secret, same across hosts).
The role writes it to /etc/borgmatic/passphrase (0600 root) and
configures borgmatic to use BORG_PASSCOMMAND=cat /etc/borgmatic/passphrase,
and runs `borg init --encryption=repokey-blake2` with BORG_PASSPHRASE in
the env. no_log on the tasks that touch the passphrase.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Jakub Žáček
2026-05-15 21:58:14 +02:00
parent 885a617388
commit 54e111338d
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
roles/backup/tasks/borgcontroller.yml
+4 -1
View File
@@ -120,9 +120,12 @@
- name: Initialize borg repository (no-op if already initialized)
ansible.builtin.command:
cmd: borg init --encryption=none {{ borgcontroller_repo_uri }}
cmd: borg init --encryption=repokey-blake2 {{ borgcontroller_repo_uri }}
environment:
BORG_PASSPHRASE: "{{ borg_passphrase }}"
register: _borg_init
changed_when: _borg_init.rc == 0
failed_when:
- _borg_init.rc != 0
- "'already exists' not in (_borg_init.stderr | default(''))"
no_log: true