mauville: idempotent backblaze authentication (#37)

* mauville: add backblaze secrets * mauville/home: authenticate with backblaze before nightly backups * fix format * mauville: move backblaze secret to home * aly: setup backblaze secrets * mauville: pass config to hm module
2024-11-24 16:51:54 -05:00 · 2024-07-15 23:53:15 -04:00 · 2024-07-15 23:53:15 -04:00 · 67d0f7f6ac
parent a16cd5ef41
commit 67d0f7f6ac
5 changed files with 47 additions and 2 deletions
--- a/homes/aly/default.nix
+++ b/homes/aly/default.nix
@ -18,6 +18,11 @@ in {
    self.inputs.nur.hmModules.nur
  ];

+  age.secrets = {
+    backblazeKeyId.file = ../../secrets/backblaze/keyId.age;
+    backblazeKey.file = ../../secrets/backblaze/key.age;
+  };
+
  home = {
    homeDirectory = "/home/aly";

@ -26,6 +31,7 @@ in {
    };

    packages = [
+      pkgs.backblaze-b2
      pkgs.browsh
      pkgs.curl
      pkgs.fractal
--- a/hosts/mauville/home.nix
+++ b/hosts/mauville/home.nix
@ -17,13 +17,25 @@
      }
    ];

-    users.aly = lib.mkForce {
+    users.aly = lib.mkForce ({
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
      imports = [self.homeManagerModules.aly];
+
      systemd.user = {
        services.backblaze-sync = {
          Unit.Description = "Backup to Backblaze.";

          Service.ExecStart = "${pkgs.writeShellScript "backblaze-sync" ''
+            # Authenticate with backblaze.
+            b2KeyId=`cat ${config.age.secrets.backblazeKeyId.path}`
+            b2Key=`cat ${config.age.secrets.backblazeKey.path}`
+
+            ${lib.getExe pkgs.backblaze-b2} authorize_account $b2KeyId $b2Key
+
            declare -A backups
            backups=(
              ['/home/aly/pics/camera']="b2://aly-camera"
@ -32,6 +44,7 @@
              ['/mnt/Media/Audiobooks']="b2://aly-audiobooks"
              ['/mnt/Media/Music']="b2://aly-music"
            )
+
            # Recursively backup folders to B2 with sanity checks.
            for folder in "''${!backups[@]}"; do
              if [ -d "$folder" ] && [ "$(ls -A "$folder")" ]; then
@ -50,6 +63,6 @@
          Unit.Description = "Daily backups to Backblaze.";
        };
      };
-    };
+    });
  };
 }
--- a/secrets/backblaze/key.age
+++ b/secrets/backblaze/key.age
--- a/secrets/backblaze/keyId.age
+++ b/secrets/backblaze/keyId.age
@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 xIeYNQ 0eLTUD0+gpBV67tINrV3wJPvYLLZ+fWkyyNUkjTlVjY
+Hku5xxDCcOvq9+odSaOmhot1QUYPlp8ap+IElqs5m5A
+-> ssh-ed25519 g+apXg e/F8XZYo2dkbuP/P4cDGZLtLBcadF4gENH0fOIyM6Sk
+XQJSvz6hUFxYFmk0X2FTePeh5JojOXF0ATISOa5ZgmQ
+-> ssh-ed25519 osHDzw th+ZE7J9HthB4VPxcOReG7PVkh3hX1sjd8KnJs1dvFc
+psvs6wQ4c0iLAOQlfScIngFb94OYLcmZ7jYNo2DBPos
+-> ssh-ed25519 GrlIbA 0oCMgHSWUhFXu9pU2buDq9nO7P3T9cMDZ4b7kTqA5Sc
+TvxWJU/laU+JYktaPU8V/OJEf3AGWpjv9QXvym6+sVY
+-> ssh-ed25519 STQ5RA NYFHQGikY+IE5HD4lggPeZ4i/YQpETVjLxkEskCpfic
+FNUroiFjS0AONQcJv5e+/+4b9FzgtUUm/HuaZHOmhQc
+-> ssh-ed25519 nrny8w /dRtHkwucgHVT5uHud1wSqRh67/7vdPxyA5UMYAtyAw
+1BLi+VpoBmlOlgOdGcOn9MAzjFL5HnsorVM73h8Qee0
+-> ssh-ed25519 c7E/gQ gIDvCjkIbd43R6vfa65ngGd1xiHTPrbnA4O8WxJJOUA
+g+Blq7FXbYx0mSgjSdTOHiLlC9tTT43LebWNUcpb02I
+-> ssh-ed25519 W5caqg mZNrp9La5aj5r8qN0l0G78kPKypYoeeOXVZzTjhu2Vc
+VpUQZQpMGKWZXDFiBFfUiYGey9jICPBYMaqZ5aO04eQ
+-> ssh-ed25519 1mX44w c+NsOrCyoFdXIu2K0ZDn1Qih6+rii9wcb8tQlu8lEBw
+GB+OdxQUF3i1Rl0UtJ+7eVJg89A9CQIKuiFYjAjExb0
+-> ssh-ed25519 FhVeqQ NImafw9CGL4NRT50CHmuXyhCj5zNm0fzbCv4MyNvRC4
+Q+VVd73FmOuase22MLEntFaVQkXTb9dsXW153CPw21g
+--- XmBwIXTnJG7z92lXYsA+y+0L8W96a2vsiTMz87pe8CI
+ã~”E<YOªà_ŸcØ¶‘L}#àgÕñX:J<0B>m“!
+øÖGŸŸ}67º•W”ZªÀï:L
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -17,6 +17,8 @@ let
  userKeys = builtins.map (user: builtins.readFile ./publicKeys/${user}.pub) users;
  keys = systemKeys ++ userKeys;
 in {
+  "backblaze/key.age".publicKeys = keys;
+  "backblaze/keyId.age".publicKeys = keys;
  "cloudflare.age".publicKeys = keys;
  "lastFM/apiKey.age".publicKeys = keys;
  "lastFM/secret.age".publicKeys = keys;