From 67d0f7f6aca7a9d2807baff32e4546f21a7f7b45 Mon Sep 17 00:00:00 2001 From: Aly Raffauf Date: Mon, 15 Jul 2024 23:53:15 -0400 Subject: [PATCH] mauville: idempotent backblaze authentication (#37) * mauville: add backblaze secrets * mauville/home: authenticate with backblaze before nightly backups * fix format * mauville: move backblaze secret to home * aly: setup backblaze secrets * mauville: pass config to hm module --- homes/aly/default.nix | 6 ++++++ hosts/mauville/home.nix | 17 +++++++++++++++-- secrets/backblaze/key.age | Bin 0 -> 1234 bytes secrets/backblaze/keyId.age | 24 ++++++++++++++++++++++++ secrets/secrets.nix | 2 ++ 5 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 secrets/backblaze/key.age create mode 100644 secrets/backblaze/keyId.age diff --git a/homes/aly/default.nix b/homes/aly/default.nix index beadc0c6..edea9240 100644 --- a/homes/aly/default.nix +++ b/homes/aly/default.nix @@ -18,6 +18,11 @@ in { self.inputs.nur.hmModules.nur ]; + age.secrets = { + backblazeKeyId.file = ../../secrets/backblaze/keyId.age; + backblazeKey.file = ../../secrets/backblaze/key.age; + }; + home = { homeDirectory = "/home/aly"; @@ -26,6 +31,7 @@ in { }; packages = [ + pkgs.backblaze-b2 pkgs.browsh pkgs.curl pkgs.fractal diff --git a/hosts/mauville/home.nix b/hosts/mauville/home.nix index c2e675b1..49a1bd7a 100644 --- a/hosts/mauville/home.nix +++ b/hosts/mauville/home.nix 
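Review bot: Declaring `age.secrets.backblazeKeyId` and `age.secrets.backblazeKey` in the shared `homes/aly/default.nix` module (hunk `@@ -18,6 +18,11 @@`) puts the Backblaze credentials into every configuration that imports this home, while the only consumer visible in this patch is the `backblaze-sync` unit in `hosts/mauville/home.nix`. If other hosts import this module, the key is presumably decrypted on machines that never run the backup. Moving the `age.secrets = { … };` attribute set into the `users.aly` module in `hosts/mauville/home.nix`, which now receives `config`, would keep it on the one host that needs it. The same applies to `pkgs.backblaze-b2` in the `@@ -26,6 +31,7 @@` hunk if the CLI is only needed for the backup unit. If the declaration stays here, a comment such as `# Backblaze B2 application key, consumed by mauville's backblaze-sync unit` would record why the secret exists.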
@@ -17,13 +17,25 @@ } ]; - users.aly = lib.mkForce { + users.aly = lib.mkForce ({ + config, + pkgs, + lib, + ... + }: { imports = [self.homeManagerModules.aly]; + systemd.user = { services.backblaze-sync = { Unit.Description = "Backup to Backblaze."; Service.ExecStart = "${pkgs.writeShellScript "backblaze-sync" '' + # Authenticate with backblaze. + b2KeyId=`cat ${config.age.secrets.backblazeKeyId.path}` + b2Key=`cat ${config.age.secrets.backblazeKey.path}` + + ${lib.getExe pkgs.backblaze-b2} authorize_account $b2KeyId $b2Key + declare -A backups backups=( ['/home/aly/pics/camera']="b2://aly-camera" @@ -32,6 +44,7 @@ ['/mnt/Media/Audiobooks']="b2://aly-audiobooks" ['/mnt/Media/Music']="b2://aly-music" ) + # Recursively backup folders to B2 with sanity checks. for folder in "''${!backups[@]}"; do if [ -d "$folder" ] && [ "$(ls -A "$folder")" ]; then @@ -50,6 +63,6 @@ Unit.Description = "Daily backups to Backblaze."; }; }; - }; + }); }; } 
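Review bot: The application key is passed as a positional argument in the added line `${lib.getExe pkgs.backblaze-b2} authorize_account $b2KeyId $b2Key`, so it sits in the process argument list, which by default any local user can read (for example via `ps`) while the command runs. The b2 CLI can also take credentials from the environment, so `export B2_APPLICATION_KEY_ID="$(cat ${config.age.secrets.backblazeKeyId.path})"` and `export B2_APPLICATION_KEY="$(cat ${config.age.secrets.backblazeKey.path})"` would keep the key out of argv, since a process's environment is readable only by its owner. No `set -e` or exit-status check is visible in this hunk, so a failed authorization would presumably fall through to the sync loop; appending `|| exit 1` to the authorize call would make the unit fail visibly instead. The script body continues past the end of this hunk, so an existing error-handling line outside it cannot be ruled out.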
diff --git a/secrets/backblaze/key.age b/secrets/backblaze/key.age new file mode 100644 index 0000000000000000000000000000000000000000..f8095201ff433e71b371f9cbfb0d177aee9ae0d7 GIT binary patch literal 1234 zcmZY8D-Y{r0LF0ym{|l61oh2WuWLs*B)#9(b#1qhMfE=-wtR*_l{eNS_FEGYg}ia03|!!6dGm^vz&u(eBbJky=9A0I|v+4U}xn~1Fg)@Bh)l= zPI4jAV!ObuxuLl#(?}_dn(HjWRTD4x90Q|Xfq;cn6)kKrLdPlWArP zSgtRjrt<|&q&t(li(ZB+Hz%$;KN|2<#sN^yj>yL-@~GJdle8GfZE_XE>IocF7GpYg zGLc{wXA~zvcSw&SjBwjR<(mi@7pmvgYIblFa@97jYuj08`#g_eCZjTOdSN8PIcgaz zZ?Z?NzSVbngj|`H+>BE~0SDssuo{`lNxD89g_VC|h5Qm(bl*>@BkPO4ii;iFUpSC9 z2_lx_EKr2xt>aBGpxb^O+TuVotg5NtQHv;Hm6_1Rl{Yzt3_6LeJ$_GasX}#`G@3Vr zEV@ahC9EGt*S5{*MICP4eW6$*eAPnXw%uMq-0MOmUVsxsr|xc#mbBs2JejpIO?P!`ohH zt#GD~{BWCZc8_1nWS_a`SbyAxRxUw|&`oHO^nTfGaW84sv6rNb18`r?a&6~vvf!bV zAG6%69|{Y+sLDwejiM;Zovei2q)wBBXKllIzEmPJpoP)c3TN+sy@|P#G$zzBZbmvI zRUGwJu&lW*6PK!pl5yqc4yw&6s&J1_G3!-BX0Pa*lQi(%R0Q_LrajJ6od`eWnm_4Q zJRJNEl{6%wj*I1T2}Kz^w-??pQrpKSO-d|nSo0q4qO>6#K}Fa;3?_euT&ee0d*>7UO({r9KOzWcd6VE+jDU*CWG?DE0O TA3uJ2eC?|j-zdY^zrXn(^qH4Q literal 0 HcmV?d00001 diff --git a/secrets/backblaze/keyId.age b/secrets/backblaze/keyId.age new file mode 100644 index 00000000..96f3af02 --- /dev/null +++ b/secrets/backblaze/keyId.age 
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 xIeYNQ 0eLTUD0+gpBV67tINrV3wJPvYLLZ+fWkyyNUkjTlVjY +Hku5xxDCcOvq9+odSaOmhot1QUYPlp8ap+IElqs5m5A +-> ssh-ed25519 g+apXg e/F8XZYo2dkbuP/P4cDGZLtLBcadF4gENH0fOIyM6Sk +XQJSvz6hUFxYFmk0X2FTePeh5JojOXF0ATISOa5ZgmQ +-> ssh-ed25519 osHDzw th+ZE7J9HthB4VPxcOReG7PVkh3hX1sjd8KnJs1dvFc +psvs6wQ4c0iLAOQlfScIngFb94OYLcmZ7jYNo2DBPos +-> ssh-ed25519 GrlIbA 0oCMgHSWUhFXu9pU2buDq9nO7P3T9cMDZ4b7kTqA5Sc +TvxWJU/laU+JYktaPU8V/OJEf3AGWpjv9QXvym6+sVY +-> ssh-ed25519 STQ5RA NYFHQGikY+IE5HD4lggPeZ4i/YQpETVjLxkEskCpfic +FNUroiFjS0AONQcJv5e+/+4b9FzgtUUm/HuaZHOmhQc +-> ssh-ed25519 nrny8w /dRtHkwucgHVT5uHud1wSqRh67/7vdPxyA5UMYAtyAw +1BLi+VpoBmlOlgOdGcOn9MAzjFL5HnsorVM73h8Qee0 +-> ssh-ed25519 c7E/gQ gIDvCjkIbd43R6vfa65ngGd1xiHTPrbnA4O8WxJJOUA +g+Blq7FXbYx0mSgjSdTOHiLlC9tTT43LebWNUcpb02I +-> ssh-ed25519 W5caqg mZNrp9La5aj5r8qN0l0G78kPKypYoeeOXVZzTjhu2Vc +VpUQZQpMGKWZXDFiBFfUiYGey9jICPBYMaqZ5aO04eQ +-> ssh-ed25519 1mX44w c+NsOrCyoFdXIu2K0ZDn1Qih6+rii9wcb8tQlu8lEBw +GB+OdxQUF3i1Rl0UtJ+7eVJg89A9CQIKuiFYjAjExb0 +-> ssh-ed25519 FhVeqQ NImafw9CGL4NRT50CHmuXyhCj5zNm0fzbCv4MyNvRC4 +Q+VVd73FmOuase22MLEntFaVQkXTb9dsXW153CPw21g +--- XmBwIXTnJG7z92lXYsA+y+0L8W96a2vsiTMz87pe8CI +ã~”E