mauville: idempotent backblaze authentication (#37)

* mauville: add backblaze secrets

* mauville/home: authenticate with backblaze before nightly backups

* fix format

* mauville: move backblaze secret to home

* aly: setup backblaze secrets

* mauville: pass config to hm module

homes/aly/default.nix

@@ -18,6 +18,11 @@ in {
     self.inputs.nur.hmModules.nur
   ];
 
+  age.secrets = {
+    backblazeKeyId.file = ../../secrets/backblaze/keyId.age;
+    backblazeKey.file = ../../secrets/backblaze/key.age;
+  };
+
   home = {
     homeDirectory = "/home/aly";
 
@@ -26,6 +31,7 @@ in {
     };
 
     packages = [
+      pkgs.backblaze-b2
       pkgs.browsh
       pkgs.curl
       pkgs.fractal

hosts/mauville/home.nix

@@ -17,13 +17,25 @@
       }
     ];
 
-    users.aly = lib.mkForce {
+    users.aly = lib.mkForce ({
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
       imports = [self.homeManagerModules.aly];
+
       systemd.user = {
         services.backblaze-sync = {
           Unit.Description = "Backup to Backblaze.";
 
           Service.ExecStart = "${pkgs.writeShellScript "backblaze-sync" ''
+            # Authenticate with backblaze.
+            b2KeyId=`cat ${config.age.secrets.backblazeKeyId.path}`
+            b2Key=`cat ${config.age.secrets.backblazeKey.path}`
+
+            ${lib.getExe pkgs.backblaze-b2} authorize_account $b2KeyId $b2Key
+
             declare -A backups
             backups=(
               ['/home/aly/pics/camera']="b2://aly-camera"
@@ -32,6 +44,7 @@
               ['/mnt/Media/Audiobooks']="b2://aly-audiobooks"
               ['/mnt/Media/Music']="b2://aly-music"
             )
+
             # Recursively backup folders to B2 with sanity checks.
             for folder in "''${!backups[@]}"; do
               if [ -d "$folder" ] && [ "$(ls -A "$folder")" ]; then
@@ -50,6 +63,6 @@
           Unit.Description = "Daily backups to Backblaze.";
         };
       };
-    };
+    });
   };
 }

secrets/backblaze/keyId.age

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 xIeYNQ 0eLTUD0+gpBV67tINrV3wJPvYLLZ+fWkyyNUkjTlVjY
+Hku5xxDCcOvq9+odSaOmhot1QUYPlp8ap+IElqs5m5A
+-> ssh-ed25519 g+apXg e/F8XZYo2dkbuP/P4cDGZLtLBcadF4gENH0fOIyM6Sk
+XQJSvz6hUFxYFmk0X2FTePeh5JojOXF0ATISOa5ZgmQ
+-> ssh-ed25519 osHDzw th+ZE7J9HthB4VPxcOReG7PVkh3hX1sjd8KnJs1dvFc
+psvs6wQ4c0iLAOQlfScIngFb94OYLcmZ7jYNo2DBPos
+-> ssh-ed25519 GrlIbA 0oCMgHSWUhFXu9pU2buDq9nO7P3T9cMDZ4b7kTqA5Sc
+TvxWJU/laU+JYktaPU8V/OJEf3AGWpjv9QXvym6+sVY
+-> ssh-ed25519 STQ5RA NYFHQGikY+IE5HD4lggPeZ4i/YQpETVjLxkEskCpfic
+FNUroiFjS0AONQcJv5e+/+4b9FzgtUUm/HuaZHOmhQc
+-> ssh-ed25519 nrny8w /dRtHkwucgHVT5uHud1wSqRh67/7vdPxyA5UMYAtyAw
+1BLi+VpoBmlOlgOdGcOn9MAzjFL5HnsorVM73h8Qee0
+-> ssh-ed25519 c7E/gQ gIDvCjkIbd43R6vfa65ngGd1xiHTPrbnA4O8WxJJOUA
+g+Blq7FXbYx0mSgjSdTOHiLlC9tTT43LebWNUcpb02I
+-> ssh-ed25519 W5caqg mZNrp9La5aj5r8qN0l0G78kPKypYoeeOXVZzTjhu2Vc
+VpUQZQpMGKWZXDFiBFfUiYGey9jICPBYMaqZ5aO04eQ
+-> ssh-ed25519 1mX44w c+NsOrCyoFdXIu2K0ZDn1Qih6+rii9wcb8tQlu8lEBw
+GB+OdxQUF3i1Rl0UtJ+7eVJg89A9CQIKuiFYjAjExb0
+-> ssh-ed25519 FhVeqQ NImafw9CGL4NRT50CHmuXyhCj5zNm0fzbCv4MyNvRC4
+Q+VVd73FmOuase22MLEntFaVQkXTb9dsXW153CPw21g
+--- XmBwIXTnJG7z92lXYsA+y+0L8W96a2vsiTMz87pe8CI
+ã~”E<YOªà_Ÿcض‘L}#àgÕñX:J<0B>m“!
+øÖGŸŸ}67º•W”ZªÀï:L

secrets/secrets.nix

@@ -17,6 +17,8 @@ let
   userKeys = builtins.map (user: builtins.readFile ./publicKeys/${user}.pub) users;
   keys = systemKeys ++ userKeys;
 in {
+  "backblaze/key.age".publicKeys = keys;
+  "backblaze/keyId.age".publicKeys = keys;
   "cloudflare.age".publicKeys = keys;
   "lastFM/apiKey.age".publicKeys = keys;
   "lastFM/secret.age".publicKeys = keys;