From 5288c5857a78d337540037701c5ca540c919c8fb Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Tue, 13 Jan 2026 14:57:33 +0000
Subject: [PATCH] Add separate restic roles for separate credentials

I don't want corp and prod accidentally smashing each other, or being used as a credentials escalation attack.
---
 modules/system/restic/default.nix | 8 ++++++--
 roles/corp.nix | 1 +
 roles/nidus-sync.nix | 1 +
 secrets/restic.yaml | 12 +++++++-----
 4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/modules/system/restic/default.nix b/modules/system/restic/default.nix
index 2494ea6..db9034b 100644
--- a/modules/system/restic/default.nix
+++ b/modules/system/restic/default.nix
@@ -10,7 +10,7 @@ with lib;
 config = {
 sops.secrets.restic-env = {
 format = "yaml";
- key = "backblaze";
+ key = "backblaze-${config.myModules.restic.role}";
 group = "root";
 mode = "0440";
 owner = "root";
@@ -18,11 +18,15 @@ with lib;
 };
 sops.secrets.restic-password = {
 format = "yaml";
- key = "password";
+ key = "password-${config.myModules.restic.role}";
 group = "root";
 mode = "0440";
 owner = "root";
 sopsFile = ../../../secrets/restic.yaml;
 };
 };
+ options.myModules.restic.role = mkOption {
+ description = "The role which picks the key to use";
+ type = types.str;
+ };
 }
diff --git a/roles/corp.nix b/roles/corp.nix
index ae9fd21..e02fbbc 100644
--- a/roles/corp.nix
+++ b/roles/corp.nix
@@ -9,6 +9,7 @@
 label-studio.enable = true;
 librechat.enable = true;
 minio.enable = true;
+ restic.role = "corp";
 static-websites.enable = true;
 synapse.enable = true;
 timecardbot.enable = true;
diff --git a/roles/nidus-sync.nix b/roles/nidus-sync.nix
index 07fb742..eca24c6 100644
--- a/roles/nidus-sync.nix
+++ b/roles/nidus-sync.nix
@@ -25,5 +25,6 @@ in {
 myModules.caddy.enable = true;
 myModules.qgis.enable = false;
 myModules.nidus-sync.enable = true;
+ myModules.restic.role = "nidus";
 myModules.tegola.enable = true;
 }
diff --git a/secrets/restic.yaml b/secrets/restic.yaml
index 75d6947..4ec0204 100644
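Review bot: In the second modules/system/restic/default.nix hunk, `options.myModules.restic.role` is declared as `types.str` with no default, so a host that imports the module without setting it fails at evaluation (fail-closed), but a misspelled role value only surfaces later, presumably when sops cannot find the `password-<role>` or `backblaze-<role>` key in restic.yaml; declaring it as `type = types.enum [ "corp" "nidus" ];` turns that into an evaluation-time error and documents the legal values in one place. The option description could also say what the value selects, e.g. `description = "Backup credential set; selects the password-<role> and backblaze-<role> keys in secrets/restic.yaml";`. The roles/corp.nix and roles/nidus-sync.nix hunks set this as `restic.role = "corp";` and `myModules.restic.role = "nidus";`, and the corp.nix line presumably sits inside a `myModules = { ... }` attribute set whose opening is outside the hunk.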
--- a/secrets/restic.yaml
+++ b/secrets/restic.yaml
@@ -1,5 +1,7 @@
-password: ENC[AES256_GCM,data:8+9fN4o5sDIdfvi9tSKE2ZzvuF3yCJtboNOML0bfoIEYRTkk,iv:tq9URJYhpDOx8rg5RdhyazBpp7EHpLUXCCQITapKvio=,tag:U99XmbB2mQ4HGv/uF0B+HA==,type:str]
-backblaze: ENC[AES256_GCM,data:yY61q4Bfa9ABc+Lo5D4btjWX47WDy7X+Na6f3QhbC0jIs+TkOInR/NgU6d8WoUeFUgp4Uv9v1wHx0mmR81G9KWCoFtBuPkD4v6OZNjGMeiTmQl7TSh2TwsOchZqcyJ22ELM/s1fEH3pS1WhG5jugmpvji5c8552t1ZcYqDYygZ6kpHAd098bkhKwiwBxsTsKlrLTTGvq9lWB+SOlqzo=,iv:D7Qq1S0gE6R0dfWI9ZPJ3eVFE4ANVOdOqRf0hnu0Zsk=,tag:SdiLYe6PROffLr78P0JwEw==,type:str]
+password-corp: ENC[AES256_GCM,data:hdOuBzYIKw6ZL97rs/W82NqIbux3o8dHjqb1Rqx2NRVQ0h3/,iv:W75AdM1EeKcSNeu52NqKDmg20JX5TAVzy2N0XvnHJfw=,tag:faqTI48m5tgD2MGlBVrnUQ==,type:str]
+password-nidus: ENC[AES256_GCM,data:qZLS/orQFXcx1HDpSvFuaXq+c18AIuYOpxqj3OL86W80BHKT,iv:f5633bn+EIEiwENTVAQ6MGj30eKktNbLJT4drBPANOQ=,tag:bPTVe5MuD7NGTSIubJoEsw==,type:str]
+backblaze-corp: ENC[AES256_GCM,data:X/DKQ8rs8R3IofS7HhxRpRT+NbE8TZ8hsND9+iAFzfXTyGQeK14zj6ZhUKO2XfaHpsrSYbbXm3cQ5SqJF/ZZ5UQ45yTnlRm5PQ5yLs8BelCyYtAz1lDhxImD/1PWWJLx9QCFmll0fOIhSbhbZvKW5npZD/mjEpWHpgmJiBOyPX49U3dBs7/Khm6sbifzsjEtLTE5PiOu0CMzekc6Ye8=,iv:KM7gkipEbSzJP/7I2lugr4dW4B+vS9CPSGsZR162ERQ=,tag:lEzhPKV2tRVk6Rh28aIVjw==,type:str]
+backblaze-nidus: ENC[AES256_GCM,data:wxtqelZpNL/jufnmlE6gpXHKyahTKsLi/vG58F8BFWQOAqCXwf/PqhujJmCCS3t2vz6ezHoZb6Tc/QDALhHwGxEOYiQdhxr0J/mI3aOmqKKr9bON0byS16J8aCsHUJ8Mp3+ex2c2nIgwMydo0STPYrDpSpVIHrI8J4dofVezGVa389CVb5HM6zKJ9tZUKJXXGVdXJFMNXF8aN8wDuB4=,iv:Ay/dYKRJDjxLXGxhqopFd7NarhK7669oj4fd1oOncX4=,tag:x4izw4LBcZDQFGiXh1IKzQ==,type:str]
 sops:
 age:
 - recipient: age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
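Review bot: Renaming the entries to `password-corp`/`password-nidus` and `backblaze-corp`/`backblaze-nidus` selects a different value per host but does not isolate the credentials from each other: sops encrypts every value in one file under a single per-file data key, so every recipient listed under `sops.age` (this hunk shows one recipient; the rest of the list is outside it) can decrypt all four entries, including the other role's Backblaze credentials. If the commit's stated goal is that one host cannot use the other's credentials, each role's values belong in a separate sops file encrypted only to that host's recipient (for example one `secrets/restic-<role>.yaml` per role, chosen through `sopsFile` in modules/system/restic/default.nix), with the role name selecting the file rather than a key inside a shared file. The unsuffixed `password` and `backblaze` keys are also removed outright; the restic module in this commit no longer reads them, but any other consumer still referencing `key = "password"` or `key = "backblaze"` against this file would fail at activation, so a repository-wide search for those key names before merging is worthwhile.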
@@ -74,7 +76,7 @@ sops:
 RGJPVEhIa3FkeERHWlJtYStxRkM5TmMKdOYg8Vbq+0ozSyt4CFTb4xnDPE2Uk5jx
 uVZOgItLCZ4774lqqqQKDUkrZlthuVXwYpaNSHNbA8LbAw9IDWqYkw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-30T17:43:08Z"
- mac: ENC[AES256_GCM,data:aGvETiPMIFHSTD+HFbpxcZZChseyYa/nSYG6Jdn4N9IZ07NTrQGrCoXydAyPbMcZ2/1nHxUjEBDjR/WyqJXtBRgpLQIBRWUU9BXonUeK1lCfvFsNoxCKGmWUGxVFMyRs9t+z/bzYKiFx5yFrhxZ0O73K7E5E7bk4D4np7C+xJCI=,iv:eopRqkfBx3308W5jBBGZViKXMVwJARJA484j8N15SFI=,tag:HjltEecsL5f5o4dI6pd8Kw==,type:str]
+ lastmodified: "2026-01-13T14:03:41Z"
+ mac: ENC[AES256_GCM,data:pGDHVS0FKn8LCVjiEFyWlxr5F1AsHkPGxnTssRf8bs6aDROqOVwKDPJMgtL0yu9+uwUz8wHFAHjFuM2K3icgFD6nzkQxjuewhxZd4776GatqvneyPeQx6sP1sPHAqOjzDOE0My1xpf4QiXwkx8Xls2ciLnq8j9ZL+/x5INUCYdA=,iv:XOFrgljl3a4RJoJ9BNKq0I/pVSca+gQcs+TwsQjwZco=,tag:ReAMvKAamofyQCYS1uJ4Qg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0