Add separate restic roles for separate credentials

I don't want corp and prod accidentally smashing each other, or being used as a credentials escalation attack.
2026-01-13 14:57:33 +00:00 · 2026-01-13 14:57:33 +00:00 · 5288c5857a
commit 5288c5857a
parent 6c24b30a61
4 changed files with 15 additions and 7 deletions
--- a/modules/system/restic/default.nix
+++ b/modules/system/restic/default.nix
@ -10,7 +10,7 @@ with lib;
 	config = {
 		sops.secrets.restic-env = {
 			format = "yaml";
-			key = "backblaze";
+			key = "backblaze-${config.myModules.restic.role}";
 			group = "root";
 			mode = "0440";
 			owner = "root";
@ -18,11 +18,15 @@ with lib;
 		};
 		sops.secrets.restic-password = {
 			format = "yaml";
-			key = "password";
+			key = "password-${config.myModules.restic.role}";
 			group = "root";
 			mode = "0440";
 			owner = "root";
 			sopsFile = ../../../secrets/restic.yaml;
 		};
 	};
+	options.myModules.restic.role = mkOption {
+		description = "The role which picks the key to use";
+		type = types.str;
+	};
 }