Add separate restic roles for separate credentials

I don't want corp and prod accidentally smashing each other, or being
used as a credentials escalation attack.

modules/system/restic/default.nix

@@ -10,7 +10,7 @@ with lib;
 	config = {
 		sops.secrets.restic-env = {
 			format = "yaml";
-			key = "backblaze";
+			key = "backblaze-${config.myModules.restic.role}";
 			group = "root";
 			mode = "0440";
 			owner = "root";
@@ -18,11 +18,15 @@ with lib;
 		};
 		sops.secrets.restic-password = {
 			format = "yaml";
-			key = "password";
+			key = "password-${config.myModules.restic.role}";
 			group = "root";
 			mode = "0440";
 			owner = "root";
 			sopsFile = ../../../secrets/restic.yaml;
 		};
 	};
+	options.myModules.restic.role = mkOption {
+		description = "The role which picks the key to use";
+		type = types.str;
+	};
 }

roles/corp.nix

@@ -9,6 +9,7 @@
 		label-studio.enable = true;
 		librechat.enable = true;
 		minio.enable = true;
+		restic.role = "corp";
 		static-websites.enable = true;
 		synapse.enable = true;
 		timecardbot.enable = true;

roles/nidus-sync.nix

@@ -25,5 +25,6 @@ in {
 	myModules.caddy.enable = true;
 	myModules.qgis.enable = false;
 	myModules.nidus-sync.enable = true;
+	myModules.restic.role = "nidus";
 	myModules.tegola.enable = true;
 }

secrets/restic.yaml

@@ -1,5 +1,7 @@
-password: ENC[AES256_GCM,data:8+9fN4o5sDIdfvi9tSKE2ZzvuF3yCJtboNOML0bfoIEYRTkk,iv:tq9URJYhpDOx8rg5RdhyazBpp7EHpLUXCCQITapKvio=,tag:U99XmbB2mQ4HGv/uF0B+HA==,type:str]
-backblaze: ENC[AES256_GCM,data:yY61q4Bfa9ABc+Lo5D4btjWX47WDy7X+Na6f3QhbC0jIs+TkOInR/NgU6d8WoUeFUgp4Uv9v1wHx0mmR81G9KWCoFtBuPkD4v6OZNjGMeiTmQl7TSh2TwsOchZqcyJ22ELM/s1fEH3pS1WhG5jugmpvji5c8552t1ZcYqDYygZ6kpHAd098bkhKwiwBxsTsKlrLTTGvq9lWB+SOlqzo=,iv:D7Qq1S0gE6R0dfWI9ZPJ3eVFE4ANVOdOqRf0hnu0Zsk=,tag:SdiLYe6PROffLr78P0JwEw==,type:str]
+password-corp: ENC[AES256_GCM,data:hdOuBzYIKw6ZL97rs/W82NqIbux3o8dHjqb1Rqx2NRVQ0h3/,iv:W75AdM1EeKcSNeu52NqKDmg20JX5TAVzy2N0XvnHJfw=,tag:faqTI48m5tgD2MGlBVrnUQ==,type:str]
+password-nidus: ENC[AES256_GCM,data:qZLS/orQFXcx1HDpSvFuaXq+c18AIuYOpxqj3OL86W80BHKT,iv:f5633bn+EIEiwENTVAQ6MGj30eKktNbLJT4drBPANOQ=,tag:bPTVe5MuD7NGTSIubJoEsw==,type:str]
+backblaze-corp: ENC[AES256_GCM,data:X/DKQ8rs8R3IofS7HhxRpRT+NbE8TZ8hsND9+iAFzfXTyGQeK14zj6ZhUKO2XfaHpsrSYbbXm3cQ5SqJF/ZZ5UQ45yTnlRm5PQ5yLs8BelCyYtAz1lDhxImD/1PWWJLx9QCFmll0fOIhSbhbZvKW5npZD/mjEpWHpgmJiBOyPX49U3dBs7/Khm6sbifzsjEtLTE5PiOu0CMzekc6Ye8=,iv:KM7gkipEbSzJP/7I2lugr4dW4B+vS9CPSGsZR162ERQ=,tag:lEzhPKV2tRVk6Rh28aIVjw==,type:str]
+backblaze-nidus: ENC[AES256_GCM,data:wxtqelZpNL/jufnmlE6gpXHKyahTKsLi/vG58F8BFWQOAqCXwf/PqhujJmCCS3t2vz6ezHoZb6Tc/QDALhHwGxEOYiQdhxr0J/mI3aOmqKKr9bON0byS16J8aCsHUJ8Mp3+ex2c2nIgwMydo0STPYrDpSpVIHrI8J4dofVezGVa389CVb5HM6zKJ9tZUKJXXGVdXJFMNXF8aN8wDuB4=,iv:Ay/dYKRJDjxLXGxhqopFd7NarhK7669oj4fd1oOncX4=,tag:x4izw4LBcZDQFGiXh1IKzQ==,type:str]
 sops:
     age:
         - recipient: age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
@@ -74,7 +76,7 @@ sops:
             RGJPVEhIa3FkeERHWlJtYStxRkM5TmMKdOYg8Vbq+0ozSyt4CFTb4xnDPE2Uk5jx
             uVZOgItLCZ4774lqqqQKDUkrZlthuVXwYpaNSHNbA8LbAw9IDWqYkw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-30T17:43:08Z"
-    mac: ENC[AES256_GCM,data:aGvETiPMIFHSTD+HFbpxcZZChseyYa/nSYG6Jdn4N9IZ07NTrQGrCoXydAyPbMcZ2/1nHxUjEBDjR/WyqJXtBRgpLQIBRWUU9BXonUeK1lCfvFsNoxCKGmWUGxVFMyRs9t+z/bzYKiFx5yFrhxZ0O73K7E5E7bk4D4np7C+xJCI=,iv:eopRqkfBx3308W5jBBGZViKXMVwJARJA484j8N15SFI=,tag:HjltEecsL5f5o4dI6pd8Kw==,type:str]
+    lastmodified: "2026-01-13T14:03:41Z"
+    mac: ENC[AES256_GCM,data:pGDHVS0FKn8LCVjiEFyWlxr5F1AsHkPGxnTssRf8bs6aDROqOVwKDPJMgtL0yu9+uwUz8wHFAHjFuM2K3icgFD6nzkQxjuewhxZd4776GatqvneyPeQx6sP1sPHAqOjzDOE0My1xpf4QiXwkx8Xls2ciLnq8j9ZL+/x5INUCYdA=,iv:XOFrgljl3a4RJoJ9BNKq0I/pVSca+gQcs+TwsQjwZco=,tag:ReAMvKAamofyQCYS1uJ4Qg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0