I don't want corp and prod accidentally smashing each other, or one being used for a credential-escalation attack on the other.
{ pkgs, lib, config, ... }:

let
  # Builds one sops-nix secret declaration. Both restic secrets come from the
  # same encrypted file with the same ownership; only the entry name differs.
  #
  # NOTE(review): mode 0440 with group "root" also lets gid 0 read the
  # decrypted file. 0400 would be enough if only uid 0 consumes it; confirm
  # against the consumer in ./restic.nix before tightening.
  rootReadableResticSecret = entryName: {
    sopsFile = ../../../secrets/restic.yaml;
    format = "yaml";
    key = entryName;
    owner = "root";
    group = "root";
    mode = "0440";
  };
in
{
  # Replace the stable channel's restic NixOS module with the copy kept next
  # to this file (taken from unstable, per the original note) so that
  # stdin-from-command is available.
  # NOTE(review): a vendored module does not pick up upstream fixes by itself;
  # drop this override once the stable channel provides the feature.
  disabledModules = [ "services/backup/restic.nix" ];
  imports = [ ./restic.nix ];

  # The role selects which entries of restic.yaml this host uses.
  # NOTE(review): types.str accepts any string, so a mistyped role simply
  # names an entry that does not exist; an enum of the known roles would
  # reject it at evaluation time.
  options.myModules.restic.role = lib.mkOption {
    type = lib.types.str;
    description = "The role which picks the key to use";
  };

  # Per-role Backblaze environment and repository password, so that hosts of
  # different roles do not share backup credentials.
  #
  # NOTE(review): every role's entries live in one sops file. sops protects
  # all values of a file with a single data key, so each recipient of
  # restic.yaml can decrypt every role's entry, not only its own. Selecting
  # the entry by role prevents accidental cross-use; it isolates credentials
  # from a compromised host only if each role has its own file and recipient
  # set. The recipient list (.sops.yaml) is not visible here; confirm.
  config.sops.secrets = {
    restic-env =
      rootReadableResticSecret "backblaze-${config.myModules.restic.role}";
    restic-password =
      rootReadableResticSecret "password-${config.myModules.restic.role}";
  };
}