From 6bd3313e55858407ad05b555f08b74f566c7885a Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Mon, 30 Jun 2025 23:20:59 +0200
Subject: [PATCH] Rotate backblaze keys used by restic
---
 hosts/alto/secrets.yaml | 8 +++++---
 hosts/cirrus/secrets.yaml | 8 +++++---
 .../system/services/restic-backups/default.nix | 16 ++++++++++++----
 3 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/hosts/alto/secrets.yaml b/hosts/alto/secrets.yaml
index c412753..71e682c 100644
--- a/hosts/alto/secrets.yaml
+++ b/hosts/alto/secrets.yaml
@@ -6,7 +6,9 @@ nextcloud:
 hedgedoc:
 seb-password: ENC[AES256_GCM,data:+pejm+Ju9l1jqY/8gpWRR6I5z3VEFzPxzw==,iv:0ji6ayKljy7LoZW423xcMmKJqsbon3JGzEb8KlbR2zs=,tag:sz8Szb8wA00U9Es0q0N/tw==,type:str]
 restic:
- environment: ENC[AES256_GCM,data:v1Ui5mG7Q98CFEpq7sSpzEf86cJAcRi+sqFdvy6ZPuY9dukJD2wAGt5fuNQkMzBCKAUTHb46ga1WYf9fZ5AUOPdA1MNrJWKrXlrsYh8ZJYKOgfEVBBYPUKKGcajILNQ5SzU=,iv:Asg4CWJbGqSZh8YaxcWA0Yxau1dE4ZV9JBJSiDHufGI=,tag:46pNMWoCbciEv4cIHo7KFQ==,type:str]
+ backblaze:
+ key-id: ENC[AES256_GCM,data:NLi1oxFyJGtxUiYmQpLbiwiu5aKHek4jUw==,iv:99ZWKy7ZVQx8LxMddu/s3LoIl5Ap6RKWcp8Cc4AK9Rc=,tag:luq5+koITm69eiOTESGMHg==,type:str]
+ application-key: ENC[AES256_GCM,data:15z8f1TpIh5IWpPd5bDSXAMgkX3Y2SCUFPBATQAjIg==,iv:GatmQHcMQxCBNiELorVUtPu/MCqenNUk/jkmTM0kmr0=,tag:jVCWqGKqFnzqod6Xb6n2Bg==,type:str]
 password: ENC[AES256_GCM,data:NVeqrWqtdgbhu3U7dAgwFeNLS9oPtnAPSrkGtvYD,iv:3l+9+bZfOpZdSCBKzXn5PqJvqo7mz/rj1tkihJqMHIs=,tag:JXigRR1adGlm8ehRv5wzIA==,type:str]
 healthchecks-ping-key: ENC[AES256_GCM,data:Cbk04CrYd9WcHnVRUed9aIImHbULhA==,iv:70cOOk5LfYciBx5baftFiBuquXY2welnjhoYmIB1iAQ=,tag:I5hqoai/HLdqUqonK77ubA==,type:str]
 sops:
@@ -29,7 +31,7 @@ sops:
 dEhnSkQ5SDlnbmhGSVdYaDNuc3ZkM00K7WPEZRYWAd7uGY0IcDwGgQVPrpkF/tnz
 ncj03JXM4BXwvEQOmD/i6wS4U4WCwkh9EauGJljVFTeu6TciomDULQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-28T19:18:21Z"
- mac: ENC[AES256_GCM,data:9K+Q8tf3rgoja+XmQS6E3HkoPp6v1jVdSVRarkLZvp3ELPjzUvE7Y4EkG0nq4wV5jdsaKdyH3QqjjPgRhSvrP4nKGwktA5hBJsCg/D7acjutcokc4oO3L11KFkBA/FxS1LCBBM5yufoIi1YQ8vX5XVqJafEIXD4fzfBn8SqZNcc=,iv:XutGQkil5NKEiBLZPtmdHJreiPvkPHiX4GhZrgrNC1Y=,tag:T+2MUaLXG6nkmfNQBQTq/g==,type:str]
+ lastmodified: "2025-06-30T21:08:41Z"
+ mac: ENC[AES256_GCM,data:MK8jssDOXQlS34h1MwsCT5KR+aR72NsKn1xexzbhzwHR0+73ykLSDIjIjvGL1lePDX0Y0f7Em1oDcwnJpoMQWxHqjc2B8t0YbIZtktP9uD2SqIhYr3RvGIX1m4B8HSUEG1usAWFK8BblGZIjngWT1nlWDHakhE17rGc4WgKeHHM=,iv:p/UfEqLF8gVXyMc9VMfXY0O0v4Ed6976WIO78w/LSIE=,tag:q69Hm7hdT8OIh0eEQzEn8w==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/hosts/cirrus/secrets.yaml b/hosts/cirrus/secrets.yaml
index 96f8443..72cb0d8 100644
--- a/hosts/cirrus/secrets.yaml
+++ b/hosts/cirrus/secrets.yaml
@@ -6,7 +6,9 @@ hedgedoc:
 forgejo:
 admin-password: ENC[AES256_GCM,data:DOZah26AGeR89kgeIvWPCJlVRxML9r7F2g==,iv:4BCOmHxzCr4Z3975MN4mr/lyeEVyJhwuGfDxek6GiSI=,tag:IsgsIhrTEMRp1/FFFQbyhA==,type:str]
 restic:
- environment: ENC[AES256_GCM,data:oPgJ20N7eO0W+SnRPA/uaGDbYBpKX3jWixuVIG0+eBRRlaPWBFpJKA7CK9oVvwuqQUtGiRnoR2gqO42C22WRSiHXqe1zoarhvQMcXy8CTQd6Y+k5iMspSzMZynfkMapooK4=,iv:Ub1ONOcoEZ52E8W1qK93xpmYXMUiVszFbHoO/pUa/Mo=,tag:2yTJZmirhPIN01cB5F0Lsw==,type:str]
+ backblaze:
+ key-id: ENC[AES256_GCM,data:PWe/VRiXKmL4/fPlKj6HyYqugJ4wssWKjA==,iv:tSVeVcbZI+AuXXllEax+IKD2gkNQSDC5cW0yJa8Dfyc=,tag:5A5YgQnM/Br47sYCQbJOcg==,type:str]
+ application-key: ENC[AES256_GCM,data:0W3eE8sxS6seWX9L1koksN6lQLJ8gFBNGh8fSadSIw==,iv:8Eyu9vKX9IcY/Ixgy1jigl4Ef4e55duyZZX4nKU/At0=,tag:S+LwXW0Q6q6/JN7AjyZ+3g==,type:str]
 password: ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str]
 healthchecks-ping-key: ENC[AES256_GCM,data:HT6bEtZ4ii3na8VDRA59GHtRuaOV+w==,iv:ZZlnpDPoPUYgq/jHOfCqHMUmKpPUTpXmZp3GWxYAL3I=,tag:Lg97lItvoGzXqoz6Pwadfw==,type:str]
 crowdsec:
@@ -31,7 +33,7 @@ sops:
 aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae
 XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-28T19:18:32Z"
- mac: ENC[AES256_GCM,data:NVrQa5s01ws9WmDHjdByc6e7tHQSNQpDYY1J/6D6PZBq51Rs7/kmrA+M9myBjL40CzX4aT3AOPQQkD9V6iP9tP/2sN39kpfebnV55YtSTWI8t03r0bnSG4ZWlW84neg6qc96+cclSyEWSVxoBNZHIIyD02JJ9kSgfyyycZuxYf8=,iv:OHPeuZCHrmRk8TkNjHtujZTD4Bks7yPX0pReoMifBAE=,tag:DT/wMrApSpxT11/auDADDQ==,type:str]
+ lastmodified: "2025-06-30T21:14:35Z"
+ mac: ENC[AES256_GCM,data:2fDTzibwzBLx1L46M55s494wlbdvAPEvba4T5ZqgspQxxiyiN4FTnhwrDFu5a8WeRTSIxsa2dGTjtPX7z2LCe8lbyxdBDDMtD0neJuHK18Ht80r4dhGR/h0KPvvf3yjCLytpP8Fouo/bv8G1kGscwh7nr419vIMcZKB89zmXpJE=,iv:DHMJ4f+BpJ6EslQAOV/c5Evu1gwNL9bxJ8PLNQUPkgE=,tag:3nkwNDpO7chRz3GcjN+1Hw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/modules/system/services/restic-backups/default.nix b/modules/system/services/restic-backups/default.nix
index 5a3c420..42533b0 100644
--- a/modules/system/services/restic-backups/default.nix
+++ b/modules/system/services/restic-backups/default.nix
@@ -25,9 +25,17 @@ in
 };
 config = lib.mkIf (resticBackups != { }) {
- sops.secrets = {
- "restic/environment" = { };
- "restic/password" = { };
+ sops = {
+ secrets = {
+ "restic/backblaze/key-id" = { };
+ "restic/backblaze/application-key" = { };
+ "restic/password" = { };
+ };
+
+ templates."restic/environment".content = ''
+ AWS_ACCESS_KEY_ID=${config.sops.placeholder."restic/backblaze/key-id"}
+ AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."restic/backblaze/application-key"}
+ '';
 };
 systemd.tmpfiles.rules =
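Review bot: The `templates."restic/environment".content` lines export the Backblaze B2 key pair under `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` with no comment saying why, and that is the one non-obvious part of this hunk: the reason only becomes visible from the `s3:https://…backblazeb2.com` repository URL in the following hunk, where the rendered file is wired in as `environmentFile`. I would add above the `templates` line `# restic's S3 backend reads the B2 key pair through the AWS_* variable names; the rendered file is what environmentFile points at`. Since the commit is a key rotation, nothing in it records whether the pair previously held in the removed `restic/environment` secret has been deleted on the Backblaze side, nor whether the replacement application key is restricted to the `stork-atlas` bucket; neither can be checked from the encrypted values, so a sentence in the commit description, or a one-line comment at the `secrets` block, would close that loop. The `config = lib.mkIf …` attribute set opened in this hunk closes outside it.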
@@ -41,7 +49,7 @@ in
 {
 initialize = true;
 repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
- environmentFile = config.sops.secrets."restic/environment".path;
+ environmentFile = config.sops.templates."restic/environment".path;
 passwordFile = config.sops.secrets."restic/password".path;
 pruneOpts = [
 "--keep-daily 7"