- Shell 100%
Add ANSI colors to the status (==>), prompt, warning, error, and final summary lines. Colors are gated on both stdout and stderr being TTYs and on NO_COLOR being unset, so piping/redirecting either stream or running under CI produces clean plain-text output. The env file contents and the redacted-secret marker are unaffected. |
||
|---|---|---|
| .gitignore | ||
| provision.sh | ||
| README.md | ||
automatic-backups-provisioner
One-shot CLI: creates a B2 bucket officeryoda-backups-<service> plus a
bucket-scoped application key, writes credentials to ./<service>.b2.env
(mode 0600) ready to drop into the sibling
automatic-backups
container via env_file:.
Prerequisites
bash,curl,jq.- A B2 master key with capabilities
writeBuckets,writeKeys,listBuckets. Create at https://secure.backblaze.com/ -> Account -> Application Keys (access: All buckets, type: Read and Write). Save both values immediately - B2 only shows the secret once.
Usage
curl -fsSL https://forgejo.officeryoda.dev/OfficerYoda/automatic-backups-provisioner/raw/branch/main/provision.sh | bash -s -- <service-name>
The script prompts for B2_MASTER_KEY_ID and B2_MASTER_APPLICATION_KEY
(input hidden) if they are not already set in the environment. To skip the
prompt, prefix the invocation:
B2_MASTER_KEY_ID=... B2_MASTER_APPLICATION_KEY=... \
curl -fsSL https://forgejo.officeryoda.dev/OfficerYoda/automatic-backups-provisioner/raw/branch/main/provision.sh | bash -s -- <service-name>
Optional flags: --prefix <path> (also scopes the issued key);
--bucket-type allPrivate|allPublic (default allPrivate).
Output ./<service-name>.b2.env (mode 0600):
B2_BUCKET=officeryoda-backups-<service-name>
B2_ACCOUNT_ID=...
B2_APPLICATION_KEY=...
# B2_PATH=... (only if --prefix was passed)
The application key is written to the env file only and is never printed to stdout. B2 will not show it again - back up the file before deleting it.
Issued key capabilities
listBuckets, listFiles, readFiles, shareFiles, writeFiles, deleteFiles.
deleteFiles is required for RETENTION_DAYS pruning. The key has no
bucket- or key-management capabilities, so a leak is contained to one
bucket's contents.
Security
- Never commit
*.b2.env(covered by.gitignore). - Pass the master key from a password manager or interactive prompt, not a
file - the script reads it only from env vars or
/dev/tty. The master key is account-takeover-grade. - No teardown by design. Delete buckets and keys manually in the B2 UI.
Failure modes
- Pre-flight aborts (no API calls): bad service name, bucket name > 50 chars, output file already exists, master key empty after prompt, no TTY available when env vars are unset.
- Mid-run abort: bucket with the target name already exists in the account.
- Bucket created, key creation failed: prints the bucketId and stops. Manual cleanup required - no auto-rollback.
- Any non-2xx B2 response: response JSON dumped to stderr, script exits non-zero.
Pairing with automatic-backups
services:
backup:
image: forgejo.officeryoda.dev/officeryoda/automatic-backups:latest
env_file: ./forgejo.b2.env
environment:
BACKUP_CRON: "0 3 * * *"
RETENTION_DAYS: "30"
BACKUP_ALL: "true"
volumes:
- forgejo_data:/backup:ro