No description
Find a file
OfficerYoda f3aae46f53
feat: colorize user-facing output
Add ANSI colors to the status (==>), prompt, warning, error, and final
summary lines. Colors are gated on both stdout and stderr being TTYs and
on NO_COLOR being unset, so piping/redirecting either stream or running
under CI produces clean plain-text output. The env file contents and the
redacted-secret marker are unaffected.
2026-05-26 18:44:09 +02:00
.gitignore chore: initial repo scaffolding 2026-05-25 21:05:43 +02:00
provision.sh feat: colorize user-facing output 2026-05-26 18:44:09 +02:00
README.md security: redact B2_APPLICATION_KEY from stdout 2026-05-26 18:42:29 +02:00

automatic-backups-provisioner

One-shot CLI: creates a B2 bucket officeryoda-backups-<service> plus a bucket-scoped application key, writes credentials to ./<service>.b2.env (mode 0600) ready to drop into the sibling automatic-backups container via env_file:.

Prerequisites

  • bash, curl, jq.
  • A B2 master key with capabilities writeBuckets, writeKeys, listBuckets. Create at https://secure.backblaze.com/ -> Account -> Application Keys (access: All buckets, type: Read and Write). Save both values immediately - B2 only shows the secret once.

Usage

curl -fsSL https://forgejo.officeryoda.dev/OfficerYoda/automatic-backups-provisioner/raw/branch/main/provision.sh | bash -s -- <service-name>

The script prompts for B2_MASTER_KEY_ID and B2_MASTER_APPLICATION_KEY (input hidden) if they are not already set in the environment. To skip the prompt, prefix the invocation:

B2_MASTER_KEY_ID=... B2_MASTER_APPLICATION_KEY=... \
  curl -fsSL https://forgejo.officeryoda.dev/OfficerYoda/automatic-backups-provisioner/raw/branch/main/provision.sh | bash -s -- <service-name>

Optional flags: --prefix <path> (also scopes the issued key); --bucket-type allPrivate|allPublic (default allPrivate).

Output ./<service-name>.b2.env (mode 0600):

B2_BUCKET=officeryoda-backups-<service-name>
B2_ACCOUNT_ID=...
B2_APPLICATION_KEY=...
# B2_PATH=...    (only if --prefix was passed)

The application key is written to the env file only and is never printed to stdout. B2 will not show it again - back up the file before deleting it.

Issued key capabilities

listBuckets, listFiles, readFiles, shareFiles, writeFiles, deleteFiles. deleteFiles is required for RETENTION_DAYS pruning. The key has no bucket- or key-management capabilities, so a leak is contained to one bucket's contents.

Security

  • Never commit *.b2.env (covered by .gitignore).
  • Pass the master key from a password manager or interactive prompt, not a file - the script reads it only from env vars or /dev/tty. The master key is account-takeover-grade.
  • No teardown by design. Delete buckets and keys manually in the B2 UI.

Failure modes

  • Pre-flight aborts (no API calls): bad service name, bucket name > 50 chars, output file already exists, master key empty after prompt, no TTY available when env vars are unset.
  • Mid-run abort: bucket with the target name already exists in the account.
  • Bucket created, key creation failed: prints the bucketId and stops. Manual cleanup required - no auto-rollback.
  • Any non-2xx B2 response: response JSON dumped to stderr, script exits non-zero.

Pairing with automatic-backups

services:
  backup:
    image: forgejo.officeryoda.dev/officeryoda/automatic-backups:latest
    env_file: ./forgejo.b2.env
    environment:
      BACKUP_CRON: "0 3 * * *"
      RETENTION_DAYS: "30"
      BACKUP_ALL: "true"
    volumes:
      - forgejo_data:/backup:ro