infra: restore Delta R2 backup credentials in SOPS #272

Closed
opened 2026-05-10 20:16:42 +00:00 by barrettruth · 2 comments
Owner

Problem

delta-r2-backup.service is configured on the VPS, but its expected env file is missing, so the backup job has been failing. The existing Vaultwarden R2 token was tested against the delta bucket and returned AccessDenied, so it should not be assumed to be the Delta backup token.

Needed data

  • Cloudflare R2 endpoint/account context for the Delta bucket.
  • Delta-scoped R2_ACCESS_KEY_ID.
  • Delta-scoped R2_SECRET_ACCESS_KEY.
  • Confirmed bucket/prefix, currently expected as s3://delta/.

Scope

  • Store the Delta backup env in SOPS separately from the app runtime env.
  • Wire delta-r2-backup.service to a root-owned /run/secrets/... env file.
  • Keep the app service's delta-env limited to runtime app secrets.
  • Document the credential names without storing or pasting real secret values in issue text.

Acceptance criteria

  • A non-secret aws s3 ls s3://delta/ access check passes with the Delta token.
  • A non-destructive write/delete test passes with the Delta token.
  • delta-r2-backup.service completes successfully on the VPS.
barrettruth added this to the v0.1.0 milestone 2026-05-10 20:16:42 +00:00
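The acceptance criteria above describe a manual check sequence. The script below is an added example (not code from the delta repository) that runs the same sequence in order: it refuses an env file that is not root-owned and mode 400/600, loads only the three backup variables so app runtime secrets cannot ride along, then runs the non-secret `aws s3 ls` read check and a probe-object write/delete under a dedicated `_probe/` prefix. It assumes a dotenv-style env file with the keys `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY` and an assumed `R2_ENDPOINT` key for the account's S3 endpoint, the `aws` CLI on the VPS, GNU `stat`, and the `auto` region that R2's S3 API accepts. Credentials reach `aws` only through its environment, so no secret value appears on a command line or in output.

```shell
#!/bin/sh
# Added pre-flight check for the Delta R2 backup credential (example, not part
# of the delta repo). Assumes a dotenv-style env file holding exactly
# R2_ENDPOINT (assumed key name), R2_ACCESS_KEY_ID and R2_SECRET_ACCESS_KEY,
# and the aws CLI pointed at R2's S3-compatible endpoint. Secret values are
# passed to aws through the environment and are never printed or logged.
set -eu

BUCKET_URI="${BUCKET_URI:-s3://delta/}"
AWS="${AWS:-aws}"   # overridable so the checks can be exercised against a stub

# The env file must belong to the expected owner (root on the VPS) and be
# unreadable by group/other; anything looser means the backup token is
# visible outside the backup unit.
check_env_file_perms() {
  local f want_owner owner mode
  f="$1"; want_owner="${2:-root}"
  owner="$(stat -c '%U' "$f")"
  mode="$(stat -c '%a' "$f")"
  [ "$owner" = "$want_owner" ] || { echo "$f: owned by $owner, expected $want_owner" >&2; return 1; }
  case "$mode" in
    400|600) ;;
    *) echo "$f: mode $mode, expected 400 or 600" >&2; return 1 ;;
  esac
}

# Load only the three backup variables (plain KEY=VALUE lines, no quote
# stripping, like systemd's EnvironmentFile). Any other key means app
# runtime secrets were mixed into the backup env, which this issue keeps apart.
load_env_file() {
  local f line key
  f="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    case "$key" in
      R2_ENDPOINT|R2_ACCESS_KEY_ID|R2_SECRET_ACCESS_KEY) export "$key=${line#*=}" ;;
      *) echo "$f: unexpected key $key" >&2; return 1 ;;
    esac
  done < "$f"
  [ -n "${R2_ENDPOINT:-}" ] && [ -n "${R2_ACCESS_KEY_ID:-}" ] && [ -n "${R2_SECRET_ACCESS_KEY:-}" ] \
    || { echo "$f: missing one of R2_ENDPOINT, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY" >&2; return 1; }
}

# Every aws call goes through here: credentials via environment only,
# endpoint explicit, region "auto" as R2's S3 API accepts.
r2() {
  AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID" AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY" \
  AWS_DEFAULT_REGION=auto "$AWS" --endpoint-url "$R2_ENDPOINT" "$@"
}

# Read check from the acceptance criteria. AccessDenied here reproduces the
# symptom that showed the Vaultwarden token is not the Delta token.
check_list() {
  r2 s3 ls "$BUCKET_URI" >/dev/null
}

# Write/delete check: a uniquely named object under a probe prefix is
# uploaded and removed again, so nothing under the real backup prefix is
# touched.
check_write_delete() {
  local probe tmp
  probe="${BUCKET_URI}_probe/$(date +%s)-$$"
  tmp="$(mktemp)"
  printf 'delta r2 probe\n' > "$tmp"
  r2 s3 cp "$tmp" "$probe" >/dev/null
  rm -f "$tmp"
  r2 s3 rm "$probe" >/dev/null
}

run_all_checks() {
  local env_file
  env_file="$1"
  check_env_file_perms "$env_file"
  load_env_file "$env_file"
  check_list
  check_write_delete
  echo "Delta R2 credential OK for $BUCKET_URI (checked $env_file; no secret values printed)"
}

# Usage on the VPS (as root, since the env file is root-owned):
#   sh r2-check.sh /run/secrets/delta-r2-backup-env
if [ $# -ge 1 ]; then run_all_checks "$1"; fi
```

Run it as root on the VPS against `/run/secrets/delta-r2-backup-env` once the fresh token is in SOPS; a failing step names the file or the key at fault but never echoes a value, so its output is safe to paste back into this issue.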
Author
Owner

Nix side is now prepared: delta-r2-backup.service uses a SOPS-backed EnvironmentFile when secrets/vps/delta-r2-backup-env exists, and the timer is not enabled until that encrypted secret is present. Current VPS timer was stopped because no valid Delta R2 token is available yet.

Author
Owner

Per request, deployed a SOPS-backed delta-r2-backup-env using the placeholder/revoked R2 S3 credential values. The VPS now has /run/secrets/delta-r2-backup-env, delta-r2-backup.timer is enabled/active, and the activation-triggered backup run reported success. This still needs replacement with a fresh non-exposed token before considering the credential side healthy.

Reference
barrettruth/delta#272