duplicity: port passphrase to secrets file

machines/uninsane/services/duplicity.nix

@@ -6,7 +6,8 @@
   services.duplicity.targetUrl = secrets.duplicity.url;
   # format: PASSPHRASE=<cleartext>
   # two sisters
-  services.duplicity.secretFile = /etc/nixos/secrets/duplicity_env;
+  services.duplicity.secretFile =
+    builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
   # NB: manually trigger with `systemctl start duplicity`
   services.duplicity.frequency = "daily";
   services.duplicity.exclude = [

secrets/default.nix

@@ -6,6 +6,8 @@
   #   ^ run this until you get a key with no forward slashes :upside_down:
   #   web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
   duplicity.url = "b2://<REPLACEME:KEY_ID>:<REPLACEME:APPKEY>:<REPLACEME:BUCKET>";
+  # remote backups will be encrypted using this (gpg) passphrase
+  duplicity.passphrase = "<REPLACEME>";
 
   # to generate:
   # wg genkey > wg0.private