nixfiles/hosts/storage/secrets.nix

{ pkgs, ... }:
let secrets-db = (import ./secrets-db.nix { });
in {
  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -e -o pipefail

      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
      [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"

      export PATH=$PATH:${pkgs.vault}/bin
      export PATH=$PATH:${pkgs.jq}/bin
      export PATH=$PATH:${pkgs.apacheHttpd}/bin

      kv_get() {
        vault kv get -format json $1
      }

      simple_get() {
        kv_get $1 | jq .data.data$2 -r
      }

      file=${secrets-db.restic_hetznervm_htpasswd.path}
      echo $file
      username=$(simple_get "/api-keys/storage/restic/HetznerVM" .username)
      password=$(simple_get "/api-keys/storage/restic/HetznerVM" .password)
      htpasswd -bc $file "$username" "$password"
      chown ${secrets-db.restic_hetznervm_htpasswd.user}:${secrets-db.restic_hetznervm_htpasswd.group} $file
      chmod ${secrets-db.restic_hetznervm_htpasswd.permissions} $file

      file=${secrets-db.restic_music_htpasswd.path}
      echo $file
      username=$(simple_get "/api-keys/storage/restic/Music" .username)
      password=$(simple_get "/api-keys/storage/restic/Music" .password)
      htpasswd -bc $file "$username" "$password"
      chown ${secrets-db.restic_music_htpasswd.user}:${secrets-db.restic_music_htpasswd.group} $file
      chmod ${secrets-db.restic_music_htpasswd.permissions} $file

      file=${secrets-db.restic_vault_htpasswd.path}
      echo $file
      username=$(simple_get "/api-keys/storage/restic/Vault" .username)
      password=$(simple_get "/api-keys/storage/restic/Vault" .password)
      htpasswd -bc $file "$username" "$password"
      chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file
      chmod ${secrets-db.restic_vault_htpasswd.permissions} $file

      file=${secrets-db.webdav_main_htpasswd.path}
      echo $file
      username=$(simple_get "/api-keys/storage/webdav/main" .username)
      password=$(simple_get "/api-keys/storage/webdav/main" .password)
      htpasswd -bc $file "$username" "$password"
      chown ${secrets-db.webdav_main_htpasswd.user}:${secrets-db.webdav_main_htpasswd.group} $file
      chmod ${secrets-db.webdav_main_htpasswd.permissions} $file

      file=${secrets-db.vault_password.path}
      echo $file
      simple_get "/vault-users/storage" .password > $file
      chown ${secrets-db.vault_password.user}:${secrets-db.vault_password.group} $file
      chmod ${secrets-db.vault_password.permissions} $file
    '')
  ];
}
beep 2022-11-02 11:32:03 +00:00			`{ pkgs, ... }:`
			`let secrets-db = (import ./secrets-db.nix { });`
			`in {`
			`systemd.tmpfiles.rules = [ "d /secrets - root root" ];`
			`environment.systemPackages = [`
			`(pkgs.writeShellScriptBin "init-secrets" ''`
			`set -e -o pipefail`

			`VAULT_ADDR_DEFAULT="https://vault.owo.monster"`
			`[ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"`

			`export PATH=$PATH:${pkgs.vault}/bin`
			`export PATH=$PATH:${pkgs.jq}/bin`
			`export PATH=$PATH:${pkgs.apacheHttpd}/bin`

			`kv_get() {`
			`vault kv get -format json $1`
			`}`

			`simple_get() {`
			`kv_get $1 \| jq .data.data$2 -r`
			`}`

			`file=${secrets-db.restic_hetznervm_htpasswd.path}`
			`echo $file`
			`username=$(simple_get "/api-keys/storage/restic/HetznerVM" .username)`
			`password=$(simple_get "/api-keys/storage/restic/HetznerVM" .password)`
			`htpasswd -bc $file "$username" "$password"`
			`chown ${secrets-db.restic_hetznervm_htpasswd.user}:${secrets-db.restic_hetznervm_htpasswd.group} $file`
			`chmod ${secrets-db.restic_hetznervm_htpasswd.permissions} $file`

			`file=${secrets-db.restic_music_htpasswd.path}`
			`echo $file`
			`username=$(simple_get "/api-keys/storage/restic/Music" .username)`
			`password=$(simple_get "/api-keys/storage/restic/Music" .password)`
			`htpasswd -bc $file "$username" "$password"`
			`chown ${secrets-db.restic_music_htpasswd.user}:${secrets-db.restic_music_htpasswd.group} $file`
			`chmod ${secrets-db.restic_music_htpasswd.permissions} $file`

			`file=${secrets-db.restic_vault_htpasswd.path}`
			`echo $file`
			`username=$(simple_get "/api-keys/storage/restic/Vault" .username)`
			`password=$(simple_get "/api-keys/storage/restic/Vault" .password)`
			`htpasswd -bc $file "$username" "$password"`
			`chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file`
			`chmod ${secrets-db.restic_vault_htpasswd.permissions} $file`

beep 2022-11-02 16:04:43 +00:00			`file=${secrets-db.webdav_main_htpasswd.path}`
beep 2022-11-02 11:32:03 +00:00			`echo $file`
beep 2022-11-02 16:04:43 +00:00			`username=$(simple_get "/api-keys/storage/webdav/main" .username)`
			`password=$(simple_get "/api-keys/storage/webdav/main" .password)`
beep 2022-11-02 11:32:03 +00:00			`htpasswd -bc $file "$username" "$password"`
beep 2022-11-02 16:04:43 +00:00			`chown ${secrets-db.webdav_main_htpasswd.user}:${secrets-db.webdav_main_htpasswd.group} $file`
			`chmod ${secrets-db.webdav_main_htpasswd.permissions} $file`
beep 2022-11-02 11:32:03 +00:00
			`file=${secrets-db.vault_password.path}`
			`echo $file`
			`simple_get "/vault-users/storage" .password > $file`
			`chown ${secrets-db.vault_password.user}:${secrets-db.vault_password.group} $file`
			`chmod ${secrets-db.vault_password.permissions} $file`
			`'')`
			`];`
			`}`