move media to encrypted storage

2022-11-29 10:08:44 +00:00 · 2022-11-29 10:08:44 +00:00 · a6d02a3de9
parent 9ca10ad75a
commit a6d02a3de9
2 changed files with 28 additions and 5 deletions
--- a/hosts/storage/rclone_config.template
+++ b/hosts/storage/rclone_config.template
@ -68,6 +68,12 @@ vendor = nextcloud
 user = chaoticryptidz
 pass = PUTIO_PASSWORD

+[Storage-Media-Crypt]
+type = crypt
+remote = StorageBox:Media
+password = STORAGE_MEDIA_CRYPT_PASSWORD
+password2 = STORAGE_MEDIA_CRYPT_SALT
+
 [Media-Combine-Serve]
 type = combine
-upstreams = "Media=StorageBox:Media" "PutIO=PutIO-WebDAV:"
+upstreams = "Media=Storage-Media-Crypt:" "PutIO=PutIO-WebDAV:"
--- a/hosts/storage/secrets.nix
+++ b/hosts/storage/secrets.nix
@ -11,13 +11,17 @@
    ];

    extraFunctions = ''
+      replace_slash_for_sed() {
+        sed "s#/#\\\/#"
+      }
+
      simple_get_obscure() {
        rclone obscure "$(simple_get "$@")"
      }

      simple_get_replace_b2() {
-        api_account=$(simple_get "$1" .keyID)
-        api_key=$(simple_get "$1" .applicationKey | sed "s#/#\\\/#")
+        api_account=$(simple_get "$1" .keyID | replace_slash_for_sed)
+        api_key=$(simple_get "$1" .applicationKey | replace_slash_for_sed)

        replace_account=''${2}_ACCOUNT
        replace_key=''${2}_KEY
@ -25,6 +29,17 @@
        sed -i "s/$replace_account/$api_account/" "$3"
        sed -i "s/$replace_key/$api_key/" "$3"
      }
+    
+      simple_get_replace_crypt() {
+        password=$(simple_get "$1" .password | replace_slash_for_sed)
+        salt=$(simple_get "$1" .salt | replace_slash_for_sed)
+
+        replace_password=''${2}_ACCOUNT
+        replace_salt=''${2}_KEY
+
+        sed -i "s/$replace_password/$password/" "$3"
+        sed -i "s/$replace_salt/$salt/" "$3"
+      }
    '';

    secrets = {
@ -85,7 +100,7 @@

          cp ${./rclone_config.template} "$TMP_DIR/template"

-          pushd "$TMP_DIR"
+          pushd "$TMP_DIR" 2>/dev/null

          STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
          sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template
@ -99,9 +114,11 @@
          PUTIO_PASSWORD="$(rclone obscure "$PUTIO_PASSWORD")"
          sed -i "s/PUTIO_PASSWORD/$PUTIO_PASSWORD/" ./template

+          simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Media-Crypt" "STORAGE_MEDIA_CRYPT" ./template
+
          cp ./template $secretFile

-          popd
+          popd 2>/dev/null

          rm -rf "$TMP_DIR"
        '';