change capitalization of storage endpoints & backup misskey media

hosts/hetzner-vm/containers/music/profiles/music-sync.nix

@@ -13,7 +13,7 @@
       rclone_config = pkgs.writeText "rclone.conf" ''
         [Music]
         type = webdav
-        url = https://storage-webdav.owo.monster/music_ro/
+        url = https://storage-webdav.owo.monster/MusicRO/
         vendor = nextcloud
       '';
     in ''

hosts/hetzner-vm/containers/storage/data/ports.nix

@@ -1,13 +1,14 @@
 {...}: {
-  rclone_serve_webdav_main = 4242;
+  rclone_serve_webdav_main = 4200;
-  rclone_serve_webdav_media = 4243;
+  rclone_serve_webdav_media = 4201;
-  rclone_serve_webdav_music_ro = 4244;
+  rclone_serve_webdav_misskey = 4202;
+  rclone_serve_webdav_music_ro = 4203;
 
-  rclone_serve_restic_hvm = 4245;
+  rclone_serve_restic_hvm = 4210;
-  rclone_serve_restic_music = 4246;
+  rclone_serve_restic_music = 4211;
-  rclone_serve_restic_vault = 4247;
+  rclone_serve_restic_vault = 4212;
-  rclone_serve_restic_matrix = 4248;
+  rclone_serve_restic_matrix = 4213;
 
-  rclone_serve_http_music = 4249;
+  rclone_serve_http_music = 4220;
-  rclone_serve_http_public = 4250;
+  rclone_serve_http_public = 4221;
 }

hosts/hetzner-vm/containers/storage/profiles/rclone-serve.nix

@@ -23,12 +23,23 @@ in {
         extraArgs = [
           "--addr=0.0.0.0:${toString ports.rclone_serve_webdav_main}"
           "--htpasswd=${secrets.webdav_main_htpasswd.path}"
-          "--baseurl=/main/"
+          "--baseurl=/Main/"
           "--cache-dir=/caches/main_webdav_serve"
           "--vfs-cache-mode=full"
         ];
         inherit serviceConfig;
       }
+      {
+        user = "storage";
+        remote = "StorageBox:Backups/Misskey";
+        type = "webdav";
+        extraArgs = [
+          "--addr=0.0.0.0:${toString ports.rclone_serve_webdav_misskey}"
+          "--htpasswd=${secrets.webdav_misskey_htpasswd.path}"
+          "--baseurl=/Misskey/"
+        ];
+        inherit serviceConfig;
+      }
       {
         user = "storage";
         remote = "Media-Combine-Serve:";
@@ -36,7 +47,7 @@ in {
         extraArgs = [
           "--addr=0.0.0.0:${toString ports.rclone_serve_webdav_media}"
           "--htpasswd=${secrets.webdav_media_htpasswd.path}"
-          "--baseurl=/media/"
+          "--baseurl=/Media/"
           "--cache-dir=/caches/media_webdav_serve"
           "--vfs-cache-max-age=30m"
           "--vfs-cache-max-size=5g"
@@ -51,7 +62,7 @@ in {
         extraArgs = [
           "--addr=0.0.0.0:${toString ports.rclone_serve_webdav_music_ro}"
           "--read-only"
-          "--baseurl=/music_ro/"
+          "--baseurl=/MusicRO/"
         ];
         inherit serviceConfig;
       }

hosts/hetzner-vm/containers/storage/profiles/secrets.nix

@@ -80,6 +80,7 @@
           htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
         '';
       };
+
       webdav_main_htpasswd = {
         user = "storage";
         group = "storage";
@@ -89,7 +90,6 @@
           htpasswd -bc "$secretFile" "$username" "$password" 2>&1
         '';
       };
-
       webdav_media_htpasswd = {
         user = "storage";
         group = "storage";
@@ -99,6 +99,15 @@
           htpasswd -bc "$secretFile" "$username" "$password" 2>&1
         '';
       };
+      webdav_misskey_htpasswd = {
+        user = "storage";
+        group = "storage";
+        fetchScript = ''
+          username=$(simple_get "/api-keys/storage/webdav/misskey" .username)
+          password=$(simple_get "/api-keys/storage/webdav/misskey" .password)
+          htpasswd -bc "$secretFile" "$username" "$password" 2>&1
+        '';
+      };
 
       rclone_config = {
         user = "storage";

hosts/hetzner-vm/containers/storage/storage.nix

@@ -72,9 +72,10 @@ in {
     forceSSL = true;
     enableACME = true;
     locations = {
-      "/main/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_main}";
+      "/Main/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_main}";
-      "/media/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_media}";
+      "/Media/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_media}";
-      "/music_ro/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_music_ro}";
+      "/Misskey/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_misskey}";
+      "/MusicRO/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_webdav_music_ro}";
     };
   };
 

hosts/hetzner-vm/data/misskey_rclone.template

@@ -0,0 +1,12 @@
+[Misskey-Storage]
+type = webdav
+url = https://storage-webdav.owo.monster/Misskey/
+vendor = nextcloud
+user = misskey
+pass = MISSKEY_STORAGE_PASSWORD
+
+[Storage-Media-Crypt]
+type = crypt
+remote = Misskey-Storage:
+password = STORAGE_MISSKEY_CRYPT_PASSWORD
+password2 = STORAGE_MISSKEY_CRYPT_SALT

hosts/hetzner-vm/profiles/misskey.nix

@@ -1,8 +1,11 @@
 {
+  config,
   pkgs,
   tree,
   ...
 }: let
+  secrets = config.services.secrets.secrets;
+
   ports = import ../ports.nix {};
 
   misskeyDomain = "social.owo.monster";
@@ -62,8 +65,6 @@ in {
     imports = with tree; [home.base home.dev.small];
   };
 
-  systemd.tmpfiles.rules = ["d /home/misskey/misskey-files - misskey users"];
-
   systemd.services.misskey-files = {
     serviceConfig.Type = "oneshot";
     wantedBy = ["misskey.service"];
@@ -151,4 +152,36 @@ in {
     enable = true;
     port = ports.misskey-redis;
   };
+
+  environment.systemPackages = with pkgs; [
+    rclone
+    (pkgs.writeShellScriptBin "rclone-misskey" ''
+      ${pkgs.rclone}/bin/rclone --config ${secrets.misskey_storage_rclone_config.path} \
+        $@
+    '')
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /home/misskey/misskey-files - misskey users"
+
+    "d /home/misskey/.config - misskey users"
+    "d /home/misskey/.config/rclone - misskey users"
+    "L /home/misskey/.config/rclone/rclone.conf - - - - ${secrets.misskey_storage_rclone_config.path}"
+  ];
+
+  services.rclone-sync = {
+    enable = true;
+    user = "misskey";
+    sync_jobs = [
+      {
+        source = "/home/misskey/misskey-files";
+        dest = "Storage-Media-Crypt:";
+        serviceConfig = {};
+        timerConfig = {
+          OnStartupSec = "60";
+          OnCalendar = "4h";
+        };
+      }
+    ];
+  };
 }

hosts/hetzner-vm/secrets.nix

@@ -5,8 +5,32 @@
     extraPackages = with pkgs; [
       # for music & mail passwd files
       apacheHttpd
+
+      # for rclone file for misskey files sync
+      rclone
     ];
 
+    extraFunctions = ''
+      replace_slash_for_sed() {
+        sed "s#/#\\\/#"
+      }
+
+      simple_get_obscure() {
+        rclone obscure "$(simple_get "$@")"
+      }
+
+      simple_get_replace_crypt() {
+        password=$(simple_get "$1" .password | replace_slash_for_sed)
+        salt=$(simple_get "$1" .salt | replace_slash_for_sed)
+
+        replace_password=''${2}_ACCOUNT
+        replace_salt=''${2}_KEY
+
+        sed -i "s/$replace_password/$password/" "$3"
+        sed -i "s/$replace_salt/$salt/" "$3"
+      }
+    '';
+
     secrets = {
       mpd_control_password = {
         user = "mpd";
@@ -63,6 +87,30 @@
           echo "GITLAB_TOKEN=$token" > $secretFile
         '';
       };
+
+      misskey_storage_rclone_config = {
+        user = "misskey";
+        group = "users";
+        fetchScript = ''
+          TMP_DIR="$(mktemp -d)"
+
+          cp ${./data/misskey_rclone.template} "$TMP_DIR/template"
+
+          pushd "$TMP_DIR" 2>/dev/null
+
+          MISSKEY_STORAGE_PASSWORD=$(simple_get_obscure /api-keys/storage/webdav/misskey .password)
+          sed -i "s/MISSKEY_STORAGE_PASSWORD/$MISSKEY_STORAGE_PASSWORD/" ./template
+
+          simple_get_replace_crypt "/private-public-keys/rclone/Backups-Misskey-Crypt" "STORAGE_MISSKEY_CRYPT" ./template
+
+          cp ./template $secretFile
+
+          popd 2>/dev/null
+
+          rm -rf "$TMP_DIR"
+        '';
+      };
+
       matrix_restic_password = {
         fetchScript = ''
           simple_get "/private-public-keys/restic/Matrix" .password > $secretFile