colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sane-private-change-passwd: remove

Browse Source 
use `gocrypt --passwd /nix/persist/private` instead
This commit is contained in:
Colin
2024-07-21 21:48:31 +00:00
parent 5f0eaa9771
commit 3ce2b44b7d
3 changed files with 0 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
hosts/common/programs/sane-scripts.nix
View File

@@ -25,7 +25,6 @@ in
"sane-scripts.deadlines"
"sane-scripts.find-dotfiles"
"sane-scripts.ip-check"
"sane-scripts.private-change-passwd"
"sane-scripts.private-do"
"sane-scripts.private-init"
"sane-scripts.private-lock"
@@ -119,14 +118,6 @@ in
"sane-scripts.ip-port-forward" = {};
"sane-scripts.private-change-passwd".sandbox = {
method = "bwrap";
autodetectCliPaths = "existing"; #< for the new `private` location
capabilities = [ "sys_admin" ]; # it needs to mount the new store
extraHomePaths = [
".persist/private"
];
};
"sane-scripts.private-do".sandbox = {
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.

5
pkgs/additional/sane-scripts/default.nix
View File

@@ -118,11 +118,6 @@ let
srcRoot = ./src;
pkgs = [ "inetutils" "miniupnpc" "sane-scripts.lib.ssdp"];
};
private-change-passwd = static-nix-shell.mkBash {
pname = "sane-private-change-passwd";
srcRoot = ./src;
pkgs = [ "gocryptfs" "rsync" ];
};
private-do = static-nix-shell.mkBash {
pname = "sane-private-do";
srcRoot = ./src;

40
pkgs/additional/sane-scripts/src/sane-private-change-passwd
View File

@@ -1,40 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p gocryptfs -p rsync
# HOW TO USE
# ```sh
# $ sudo mkdir /nix/persist/private.new && sudo chown colin:users /nix/persist/private.new
# $ sane-private-change-passwd /nix/persist/private.new
# this should prompt you to enter a password for the new directory.
# now all data in the original /mnt/persist/private has been re-encrypted, into /nix/persist/private.new/cipher
# if the data on-disk looks reasonable, continue:
# $ sudo mv /nix/persist/private /nix/persist/private.old
# $ sudo mv /nix/persist/private.new/cipher /nix/persist/private
# $ sudo rmdir /nix/persist/private.new
# ```
set -ex
new_cipher="$1/cipher"
new_plain="$1/plain"
old_plain=/mnt/persist/private
old_cipher=/nix/persist/private
mkdir -p "$new_cipher"
mkdir -p "$new_plain"
# initialize the new store
gocryptfs -init "$new_cipher"
# mount the new store. assume the old store is mounted.
# if old store ISN'T mounted, then run this entire script inside `sane-private-do`
gocryptfs "$new_cipher" "$new_plain"
# transfer to the new store
rsync -arv "$old_plain/" "$new_plain/"
echo "now spot-check the data on-disk at $new_cipher"
echo "if it looks good, then:"
echo " - sudo mv $old_cipher $old_cipher.old"
echo " - sudo mv $new_cipher $old_cipher"
echo " - sudo rmdir $new_plain && sudo rmdir $new_plain/.."