sane-private-change-passwd: remove
use `gocryptfs -passwd /nix/persist/private` instead
@@ -25,7 +25,6 @@ in
"sane-scripts.deadlines"
"sane-scripts.deadlines"
"sane-scripts.find-dotfiles"
"sane-scripts.find-dotfiles"
"sane-scripts.ip-check"
"sane-scripts.ip-check"
"sane-scripts.private-change-passwd"
"sane-scripts.private-do"
"sane-scripts.private-do"
"sane-scripts.private-init"
"sane-scripts.private-init"
"sane-scripts.private-lock"
"sane-scripts.private-lock"
@@ -119,14 +118,6 @@ in
"sane-scripts.ip-port-forward" = {};
"sane-scripts.ip-port-forward" = {};
"sane-scripts.private-change-passwd".sandbox = {
method = "bwrap";
autodetectCliPaths = "existing"; #< for the new `private` location
capabilities = [ "sys_admin" ]; # it needs to mount the new store
extraHomePaths = [
".persist/private"
];
};
"sane-scripts.private-do".sandbox = {
"sane-scripts.private-do".sandbox = {
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
@@ -118,11 +118,6 @@ let
srcRoot = ./src;
srcRoot = ./src;
pkgs = [ "inetutils" "miniupnpc" "sane-scripts.lib.ssdp"];
pkgs = [ "inetutils" "miniupnpc" "sane-scripts.lib.ssdp"];
};
};
private-change-passwd = static-nix-shell.mkBash {
pname = "sane-private-change-passwd";
srcRoot = ./src;
pkgs = [ "gocryptfs" "rsync" ];
};
private-do = static-nix-shell.mkBash {
private-do = static-nix-shell.mkBash {
pname = "sane-private-do";
pname = "sane-private-do";
srcRoot = ./src;
srcRoot = ./src;
@@ -1,40 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p gocryptfs -p rsync
# HOW TO USE
# ```sh
# $ sudo mkdir /nix/persist/private.new && sudo chown colin:users /nix/persist/private.new
# $ sane-private-change-passwd /nix/persist/private.new
# this should prompt you to enter a password for the new directory.
# now all data in the original /mnt/persist/private has been re-encrypted, into /nix/persist/private.new/cipher
# if the data on-disk looks reasonable, continue:
# $ sudo mv /nix/persist/private /nix/persist/private.old
# $ sudo mv /nix/persist/private.new/cipher /nix/persist/private
# $ sudo rmdir /nix/persist/private.new
# ```
set -ex
new_cipher="$1/cipher"
new_plain="$1/plain"
old_plain=/mnt/persist/private
old_cipher=/nix/persist/private
mkdir -p "$new_cipher"
mkdir -p "$new_plain"
# initialize the new store
gocryptfs -init "$new_cipher"
# mount the new store. assume the old store is mounted.
# if old store ISN'T mounted, then run this entire script inside `sane-private-do`
gocryptfs "$new_cipher" "$new_plain"
# transfer to the new store
rsync -arv "$old_plain/" "$new_plain/"
echo "now spot-check the data on-disk at $new_cipher"
echo "if it looks good, then:"
echo " - sudo mv $old_cipher $old_cipher.old"
echo " - sudo mv $new_cipher $old_cipher"
echo " - sudo rmdir $new_plain && sudo rmdir $new_plain/.."