Update from updated-inputs-2025-02-17-02-03

flake.lock

@@ -542,11 +542,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1739446958,
-        "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=",
+        "lastModified": 1739580444,
+        "narHash": "sha256-+/bSz4EAVbqz8/HsIGLroF8aNaO8bLRL7WfACN+24g4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2ff53fe64443980e139eaa286017f53f88336dd0",
+        "rev": "8bb37161a0488b89830168b81c48aed11569cb93",
         "type": "github"
       },
       "original": {

hosts/backup-4/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
+	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:25Z",
-		"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
+		"lastmodified": "2025-02-16T18:13:41Z",
+		"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",

hosts/clerie-backup/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:18Z",
-		"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
+		"lastmodified": "2025-02-16T18:13:34Z",
+		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-05T12:12:27Z",

pkgs/clerie-sops/clerie-sops-edit.sh

@@ -7,17 +7,19 @@ set -euo pipefail
 
 print_help() {
 	cat << EOF
-clerie-sops-edit <secrets_file> <action> <key>
+clerie-sops-edit <secrets_file> <action> <key> [cmd...]
 
   This script allows editing single secrets in a secrets file by key.
 
   <secrets_file> is a sops secrets file
-  <action> is one of "edit", "read", "set" and "append"
+  <action> is one of "edit", "cmd", "read", "set" and "append"
   <key> is the key of the secret in the secrets file to modify
+
+  ACTION "cmd" a command that get passed the decrypted secret in the argument being "{}"
 EOF
 }
 
-if [[ $# != 3 ]]; then
+if [[ $# -lt 3 ]]; then
 	print_help
 	exit 1
 fi
@@ -33,7 +35,7 @@ fi
 
 ACTION="$2"
 
-if ! echo "edit read set append" | grep -wq "${ACTION}"; then
+if ! echo "edit cmd read set append" | grep -wq "${ACTION}"; then
 	echo "Action \"${ACTION}\" not supported"
 	echo
 	print_help
@@ -43,6 +45,15 @@ fi
 KEY="$3"
 KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 
+if [[ $# -gt 3 && "${ACTION}" != "cmd" ]]; then
+	print_help
+	exit 1
+fi
+
+shift
+shift
+shift
+
 if [[ -n $EDITOR ]]; then
 	EDITOR=vim
 fi
@@ -64,6 +75,18 @@ case "${ACTION}" in
 	edit)
 		"${EDITOR}" "${TMP_FILE}"
 		;;
+	cmd)
+		CMD=()
+		while [[ $# -gt 0 ]]; do
+			if [[ "$1" == "{}" ]]; then
+				CMD+=("${TMP_FILE}")
+			else
+				CMD+=("$1")
+			fi
+			shift
+		done
+		"${CMD[@]}"
+		;;
 	read)
 		cat "${TMP_FILE}"
 		;;

pkgs/nixfiles/nixfiles-generate-backup-secrets.sh

@@ -4,17 +4,50 @@ set -euo pipefail
 
 cd "$(git rev-parse --show-toplevel)"
 
+if [[ $# -eq 0 || $# -gt 2 ]]; then
+	echo "Usage: nixfiles-generate-backup-secrets HOST [--configure-host]"
+	echo
+	echo "  --configure-host"
+	echo "      Directly sets the secrets in the hosts secret store"
+	exit 1
+fi
+
 host="$1"
 
+CONFIGURE_HOST=
+
+if [[ $# -eq 2 ]]; then
+	if [[ "$2" == "--configure-host" ]]; then
+		if [[ ! -f "hosts/${host}/secrets.json" ]]; then
+			echo "Host ${host} does not have a secrets file, can't configure"
+			exit 1
+		fi
+		CONFIGURE_HOST=1
+	else
+		echo "Unknown option $2"
+		exit 1
+	fi
+fi
+
 job_main="$(pwgen -1 64 1)"
 target_cyan="$(pwgen -1 64 1)"
-target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
 target_magenta="$(pwgen -1 64 1)"
-target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
 
-echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
-echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
-echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
+echo "${target_cyan}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" cmd "restic-server-cyan-htpasswd" htpasswd -iB "{}" "${host}"
+echo "${target_magenta}" | clerie-sops-edit "hosts/backup-4/secrets.json" cmd "restic-server-magenta-htpasswd" htpasswd -iB "{}" "${host}"
 
-echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
-echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
+echo "Repo password main: ${job_main}"
+echo
+echo "URL cyan: https://cyan.backup.clerie.de/${host}/main"
+echo "Auth username cyan: ${host}"
+echo "Auth password cyan: ${target_cyan}"
+echo
+echo "URL magenta: https://magenta.backup.clerie.de/${host}/main"
+echo "Auth username magenta: ${host}"
+echo "Auth password magenta: ${target_magenta}"
+
+if [[ -n "${CONFIGURE_HOST}" ]]; then
+	echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
+	echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
+	echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
+fi