Add encrypted vault for dungflix

hosts/dingserver/rclone.nix

@@ -8,11 +8,16 @@
   file = ''
     [dungflix]
     type = b2
+
+    [dungflix-vault]
+    type = crypt
+    remote = dungflix:dungflix-bucket
   '';
 in {
   age.secrets = {
     dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
     dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
+    dungflix_crypt_remote_obscured_pass.file = ../../secrets/dungflix_crypt_remote_obscured_pass.age;
   };
   systemd.services.dungflix-mount = {
     description = "Mount the Backblaze B2 media store";
@@ -24,15 +29,23 @@ in {
     script = ''
       export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
       export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
-      ${pkgs.rclone}/bin/rclone --config="${pkgs.writeText "" file}" mount dungflix:dungflix-bucket ${mountdir} \
+      export RCLONE_CRYPT_PASSWORD=''$(cat ${config.age.secrets.dungflix_crypt_remote_obscured_pass.path})
+      ${pkgs.rclone}/bin/rclone --config="${pkgs.writeText "" file}" mount dungflix-vault: ${mountdir} \
+        --transfers 32 \
         --vfs-cache-mode full \
-        --vfs-cache-max-age 48h \
+        --vfs-cache-max-age 168h \
         --vfs-cache-max-size 100G \
         --allow-other \
         --no-modtime \
         --buffer-size 2G \
-        -vvv
+        --fast-list \
+        --rc \
+        --rc-no-auth \
+        -vv
+    '';
+    postStart = ''
+      sleep 5
+      ${pkgs.rclone}/bin/rclone rc vfs/refresh recursive=true _async=true
     '';
-    postStop = "fusermount -u ${mountdir}";
   };
 }

secrets/dungflix_crypt_remote_obscured_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 eYYv1Q Ri4RQl9mOus2QIc66lZJu42a4RoKszuLAf24wrJ0gTU
+Od0pYVFw83zJtMy4qRazVKYdN1CAl854LCQMHKKrMWI
+-> ssh-ed25519 Bp5IaA AxvFdHIXsB2m53sJmJ88xAsrqPuGZai8cmg9uS9lyQs
+mXQyRTx5R9BS3S7PzpbL+0LZgQWXIzibw9Q6kvIM0HU
+-> ssh-ed25519 T/DpgA EiTxdl7hNm0YT/DStbkiMjsND7c3W5m+9c9IF2EkZhA
+c1qlwzN9mkoAZVun2p1qNs+PEkURvy9PEIp/dbFrAR8
+-> ssh-ed25519 qMgRFg 0/DYlYNpoBw0rw3J7h+41QoVxVs8Rf5UHICCidg3XjQ
+eY+GeESrCCgb8dsU5nYndGwPmZEIXlBye65pRFj8A98
+-> ssh-ed25519 GzHGXw gm0B2SupF0ClywijhXzH54dxMvlyTkNV8J5b6d5innQ
+es3Y2pWvbEgPuk75bNLflZGluvfkvMo/ZP0haeJ3hMY
+-> G-grease KrDpKj
+K8OS1t1RFMg+g7UUV0DIE8GZ0uq/nSI/PYn6PPc0l5eMQtY43yYM+6BMHo4
+--- o+/vzZhLVMl98K6lsA+ajy86cU1rNlRMyZOS3xDKdwA
+<EFBFBD><EFBFBD>Í
+9+[<5B>9D<39>hsJ\'<27>Ji<0F>x,]<5D><>قoP<6F>d.<2E>lK{<7B>5Gl<47>a<EFBFBD><61>Ս<EFBFBD><D58D>b<EFBFBD><62>r<EFBFBD>q˳D<CBB3><44><EFBFBD><EFBFBD>_<EFBFBD>Ɗ	Ky<4B>N<EFBFBD><4E>/<2F><>ݏ;

secrets/dungflix_crypt_remote_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 eYYv1Q 9IgOw7ZDBzu2zfk634z4jqpiE/2L8USNaUGe/YXQGmo
+jzqRh2dW2tpItrXStlaV/2ye422c9Zj5tG7cKAhySdQ
+-> ssh-ed25519 Bp5IaA qkHoHaSqfm6G8nuu1aATJi7wcp5rYe4PVKN/xp+0UnY
+osoRd4i56Xh7zTru6Juj2HyrJNPqivwpHe6aK7+pmd8
+-> ssh-ed25519 T/DpgA ybfFgOgMpPqvhUcys77ke0w301ZVAcGQXhmcip5wOXo
+pyPe5wZCMVPVD0s9NbMXyq2kipcvuwAK3S0Tv7Bj4Wc
+-> ssh-ed25519 qMgRFg hk7ceQIqtvqggk0Jyg/sDk7aUT3/sfkyvPWbC/8Q6VI
+2per2s5msXlUUKI+w+uAaA5suHzAmb7TSKezcGekjmM
+-> ssh-ed25519 GzHGXw Sj9hiYHxRWWAvgIBpKvrxtpPQInvT7gRSAjsRxnHdXQ
+klgWxjpCBdEVthnHLw19otQxaPM3yFAPJ99JKFPzh9c
+-> ]p-grease x*NAtKPV N6.Z{NW
+yAbnz4dn7fdO9BUVHKU36mBFcgxdoxDdc2+5eOoF3rYLW9Sjs5MO2j76H6XB7jMz
+R5IxqCY0PJDYaqT7sdgisaBGqWfGFqWeIilNjQPI63Q
+--- bkdnuj10yhn2hWVp2bRU1mOf8CFp3QQb1aGcTecqIDM
+<EFBFBD>d<EFBFBD><EFBFBD>Q><3E><><EFBFBD><EFBFBD>ZE:VCZ%<25><><EFBFBD><EFBFBD><EFBFBD>H<EFBFBD>.<2E><1A>	W<>sC<>f<EFBFBD><66><EFBFBD><EFBFBD><EFBFBD><EFBFBD>$u<>Y<EFBFBD><1F><>$<24><>

secrets/secrets.nix

@@ -21,4 +21,6 @@ in {
   "rclone_password2.age".publicKeys = users ++ [system2];
   "dungflix_bucket_account_id.age".publicKeys = users ++ [system2];
   "dungflix_bucket_account_key.age".publicKeys = users ++ [system2];
+  "dungflix_crypt_remote_obscured_pass.age".publicKeys = users ++ [system2];
+  "dungflix_crypt_remote_pass.age".publicKeys = users ++ [system2];
 }