Remove hardcoded Nextcloud token from railiance-backup.
All checks were successful
CI Smoke / host-smoke (push) Successful in 2s
CI Smoke / container-smoke (push) Successful in 10s

Load NC_WEBDAV_TOKEN from OpenBao offsite-lane path after OIDC login,
or from RAILIANCE_BACKUP_NC_TOKEN env (CCR-2026-0004).
This commit is contained in:
tegwick 2026-07-07 17:16:30 +02:00
parent cb74114358
commit 52a72363f3

View file

@ -7,8 +7,21 @@ source "${ROOT}/lib/railiance-print.sh"
# ── Configuration ─────────────────────────────────────────────────────────────
AGE_PUBLIC_KEY="age1zvryunvjhvpkmasskauga2heeg0ztnte9ymgppvjge36ekumk50syr3tsz"
NC_WEBDAV_URL="https://nx4069.your-storageshare.de/public.php/webdav"
NC_TOKEN="MfTBEjcJTGS8Ywo"
BAO_PATH="platform/workloads/railiance/backup/offsite-lane"
NC_WEBDAV_URL="${RAILIANCE_BACKUP_NC_WEBDAV_URL:-}"
NC_TOKEN="${RAILIANCE_BACKUP_NC_TOKEN:-}"
if [[ -z "${NC_TOKEN}" || -z "${NC_WEBDAV_URL}" ]] && command -v bao >/dev/null 2>&1; then
if bao kv metadata get "${BAO_PATH}" >/dev/null 2>&1; then
NC_TOKEN="$(bao kv get -field=NC_WEBDAV_TOKEN "${BAO_PATH}")"
NC_WEBDAV_URL="$(bao kv get -field=NC_WEBDAV_URL "${BAO_PATH}")"
fi
fi
: "${NC_WEBDAV_URL:=https://nx4069.your-storageshare.de/public.php/webdav}"
if [[ -z "${NC_TOKEN}" ]]; then
bad "credentials" "set RAILIANCE_BACKUP_NC_TOKEN or: bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read"
exit 1
fi
PG_CONTAINER="infra-postgres-1"
PG_USER="custodian"
PG_DB="custodian"