Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests 1 Projects 1 Wiki Activity

bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Conversation 1 Commits 5 Files changed 6 +273 -1
Gonne commented 2024-01-08 15:00:11 +00:00
Owner
Copy link

This config is currently running on the backup host.

This config is currently running on the backup host.
Gonne added 2 commits 2024-01-08 15:00:12 +00:00
Gonne reviewed 2024-01-08 15:07:36 +00:00
nixos/machines/bragi/hardware-configuration.nix Outdated
@ -0,0 +5,4 @@
options = ["size=2G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
Gonne commented 2024-01-08 15:06:51 +00:00
Author
Owner
Copy link

Is addressing by label actually nicer than by uuid? It seems to work at least.

Is addressing by label actually nicer than by uuid? It seems to work at least.
nixos/modules/borgbackup.nix Outdated
@ -0,0 +19,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
Gonne commented 2024-01-08 15:05:41 +00:00
Author
Owner
Copy link

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.
Gonne force-pushed bragi from 79ba6d9e63 to d2ff7b50c9 2024-01-09 08:22:01 +00:00 Compare
Gonne force-pushed bragi from d2ff7b50c9 to 7b4c51bffd 2024-01-20 12:37:24 +00:00 Compare
Gonne added 1 commit 2024-02-07 14:21:59 +00:00
Gonne added 1 commit 2024-02-07 14:28:53 +00:00
Gonne force-pushed bragi from 2c5cb23ef4 to d4128640f5 2024-02-07 14:47:42 +00:00 Compare
Gonne added 1 commit 2024-02-07 17:48:25 +00:00
Gonne force-pushed bragi from 529f12c052 to b44e2cbbb0 2024-02-07 18:06:51 +00:00 Compare
Gonne added 1 commit 2024-02-07 18:11:58 +00:00
Gonne force-pushed bragi from 85111743d8 to b44e2cbbb0 2024-02-07 18:21:41 +00:00 Compare
Gonne added 1 commit 2024-02-07 18:28:33 +00:00
Gonne added 1 commit 2024-02-07 18:32:24 +00:00
Gonne force-pushed bragi from 8de0651c36 to 3b51a70e70 2024-02-08 06:04:55 +00:00 Compare
Gonne force-pushed bragi from 3b51a70e70 to 01246a78a8 2024-02-08 06:28:18 +00:00 Compare
Gonne force-pushed bragi from 01246a78a8 to b6c2893a3e 2024-02-08 06:42:16 +00:00 Compare
Gonne force-pushed bragi from b6c2893a3e to 001f4f49a7 2024-02-08 07:08:43 +00:00 Compare
Gonne force-pushed bragi from 001f4f49a7 to c9232fb823 2024-02-08 07:16:49 +00:00 Compare
Gonne force-pushed bragi from c9232fb823 to 1f590c6c9d 2024-02-08 07:19:48 +00:00 Compare
Gonne force-pushed bragi from 1f590c6c9d to 03cc2ec27f 2024-02-08 07:22:17 +00:00 Compare
Gonne force-pushed bragi from 03cc2ec27f to 371b1d3221 2024-02-08 07:24:00 +00:00 Compare
Gonne force-pushed bragi from 371b1d3221 to 52100f3e3b 2024-02-08 07:27:46 +00:00 Compare
Gonne force-pushed bragi from 52100f3e3b to 2992edffb0 2024-02-08 07:38:57 +00:00 Compare
Gonne force-pushed bragi from 2992edffb0 to 3b286fa05b 2024-02-08 07:42:58 +00:00 Compare
Gonne changed title from WIP: bragi backup config to bragi backup config 2024-02-08 07:44:02 +00:00
Gonne requested review from Server-Minions 2024-02-08 07:44:09 +00:00
Gonne reviewed 2024-02-09 09:37:46 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +123,4 @@
startAt = "daily";
user = "fsaccount";
group = "users";
readWritePaths = ["/home/fsaccount"];
Gonne commented 2024-02-09 09:37:46 +00:00
Author
Owner
Copy link

By creating the folder sicherung via systemd-tmpfiles we could restrict this to /home/fsaccount/sicherung.
I don't know if this restriction is worth the increased complexity.

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`. I don't know if this restriction is worth the increased complexity.
Gonne requested review from nerf 2024-02-17 12:13:07 +00:00
nerf reviewed 2024-03-01 16:33:14 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +138,4 @@
users.users = {
fsaccount = {
description = "FS Account backup";
isNormalUser = true;
nerf commented 2024-03-01 16:33:14 +00:00
Owner
Copy link

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Gonne commented 2024-03-03 18:23:46 +00:00
Author
Owner
Copy link

Login is not necessary, so we can transform it to a system user.

Login is not necessary, so we can transform it to a system user.
Gonne marked this conversation as resolved
nerf reviewed 2024-03-01 16:36:17 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +20,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
nerf commented 2024-03-01 16:36:17 +00:00
Owner
Copy link

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine?

Of course we need a a mechanism like this for legacy non nix machines

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine? Of course we need a a mechanism like this for legacy non nix machines
Gonne commented 2024-03-03 18:22:01 +00:00
Author
Owner
Copy link

See also #28 (comment)

This can probably be automated (?) but currently no Nix machine needs backups.
Thus I would like to postpone it.

See also https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/28#issuecomment-565 This can probably be automated (?) but currently no Nix machine needs backups. Thus I would like to postpone it.
nerf commented 2024-03-03 18:41:38 +00:00
Owner
Copy link

Can we then put a comment like:

„Congratulations, you are the first person to make backups from a nixos machine.
Your won the task of automatizing this endeavor, so in future we don't need to hand copy any
ssh keys anymore“

Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines.

One way would be pre-generated key-pairs that are deployed through sops.
(But then we should make sure to use dedicated keys for this task.)

Can we then put a comment like: „Congratulations, you are the first person to make backups from a nixos machine. Your won the task of automatizing this endeavor, so in future we don't need to hand copy any ssh keys anymore“ Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines. One way would be pre-generated key-pairs that are deployed through sops. (But then we should make sure to use dedicated keys for this task.)
👍 1
Gonne marked this conversation as resolved
Gonne added 1 commit 2024-03-04 08:23:57 +00:00
Gonne force-pushed bragi from d06350b450 to f95860f000 2024-03-21 16:03:48 +00:00 Compare
Gonne added 1 commit 2024-03-21 16:51:20 +00:00
Gonne force-pushed bragi from 6746f0c047 to b03039f47b 2024-03-21 16:54:17 +00:00 Compare
Gonne force-pushed bragi from b03039f47b to 224530117e 2024-03-21 16:55:06 +00:00 Compare
Gonne force-pushed bragi from 224530117e to 39a9213e30 2024-03-21 16:57:13 +00:00 Compare
Gonne force-pushed bragi from 39a9213e30 to c5bf5f8e79 2024-03-21 17:02:33 +00:00 Compare
Gonne force-pushed bragi from c5bf5f8e79 to 95509a447c 2024-03-21 17:10:38 +00:00 Compare
Gonne force-pushed bragi from 95509a447c to 9027b418ae 2024-03-21 17:20:25 +00:00 Compare
Gonne force-pushed bragi from 9027b418ae to 80594d679f 2024-03-21 17:37:35 +00:00 Compare
Gonne force-pushed bragi from 80594d679f to 28f02d8543 2024-03-21 17:48:36 +00:00 Compare
Gonne force-pushed bragi from 28f02d8543 to 690c56491d 2024-03-21 17:56:15 +00:00 Compare
Gonne force-pushed bragi from 690c56491d to 3a8fd7ee40 2024-03-21 18:11:31 +00:00 Compare
Gonne force-pushed bragi from 3a8fd7ee40 to 6625e82d12 2024-03-21 18:32:09 +00:00 Compare
Gonne commented 2024-03-21 18:39:34 +00:00
Author
Owner
Copy link

I've moved the ssh key to sops. Ready for review again.

I've moved the ssh key to sops. Ready for review again.
Gonne force-pushed bragi from 6625e82d12 to 05036bdaee 2024-03-27 09:44:15 +00:00 Compare
Gonne force-pushed bragi from 05036bdaee to 1bf59168fb 2024-03-30 08:01:28 +00:00 Compare
nerf reviewed 2024-03-30 15:39:11 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +113,4 @@
};
};
# Configure backup of files on the department's fs account
jobs.fsaccount = {
nerf commented 2024-03-30 15:36:04 +00:00
Owner
Copy link

Did I get something wrong?
It seams the fsaccount backups are under /home/fsaccount
owned by fsaccount:users

While all the machines ones are under /var/lib/backups probably owned
by some backup system user. Why is this set up this way, or am I reading this wrong?

Did I get something wrong? It seams the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users` While all the machines ones are under `/var/lib/backups` probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
nixos/modules/borgbackup.nix
@ -0,0 +119,4 @@
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none";
nerf commented 2024-03-30 15:29:10 +00:00
Owner
Copy link

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
Gonne marked this conversation as resolved
nixos/modules/borgbackup.nix
@ -0,0 +122,4 @@
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
nerf commented 2024-03-30 15:33:13 +00:00
Owner
Copy link

Why is this here, what does it do? I also don't really get it from the Borg documentation

BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)

For “Warning: Attempting to access a previously unknown unencrypted repository”

Why is this here, what does it do? I also don't really get it from the Borg documentation > BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) > > For “Warning: Attempting to access a previously unknown unencrypted repository”
Gonne added 1 commit 2024-03-30 18:53:02 +00:00
nerf approved these changes 2024-03-30 19:07:58 +00:00
Gonne merged commit 326cc52c2e into main 2024-03-30 19:10:30 +00:00
Gonne deleted branch bragi 2024-03-30 19:10:30 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
nerf
Labels
Clear labels   
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

No labels
Kind/Breaking
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Fachschaft/nixConfig#28
No description provided.
Delete branch "Gonne/nixConfig:bragi"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?