bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Owner

This config is currently running on the backup host.
Gonne added 2 commits 2024-01-08 15:00:12 +00:00
Gonne reviewed 2024-01-08 15:07:36 +00:00
@ -0,0 +5,4 @@
options = ["size=2G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
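Review bot: `device = "/dev/disk/by-label/nixos"` resolves to whichever block device currently carries that label, so a second disk or an attached installer image labelled `nixos` would be mounted as `/persist` in place of the intended partition; `/dev/disk/by-uuid/<uuid>` (or `by-partuuid`) is unambiguous and just as stable across device renames. If `/persist` holds files that are needed early in boot (host keys, the age key sops needs for the secrets introduced later in this PR), this filesystem also needs `neededForBoot = true;`.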
Author
Owner

Is addressing by label actually nicer than by uuid? It seems to work at least.
@ -0,0 +19,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
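Review bot: The comment says repos are served according to the presented ssh key but not that each client should use a key dedicated to backups, so the next person adding a repo may reuse a host or personal key; say it here. Since each entry maps one key to one repo, consider `authorizedKeysAppendOnly` instead of `authorizedKeys` for client machines: the generated `authorized_keys` entry then forces an append-only `borg serve`, so a compromised or misconfigured client can add archives but cannot delete or prune the history already on bragi, and pruning is done from the server side.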
Author
Owner

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.
Gonne force-pushed bragi from 79ba6d9e63 to d2ff7b50c9 2024-01-09 08:22:01 +00:00 Compare
Gonne force-pushed bragi from d2ff7b50c9 to 7b4c51bffd 2024-01-20 12:37:24 +00:00 Compare
Gonne added 1 commit 2024-02-07 14:21:59 +00:00
Gonne added 1 commit 2024-02-07 14:28:53 +00:00
Gonne force-pushed bragi from 2c5cb23ef4 to d4128640f5 2024-02-07 14:47:42 +00:00 Compare
Gonne added 1 commit 2024-02-07 17:48:25 +00:00
Gonne force-pushed bragi from 529f12c052 to b44e2cbbb0 2024-02-07 18:06:51 +00:00 Compare
Gonne added 1 commit 2024-02-07 18:11:58 +00:00
Gonne force-pushed bragi from 85111743d8 to b44e2cbbb0 2024-02-07 18:21:41 +00:00 Compare
Gonne added 1 commit 2024-02-07 18:28:33 +00:00
Gonne added 1 commit 2024-02-07 18:32:24 +00:00
Gonne force-pushed bragi from 8de0651c36 to 3b51a70e70 2024-02-08 06:04:55 +00:00 Compare
Gonne force-pushed bragi from 3b51a70e70 to 01246a78a8 2024-02-08 06:28:18 +00:00 Compare
Gonne force-pushed bragi from 01246a78a8 to b6c2893a3e 2024-02-08 06:42:16 +00:00 Compare
Gonne force-pushed bragi from b6c2893a3e to 001f4f49a7 2024-02-08 07:08:43 +00:00 Compare
Gonne force-pushed bragi from 001f4f49a7 to c9232fb823 2024-02-08 07:16:49 +00:00 Compare
Gonne force-pushed bragi from c9232fb823 to 1f590c6c9d 2024-02-08 07:19:48 +00:00 Compare
Gonne force-pushed bragi from 1f590c6c9d to 03cc2ec27f 2024-02-08 07:22:17 +00:00 Compare
Gonne force-pushed bragi from 03cc2ec27f to 371b1d3221 2024-02-08 07:24:00 +00:00 Compare
Gonne force-pushed bragi from 371b1d3221 to 52100f3e3b 2024-02-08 07:27:46 +00:00 Compare
Gonne force-pushed bragi from 52100f3e3b to 2992edffb0 2024-02-08 07:38:57 +00:00 Compare
Gonne force-pushed bragi from 2992edffb0 to 3b286fa05b 2024-02-08 07:42:58 +00:00 Compare
Gonne changed title from WIP: bragi backup config to bragi backup config 2024-02-08 07:44:02 +00:00
Gonne requested review from Server-Minions 2024-02-08 07:44:09 +00:00
Gonne reviewed 2024-02-09 09:37:46 +00:00
@ -0,0 +123,4 @@
startAt = "daily";
user = "fsaccount";
group = "users";
readWritePaths = ["/home/fsaccount"];
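Review bot: `readWritePaths = ["/home/fsaccount"]` widens the unit's `ReadWritePaths` to the whole home directory although the job only needs the directory the preHook syncs into; if that directory is created with `systemd.tmpfiles.rules` (owner `fsaccount`, mode `0700`), the entry can be narrowed to `/home/fsaccount/sicherung` and the rest of the home stays read-only for the unit. `group = "users"` also deserves a second look: the synced copy of the department account may end up group-readable by every local user, so a dedicated group or the `0700` directory mode above keeps it private.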
Author
Owner

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`.
I don't know if this restriction is worth the increased complexity.
Gonne requested review from nerf 2024-02-17 12:13:07 +00:00
nerf reviewed 2024-03-01 16:33:14 +00:00
@ -0,0 +138,4 @@
users.users = {
fsaccount = {
description = "FS Account backup";
isNormalUser = true;
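Review bot: `isNormalUser = true` gives `fsaccount` a login shell, a uid in the normal-user range and membership in the default user group, none of which an account that only runs the backup unit needs; `isSystemUser = true` removes the interactive login path (NixOS then requires an explicit `group`, e.g. a dedicated `fsaccount` group), and `createHome = true` with a fixed `home` can stay if the backup must remain under `/home/fsaccount`.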
Owner

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Author
Owner

Login is not necessary, so we can transform it to a system user.
Gonne marked this conversation as resolved
nerf reviewed 2024-03-01 16:36:17 +00:00
@ -0,0 +20,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
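Review bot: The public keys listed under `repos` must be known at evaluation time while the matching private keys must stay on the clients, so this comment should document the provisioning flow rather than leave it implicit: generate a dedicated key pair per client, commit only the public half here, and deploy the private half through sops (as this PR later does for the fsaccount key). It should also state that no Nix-managed client exists yet, so whoever adds the first one owns the automation.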
Owner

Where exactly do these keys come from? Can we automatize this, so we either just need to name the machine here, or completely automatically by virtue of being a machine?

Of course we need a mechanism like this for legacy non-Nix machines.
Author
Owner

See also https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/28#issuecomment-565

This can probably be automated (?) but currently no Nix machine needs backups.
Thus I would like to postpone it.
Owner

Can we then put a comment like:

„Congratulations, you are the first person to make backups from a nixos machine.
You won the task of automatizing this endeavor, so in future we don't need to hand copy any
ssh keys anymore“

Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines.

One way would be pre-generated key-pairs that are deployed through sops.
(But then we should make sure to use dedicated keys for this task.)
Gonne marked this conversation as resolved
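A sketch of the mechanism nerf describes above (pre-generated, dedicated key pairs deployed through sops, with only the public halves in the config), as an added example that is not code from this PR or from the nixConfig repository; the host names, paths, secret names, option values and placeholder key strings are assumptions.

```nix
# Added example, not code from this PR: one dedicated, sops-deployed borg key per
# client, with only the public half in the Nix config. Host names, paths, secret
# names and the key strings are assumptions; the two halves live on different hosts.
{ config, ... }:
{
  ## On the backup host (bragi): one repo per client, reachable only with that
  ## client's key. The module writes an authorized_keys entry that forces
  ## `borg serve` for this repo, so the key grants no shell.
  services.borgbackup.repos.webserver = {
    path = "/var/lib/backups/webserver";
    # Append-only: the client can add archives but cannot delete or prune
    # history, so a compromised client cannot destroy its own backups.
    authorizedKeysAppendOnly = [
      "ssh-ed25519 AAAA...PUBLIC-KEY-PLACEHOLDER borg-client@webserver"
    ];
    quota = "50G";
  };

  ## On the client: the private key and the passphrase were generated offline
  ## (ssh-keygen -t ed25519 -N "" -f borg-key) and encrypted into secrets.yaml
  ## with sops; they are decrypted to /run/secrets at activation and are never
  ## written to the Nix store.
  sops.secrets.borgSshKey = { sopsFile = ./secrets.yaml; owner = "root"; mode = "0400"; };
  sops.secrets.borgPassphrase = { sopsFile = ./secrets.yaml; owner = "root"; mode = "0400"; };

  services.borgbackup.jobs.webserver = {
    paths = [ "/var/lib/www" ];
    repo = "borg@bragi:/var/lib/backups/webserver";
    # repokey: the key is stored in the repo, but only encrypted under a
    # passphrase that exists solely on the client (and in sops).
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat ${config.sops.secrets.borgPassphrase.path}";
    };
    environment.BORG_RSH =
      "ssh -i ${config.sops.secrets.borgSshKey.path} -o StrictHostKeyChecking=yes";
    compression = "auto,zstd";
    startAt = "daily";
    prune.keep = { daily = 7; weekly = 4; monthly = 6; };
  };

  # Pin the backup host's key so a changed host key fails the job instead of
  # silently talking to a different server.
  programs.ssh.knownHosts.bragi.publicKey =
    "ssh-ed25519 AAAA...HOST-KEY-PLACEHOLDER";
}
```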
Gonne added 1 commit 2024-03-04 08:23:57 +00:00
Gonne force-pushed bragi from d06350b450 to f95860f000 2024-03-21 16:03:48 +00:00 Compare
Gonne added 1 commit 2024-03-21 16:51:20 +00:00
Gonne force-pushed bragi from 6746f0c047 to b03039f47b 2024-03-21 16:54:17 +00:00 Compare
Gonne force-pushed bragi from b03039f47b to 224530117e 2024-03-21 16:55:06 +00:00 Compare
Gonne force-pushed bragi from 224530117e to 39a9213e30 2024-03-21 16:57:13 +00:00 Compare
Gonne force-pushed bragi from 39a9213e30 to c5bf5f8e79 2024-03-21 17:02:33 +00:00 Compare
Gonne force-pushed bragi from c5bf5f8e79 to 95509a447c 2024-03-21 17:10:38 +00:00 Compare
Gonne force-pushed bragi from 95509a447c to 9027b418ae 2024-03-21 17:20:25 +00:00 Compare
Gonne force-pushed bragi from 9027b418ae to 80594d679f 2024-03-21 17:37:35 +00:00 Compare
Gonne force-pushed bragi from 80594d679f to 28f02d8543 2024-03-21 17:48:36 +00:00 Compare
Gonne force-pushed bragi from 28f02d8543 to 690c56491d 2024-03-21 17:56:15 +00:00 Compare
Gonne force-pushed bragi from 690c56491d to 3a8fd7ee40 2024-03-21 18:11:31 +00:00 Compare
Gonne force-pushed bragi from 3a8fd7ee40 to 6625e82d12 2024-03-21 18:32:09 +00:00 Compare
Author
Owner

I've moved the ssh key to sops. Ready for review again.
Gonne force-pushed bragi from 6625e82d12 to 05036bdaee 2024-03-27 09:44:15 +00:00 Compare
Gonne force-pushed bragi from 05036bdaee to 1bf59168fb 2024-03-30 08:01:28 +00:00 Compare
nerf reviewed 2024-03-30 15:39:11 +00:00
@ -0,0 +113,4 @@
};
};
# Configure backup of files on the department's fs account
jobs.fsaccount = {
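Review bot: This job keeps the fsaccount backup under `/home/fsaccount` while the machine repos live under `/var/lib/backups`, as raised in the discussion; the comment here should state why the layouts differ (this data is pulled with rsync rather than pushed by a borg client), or the job should write its repo under `/var/lib/backups` as well so one ownership and retention scheme covers everything.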
Owner

Did I get something wrong?
It seems the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users`.

While all the machines' ones are under `/var/lib/backups`, probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
@ -0,0 +119,4 @@
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none";
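Review bot: The rsync line has three problems. `-r` copies recursively but drops permissions, mtimes and symlinks; `-a` keeps them, and without `--delete` files removed on gw1 stay in the mirror forever, which should be a deliberate choice. The remote glob `/home/fachschaft/*` is expanded by the remote shell and skips dotfiles, so `fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/` with a trailing slash is the right source if the whole account is meant to be backed up. And `ssh -i /run/secrets/backupKey` trusts whatever `known_hosts` the `fsaccount` user happens to have; pin gw1's host key with `programs.ssh.knownHosts` and add `-o StrictHostKeyChecking=yes` so a changed host key fails the job instead of being accepted silently. `encryption.mode = "none"` also deserves the note asked for in review: encrypting here would mean keeping the key on the same host as the repo or requiring a human to enter it.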
Owner

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
Gonne marked this conversation as resolved
@ -0,0 +122,4 @@
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
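Review bot: `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"` skips borg's interactive confirmation when it first touches an unencrypted repository it has no cached record of; borg asks because quietly accepting an unknown unencrypted repo would let a client be steered into writing plaintext it did not intend to. A systemd job has no terminal to answer that prompt, so `yes` is required for the first run of this deliberately unencrypted repo; put that explanation in a comment next to the line. `BORG_RSH` also repeats the `-i /run/secrets/backupKey` from the rsync preHook, so factor the key path into one `let` binding so the two cannot drift apart.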
Owner

Why is this here, what does it do? I also don't really get it from the Borg documentation

> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
Gonne added 1 commit 2024-03-30 18:53:02 +00:00
nerf approved these changes 2024-03-30 19:07:58 +00:00
Gonne merged commit 326cc52c2e into main 2024-03-30 19:10:30 +00:00
Gonne deleted branch bragi 2024-03-30 19:10:30 +00:00
Reference: Fachschaft/nixConfig#28
No description provided.