Fachschaft/nixConfig
7
2
Fork 2
Code Issues 12 Pull requests 2 Projects Wiki Activity

bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Conversation 7 Commits 5 Files changed 6 +273 -1
Gonne commented 2024-01-08 15:00:11 +00:00
Owner
Copy link

This config is currently running on the backup host.

This config is currently running on the backup host.
Gonne reviewed 2024-01-08 15:07:36 +00:00
nixos/machines/bragi/hardware-configuration.nix Outdated
@ -0,0 +5,4 @@
options = ["size=2G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
Gonne commented 2024-01-08 15:06:51 +00:00
Author
Owner
Copy link

Is addressing by label actually nicer than by uuid? It seems to work at least.

Is addressing by label actually nicer than by uuid? It seems to work at least.
nixos/modules/borgbackup.nix Outdated
@ -0,0 +19,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
Gonne commented 2024-01-08 15:05:41 +00:00
Author
Owner
Copy link

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.
Gonne changed title from WIP: bragi backup config to bragi backup config 2024-02-08 07:44:02 +00:00
requested review from Server-Minions 2024-02-08 07:44:09 +00:00
Gonne reviewed 2024-02-09 09:37:46 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +123,4 @@
startAt = "daily";
user = "fsaccount";
group = "users";
readWritePaths = ["/home/fsaccount"];
Gonne commented 2024-02-09 09:37:46 +00:00
Author
Owner
Copy link

By creating the folder sicherung via systemd-tmpfiles we could restrict this to /home/fsaccount/sicherung.
I don't know if this restriction is worth the increased complexity.

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`. I don't know if this restriction is worth the increased complexity.
requested review from nerf 2024-02-17 12:13:07 +00:00
nerf reviewed 2024-03-01 16:33:14 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +138,4 @@
users.users = {
fsaccount = {
description = "FS Account backup";
isNormalUser = true;
nerf commented 2024-03-01 16:33:14 +00:00
Owner
Copy link

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Gonne commented 2024-03-03 18:23:46 +00:00
Author
Owner
Copy link

Login is not necessary, so we can transform it to a system user.

Login is not necessary, so we can transform it to a system user.
Gonne marked this conversation as resolved
nerf reviewed 2024-03-01 16:36:17 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +20,4 @@
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
nerf commented 2024-03-01 16:36:17 +00:00
Owner
Copy link

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine?

Of course we need a a mechanism like this for legacy non nix machines

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine? Of course we need a a mechanism like this for legacy non nix machines
Gonne commented 2024-03-03 18:22:01 +00:00
Author
Owner
Copy link

See also #28 (comment)

This can probably be automated (?) but currently no Nix machine needs backups.
Thus I would like to postpone it.

See also https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/28#issuecomment-565 This can probably be automated (?) but currently no Nix machine needs backups. Thus I would like to postpone it.
nerf commented 2024-03-03 18:41:38 +00:00
Owner
Copy link

Can we then put a comment like:

„Congratulations, you are the first person to make backups from a nixos machine.
Your won the task of automatizing this endeavor, so in future we don't need to hand copy any
ssh keys anymore“

Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines.

One way would be pre-generated key-pairs that are deployed through sops.
(But then we should make sure to use dedicated keys for this task.)

Can we then put a comment like: „Congratulations, you are the first person to make backups from a nixos machine. Your won the task of automatizing this endeavor, so in future we don't need to hand copy any ssh keys anymore“ Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines. One way would be pre-generated key-pairs that are deployed through sops. (But then we should make sure to use dedicated keys for this task.)
👍 1
Gonne marked this conversation as resolved
Gonne commented 2024-03-21 18:39:34 +00:00
Author
Owner
Copy link

I've moved the ssh key to sops. Ready for review again.

I've moved the ssh key to sops. Ready for review again.
nerf reviewed 2024-03-30 15:39:11 +00:00
nixos/modules/borgbackup.nix Outdated
@ -0,0 +113,4 @@
};
};
# Configure backup of files on the department's fs account
jobs.fsaccount = {
nerf commented 2024-03-30 15:36:04 +00:00
Owner
Copy link

Did I get something wrong?
It seams the fsaccount backups are under /home/fsaccount
owned by fsaccount:users

While all the machines ones are under /var/lib/backups probably owned
by some backup system user. Why is this set up this way, or am I reading this wrong?

Did I get something wrong? It seams the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users` While all the machines ones are under `/var/lib/backups` probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
nixos/modules/borgbackup.nix
@ -0,0 +119,4 @@
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none";
nerf commented 2024-03-30 15:29:10 +00:00
Owner
Copy link

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
Gonne marked this conversation as resolved
nixos/modules/borgbackup.nix
@ -0,0 +122,4 @@
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
nerf commented 2024-03-30 15:33:13 +00:00
Owner
Copy link

Why is this here, what does it do? I also don't really get it from the Borg documentation

BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)

For “Warning: Attempting to access a previously unknown unencrypted repository”

Why is this here, what does it do? I also don't really get it from the Borg documentation > BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) > > For “Warning: Attempting to access a previously unknown unencrypted repository”
nerf approved these changes 2024-03-30 19:07:58 +00:00
Gonne merged commit 326cc52c2e into main 2024-03-30 19:10:30 +00:00
Gonne deleted branch bragi 2024-03-30 19:10:30 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
nerf
Labels
Clear labels   
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

No labels
Kind/Breaking
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Fachschaft/nixConfig#28
No description provided.
Delete branch "Gonne/nixConfig:bragi"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?