bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
3 changed files with 55 additions and 6 deletions
Showing only changes of commit 1bf59168fb - Show all commits

View file

@ -1,6 +1,6 @@
keys: keys:
- &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
- &gonne age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju - &gonne age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe

View file

@ -0,0 +1,39 @@
backupKey: ENC[AES256_GCM,data:PBdeV6uQ/Jg9xk7HXylyDKCBdny/XRflF752arUZAnUvmVv4yiSwOY9ua3tH1BDpddiql1aNJqmfatZOB3JKB2mHnyeSt7L0B81zuIFpxJOdsnGACviH6sUfsC5ogkGRhLKynf5Ghz/6xanthyK6euIpAAu05wDWcseg4y8k5rdFhL7rasmOMi0oVLN54Psmyf9vahfX6BNGBHQA1qJyeaI5iDLI+6gh7dtOXjTd4pHX8T9PEYpGnOBMHvaaVA2r7z27iUJSKqzzSB9B/rm01tI6LTG/yfQU+TKlWFU2iIodCG7eJ2qe+exvxOlEj9At/UI/Kd+dNSHcffLDUxVcstthOOP0TUdHkPCTC8BEJtAAexUBqSv+LTOPfJeAbIw3QhEpfeyZOpw2FY1qstQ/G0+1sDF8762uJu9v1amx4+4e8NEiSa/dtdnQAKFiEswk+5nqRSKQJOH3w0tHr9NRhhS775lUtUX4DW0xN42QeABM0xg56qJPxPNif3K2ovPX3BTSSZnQ0EZzuxployu1MyJxpcBT+6qa8l/h,iv:ZdivBorDtIyBOs7XSg/DHjReG+T6/exeS8ziA7ms7FM=,tag:gcIXgpyd2UeQV3APqCCxMg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2dRc3NPeUwwaHdCL25V
RHNaWU9xRUw5dDlaOG5hczVlNm5UR01QUEVNClJsVFRBWU85Z0JuV1l3MDdvd1F2
RS9CcXhuNEJWdEE1cktXYjF3RW9wUDQKLS0tIHk3MURmWlJNanVZaHlUR3R2UEZG
K2JxOHpNY2hsTysrWjNLajFKQkxuNHcKaFMvnDt9a3HsnbP1Q/i4ifRIXFcXYn8z
YyOho0hSmWZNhTbltmuVKjvCNgt9ONVRW93uRDDoju8Odps0qwwvuA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMM1NCbHdFZDJvYjJjcmZ6
bUFjSG5OUEdydS9pTkNHRjFKb3gvWll0Q0RVCk56ZnhDa0NGeUNhVVdDZENieDFW
Q0xSNXhYQXZSVnI3WlRzUjhxOXRyM2sKLS0tIGhnVWJaRG4vSGpUcnQ5SFVFT3VQ
YUFzTlNLSE9CbW9oYTFsY0tpTE4vZTQKjurd87tDH8z58pAGJyVXRAu8Q2+k7e4G
zOGZhm5DpSmFv2O2fqXgBg8nT5wrPKQDFvcDh1P+a0753tUTbUttIA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWmlwS0E5TytFdEpxN09U
Y3k0SDhnM2h5Rnh1bXQ2czA5bWt1Mkk3aUFFCmtwT2ZmN0IweGdOYURWNDVHcWtH
R3lRaFRkcWYzb2g4NWNFQU5WOXZZaGMKLS0tIHpWNnNvVUNucE5MQ1cxQWl6Qm1x
NUZDVnJORXF1NGlyNUkzOGl2REFHdmsK18k9UfOmtFSep6mZcSp6di7SjvrBXgGp
oWtLehp1UFEHCgaU5YxlYhtkrrOhb8ykFb1on+kmzrloaHqyvks7Aw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-21T16:38:08Z"
mac: ENC[AES256_GCM,data:kEVWd988Ia6T8v3w0slQhM0lh78VhnP8qJNa6IZg0NF2B0JQbFRnQNbUfvG9Rf4mkAR/O9PD+r6HR+b3LCwzb/Ok/eD4/M3+oPaEx/JnoHrzF/1N29VEAvBHjQgw6DL05toqu5G03UDcDUFGc111AeRsexhONQRHJx3zqWyWGy4=,iv:T5Pkhl3vhSAIoKkC3r3VQn3tC4t04WxvAZDQ4PMvD84=,tag:h0/aB91SFr5q0Or5daxWUQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -116,12 +116,12 @@ in {
jobs.fsaccount = { jobs.fsaccount = {
Outdated
Review

Did I get something wrong?
It seams the fsaccount backups are under /home/fsaccount
owned by fsaccount:users

While all the machines ones are under /var/lib/backups probably owned
by some backup system user. Why is this set up this way, or am I reading this wrong?

Did I get something wrong? It seams the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users` While all the machines ones are under `/var/lib/backups` probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
preHook = '' preHook = ''
mkdir -p /home/fsaccount/sicherung # Create if it does not exist mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync -e 'ssh -i /home/fsaccount/.ssh/fsaccount' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung ${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
''; '';
paths = "/home/fsaccount/sicherung"; paths = "/home/fsaccount/sicherung";
encryption.mode = "none"; encryption.mode = "none";
Gonne marked this conversation as resolved
Review

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
environment = { environment = {
BORG_RSH = "ssh -i /home/fsaccount/.ssh/fsaccount"; BORG_RSH = "ssh -i /run/secrets/backupKey";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
Review

Why is this here, what does it do? I also don't really get it from the Borg documentation

BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)

For “Warning: Attempting to access a previously unknown unencrypted repository”

Why is this here, what does it do? I also don't really get it from the Borg documentation > BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) > > For “Warning: Attempting to access a previously unknown unencrypted repository”
}; };
Outdated
Review

By creating the folder sicherung via systemd-tmpfiles we could restrict this to /home/fsaccount/sicherung.
I don't know if this restriction is worth the increased complexity.

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`. I don't know if this restriction is worth the increased complexity.
repo = "borg@localhost:fsaccount"; repo = "borg@localhost:fsaccount";
@ -132,13 +132,23 @@ in {
}; };
}; };
environment.persistence.${config.impermanence.name} = { environment.persistence.${config.impermanence.name} = {
users.fsaccount.directories = [ users.fsaccount.files = [
{ {
directory = ".ssh"; # SSH Key with access to FS Account and known_hosts file = ".ssh/known_hosts";
parentDirectory = {
mode = "u=rwx,g=,o="; mode = "u=rwx,g=,o=";
user = "fsaccount";
group = "users";
Gonne marked this conversation as resolved Outdated
Outdated
Review

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Outdated
Review

Login is not necessary, so we can transform it to a system user.

Login is not necessary, so we can transform it to a system user.
};
} }
]; ];
}; };
sops.secrets.backupKey = {
sopsFile = ../machines/bragi/backupKey.yaml;
owner = config.users.users.fsaccount.name;
inherit (config.users.users.fsaccount) group;
mode = "0400";
};
# Extra user for FS account backup # Extra user for FS account backup
users.users = { users.users = {
fsaccount = { fsaccount = {