bragi backup config #28
1 changed files with 20 additions and 12 deletions
|
@ -112,16 +112,24 @@ in {
|
||||||
allowSubRepos = true;
|
allowSubRepos = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# Configure backup of files on the department's fs account
|
# Configure backup of files on the department's fs account:
|
||||||
|
# This job first copies the files to the local account 'fsaccount' in tmpfs
|
||||||
|
# and then takes a regular backup of the mirrored folder.
|
||||||
|
|
||||||
|
# See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
|
||||||
|
# which does not work due to missing permissions.
|
||||||
jobs.fsaccount = {
|
jobs.fsaccount = {
|
||||||
preHook = ''
|
preHook = ''
|
||||||
Gonne marked this conversation as resolved
|
|||||||
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
|
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
|
||||||
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
|
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
|
||||||
'';
|
'';
|
||||||
nerf
commented
Why is this here, what does it do? I also don't really get it from the Borg documentation
Why is this here, what does it do? I also don't really get it from the Borg documentation
> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
|
|||||||
paths = "/home/fsaccount/sicherung";
|
paths = "/home/fsaccount/sicherung";
|
||||||
encryption.mode = "none";
|
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
|
||||||
environment = {
|
environment = {
|
||||||
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
||||||
|
# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
|
||||||
|
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
|
||||||
|
# We don't want this in order to not need to persist borg cache and simplify new deployments.
|
||||||
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
||||||
};
|
};
|
||||||
repo = "borg@localhost:fsaccount";
|
repo = "borg@localhost:fsaccount";
|
||||||
|
@ -131,6 +139,16 @@ in {
|
||||||
readWritePaths = ["/home/fsaccount"];
|
readWritePaths = ["/home/fsaccount"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# Extra user for FS account backup
|
||||||
|
users.users = {
|
||||||
|
fsaccount = {
|
||||||
|
description = "FS Account backup";
|
||||||
|
isSystemUser = true;
|
||||||
|
home = "/home/fsaccount";
|
||||||
|
createHome = true;
|
||||||
|
group = "users";
|
||||||
|
};
|
||||||
|
};
|
||||||
environment.persistence.${config.impermanence.name} = {
|
environment.persistence.${config.impermanence.name} = {
|
||||||
users.fsaccount.files = [
|
users.fsaccount.files = [
|
||||||
{
|
{
|
||||||
|
@ -149,15 +167,5 @@ in {
|
||||||
inherit (config.users.users.fsaccount) group;
|
inherit (config.users.users.fsaccount) group;
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
};
|
};
|
||||||
# Extra user for FS account backup
|
|
||||||
users.users = {
|
|
||||||
fsaccount = {
|
|
||||||
description = "FS Account backup";
|
|
||||||
isSystemUser = true;
|
|
||||||
home = "/home/fsaccount";
|
|
||||||
createHome = true;
|
|
||||||
group = "users";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
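Review bot: The new header comment describes the preHook as producing a mirror of the account, but the unchanged rsync line in the first hunk runs with only `-r` and a `/home/fachschaft/*` source. With that invocation, top-level dotfiles are skipped by the default remote glob, symlinks, permissions and modification times are not carried over, and files deleted on the source stay in the staging directory until the tmpfs is cleared. If the backup is meant to be restorable as-is, either state these limits in the comment or change the call to something like `rsync -a --delete -e 'ssh -i /run/secrets/backupKey' fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/ /home/fsaccount/sicherung/`. The comment should also name which permission is missing for the pull-backup approach, so a later maintainer can tell when this workaround can be dropped.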
I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.