bragi backup config #28
1 changed files with 20 additions and 12 deletions
|
@ -112,16 +112,24 @@ in {
|
|||
allowSubRepos = true;
|
||||
};
|
||||
};
|
||||
# Configure backup of files on the department's fs account
|
||||
# Configure backup of files on the department's fs account:
|
||||
# This job first copies the files to the local account 'fsaccount' in tmpfs
|
||||
# and then takes a regular backup of the mirrored folder.
|
||||
|
||||
# See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
|
||||
# which does not work due to missing permissions.
|
||||
jobs.fsaccount = {
|
||||
preHook = ''
|
||||
Gonne marked this conversation as resolved
|
||||
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
|
||||
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
|
||||
'';
|
||||
nerf
commented
Why is this here, what does it do? I also don't really get it from the Borg documentation
Why is this here, what does it do? I also don't really get it from the Borg documentation
> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
|
||||
paths = "/home/fsaccount/sicherung";
|
||||
encryption.mode = "none";
|
||||
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
|
||||
environment = {
|
||||
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
||||
# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
|
||||
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
|
||||
# We don't want this in order to not need to persist borg cache and simplify new deployments.
|
||||
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
||||
};
|
||||
repo = "borg@localhost:fsaccount";
|
||||
|
@ -131,6 +139,16 @@ in {
|
|||
readWritePaths = ["/home/fsaccount"];
|
||||
};
|
||||
};
|
||||
# Extra user for FS account backup
|
||||
users.users = {
|
||||
fsaccount = {
|
||||
description = "FS Account backup";
|
||||
isSystemUser = true;
|
||||
home = "/home/fsaccount";
|
||||
createHome = true;
|
||||
group = "users";
|
||||
};
|
||||
};
|
||||
environment.persistence.${config.impermanence.name} = {
|
||||
users.fsaccount.files = [
|
||||
{
|
||||
|
@ -149,15 +167,5 @@ in {
|
|||
inherit (config.users.users.fsaccount) group;
|
||||
mode = "0400";
|
||||
};
|
||||
# Extra user for FS account backup
|
||||
users.users = {
|
||||
fsaccount = {
|
||||
description = "FS Account backup";
|
||||
isSystemUser = true;
|
||||
home = "/home/fsaccount";
|
||||
createHome = true;
|
||||
group = "users";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue
I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.