Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests 1 Projects 1 Wiki Activity

bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Conversation 1 Commits 5 Files changed 6 +20 -12
1 changed files with 20 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 326cc52c2e - Show all commits

32
nixos/modules/borgbackup.nix
View file

@ -112,16 +112,24 @@ in {
allowSubRepos = true; allowSubRepos = true;
}; };
}; };
# Configure backup of files on the department's fs account # Configure backup of files on the department's fs account:
# This job first copies the files to the local account 'fsaccount' in tmpfs
nerf commented 2024-03-30 15:36:04 +00:00
Outdated
Review
Copy link

Did I get something wrong?
It seams the fsaccount backups are under /home/fsaccount
owned by fsaccount:users

While all the machines ones are under /var/lib/backups probably owned
by some backup system user. Why is this set up this way, or am I reading this wrong?

Did I get something wrong? It seams the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users` While all the machines ones are under `/var/lib/backups` probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
# and then takes a regular backup of the mirrored folder.
# See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
# which does not work due to missing permissions.
jobs.fsaccount = { jobs.fsaccount = {
preHook = '' preHook = ''
Gonne marked this conversation as resolved
nerf commented 2024-03-30 15:29:10 +00:00
Review
Copy link

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.

I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
mkdir -p /home/fsaccount/sicherung # Create if it does not exist mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung ${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
''; '';
nerf commented 2024-03-30 15:33:13 +00:00
Review
Copy link

Why is this here, what does it do? I also don't really get it from the Borg documentation

BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)

For “Warning: Attempting to access a previously unknown unencrypted repository”

Why is this here, what does it do? I also don't really get it from the Borg documentation > BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) > > For “Warning: Attempting to access a previously unknown unencrypted repository”
paths = "/home/fsaccount/sicherung"; paths = "/home/fsaccount/sicherung";
Gonne commented 2024-02-09 09:37:46 +00:00
Outdated
Review
Copy link

By creating the folder sicherung via systemd-tmpfiles we could restrict this to /home/fsaccount/sicherung.
I don't know if this restriction is worth the increased complexity.

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`. I don't know if this restriction is worth the increased complexity.
encryption.mode = "none"; encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = { environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey"; BORG_RSH = "ssh -i /run/secrets/backupKey";
# “Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.”
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
}; };
repo = "borg@localhost:fsaccount"; repo = "borg@localhost:fsaccount";
@ -131,6 +139,16 @@ in {
readWritePaths = ["/home/fsaccount"]; readWritePaths = ["/home/fsaccount"];
}; };
}; };
Gonne marked this conversation as resolved Outdated
nerf commented 2024-03-01 16:33:14 +00:00
Outdated
Review
Copy link

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?

Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Gonne commented 2024-03-03 18:23:46 +00:00
Outdated
Review
Copy link

Login is not necessary, so we can transform it to a system user.

Login is not necessary, so we can transform it to a system user.
# Extra user for FS account backup
users.users = {
fsaccount = {
description = "FS Account backup";
isSystemUser = true;
home = "/home/fsaccount";
createHome = true;
group = "users";
};
};
environment.persistence.${config.impermanence.name} = { environment.persistence.${config.impermanence.name} = {
users.fsaccount.files = [ users.fsaccount.files = [
{ {
@ -149,15 +167,5 @@ in {
inherit (config.users.users.fsaccount) group; inherit (config.users.users.fsaccount) group;
mode = "0400"; mode = "0400";
}; };
# Extra user for FS account backup
users.users = {
fsaccount = {
description = "FS Account backup";
isSystemUser = true;
home = "/home/fsaccount";
createHome = true;
group = "users";
};
};
}; };
} }