bragi backup config #28
1 changed files with 20 additions and 12 deletions
|
|
@ -112,16 +112,24 @@ in {
|
|||
allowSubRepos = true;
|
||||
};
|
||||
};
|
||||
# Configure backup of files on the department's fs account
|
||||
# Configure backup of files on the department's fs account:
|
||||
# This job first copies the files to the local account 'fsaccount' in tmpfs
|
||||
|
|
||||
# and then takes a regular backup of the mirrored folder.
|
||||
|
||||
# See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
|
||||
# which does not work due to missing permissions.
|
||||
jobs.fsaccount = {
|
||||
preHook = ''
|
||||
|
Gonne marked this conversation as resolved
nerf
commented
I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction. I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
|
||||
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
|
||||
${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
|
||||
'';
|
||||
|
nerf
commented
Why is this here, what does it do? I also don't really get it from the Borg documentation
Why is this here, what does it do? I also don't really get it from the Borg documentation
> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
|
||||
paths = "/home/fsaccount/sicherung";
|
||||
Gonne
commented
By creating the folder By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`.
I don't know if this restriction is worth the increased complexity.
|
||||
encryption.mode = "none";
|
||||
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
|
||||
environment = {
|
||||
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
||||
# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
|
||||
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
|
||||
# We don't want this in order to not need to persist borg cache and simplify new deployments.
|
||||
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
||||
};
|
||||
repo = "borg@localhost:fsaccount";
|
||||
|
|
@ -131,6 +139,16 @@ in {
|
|||
readWritePaths = ["/home/fsaccount"];
|
||||
};
|
||||
};
|
||||
|
Gonne marked this conversation as resolved
Outdated
nerf
commented
Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account? Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Gonne
commented
Login is not necessary, so we can transform it to a system user. Login is not necessary, so we can transform it to a system user.
|
||||
# Extra user for FS account backup
|
||||
users.users = {
|
||||
fsaccount = {
|
||||
description = "FS Account backup";
|
||||
isSystemUser = true;
|
||||
home = "/home/fsaccount";
|
||||
createHome = true;
|
||||
group = "users";
|
||||
};
|
||||
};
|
||||
environment.persistence.${config.impermanence.name} = {
|
||||
users.fsaccount.files = [
|
||||
{
|
||||
|
|
@ -149,15 +167,5 @@ in {
|
|||
inherit (config.users.users.fsaccount) group;
|
||||
mode = "0400";
|
||||
};
|
||||
# Extra user for FS account backup
|
||||
users.users = {
|
||||
fsaccount = {
|
||||
description = "FS Account backup";
|
||||
isSystemUser = true;
|
||||
home = "/home/fsaccount";
|
||||
createHome = true;
|
||||
group = "users";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue
Did I get something wrong?
It seams the fsaccount backups are under
/home/fsaccountowned by
fsaccount:usersWhile all the machines ones are under
/var/lib/backupsprobably ownedby some backup system user. Why is this set up this way, or am I reading this wrong?