bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Showing only changes of commit b0af48a9d0


@ -1,6 +1,7 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit inherit
@ -56,6 +57,13 @@ in {
path = "/var/lib/backups/eihort"; path = "/var/lib/backups/eihort";
allowSubRepos = true; allowSubRepos = true;
}; };
fsaccount = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+Y7fQTYdIWHehrKdk92CaJ0AisEux4OrS4nIyMstU4 FS Account Backup"
];
path = "/var/lib/backups/fsaccount";
allowSubRepos = true;
};
hastur = { hastur = {
authorizedKeysAppendOnly = [ authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem"
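Review bot: the new `fsaccount` entry follows the existing repository pattern (append-only key, `/var/lib/backups/<name>`, `allowSubRepos = true`), but the key comment `FS Account Backup` is the only record of what the key is for. Elsewhere in this change the same `/home/fsaccount/.ssh/fsaccount` key is used both to pull from `gw1.mathematik.tu-darmstadt.de` and, via `BORG_RSH`, to push into this repository, so either say so in the comment or give each direction its own key, which keeps the append-only authorization here independent of the read credential for the department account.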
@ -99,6 +107,39 @@ in {
allowSubRepos = true; allowSubRepos = true;
}; };
}; };
# Configure backup of files on the department's fs account
jobs.fsaccount = {
preHook = ''
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync -e 'ssh -i /home/fsaccount/.ssh/fsaccount' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
Outdated
Review

Did I get something wrong? It seems the fsaccount backups are under `/home/fsaccount`, owned by `fsaccount:users`, while all the machines' ones are under `/var/lib/backups`, probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /home/fsaccount/.ssh/fsaccount";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@localhost:fsaccount";
Gonne marked this conversation as resolved
Review

I would put a small note here that encryption would mean either putting the key next to the backup or human interaction.
startAt = "daily";
user = "fsaccount";
group = "users";
Review

Why is this here, what does it do? I also don't really get it from the Borg documentation:

> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
readWritePaths = ["/home/fsaccount"];
Outdated
Review

By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`. I don't know if this restriction is worth the increased complexity.
};
};
environment.persistence.${config.impermanence.name} = {
users.fsaccount.directories = [
{
directory = ".ssh"; # SSH Key with access to FS Account and known_hosts
mode = "u=rwx,g=,o=";
}
];
};
# Extra user for FS account backup
users.users = {
fsaccount = {
description = "FS Account backup";
isNormalUser = true;
Gonne marked this conversation as resolved Outdated
Outdated
Review

Why is this a normal user? Do we plan to log in as this one, or is it just there to pull the fs account?
Outdated
Review

Login is not necessary, so we can transform it to a system user.
};
}; };
}; };
} }
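Review bot: the `rsync` call in `jobs.fsaccount.preHook` uses `-r` alone, which preserves neither timestamps nor permissions, so rsync's quick check (size and mtime) never matches and the whole tree is re-transferred on every daily run; `-a` (or at least `-rt`) fixes that and keeps ownership information out of the mirror only where you want it. The unquoted source `fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/*` is expanded as a shell glob and therefore skips dot-files; if hidden files in the account matter, use `/home/fachschaft/` as the source instead. Without `--delete`, files removed on the remote stay in `/home/fsaccount/sicherung` indefinitely, which may be intended for a backup mirror but deserves a comment next to the `mkdir -p` one. On the open review question about `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"`: Borg prompts for confirmation the first time it accesses an unencrypted repository it has not seen before, and this setting answers that prompt so the unattended job does not stall; together with `encryption.mode = "none"` it is required here, and a short comment stating that would pre-empt the question. Finally, `readWritePaths = ["/home/fsaccount"]` covers the persisted `.ssh` directory holding the private key as well as the mirror; creating `sicherung` ahead of time (for example via `systemd.tmpfiles.rules`, as suggested in the review) would let this shrink to `/home/fsaccount/sicherung`.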