bragi backup config #28
1 changed files with 41 additions and 0 deletions
@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
...
}: let
inherit
@ -56,6 +57,13 @@ in {
path = "/var/lib/backups/eihort";
allowSubRepos = true;
};
fsaccount = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+Y7fQTYdIWHehrKdk92CaJ0AisEux4OrS4nIyMstU4 FS Account Backup"
];
path = "/var/lib/backups/fsaccount";
allowSubRepos = true;
};
hastur = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem"
@ -99,6 +107,39 @@ in {
allowSubRepos = true;
};
};
# Configure backup of files on the department's fs account
jobs.fsaccount = {
preHook = ''
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync -e 'ssh -i /home/fsaccount/.ssh/fsaccount' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none";
environment = {
BORG_RSH = "ssh -i /home/fsaccount/.ssh/fsaccount";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@localhost:fsaccount";
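Review bot: the rsync call in the `preHook` (`${pkgs.rsync}/bin/rsync -e 'ssh -i /home/fsaccount/.ssh/fsaccount' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung`) passes only `-r`, so permissions, timestamps and symlinks are not preserved in the mirror, and the source glob `/home/fachschaft/*` is expanded by the remote shell and silently skips dotfiles; `-a` with a trailing-slash source (`fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/`) copies the directory faithfully, and `--delete` keeps the mirror in step with the source so that files removed remotely live on only in borg's archive history instead of in every future archive. On `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"`: with `encryption.mode = "none"` borg emits the quoted "Attempting to access a previously unknown unencrypted repository" warning on first access and asks for confirmation, and in an unattended systemd job nobody can answer, so this variable pre-answers it; a one-line comment next to those two settings stating that, plus the reason encryption is off, would spare the next reader the trip to the docs.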
Gonne marked this conversation as resolved
nerf
commented
I would put a small note here, that encryption would mean either putting the key next to the backup or human interaction.
startAt = "daily";
user = "fsaccount";
group = "users";
nerf
commented
Why is this here, what does it do? I also don't really get it from the Borg documentation
> BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
>
> For “Warning: Attempting to access a previously unknown unencrypted repository”
readWritePaths = ["/home/fsaccount"];
Gonne
commented
By creating the folder `sicherung` via [systemd-tmpfiles](https://search.nixos.org/options?show=systemd.tmpfiles.rules) we could restrict this to `/home/fsaccount/sicherung`.
I don't know if this restriction is worth the increased complexity.
};
};
environment.persistence.${config.impermanence.name} = {
users.fsaccount.directories = [
{
directory = ".ssh"; # SSH Key with access to FS Account and known_hosts
mode = "u=rwx,g=,o=";
}
];
};
# Extra user for FS account backup
users.users = {
fsaccount = {
description = "FS Account backup";
isNormalUser = true;
Gonne marked this conversation as resolved
Outdated
nerf
commented
Why is this a normal user, do we plan to log in as this one, or is it just there to pull the fs account?
Gonne
commented
Login is not necessary, so we can transform it to a system user.
};
};
};
}
Did I get something wrong?
It seems the fsaccount backups are under `/home/fsaccount` owned by `fsaccount:users`, while all the machines' ones are under `/var/lib/backups`, probably owned by some backup system user. Why is this set up this way, or am I reading this wrong?