Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests 1 Projects 1 Wiki Activity

bragi backup config #28

Merged
Gonne merged 5 commits from Gonne/nixConfig:bragi into main 2024-03-30 19:10:30 +00:00
Conversation 1 Commits 5 Files changed 6 +166
4 changed files with 166 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit b7b0e07f44 - Show all commits

15
nixos/machines/bragi/configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{
imports = [
./hardware-configuration.nix
../../roles
../../roles/hardware.nix
./network.nix
../../modules/borgbackup.nix
];
services.mathebau-borgbackup.enable = true;
# System configuration here
networking.hostName = "bragi";
system.stateVersion = "23.11";
}

32
nixos/machines/bragi/hardware-configuration.nix Normal file
View file

@ -0,0 +1,32 @@
{lib, ...}: {
fileSystems."/" = {
device = "root";
fsType = "tmpfs";
options = ["size=2G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
Gonne commented 2024-01-08 15:06:51 +00:00
Outdated
Review
Copy link

Is addressing by label actually nicer than by uuid? It seems to work at least.

Is addressing by label actually nicer than by uuid? It seems to work at least.
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix"];
};
fileSystems."/var/lib/backups" = {
device = "/dev/disk/by-label/backups";
fsType = "btrfs";
};
swapDevices = [{device = "/dev/disk/by-label/swap";}];
boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5000c5003891662c";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

15
nixos/machines/bragi/network.nix Normal file
View file

@ -0,0 +1,15 @@
# We sohuld put that config somewhere in roles and give it a parameter or something,
# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
# depend on the same thing
{
networking = {
interfaces.enp0s25.ipv4.addresses = [
{
address = "192.168.1.11";
prefixLength = 24;
}
];
defaultGateway = "192.168.1.137";
nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
};
}

104
nixos/modules/borgbackup.nix Normal file
View file

@ -0,0 +1,104 @@
{
config,
lib,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
;
cfg = config.services.mathebau-borgbackup;
in {
imports = [];
options.services.mathebau-borgbackup = {
enable = mkEnableOption "mathebau borgbackup service";
};
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
repos = {
Gonne commented 2024-01-08 15:05:41 +00:00
Outdated
Review
Copy link

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.

Perhaps we want to create these repos by a function that only takes the name and the ssh-key. Not sure if that is worth it.
aphoom-zhah = {
Gonne marked this conversation as resolved Outdated
nerf commented 2024-03-01 16:36:17 +00:00
Outdated
Review
Copy link

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine?

Of course we need a a mechanism like this for legacy non nix machines

where exactly do these keys come from? Can we automatize this? so we either just need to name the machine here, or completely automatically by virtue of beeing a machine? Of course we need a a mechanism like this for legacy non nix machines
Gonne commented 2024-03-03 18:22:01 +00:00
Outdated
Review
Copy link

See also #28 (comment)

This can probably be automated (?) but currently no Nix machine needs backups.
Thus I would like to postpone it.

See also https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/28#issuecomment-565 This can probably be automated (?) but currently no Nix machine needs backups. Thus I would like to postpone it.
nerf commented 2024-03-03 18:41:38 +00:00
Outdated
Review
Copy link

Can we then put a comment like:

„Congratulations, you are the first person to make backups from a nixos machine.
Your won the task of automatizing this endeavor, so in future we don't need to hand copy any
ssh keys anymore“

Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines.

One way would be pre-generated key-pairs that are deployed through sops.
(But then we should make sure to use dedicated keys for this task.)

Can we then put a comment like: „Congratulations, you are the first person to make backups from a nixos machine. Your won the task of automatizing this endeavor, so in future we don't need to hand copy any ssh keys anymore“ Btw. I don't think this is too trivial, as the public keys are needed while config build time, but the secret keys should probably never leave the machines. One way would be pre-generated key-pairs that are deployed through sops. (But then we should make sure to use dedicated keys for this task.)
👍 1
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8pI6uinXezAMH4vG2yEbu/yOYU5vXcsZN74tYgV+Wj Aphoom-Zhah Backup"
];
path = "/var/lib/backups/aphoom-zhah";
# subrepos are allowed because each vm creates at least one repo below this filepath and yibb-tstll even more
allowSubRepos = true;
};
azathoth = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBEwllQ77ktoirXX6dJ6ET8TfK4lzq0aaq+X4rrX2Vk Azathoth Backup"
];
path = "/var/lib/backups/azathoth";
allowSubRepos = true;
};
cthulhu = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSJl1MvabUADTdOCgufsBzn1tIIpxMq4iDcYZsaW1lV Cthulhu Backup"
];
path = "/var/lib/backups/cthulhu";
allowSubRepos = true;
};
dagon = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
];
path = "/var/lib/backups/dagon";
allowSubRepos = true;
};
eihort = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
];
path = "/var/lib/backups/eihort";
allowSubRepos = true;
};
hastur = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem"
];
path = "/var/lib/backups/hastur";
allowSubRepos = true;
};
ithaqua = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJmBf8cz3FTDdeuxWbp1MO2yPT5rvH8ZIGUzfogjpXi Ithaqua Backup"
];
path = "/var/lib/backups/ithaqua";
allowSubRepos = true;
};
sanctamariamaterdei = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9Le5OI4ympQ0mQKYHmxgxGF598rzpD5VVpWK1mGfd8 Sanctamariamaterdei Backupsystem"
];
path = "/var/lib/backups/sanctamariamaterdei";
allowSubRepos = true;
};
tsathoggua = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKS9/1lFOhv+3sNuGcysM3TYh2xRrjMeAZX3K7CBx0QW Tsathoggua Backup"
];
path = "/var/lib/backups/tsathoggua";
allowSubRepos = true;
};
uvhash = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB8DjIqgFgmYhQnTLpbqL0r7xBPb8TPy6SO5RhQ31OGj Uvhash Backup"
];
path = "/var/lib/backups/uvhash";
allowSubRepos = true;
};
yibb-tstll = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlnGOV58Ks9lu+WTI4F7QAHtDrJq2jY8ZocITZG8K0+ Yibb-Tstll Backup"
];
path = "/var/lib/backups/yibb-tstll";
allowSubRepos = true;
};
};
};
};
}