From 2fc5333362900836b048bbd591a32a12c1f451ec Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Thu, 12 Sep 2024 14:47:21 -0500
Subject: [PATCH] Working on backups to rascal...
---
 nixos/beefcake.nix | 12 +++++++++++-
 nixos/rascal.nix | 14 +++++++++++---
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 52e6434..a77a7bf 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -699,9 +699,18 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 users.users.restic = {
 # used for other machines to backup to
 isSystemUser = true;
+ createHome = true;
+ home = "/storage/backups/restic";
 group = "restic";
+ extraGroups = ["sftponly"];
 openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
 };
+ services.openssh.extraConfig = ''
+ Match Group sftponly
+ ChrootDirectory /storage/backups/%u
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ '';
 systemd.tmpfiles.settings = {
 "10-backups-local" = {
 "/storage/backups/local" = {
@@ -714,6 +723,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 };
 };
 services.restic.backups = let
+ # TODO: How do I set things up so that a compromised server doesn't have access to my backups so that it can corrupt or ransomware them?
 defaults = {
 passwordFile = config.sops.secrets.restic-rascal-passphrase.path;
 paths =
@@ -736,7 +746,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 defaults // {
 extraOptions = [
- "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
+ ''sftp.command="ssh beefcake@rascal -i ${config.sops.secrets.restic-rascal-ssh-private-key.path} -s sftp"''
 ];
 repository = "sftp://beefcake@rascal://storage/backups/beefcake";
 };
diff --git a/nixos/rascal.nix b/nixos/rascal.nix
index bdb3a09..a35f601 100644
--- a/nixos/rascal.nix
+++ b/nixos/rascal.nix
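Review bot: `ChrootDirectory /storage/backups/%u` in the new Match block resolves to the directory that `createHome = true` creates owned by `restic`, and sshd only accepts a chroot whose directory and every parent are root-owned and not writable by any other user or group, so sftp logins for this user will be rejected with a "bad ownership or modes for chroot directory" error. Make `/storage/backups/restic` a root-owned 0755 directory (the `systemd.tmpfiles.settings` block already in this file is the natural place, e.g. `"/storage/backups/restic".d = { user = "root"; group = "root"; mode = "0755"; };`) and give the user a writable subdirectory such as `/storage/backups/restic/repo` instead of relying on `createHome`. Because this user only ever runs `internal-sftp`, the Match block should also switch off the session features it does not need: `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTTY no`. The `sftponly` group referenced by `extraGroups` also has to be declared (`users.groups.sftponly = {};`) unless that already happens elsewhere in this file.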
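Review bot: The TODO added above `defaults` can be answered in the comment itself: over plain SFTP the client holds a key with full read, write and delete rights on the repository, so a compromised beefcake can delete or overwrite every snapshot on rascal and no client-side restic setting changes that. The usual mitigations are to serve the repository with restic's rest-server in `--append-only` mode so the client can add data but never remove it, to have rascal take its own filesystem snapshots of `/storage/backups` that the client cannot reach, or to pull backups from rascal instead of pushing; SFTP provides none of these. Suggested replacement: `# NOTE: over SFTP the client key can delete the whole repo; protect against a compromised client with rest-server --append-only or server-side snapshots of /storage/backups.` Whether `/storage/backups` sits on a snapshot-capable filesystem is not visible in this hunk.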
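Review bot: The rewritten `sftp.command` runs `ssh beefcake@rascal` from a non-interactive systemd unit without pinning rascal's host key, so the first connection either hangs and fails on the unknown-host prompt or, if that is later worked around with `StrictHostKeyChecking=no`, the backup stream is handed to whatever host answers as rascal. Declare the key in NixOS (`programs.ssh.knownHosts.rascal.publicKey = "ssh-ed25519 AAAA...";`) or add `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<pinned file>` to the command, plus `-o IdentitiesOnly=yes` so only the sops-provided key is offered. The double-quoted form only works because the NixOS restic module appears to hand `extraOptions` to the shell unescaped (its own example uses single quotes, like the removed line), so keep the secret path free of shell metacharacters or keep the single quotes. The secret file must be readable by the account the backup unit runs as (root unless `user` is set elsewhere) and be mode 0400, otherwise ssh refuses the key; that is not visible here.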
@@ -27,9 +27,10 @@
 users.users = {
 beefcake = {
- # used for restic backups
- # TODO: can this be a system user?
- isNormalUser = true;
+ isSystemUser = true;
+ createHome = true;
+ home = "/storage/backups/beefcake";
+ extraGroups = ["sftponly"];
 openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys ++ [
@@ -52,6 +53,13 @@
 };
 };
+ services.openssh.extraConfig = ''
+ Match Group sftponly
+ ChrootDirectory /storage/backups/%u
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ '';
+
 networking = {
 hostName = "rascal";
 networkmanager.enable = true;
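Review bot: `home = "/storage/backups/beefcake"` together with `createHome = true` yields a directory owned by `beefcake`, but the Match block added further down in this file uses that same path as `ChrootDirectory`, and sshd only honours a chroot whose directory and all parents are root-owned and not writable by anyone else, so the sftp login will be refused. Create `/storage/backups/beefcake` as a root-owned 0755 directory and give the user a subdirectory to write into (e.g. `/storage/backups/beefcake/repo`, owned by `beefcake`), dropping `createHome` or pointing `home` at that subdirectory. Switching to `isSystemUser` is fine for sftp-only use because `internal-sftp` runs inside sshd without spawning a shell, so the nologin shell a NixOS system user gets by default does not get in the way. The `beefcake` attrset continues past the hunk (`++ [` is still open), so the rest of the authorized key list is not visible here.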
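Review bot: Once `ChrootDirectory /storage/backups/%u` takes effect, the `beefcake` user's sftp root is `/storage/backups/beefcake`, so the client-side repository URL in beefcake.nix (`sftp://beefcake@rascal://storage/backups/beefcake`, left unchanged by this commit) names a path that does not exist inside the chroot and restic will fail to open the repository. The URL must be relative to the chroot root, for example `repository = "sftp:beefcake@rascal:/repo";` with `/storage/backups/beefcake/repo` owned by `beefcake` while the chroot directory itself stays root-owned. As with any sftp-only Match block, the session features `internal-sftp` does not need should be disabled too: `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTTY no`. A `Match` block captures everything that follows it in sshd_config, so a short comment on the `Match` line noting that nothing else may be appended after `extraConfig` would save the next editor a surprise.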