This commit is contained in:
parent
b7925c965e
commit
2fc5333362
2 changed files with 22 additions and 4 deletions
|
@ -699,9 +699,18 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
users.users.restic = {
|
users.users.restic = {
|
||||||
# used for other machines to backup to
|
# used for other machines to backup to
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
|
createHome = true;
|
||||||
|
home = "/storage/backups/restic";
|
||||||
group = "restic";
|
group = "restic";
|
||||||
|
extraGroups = ["sftponly"];
|
||||||
openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
|
openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
|
||||||
};
|
};
|
||||||
|
services.openssh.extraConfig = ''
|
||||||
|
Match Group sftponly
|
||||||
|
ChrootDirectory /storage/backups/%u
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
AllowTcpForwarding no
|
||||||
|
'';
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings = {
|
||||||
"10-backups-local" = {
|
"10-backups-local" = {
|
||||||
"/storage/backups/local" = {
|
"/storage/backups/local" = {
|
||||||
|
@ -714,6 +723,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.restic.backups = let
|
services.restic.backups = let
|
||||||
|
# TODO: How do I set things up so that a compromised server doesn't have access to my backups so that it can corrupt or ransomware them?
|
||||||
defaults = {
|
defaults = {
|
||||||
passwordFile = config.sops.secrets.restic-rascal-passphrase.path;
|
passwordFile = config.sops.secrets.restic-rascal-passphrase.path;
|
||||||
paths =
|
paths =
|
||||||
|
@ -736,7 +746,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||||
defaults
|
defaults
|
||||||
// {
|
// {
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
|
''sftp.command="ssh beefcake@rascal -i ${config.sops.secrets.restic-rascal-ssh-private-key.path} -s sftp"''
|
||||||
];
|
];
|
||||||
repository = "sftp://beefcake@rascal://storage/backups/beefcake";
|
repository = "sftp://beefcake@rascal://storage/backups/beefcake";
|
||||||
};
|
};
|
||||||
|
|
|
@ -27,9 +27,10 @@
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
beefcake = {
|
beefcake = {
|
||||||
# used for restic backups
|
isSystemUser = true;
|
||||||
# TODO: can this be a system user?
|
createHome = true;
|
||||||
isNormalUser = true;
|
home = "/storage/backups/beefcake";
|
||||||
|
extraGroups = ["sftponly"];
|
||||||
openssh.authorizedKeys.keys =
|
openssh.authorizedKeys.keys =
|
||||||
config.users.users.daniel.openssh.authorizedKeys.keys
|
config.users.users.daniel.openssh.authorizedKeys.keys
|
||||||
++ [
|
++ [
|
||||||
|
@ -52,6 +53,13 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.openssh.extraConfig = ''
|
||||||
|
Match Group sftponly
|
||||||
|
ChrootDirectory /storage/backups/%u
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
AllowTcpForwarding no
|
||||||
|
'';
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "rascal";
|
hostName = "rascal";
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
|
|
Loading…
Reference in a new issue