lytedev/nix
1
0
Fork 1
Code Issues Pull requests 1 Actions Packages Projects Releases Wiki Activity

Working on backups to rascal...
Some checks failed
/ check (push) Failing after 3m20s
Details

Browse source
This commit is contained in:
Daniel Flanagan 2024-09-12 14:47:21 -05:00
parent b7925c965e
commit 2fc5333362
2 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
nixos/beefcake.nix
View file

@ -699,9 +699,18 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
users.users.restic = {
# used for other machines to backup to
isSystemUser = true;
createHome = true;
home = "/storage/backups/restic";
group = "restic";
extraGroups = ["sftponly"];
openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
};
services.openssh.extraConfig = ''
Match Group sftponly
ChrootDirectory /storage/backups/%u
ForceCommand internal-sftp
AllowTcpForwarding no
'';
systemd.tmpfiles.settings = {
"10-backups-local" = {
"/storage/backups/local" = {
@ -714,6 +723,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
};
};
services.restic.backups = let
# TODO: How do I set things up so that a compromised server doesn't have access to my backups so that it can corrupt or ransomware them?
defaults = {
passwordFile = config.sops.secrets.restic-rascal-passphrase.path;
paths =
@ -736,7 +746,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
defaults
// {
extraOptions = [
"sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
''sftp.command="ssh beefcake@rascal -i ${config.sops.secrets.restic-rascal-ssh-private-key.path} -s sftp"''
];
repository = "sftp://beefcake@rascal://storage/backups/beefcake";
};

14
nixos/rascal.nix
View file

@ -27,9 +27,10 @@
users.users = {
beefcake = {
# used for restic backups
# TODO: can this be a system user?
isNormalUser = true;
isSystemUser = true;
createHome = true;
home = "/storage/backups/beefcake";
extraGroups = ["sftponly"];
openssh.authorizedKeys.keys =
config.users.users.daniel.openssh.authorizedKeys.keys
++ [
@ -52,6 +53,13 @@
};
};
services.openssh.extraConfig = ''
Match Group sftponly
ChrootDirectory /storage/backups/%u
ForceCommand internal-sftp
AllowTcpForwarding no
'';
networking = {
hostName = "rascal";
networkmanager.enable = true;