diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-02-13 13:07:06 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-02-13 13:07:06 +0100 |
| commit | 8bf83d7a27c08599820f145c073d979744b81c63 (patch) | |
| tree | 978f08d6dd4c7f4db72d9926309c6f1a455608a1 | |
| parent | 6191bdeb78947a3590b9c3cfeeacd9c9168367c4 (diff) | |
| download | Nix-8bf83d7a27c08599820f145c073d979744b81c63.tar.gz Nix-8bf83d7a27c08599820f145c073d979744b81c63.tar.zst Nix-8bf83d7a27c08599820f145c073d979744b81c63.zip | |
Add rsync backup via dilion
| -rw-r--r-- | modules/private/system/dilion.nix | 25 | ||||
| -rw-r--r-- | modules/private/system/eldiron.nix | 19 | ||||
| -rw-r--r-- | pkgs/default.nix | 1 | ||||
| -rw-r--r-- | pkgs/rrsync_sudo/default.nix | 8 | ||||
| -rw-r--r-- | pkgs/rrsync_sudo/sudo.patch | 20 |
5 files changed, 72 insertions, 1 deletions
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index 258506b..dbfd38f 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix | |||
| @@ -41,6 +41,31 @@ | |||
| 41 | 41 | ||
| 42 | programs.zsh.enable = true; | 42 | programs.zsh.enable = true; |
| 43 | 43 | ||
| 44 | users.users.backup = { | ||
| 45 | home = "/var/lib/backup"; | ||
| 46 | createHome = true; | ||
| 47 | hashedPassword = "!"; | ||
| 48 | isSystemUser = true; | ||
| 49 | shell = pkgs.bashInteractive; | ||
| 50 | openssh.authorizedKeys.keys = let | ||
| 51 | in | ||
| 52 | ["command=\"${pkgs.rrsync_sudo}/bin/rrsync /var/lib/backup/eldiron/\" ${config.myEnv.rsync_backup.ssh_key.public}"]; | ||
| 53 | }; | ||
| 54 | security.sudo.extraRules = [ | ||
| 55 | { | ||
| 56 | commands = [ | ||
| 57 | { command = "${pkgs.rsync}/bin/rsync"; options = [ "NOPASSWD" ]; } | ||
| 58 | ]; | ||
| 59 | users = [ "backup" ]; | ||
| 60 | runAs = "root"; | ||
| 61 | } | ||
| 62 | ]; | ||
| 63 | |||
| 64 | system.activationScripts.backup_home = '' | ||
| 65 | chown root:root /var/lib/backup | ||
| 66 | install -m 0750 -o backup -g root -d /var/lib/backup/eldiron | ||
| 67 | ''; | ||
| 68 | |||
| 44 | time.timeZone = "Europe/Paris"; | 69 | time.timeZone = "Europe/Paris"; |
| 45 | nix = { | 70 | nix = { |
| 46 | useSandbox = "relaxed"; | 71 | useSandbox = "relaxed"; |
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 5e3d45c..ab48ab4 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix | |||
| @@ -39,6 +39,23 @@ | |||
| 39 | services.duplyBackup.enable = true; | 39 | services.duplyBackup.enable = true; |
| 40 | services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies"; | 40 | services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies"; |
| 41 | 41 | ||
| 42 | secrets.keys = [ | ||
| 43 | { | ||
| 44 | dest = "rsync_backup/identity"; | ||
| 45 | user = "root"; | ||
| 46 | group = "root"; | ||
| 47 | permissions = "0400"; | ||
| 48 | text = config.myEnv.rsync_backup.ssh_key.private; | ||
| 49 | } | ||
| 50 | ]; | ||
| 51 | programs.ssh.knownHosts.dilion = { | ||
| 52 | hostNames = ["dilion.immae.eu"]; | ||
| 53 | publicKey = let | ||
| 54 | profile = config.myEnv.rsync_backup.profiles.dilion; | ||
| 55 | in | ||
| 56 | "${profile.host_key_type} ${profile.host_key}"; | ||
| 57 | }; | ||
| 58 | |||
| 42 | deployment = { | 59 | deployment = { |
| 43 | targetEnv = "hetzner"; | 60 | targetEnv = "hetzner"; |
| 44 | hetzner = { | 61 | hetzner = { |
| @@ -65,7 +82,7 @@ | |||
| 65 | systemCronJobs = [ | 82 | systemCronJobs = [ |
| 66 | '' | 83 | '' |
| 67 | # The star after /var/lib/* avoids deleting all folders in case of problem | 84 | # The star after /var/lib/* avoids deleting all folders in case of problem |
| 68 | 0 3,9,15,21 * * * root rsync -e "ssh -i /root/.ssh/id_charon_vpn" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu: > /dev/null | 85 | 0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null |
| 69 | 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -g "immae.eu.*Recipient address rejected" | 86 | 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -g "immae.eu.*Recipient address rejected" |
| 70 | '' | 87 | '' |
| 71 | ]; | 88 | ]; |
diff --git a/pkgs/default.nix b/pkgs/default.nix index 2ad79a2..b6f9eae 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix | |||
| @@ -24,6 +24,7 @@ rec { | |||
| 24 | pg_activity = callPackage ../pkgs/pg_activity { inherit mylibs; }; | 24 | pg_activity = callPackage ../pkgs/pg_activity { inherit mylibs; }; |
| 25 | pgloader = callPackage ../pkgs/pgloader {}; | 25 | pgloader = callPackage ../pkgs/pgloader {}; |
| 26 | predixy = callPackage ../pkgs/predixy { inherit mylibs; }; | 26 | predixy = callPackage ../pkgs/predixy { inherit mylibs; }; |
| 27 | rrsync_sudo = callPackage ../pkgs/rrsync_sudo {}; | ||
| 27 | telegram-cli = callPackage ../pkgs/telegram-cli { inherit mylibs; }; | 28 | telegram-cli = callPackage ../pkgs/telegram-cli { inherit mylibs; }; |
| 28 | telegram-history-dump = callPackage ../pkgs/telegram-history-dump { inherit mylibs; }; | 29 | telegram-history-dump = callPackage ../pkgs/telegram-history-dump { inherit mylibs; }; |
| 29 | telegramircd = callPackage ../pkgs/telegramircd { inherit mylibs; telethon = callPackage ../pkgs/telethon_sync {}; }; | 30 | telegramircd = callPackage ../pkgs/telegramircd { inherit mylibs; telethon = callPackage ../pkgs/telethon_sync {}; }; |
diff --git a/pkgs/rrsync_sudo/default.nix b/pkgs/rrsync_sudo/default.nix new file mode 100644 index 0000000..7a47320 --- /dev/null +++ b/pkgs/rrsync_sudo/default.nix | |||
| @@ -0,0 +1,8 @@ | |||
| 1 | { rrsync }: | ||
| 2 | |||
| 3 | rrsync.overrideAttrs(old: { | ||
| 4 | patches = old.patches or [] ++ [ ./sudo.patch ]; | ||
| 5 | postPatch = old.postPatch + '' | ||
| 6 | substituteInPlace support/rrsync --replace /usr/bin/sudo /run/wrappers/bin/sudo | ||
| 7 | ''; | ||
| 8 | }) | ||
diff --git a/pkgs/rrsync_sudo/sudo.patch b/pkgs/rrsync_sudo/sudo.patch new file mode 100644 index 0000000..6de9cc9 --- /dev/null +++ b/pkgs/rrsync_sudo/sudo.patch | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | --- a/support/rrsync 2015-09-14 01:23:54.000000000 +0200 | ||
| 2 | +++ b/support/rrsync 2020-02-08 13:55:14.302163313 +0100 | ||
| 3 | @@ -48,7 +48,7 @@ | ||
| 4 | |||
| 5 | my $command = $ENV{SSH_ORIGINAL_COMMAND}; | ||
| 6 | die "$0: Not invoked via sshd\n$Usage" unless defined $command; | ||
| 7 | -die "$0: SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $command =~ s/^rsync\s+//; | ||
| 8 | +die "$0: SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $command =~ s/^sudo rsync\s+//; | ||
| 9 | die "$0: --server option is not first\n" unless $command =~ /^--server\s/; | ||
| 10 | our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose! | ||
| 11 | die "$0 sending to read-only server not allowed\n" if $only eq 'r' && !$am_sender; | ||
| 12 | @@ -227,7 +227,7 @@ | ||
| 13 | } | ||
| 14 | |||
| 15 | # Note: This assumes that the rsync protocol will not be maliciously hijacked. | ||
| 16 | -exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!"; | ||
| 17 | +exec("/usr/bin/sudo", RSYNC, @opts, @args) or die "exec(sudo rsync @opts @args) failed: $? $!"; | ||
| 18 | |||
| 19 | sub check_arg | ||
| 20 | { | ||