From 6eb4e96b09643c72337156a5757d518b7bb5711b Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Tue, 9 Feb 2021 11:44:44 +0100
Subject: [PATCH] containers/backup-target: init
This container is used as a backup target for backing up the other container volumes.
---
nix/os/containers/backup-target.nix | 69 ++++++++++++++++++
nix/os/containers/backup.nix | 6 +-
.../vmd32387.contaboserver.net/system.nix | 12 ++-
nix/variables/passwords.crypt.nix | Bin 1031 -> 1098 bytes
4 files changed, 77 insertions(+), 10 deletions(-)
create mode 100644 nix/os/containers/backup-target.nix
diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix
new file mode 100644
index 0000000..0af7fb6
--- /dev/null
+++ b/nix/os/containers/backup-target.nix
@@ -0,0 +1,69 @@
+{ hostAddress
+, localAddress
+, containerBackupCfg
+, sshPort ? containerBackupCfg.portInt
+}: {
+ config = { config, pkgs, lib, ... }: {
+ imports = [
+ ../profiles/containers/configuration.nix
+ ];
+
+ networking.firewall.enable = false;
+
+ services.ddclientovh = {
+ enable = true;
+ domain = containerBackupCfg.addr;
+ };
+
+ services.openssh.enable = true;
+
+ users.extraUsers."${containerBackupCfg.user}" = {
+ uid = 2000;
+ shell = pkgs.bashInteractive;
+ home = "/${containerBackupCfg.targetPath}";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 bkp"
+ ];
+
+ packages = with pkgs; [
+ btrfsProgs
+ # btrbk
+ ];
+ };
+
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ "bkp" ];
+ commands = [
+ { command = "/etc/profiles/per-user/bkp/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/test"; options = [ "NOPASSWD" ]; }
+ ];
+ }
+ ];
+ };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/${containerBackupCfg.targetPath}" = {
+ hostPath = "/var/lib/container-volumes/backup-target";
+ isReadOnly = false;
+ };
+ };
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # ssh
+ containerPort = 22;
+ hostPort = sshPort;
+ protocol = "tcp";
+ }
+ ];
+
+ inherit hostAddress localAddress;
+}
diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index 6e1a9b6..7660200 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@@ -62,8 +62,8 @@ in { script = let btrbkConf = pkgs.writeText "cfg" '' timestamp_format long - ssh_identity ${passwords.storage.homeChBackup.keyPath} - ssh_user ${passwords.storage.homeChBackup.user} + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} ssh_compression no backend_remote btrfs-progs-sudo compat_remote busybox
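Review bot: In nix/os/containers/backup-target.nix the sudo rule hard-codes the account (`users = [ "bkp" ]`, `/etc/profiles/per-user/bkp/bin/btrfs`) although the user itself is created from `containerBackupCfg.user`, whose value lives in passwords.crypt.nix and is not visible here; if it is ever anything other than `bkp` the rule silently stops matching, so I would write `users = [ containerBackupCfg.user ];` and build the btrfs path from the same variable. The key in `openssh.authorizedKeys.keys` carries no options and the account gets `bashInteractive` plus NOPASSWD `btrfs` with arbitrary arguments, so possession of the backup source's private key is enough to delete or overwrite the snapshots this container is meant to protect. Prefixing the key with `restrict,command="…"` pointing at btrbk's `ssh_filter_btrbk.sh` or an equivalent wrapper would narrow that to the transfer operations. I would also add `services.openssh.passwordAuthentication = false;`, because `networking.firewall.enable = false` leaves sshd as the only control behind the forwarded port.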
@@ -75,7 +75,7 @@ in { target_preserve 7d 4w 12m *y volume ${subvolumeParentDir} - target ${passwords.storage.homeChBackup.target}/container-volumes/${targetPathSuffix} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} ''; in ''
diff --git a/nix/os/devices/vmd32387.contaboserver.net/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix
index a29e3a7..a3305eb 100644
--- a/nix/os/devices/vmd32387.contaboserver.net/system.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix
@@ -5,6 +5,7 @@ let keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; in { # TASK: new device
@@ -106,13 +107,10 @@ in { networking.useHostResolvConf = true; containers = { - backup = import ../../containers/backup.nix { - inherit config; - hostAddress = "192.168.100.16"; - localAddress = "192.168.100.17"; - subvolumes = [ - "backup" - ]; + bkpTarget = import ../../containers/backup-target.nix { + hostAddress = "192.168.100.18"; + localAddress = "192.168.100.19"; + containerBackupCfg = passwords.storage.backupTarget;  }; }; 
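Review bot: In system.nix, `containerBackupCfg = passwords.storage.backupTarget;` hands the whole attribute set from the encrypted `passwords.crypt.nix` to the container definition, and any field that ends up in an option value is written to the world-readable /nix/store. The fields that backup-target.nix reads (`addr`, `user`, `targetPath`, `portInt`) do not look secret, but nothing in the code stops a later change from interpolating one that is. I would put a comment above the new import, `# only non-secret fields may reach option values: they are copied into /nix/store`, or pass the four fields explicitly instead of the whole set.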
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 98713c6e5605716f7be63bfe6928ad1e839d8d04..ff47308936660d77fca71ff0c5ff74fe8dfd3063 100644 GIT binary patch literal 1098 zcmZQ@_Y83kiVO&0xPJ4Boa=MNu)lA#tJUw9|Itcml$-tXq5Bsd&pnai?yP-1+c@Vt zn=#gid}RxseQZvqz_)$o-vTQ5Zn{5J+@xM#-{3Dj(O}Ai#dfbeS9vpCtFPzUZm_Fv zndgQd@~#XU@LQE- zO`U$M;^YN z%e%|FZLF;C#VPDed)A@!@A1L!_j-6k>$2V)c|CK`-{y zvd=!3Zrkd-nXyXrP$+{ezsk8g@ytS#GPlV4XE_PZS*sPxR4u(Nx+E>e`VikEHIE?C zbzMtV9BT}an*Dr{X5FWkxjp;m-hB~#K1@2`>~VdKpan7$*d}YQDwyGzWiC56=|Y0Y znIE5@cKdrUCB|Rs;#9n_^$~aGhWexGqSwv-RxR@5G~c+xY0iO+PyJdKaxxwtp0c*_ zn$M3JRx4S#Zl%udmd?9VUCaM($J>Jfm)O>SUlk%PV6f**)O{Qs=i`Oi@z|*~F3Pe(nO}Nm+rsY3Cw2nOgpRWwCv3`!QAM&DnAb^O6u| zewK$F&jSU`HoA3g{~G#7Mx|di(Pw7;hM&E{_4S5pt+(s#eSb~%=ET6s3%V*d`i9In zf9U<2!_g|-xA{vCtcaZTSW~+0{*uk+(We5eSSCfRx%771>`s}*T9d9wO?)Ju$Ml3% z`qt!U37M;8{&d#8mEM1Qx!^O?lgrP~JuAE3cnWmU+EjR-#YLzWmW2yi2FC}SG4SGkk6}1|5Dk1a$dwCfwdo(=(KfA zPkE-&k-4PBYk$B+%{1rc65c~`Q+Mz7(2IHSIBoXUXt#RreZ|IR_jZ*EX3l;5obS&r zL0Ps$naLb%pDWxIU>LzyJ83`*XC!KHYh*7`ozMj@I;Zxd&7))}B0U^7OI4 zg6BM~1GNi-7RTPx<`FP6V}07-@w@o<47Nu%AKlvAkWs&J&7>glEETIyq1!CBrLKRx zc$-q}Lp$y8jaL_iaP2jedU#HD2GiVG(MloJ%kJv<|NQ@9+4-E%fQan7V(sUiJ?d1s z{ci76#xp7R4QKZM;+8jBwS=4Xfa*m1Cf5lr|NVR3rT)nc7Vd8?@VX%7`G1-9q(nXc zgMw8?|Gn3li5#0K{jco2?PeE=4S`FU_hwE%wV*twLf|BOy}I9@u2*v3Sa1JJ416?& zb#DARk5k*@=g)Z){y=ouS#7gm>lue1F7vWUy?EiUN|JhK`@Ab$bGX)|^Eift{F3hT V`k`2n7?daSeb>K}t!KQfl>tVj942I_Z1EQO}93LKouJmpuHuv3&mH%=kS~t9m3lmNr+_1q(ik z$_c6Q=hj-55Vm~QwZCkF^RK(L&-M`(?DAFP?3W3-Ryeyafra$ z&4I>$b2H_pu{ksU$|?9~-jdEHe<7L6O!C$p-n$mx7b(;nvv2;X>hnQ-3HRMwS6geH z>>|qBcJT#N-(7XdRyFPV!j&xsRXZi@a=TAeW}h&1&ey42*1T)=rti7MOGA4;I=ndk z$834c%L(#PE3SX7%xU^8eE#(GE4R!~v3|L+`i%5nCWk6ZDX%jgGd%(wGz6Ouy{bA} z892fG_6dXaS6dGqW=S>qV!8g;#PEF+d0H$tKKfayaD!>jw{U~L&-P!rbVC)yInOe<@y(t|9rp?5zev-J|LU(Nh@rFa^wG zaep{}>(ZM|jQ20IKdu%{Nv`~0{!6K5_u_|AWof79acI3{J+8a%ILB|3MK8l#R0N&l zJ#{+8l#cGXHh=5&E9+*Q-FoP7vSYDZdZ(_0hJx&$Y2Hs$FV-u1wcS2-h^=+Ssx8X@ 
zqgl?*H+ySTAmWg}t?S|&L0`tyLZ@w(Q+m}ViyfWUJn6sv)(a6{(Q~+rpDT*`av5Lg zO1N;{IL>r3`<~eS-pAz1Eq&!@E@F7fl%i94OgO|)igme|=IuuHdv7Hi-7-6uM-)$8 z_H)jXH)5Z<=83hPn4NWb%S_hPdhw*P-Di_J-H%jfsCoQqKK9TeNkqe>EQn?2kGt0v z2q%i!cgeF{IyLRqGp0r56Q?yUy0hSn*vhAC_h(lvTJpihaq-i?r#5C?QGdz9ayxcg zbk&3E)4q)QRq}Zsk1Cc`nM|tZ+N3w(`^;CGttC3k1#{17R!)2ILGFmt0>4+5k(%$$ z$a20}vF_n4$&>$Y=O*UtD17yKqS3*Oqv?mfti1fY)A+`6k9KbVr;6v;R#`QxB?seslEPJiDfYm6wjDPrdur?pL$e9M!8VdZlX%b39*E{yUrXuo?he CSOVq% -- 2.49.0