From c75cf3456bfd62f7aba992e56fd01be020d5c7b3 Mon Sep 17 00:00:00 2001 From: Sebastien Bourdeauducq Date: Tue, 16 Nov 2021 14:21:56 +0800 Subject: [PATCH] nixbld: improve backup include Mattermost attachments stop using expensive and insecure dropbox --- nixbld-etc-nixos/backup-module.nix | 7 ++++--- nixbld-etc-nixos/configuration.nix | 7 +++++++ nixbld-etc-nixos/secret_permissions.txt | 1 - 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/nixbld-etc-nixos/backup-module.nix b/nixbld-etc-nixos/backup-module.nix index 159cea6d..2804c8d1 100644 --- a/nixbld-etc-nixos/backup-module.nix +++ b/nixbld-etc-nixos/backup-module.nix @@ -15,14 +15,15 @@ let ${config.services.mysql.package}/bin/mysqldump --single-transaction flarum > flarum.sql ${pkgs.sudo}/bin/sudo -u mattermost ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql - ${pkgs.gnutar}/bin/tar cf - --exclude "/var/lib/gitea/repositories/*/*.git/archives" /etc/nixos /var/lib/gitea flarum.sql mattermost.sql | \ + ${pkgs.gnutar}/bin/tar cf - --exclude "/var/lib/gitea/repositories/*/*.git/archives" /etc/nixos /var/lib/gitea /var/lib/mattermost/data flarum.sql mattermost.sql | \ ${pkgs.bzip2}/bin/bzip2 | \ - ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase | \ - ${pkgs.rclone}/bin/rclone rcat --config /etc/nixos/secret/rclone.conf dropbox:$FILENAME + ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase > /home/backupdl/$FILENAME popd rm -rf $DBDUMPDIR + chown backupdl.users /home/backupdl/$FILENAME + echo Backup done ''; cfg = config.services.mlabs-backup; diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix index 2bd68aee..f4321af3 100644 --- a/nixbld-etc-nixos/configuration.nix +++ b/nixbld-etc-nixos/configuration.nix 
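Review bot: The new `gpg` line in backup-module.nix writes the archive straight to its final name with `> /home/backupdl/$FILENAME` and only fixes ownership afterwards, so a download that starts while the job is running can fetch a truncated file, and the file's mode is left to the job's umask. Writing to a temporary name and renaming on success closes that window: `> "/home/backupdl/.$FILENAME.part"`, then `chown backupdl:users` and `chmod 600` on the temporary file, then `mv` to `"/home/backupdl/$FILENAME"`. The `chown backupdl.users` form with a dot is deprecated in favour of `:`, and `$FILENAME` should be quoted. The start of the script is outside the hunk, so it is not visible whether `set -e -o pipefail` is in effect; without it a failed `tar` or `gpg` stage still reaches `echo Backup done` and leaves a bad archive in place.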
@@ -267,6 +267,13 @@ in
 isNormalUser = true;
 extraGroups = ["wheel"];
 };
+ users.extraUsers.backupdl = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+ ];
+ };
 users.extraUsers.harry = {
 isNormalUser = true;
 extraGroups = ["hkadmin" "lp" "scanner"];
diff --git a/nixbld-etc-nixos/secret_permissions.txt b/nixbld-etc-nixos/secret_permissions.txt
index acbcc4f3..14c7dd7f 100644
--- a/nixbld-etc-nixos/secret_permissions.txt
+++ b/nixbld-etc-nixos/secret_permissions.txt
@@ -8,6 +8,5 @@
 -rw------- 1 nginx nginx muninpasswd
 -rw-rw---- 1 hydra hydra nixbld.m-labs.hk-1
 -rw-rw---- 1 hydra hydra nix_id_rsa
--rw------- 1 root root rclone.conf
 -rw------- 1 root root wifi_password.nix
 -rw------- 1 sb users wifi_ext_password.nix
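Review bot: The `users.extraUsers.backupdl` block in configuration.nix creates a normal login account whose two `ssh-rsa` keys carry no restrictions, so either key grants an interactive shell on the build host although the account appears to exist only to fetch backup files. Confining the account to file transfer limits what a lost or stolen key can reach, for example `services.openssh.extraConfig = "Match User backupdl\n  ForceCommand internal-sftp\n";`; if `extraConfig` is already set elsewhere in the file (not visible in this hunk), the two sshd lines belong there. The key strings also have no trailing comment, so a short `# owner / machine` comment above each entry would make later rotation or revocation unambiguous.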