====== Setting up Billy: Borg Backups ======
Setup of [[infrastruktur:host:billy]], the BorgBackup server on [[infrastruktur:server:case]].
===== Proxmox =====
General:
  * Node: case
  * LXC Container
  * Hostname: billy
  * CT ID: 112
  * Unprivileged container: yes
  * Nesting: yes
  * SSH public key(s): T_X's key
Template:
  * Storage: local
  * Template: debian-12-standard_12.2-1_amd64.tar.zst
Disks:
  * rootfs:
    * Disk Size: 4 GiB
    * Storage: disks
  * mp0:
    * Disk Size: 2048 GiB
    * Storage: disks
    * Path: /home
    * Backup: 0
CPU:
  * Cores: 1
Memory:
  * Memory: 2048 MiB
  * Swap: 512 MiB (ToDo: increase/enable?)
Network:
  * Name: eth0
  * bridge: vmbr0
  * IPv4: static
  * IPv4/CIDR: 172.23.208.77/23
  * IPv6: static
  * IPv6/CIDR: 2a01:170:1112::4d/64
  * Gateway: 2a01:170:1112:2::1
===== Debian =====
Also see: https://wiki.debian.org/LDAP/NSS#NSS_Setup_with_libnss-ldapd
$ apt-get update && apt-get dist-upgrade
$ apt-get install libnss-ldapd borgbackup quota vim
nslcd config prompt (to /etc/nslcd.conf):
  * LDAP server URI: ldaps://ldap.chaotikum.net
  * LDAP server search base: ou=users,ou=internal,dc=chaotikum,dc=org
  * Check server's SSL certificate: demand (vs. never/allow/try)
libnss-ldapd config prompt (to /etc/nsswitch.conf):
  * Name services to configure: passwd, group, shadow
Further configuration:
$ sed -i "s/#binddn.*$/binddn uid=proxmox,ou=services,dc=chaotikum,dc=org/" /etc/nslcd.conf
$ sed -i "s/#bindpw.*$/bindpw /" /etc/nslcd.conf
$ sed -i "s=#tls_cacertfile.*$=tls_cacertfile /etc/ssl/certs/ca-certificates.crt=" /etc/nslcd.conf
[ ToDo: verify properly: ]
$ echo "pam_authz_search memberOf=cn=freigeschaltet,ou=groups,dc=chaotikum,dc=org" >> /etc/nslcd.conf
$ systemctl restart nslcd.service
$ sed -i "s/#HOME_MODE.*/HOME_MODE\t0700/" /etc/login.defs
$ pam-auth-update --enable mkhomedir
$ groupadd --gid 2000 member
[ Note/ToDo: ideally this group should come from LDAP instead; currently, with ldap configured for group in /etc/nsswitch.conf, "getent group" would not show it though ]
===== SSH command restrictions =====
$ cat /etc/ssh/sshd_config.d/borg-restrictions.conf
Match Group member
    DisableForwarding yes
    PermitTTY no
    PermitUserRC no
    ForceCommand only borg ssh-add-authorized-keys
"only" command adapted from:
https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/
$ cat /usr/local/bin/only
#!/bin/sh
# Forced command: the words given on sshd's ForceCommand line are the
# allowed first words of a client command. The client's real command
# arrives in SSH_ORIGINAL_COMMAND and is filtered/rewritten by the sed
# rules in ~/.onlyrules; whatever sed prints is exec'd, an empty result
# is denied.
cmds="$*"
set -- $SSH_ORIGINAL_COMMAND
for allowed in $cmds; do
    if [ "$allowed" = "$1" ]; then
        cmd="$(echo $@ | sed -nf ~/.onlyrules)"
        if [ -z "$cmd" ]; then
            break   # allowed command word, but no rule accepted it
        fi
        eval exec "$cmd"
    fi
done
echo you may only $cmds, denied: $@ >&2
exit 1
$ chmod +x /usr/local/bin/only
The rules file also enforces the storage quota; the 250G can be adjusted here in /etc/skel (for new users) or later in a user's ~/.onlyrules:
$ cat /etc/skel/.onlyrules
# pass the key-upload helper through unchanged (exact match, no arguments)
\:^ssh-add-authorized-keys$:p
# reject "borg serve" if the client sets its own quota, otherwise append ours
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
$ cat /usr/local/bin/ssh-add-authorized-keys
#!/bin/sh
# Reached via the forced command: replaces the caller's authorized_keys
# with whatever arrives on stdin (the keys are piped in over SSH).
set -e
[ -d "$HOME/.ssh" ] || mkdir -m700 "$HOME/.ssh"
umask 0077
cat > "$HOME/.ssh/authorized_keys"
$ chmod +x /usr/local/bin/ssh-add-authorized-keys
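Added example for checking the forced-command policy above offline (not part of the original setup): it re-implements the matching loop of "only" together with the two .onlyrules sed rules as a function that prints the command that would be exec'd instead of running it, so allow/deny decisions can be verified against constructed client commands. The helper names only_check and show are assumptions of this example.

```shell
#!/bin/sh
# Offline self-check of the forced-command policy (added example; helper
# names only_check and show are made up, not part of the original setup).
# Copy the two rules from /etc/skel/.onlyrules into a temp file.
ONLYRULES="$(mktemp)"
trap 'rm -f "$ONLYRULES"' EXIT
cat > "$ONLYRULES" <<'EOF'
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
EOF

# only_check "ALLOWED WORDS" "CLIENT COMMAND"
# Same matching loop as /usr/local/bin/only, but prints the command that
# would be exec'd instead of running it; returns 1 when it would be denied.
only_check() {
    cmds="$1"
    set -- $2                       # word-split like `set -- $SSH_ORIGINAL_COMMAND`
    for allowed in $cmds; do
        if [ "$allowed" = "$1" ]; then
            cmd="$(printf '%s\n' "$*" | sed -nf "$ONLYRULES")"
            [ -n "$cmd" ] || break  # first word allowed, but no rule accepted it
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# The two words from the sshd ForceCommand line above.
ALLOWED="borg ssh-add-authorized-keys"

# Print the decision for one constructed client command.
show() {
    if out="$(only_check "$ALLOWED" "$1")"; then
        echo "allowed: $1  ->  $out"
    else
        echo "denied:  $1"
    fi
}

show "borg serve"                      # quota gets appended
show "borg serve --storage-quota 2T"   # client may not pick its own quota
show "borg list /home/alice/repo"      # only 'borg serve' is permitted
show "ssh-add-authorized-keys"         # key upload helper passes through
show "sh -c id"                        # not an allowed word at all
```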
===== Unattended updates =====
https://wiki.debian.org/UnattendedUpgrades
$ apt-get install unattended-upgrades apt-listchanges
In /etc/apt/apt.conf.d/50unattended-upgrades, set:
-> Unattended-Upgrade::Automatic-Reboot "true";
-> Unattended-Upgrade::Automatic-Reboot-Time "03:42";