Einrichtung Billy: Borg Backups

Einrichtung von billy, dem BorgBackup server auf case.

Proxmox

General:

Node: case
LXC Container
Hostname: billy
CT ID: 112
Unprivileged container: yes
Nesting: yes
SSH public key(s): T_X's key

Template:

Storage: local
Template: debian-12-standard_12.2-1_amd64.tar.zst

Disks:

rootfs:
- Disk Size: 4 GiB
- Storage: disks
mp0:
- Disk Size: 2048 GiB
- Storage: disks
- Path: /home
- Backup: 0

CPU:

Cores: 1

Memory:

Memory: 2048 MiB
Swap: 512 MiB (ToDo: increase/enable?)

Network:

Name: eth0
bridge: vmbr0
IPv4: static
- IPv4/CIDR: 172.23.208.77/23
IPv6: static
- IPv6/CIDR: 2a01:170:1112::4d/64
- Gateway: 2a01:170:1112:2::1

Debian

Also see: https://wiki.debian.org/LDAP/NSS#NSS_Setup_with_libnss-ldapd

$ apt-get update && apt-get dist-upgrade
$ apt-get install libnss-ldapd borgbackup quota vim

nslcd config prompt (to /etc/nslcd.conf):

LDAP server URI:
- ```
ldaps://ldap.chaotikum.net
```
- LDAP server search base: ou=users,ou=internal,dc=chaotikum,dc=org
- Check server's SSL certificate: demand (vs. never/allow/try)

libnss-ldapd config prompt (to /etc/nsswitch.conf):

Name services to configure: passwd, group, shadow

Further configuration:

$ sed -i "s/#binddn.*$/binddn uid=proxmox,ou=services,dc=chaotikum,dc=org/" /etc/nslcd.conf
$ sed -i "s/#bindpw.*$/bindpw <LDAP-BINDPW-HERE>/" /etc/nslcd.conf
$ sed -i "s=#tls_cacertfile.*$=tls_cacertfile /etc/ssl/certs/ca-certificates.crt=" /etc/nslcd.conf
[ ToDo: verify properly: ]
$ echo "pam_authz_search memberOf=cn=freigeschaltet,ou=groups,dc=chaotikum,dc=org" >> /etc/nslcd.conf
$ systemctl restart nslcd.service
$ sed -i "s/#HOME_MODE.*/HOME_MODE\t0700/" /etc/login.defs
$ pam-auth-update --enable mkhomedir
$ groupadd --gid 2000 member
[ Note/ToDo: this should instead, ideally come from LDAP?
  currently "getent group" with ldap for group
  /etc/nsswitch.conf would not show it though ]

SSH command restrictions

$ cat /etc/ssh/sshd_config.d/borg-restrictions.conf
Match Group member
        DisableForwarding yes
        PermitTTY no
        PermitUserRC no
        ForceCommand only borg ssh-add-authorized-keys

„only“ command adapted from:

https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/

$ cat /usr/local/bin/only
#!/bin/sh
cmds="$@"
set -- $SSH_ORIGINAL_COMMAND
for allowed in $cmds; do
    if [ "$allowed" = "$1" ]; then
    cmd="$(echo $@ | sed -nf ~/.onlyrules)"
    if [ -z "$cmd" ]; then
        break
    fi
        eval exec "$cmd"
    fi
done
echo you may only $cmds, denied: $@ >&2
exit 1
$ chmod +x /usr/local/bin/only

Also contains storage quota, 250G can be adjusted here in /etc/skel or in ~/.onlyrules later:

$ cat /etc/skel/.onlyrules
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p

$ cat /usr/local/bin/ssh-add-authorized-keys
#!/bin/sh
[ ! -d "$HOME/.ssh" ] && mkdir -m700 "$HOME/.ssh"

umask 0077
cat > "$HOME/.ssh/authorized_keys"
$ chmod +x /usr/local/bin/ssh-add-authorized-keys

Unattended updates

https://wiki.debian.org/UnattendedUpgrades

$ apt-get install unattended-upgrades apt-listchanges

/etc/apt/apt.conf.d/50unattended-upgrades

-> Unattended-Upgrade::Automatic-Reboot "true";
-> Unattended-Upgrade::Automatic-Reboot-Time "03:42";