Setup Billy: Borg Backups

Setup of billy, the BorgBackup server on case.

Proxmox

General:

  • Node: case
  • LXC Container
  • Hostname: billy
  • CT ID: 112
  • Unprivileged container: yes
  • Nesting: yes
  • SSH public key(s): T_X's key

Template:

  • Storage: local
  • Template: debian-12-standard_12.2-1_amd64.tar.zst

Disks:

  • rootfs:
    • Disk Size: 4 GiB
    • Storage: disks
  • mp0:
    • Disk Size: 2048 GiB
    • Storage: disks
    • Path: /home
    • Backup: 0

CPU:

  • Cores: 1

Memory:

  • Memory: 2048 MiB
  • Swap: 512 MiB (ToDo: increase/enable?)

Network:

  • Name: eth0
  • bridge: vmbr0
  • IPv4: static
    • IPv4/CIDR: 172.23.208.77/23
  • IPv6: static
    • IPv6/CIDR: 2a01:170:1112::4d/64
    • Gateway: 2a01:170:1112:2::1

Debian

Also see: https://wiki.debian.org/LDAP/NSS#NSS_Setup_with_libnss-ldapd

$ apt-get update && apt-get dist-upgrade
$ apt-get install libnss-ldapd borgbackup quota vim

nslcd config prompt (to /etc/nslcd.conf):

  • LDAP server URI: ldaps://ldap.chaotikum.net
  • LDAP server search base: ou=users,ou=internal,dc=chaotikum,dc=org
  • Check server's SSL certificate: demand (vs. never/allow/try)

libnss-ldapd config prompt (to /etc/nsswitch.conf):

  • Name services to configure: passwd, group, shadow

Further configuration:

$ sed -i "s/#binddn.*$/binddn uid=proxmox,ou=services,dc=chaotikum,dc=org/" /etc/nslcd.conf
$ sed -i "s/#bindpw.*$/bindpw <LDAP-BINDPW-HERE>/" /etc/nslcd.conf
$ sed -i "s=#tls_cacertfile.*$=tls_cacertfile /etc/ssl/certs/ca-certificates.crt=" /etc/nslcd.conf
[ ToDo: verify properly: ]
$ echo "pam_authz_search memberOf=cn=freigeschaltet,ou=groups,dc=chaotikum,dc=org" >> /etc/nslcd.conf
$ systemctl restart nslcd.service
$ sed -i "s/#HOME_MODE.*/HOME_MODE\t0700/" /etc/login.defs
$ pam-auth-update --enable mkhomedir
$ groupadd --gid 2000 member
[ Note/ToDo: ideally this group should come from LDAP instead.
  Currently "getent group" does not show it, though, even with ldap
  configured for group in /etc/nsswitch.conf ]

SSH command restrictions

$ cat /etc/ssh/sshd_config.d/borg-restrictions.conf
Match Group member
        DisableForwarding yes
        PermitTTY no
        PermitUserRC no
        ForceCommand only borg ssh-add-authorized-keys

"only" command adapted from:

https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/

$ cat /usr/local/bin/only
#!/bin/sh
# Forced-command wrapper: the allowed first words are passed as arguments
# (see ForceCommand above); the command the client actually requested
# arrives in SSH_ORIGINAL_COMMAND.
cmds="$@"
set -- $SSH_ORIGINAL_COMMAND
for allowed in $cmds; do
    if [ "$allowed" = "$1" ]; then
        # Run the requested command through the user's sed rules; only
        # what the rules print (possibly rewritten) may be executed.
        cmd="$(echo $@ | sed -nf ~/.onlyrules)"
        if [ -z "$cmd" ]; then
            break
        fi
        # eval re-parses the filtered string as shell, so the rules must
        # only pass through strings that are safe to be parsed that way.
        eval exec "$cmd"
    fi
done
echo you may only $cmds, denied: $@ >&2
exit 1
$ chmod +x /usr/local/bin/only

The rules file also enforces a storage quota; the 250G can be adjusted here in /etc/skel (for new home directories) or later in a user's ~/.onlyrules:

$ cat /etc/skel/.onlyrules
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
$ cat /usr/local/bin/ssh-add-authorized-keys
#!/bin/sh
# Reached via "only": the client sends its public key(s) on stdin and the
# whole authorized_keys file is replaced by that input.
[ ! -d "$HOME/.ssh" ] && mkdir -m700 "$HOME/.ssh"

# Create the file without group/other permissions.
umask 0077
cat > "$HOME/.ssh/authorized_keys"
$ chmod +x /usr/local/bin/ssh-add-authorized-keys
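To check which command a given client request would end up running under these rules, here is an added dry-run checker (example code, not from this wiki page or from the author of the "only" script): it re-implements the decision logic of /usr/local/bin/only with the rules from /etc/skel/.onlyrules, but prints the resulting command instead of exec'ing it. The function name only_dry_run and the sample client requests are constructed for this example.

```shell
#!/bin/sh
# Dry run of the "only" forced-command logic (added example, not the wiki's code).
# Same word splitting, sed filtering and empty-result handling as /usr/local/bin/only,
# but the resulting command is printed instead of exec'ed.
# Arguments: 1 = SSH_ORIGINAL_COMMAND as sent by the client
#            2 = allowed first words (the arguments "only" gets from ForceCommand)
#            3 = path to the sed rules file (normally ~/.onlyrules)
only_dry_run() {
    orig=$1; cmds=$2; rules=$3
    set -- $orig
    for allowed in $cmds; do
        if [ "$allowed" = "$1" ]; then
            cmd="$(echo $@ | sed -nf "$rules")"
            if [ -z "$cmd" ]; then
                break                # rules printed nothing: request is rejected
            fi
            printf '%s\n' "$cmd"     # this is what "only" would eval exec
            return 0
        fi
    done
    printf 'denied: %s\n' "$orig" >&2
    return 1
}

# Constructed copy of the rules shown above (/etc/skel/.onlyrules).
ONLYRULES=$(mktemp)
cat > "$ONLYRULES" <<'EOF'
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
EOF

ALLOWED="borg ssh-add-authorized-keys"
# Constructed sample requests: a normal borg client, a client trying to set its
# own quota, a key upload, and an arbitrary shell command.
for req in "borg serve --umask=077" "borg serve --storage-quota 2T" \
           "ssh-add-authorized-keys" "bash -i"; do
    printf '%-32s -> ' "$req"
    only_dry_run "$req" "$ALLOWED" "$ONLYRULES" 2>/dev/null || echo "(rejected)"
done
```

Only the borg client and the key upload get through; the quota override and the shell are rejected, which is what the Match block above relies on.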

Unattended updates

https://wiki.debian.org/UnattendedUpgrades

$ apt-get install unattended-upgrades apt-listchanges

In /etc/apt/apt.conf.d/50unattended-upgrades set:

-> Unattended-Upgrade::Automatic-Reboot "true";
-> Unattended-Upgrade::Automatic-Reboot-Time "03:42";
infrastruktur/host/billy/billy-borg-server-setup.txt · Last modified: 05.09.2024 02:19 by Linus Lüssing