infrastruktur:host:billy:billy-borg-server-setup [05.09.2024 02:19] (current) – ↷ page renamed from infrastruktur:host:billy:billy-setup to infrastruktur:host:billy:billy-borg-server-setup, Linus Lüssing
====== Setting up Billy: Borg Backups ======

Setup of [[infrastruktur:host:billy]], the BorgBackup server on [[infrastruktur:server:case]].

===== Proxmox =====

General:

  * Node: case
  * LXC Container
  * Hostname: billy
  * CT ID: 112
  * Unprivileged container: yes
  * Nesting: yes
  * SSH public key(s): T_X's key

Template:

  * Storage: local
  * Template: debian-12-standard_12.2-1_amd64.tar.zst

Disks:

  * rootfs:
    * Disk Size: 4 GiB
    * Storage: disks
  * mp0:
    * Disk Size: 2048 GiB
    * Storage: disks
    * Path: /home
    * Backup: 0

CPU:

  * Cores: 1

Memory:

  * Memory: 2048 MiB
  * Swap: 512 MiB (ToDo: increase/enable?)

Network:

  * Name: eth0
  * bridge: vmbr0
  * IPv4: static
    * IPv4/CIDR: 172.23.208.77/23
  * IPv6: static
    * IPv6/CIDR: 2a01:170:1112::4d/64
    * Gateway: 2a01:170:1112:2::1

===== Debian =====

Also see: https://wiki.debian.org/LDAP/NSS#NSS_Setup_with_libnss-ldapd

<code>
$ apt-get update && apt-get dist-upgrade
$ apt-get install libnss-ldapd borgbackup quota vim
</code>

nslcd config prompt (to /etc/nslcd.conf):

  * LDAP server URI: <code>ldaps://ldap.chaotikum.net</code>
  * LDAP server search base: ou=users,ou=internal,dc=chaotikum,dc=org
  * Check server's SSL certificate: demand (vs. never/allow/try)

libnss-ldapd config prompt (to /etc/nsswitch.conf):

  * Name services to configure: passwd, group, shadow

Further configuration:

<code>
$ sed -i "s/#binddn.*$/binddn uid=proxmox,ou=services,dc=chaotikum,dc=org/" /etc/nslcd.conf
$ sed -i "s/#bindpw.*$/bindpw <LDAP-BINDPW-HERE>/" /etc/nslcd.conf
$ sed -i "s=#tls_cacertfile.*$=tls_cacertfile /etc/ssl/certs/ca-certificates.crt=" /etc/nslcd.conf
[ ToDo: verify properly: ]
$ echo "pam_authz_search memberOf=cn=freigeschaltet,ou=groups,dc=chaotikum,dc=org" >> /etc/nslcd.conf
$ systemctl restart nslcd.service
$ sed -i "s/#HOME_MODE.*/HOME_MODE\t0700/" /etc/login.defs
$ pam-auth-update --enable mkhomedir
$ groupadd --gid 2000 member
[ Note/ToDo: this should instead, ideally come from LDAP?
  currently "getent group" with ldap for group in
  /etc/nsswitch.conf would not show it though ]
</code>

===== SSH command restrictions =====

<code>
$ cat /etc/ssh/sshd_config.d/borg-restrictions.conf
Match Group member
        DisableForwarding yes
        PermitTTY no
        PermitUserRC no
        ForceCommand only borg ssh-add-authorized-keys
</code>

The "only" command is adapted from:

https://at.magma-soft.at/sw/blog/posts/The_Only_Way_For_SSH_Forced_Commands/

<code>
$ cat /usr/local/bin/only
#!/bin/sh
# The allowed first words are passed as arguments (via ForceCommand);
# the command the client actually requested is in SSH_ORIGINAL_COMMAND.
cmds="$@"
set -- $SSH_ORIGINAL_COMMAND
for allowed in $cmds; do
    if [ "$allowed" = "$1" ]; then
        # Filter the full command line through the user's sed rules;
        # an empty result means the rules rejected it.
        cmd="$(echo $@ | sed -nf ~/.onlyrules)"
        if [ -z "$cmd" ]; then
            break
        fi
        eval exec "$cmd"
    fi
done
echo you may only $cmds, denied: $@ >&2
exit 1
$ chmod +x /usr/local/bin/only
</code>

The rules file also enforces a storage quota; the 250G value can be adjusted here in /etc/skel or later in a user's ~/.onlyrules:

<code>
$ cat /etc/skel/.onlyrules
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
</code>
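As an added example (not part of the wiki page), the decision step of the "only" wrapper and the .onlyrules filter above is re-implemented as a shell function so it can be exercised against sample SSH_ORIGINAL_COMMAND values without exec'ing anything; the rules file is a constructed copy of /etc/skel/.onlyrules written to a temp file.

```sh
#!/bin/sh
# Added example, not from the wiki page: reproduce the allow/deny decision of
# /usr/local/bin/only together with /etc/skel/.onlyrules, minus the exec.

# Constructed copy of the page's .onlyrules, written to a temp file.
RULES="$(mktemp)"
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
\:^ssh-add-authorized-keys$:p
/^borg serve.*\-\-storage-quota/ s/.*//; /^borg serve.*/ s/$/ --storage-quota 250G/p
EOF

# only_decide "ALLOWED WORDS" "ORIGINAL COMMAND"
# Mirrors "only": the first word must be in the allow list, then the whole
# line goes through the sed rules; an empty result means denied.
# Prints the command that would be exec'd, or "denied" (exit status 1).
only_decide() {
    cmds="$1"
    set -- $2                       # unquoted on purpose: split like "only" does
    for allowed in $cmds; do
        if [ "$allowed" = "$1" ]; then
            cmd="$(echo "$@" | sed -nf "$RULES")"
            if [ -z "$cmd" ]; then
                break               # rules rejected it (e.g. client-supplied quota)
            fi
            echo "$cmd"
            return 0
        fi
    done
    echo "denied"
    return 1
}

ALLOW="borg ssh-add-authorized-keys"
only_decide "$ALLOW" "borg serve"                     # quota appended
only_decide "$ALLOW" "borg serve --storage-quota 10T" || :   # denied: quota override
only_decide "$ALLOW" "borg list" || :                 # denied: not "borg serve"
only_decide "$ALLOW" "ssh-add-authorized-keys"        # passed through
only_decide "$ALLOW" "bash -i" || :                   # denied: not in allow list
```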

<code>
$ cat /usr/local/bin/ssh-add-authorized-keys
#!/bin/sh
# Keys are read from stdin and replace the user's authorized_keys file.
[ ! -d "$HOME/.ssh" ] && mkdir -m700 "$HOME/.ssh"

umask 0077
cat > "$HOME/.ssh/authorized_keys"
$ chmod +x /usr/local/bin/ssh-add-authorized-keys
</code>

===== Unattended updates =====

https://wiki.debian.org/UnattendedUpgrades

<code>
$ apt-get install unattended-upgrades apt-listchanges
</code>

Set the following in /etc/apt/apt.conf.d/50unattended-upgrades:

<code>
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:42";
</code>