Back up Knot DNSSEC keystore from ns1 to control via borgbackup
clan borgbackup instance: control serves repos, ns1 backs up its clan.core.state (the KASP keystore at /var/lib/knot) nightly over the mesh with repokey encryption. ns1 maps the control machine name to its ZeroTier address so the borg@control repo resolves. Run `clan vars generate ns1` before deploy to mint the borg keypair.
@@ -64,6 +64,16 @@ in
emergency-access = {
roles.default.tags.nixos = { };
};
# Encrypted, deduplicating backups. control hosts the repos; ns1 is the
# only client, backing up its declared clan.core.state (the Knot DNSSEC
# keystore) over the mesh. Repo lives at /var/lib/borgbackup/ns1 on control.
# Cross-host so an ns1 loss is recoverable; repokey encryption means control
# never holds plaintext. Run `clan vars generate ns1` (YubiKey) before deploy.
borgbackup = {
roles.server.machines.control = { };
roles.client.machines.ns1 = { };
};
};
machines = {
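Review bot: the comment line "repokey encryption means control never holds plaintext" overstates the isolation between the two hosts. In Borg's repokey mode the repository encryption key is stored inside the repository itself, i.e. under /var/lib/borgbackup/ns1 on control, wrapped with the client's passphrase; control never sees plaintext chunks, but it does hold the passphrase-wrapped key, so word it as "control holds only ciphertext plus the passphrase-wrapped repo key, never the passphrase". For the same reason the "Run `clan vars generate ns1`" hint should say that the generated borg passphrase must be kept somewhere that survives an ns1 loss (it is the only thing that makes the repo on control readable again); without that, the "Cross-host so an ns1 loss is recoverable" claim on the preceding comment line does not hold.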