backups.nix

@@ -1,24 +0,0 @@
-{ lib, ... }: {
-  system.activationScripts.makeBackupDir = lib.stringAfter [ "var" ] ''
-    mkdir -p /var/lib/backup
-  '';
-
-  services.forgejo.dump = {
-    enable = true;
-    file = "forgejo-dump";
-    backupDir = "/var/lib/backup";
-  };
-
-  services.restic.backups.s3 = {
-    passwordFile = "/var/secrets/restic-backup";
-    environmentFile = "/var/secrets/restic-s3";
-    initialize = true;
-    repository = "s3:https://object.ceph-waw3.hswaw.net/cebulacamp-backups";
-    paths = [
-      "/var/lib/backup"
-      "/var/lib/postgresql"
-      "/var/lib/redis-authentik"
-      "/var/lib/nextcloud"
-    ];
-  };
-}

configuration.nix

@@ -13,7 +13,6 @@
       ./nextcloud.nix
       ./authentik.nix
       ./forgejo.nix
-      ./backups.nix
     ];
 
   boot.loader.systemd-boot.enable = true;
@@ -37,8 +36,36 @@
     "8.8.8.8"
   ];
 
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.jane = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  # };
+
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
+      "cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPt2EXhvAwjMZ+5j8P0dCMaUdXeUQePeTv8tBdHXNly mewp"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOccFr7RFddSB5kdvYCIdCyKgD3X79mC90cMImqziTd9 radex@radpro"
+    ];
+  };
   users.groups.ldap-access = {};
 
+  # users.ldap = {
+  #   enable = true;
+  #   loginPam = true;
+  #   nsswitch = true;
+  #   base = "ou=users,dc=cebula,dc=camp";
+  #   server = "ldap://10.88.0.1:389/";
+  #   timeLimit = 1;
+  #   daemon.enable = true;
+  #   bind = {
+  #     distinguishedName = "cn=ldap-access,ou=users,dc=cebula,dc=camp";
+  #     passwordFile = "/var/secrets/ldap-access";
+  #   };
+  # };
+
   services.sssd = {
     enable = true;
     sshAuthorizedKeysIntegration = true;
@@ -47,11 +74,20 @@
       serviceAccount = "ldap-access";
       allowedGroup = "cn=orga-infra,ou=groups,${baseDN}";
     in ''
+      [nss]
+      filter_groups = root
+      filter_users = root
+      reconnection_retries = 3
+
       [sssd]
       config_file_version = 2
+      reconnection_retries = 3
       domains = LDAP
       services = nss, pam, ssh
 
+      [pam]
+      reconnection_retries = 3
+
       [domain/LDAP]
       cache_credentials = True
       id_provider = ldap