What's the recommended way to offer remote backups to friends?

I’m offering backup space with ZFS on Proxmox VE, datasets passed through to a container running sshd in sftp-only mode. Directory structure is /tank/backup/<username>, each <username> being their own dataset.
They are using rclone to access it for client-side encryption, so it is literally impossible for me to snoop in on them.
Only downside is having to manually chown the datasets to 101000 or whatever (would show up as 1000 inside the container) after creation, or use lxc.uidmap/gidmap, but I prefer manual chowning, it’s not too bad when the userbase is rather small.

I even created some PowerShell helper scripts to make setting up rclone easier, they are kind of janky though.
Most useful one is the zfs snapshot browser, so they can recover files themselves if required (sanoid automatic snapshots). I probably can’t post links yet, but it’s under gist github com slash bindi

/etc/pve/lxc/<CTID>.conf:
lxc.mount.entry: /tank/backup/ backup none rbind,create=dir,optional 0 0
This recursively mounts all datasets under /tank/backup

Inside the container /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Match Group sftponly
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        ForceCommand internal-sftp -d /%u
        ChrootDirectory /backup
1 Like
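An added example, not part of the original post: a small audit of the ownership and modes this layout depends on. sshd refuses a `ChrootDirectory` that is not root-owned or is group/other-writable, and each dataset must be owned by the shifted uid. The offset of 100000 is inferred from the post's "101000 shows up as 1000"; the usernames, the sample stat data and the private-mode check on user directories are assumptions.

```python
import os
import stat
from types import SimpleNamespace

LXC_ID_OFFSET = 100000  # assumed idmap offset (post: host 101000 -> 1000 inside)

def host_id(container_id, offset=LXC_ID_OFFSET):
    """Host-side uid that appears as container_id inside the container."""
    return container_id + offset

def audit_chroot(chroot, users, offset=LXC_ID_OFFSET, stat_fn=os.stat):
    """users maps name -> uid inside the container; use offset=0 when run inside it."""
    findings = []
    root = stat_fn(chroot)
    # sshd rejects a chroot that is not owned by (container) root or is writable by others.
    if root.st_uid != host_id(0, offset):
        findings.append(f"{chroot}: owner {root.st_uid}, expected {host_id(0, offset)}")
    if root.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{chroot}: group/other-writable, sshd will reject the chroot")
    for name, uid in sorted(users.items()):
        path = os.path.join(chroot, name)
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing (dataset not created or not mounted)")
            continue
        if st.st_uid != host_id(uid, offset):
            findings.append(f"{path}: owner {st.st_uid}, expected {host_id(uid, offset)}")
        # Assumed hardening: every user shares one chroot, so keep each directory private.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} lets other accounts in")
    return findings

# Constructed sample: path -> (uid, mode) as seen from the Proxmox host.
SAMPLE = {
    "/tank/backup": (100000, 0o40755),
    "/tank/backup/alice": (101000, 0o40700),
    "/tank/backup/bob": (0, 0o40755),  # dataset created but never chowned
}

def sample_stat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for finding in audit_chroot("/tank/backup", {"alice": 1000, "bob": 1001}, stat_fn=sample_stat):
        print(finding)
```

Drop the `stat_fn` argument to check the real filesystem on the host; it only inspects the chroot directory itself and the per-user directories, not parent path components.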

I’m not that familiar with IPv6, but presumably it’s a dynamic address. I read something about it changing regularly for security reasons too. So how do I set up the VPN stuff that needs an IP address? Is there something like dynamic DNS for IPv6?

The other issue is that ideally the VPN would be for the backup app only. I don’t want them to accidentally leave it on and do general browsing, or browsing while the backup runs.

I think you would need to pay for static IPs, which are normally $5-10 a month extra on your bill. While IPv6 does have dynamic DNS, I don't think OpenVPN allows you to set a route to a URL. So if you told the VPN not to route all traffic through it and then only set up a single subnet or IP route to the server then it would only run the backup software through the VPN and not all traffic. But again, I don't think you can use a URL for the route setup in the VPN config.

1 Like

Your OpenVPN routes should be to internal/private IPs, not to the public IP. Not only does this work with dynamic IP ranges, it also avoids some traffic going out over the internet in the clear if/when the VPN is down.

1 Like

Each side has a SAS card with external interfaces. Each party gets a x4 SAS interface. Each friend gets to get their own disk shelf with a SAS expander.

On your computer you run something with ZFS. Locally compute the replication so you can locally scrub and validate data, and replace drives without needing to run the data over the network.

Export block devices.

When they mount them on their computers they make an encrypted disk on the remote block device.

The remote party can back up their encryption keys onto other services, but the hard drives stored at your house only contain the data, not the keys. If the cops come knocking, you can export the drives and give them the disk shelf.

Also your friend can create the initial backup at their house, then export the pool for you to import on your end later.

1 Like

I totally agree.

I help friends back up by recommending they check out Backblaze personal backup or B2 storage.

I have no desire to take on legal risk by having their files on my systems.

I also have no desire for a disaster recovery gone wrong and then finger pointing at me for losing all their data.

For me, the risk vs reward is not aligned correctly.

3 Likes

Part of the issue is that some of us have a lot of data. My Jottacloud account is already almost to 5TB, where the speed limits kick in. Other cloud options are very expensive.

HDDs are cheap though. We all have gigabit internet now.