In the case of a simple web server with a MySQL database, the script has to dump the database, copy the web-server files and tar everything together. Then a NAS server rsyncs the tar file via an "ssh-copy-id" done to a user "backup" that can only access its own home folder, where the backups are stored.
I know a few things, like storing the credentials in an env file and limiting access to the script and the env file, but I have some doubts too:
1- Is it better for root to access and execute the script and env file and then give the tar file to the backup user, or to let the backup user execute the script?
2- Is the Rsync via ssh key to a limited backup user the best way to export the backup file or is there a better way (in terms of security)?
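
One way to enforce the "limit the access to the env file" point from the question inside the backup script itself, as an added example that is not the poster's script. The key names `DB_USER`, `DB_PASS`, `DB_NAME`, the function names and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): load backup credentials only
# from an env file that no other user can read or modify.
# Assumed key names: DB_USER, DB_PASS, DB_NAME. Assumes GNU/busybox `stat -c`.

# Return 0 only if $1 is a regular file (not a symlink), owned by the user
# running the script, with no group/other permission bits set.
env_file_is_private() {
    _f=$1
    [ -f "$_f" ] || return 1
    [ ! -L "$_f" ] || return 1                 # a symlink could be retargeted
    _mode=$(stat -c '%a' "$_f") || return 1    # octal mode, e.g. 600
    _owner=$(stat -c '%u' "$_f") || return 1
    [ "$_owner" = "$(id -u)" ] || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case "$_mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Parse KEY=VALUE lines for the expected keys only. The file is never
# `source`d, so shell syntax placed in it is treated as data, not executed.
load_backup_env() {
    _env=$1
    if ! env_file_is_private "$_env"; then
        echo "refusing to use $_env: wrong owner, mode, or file type" >&2
        return 1
    fi
    while IFS='=' read -r _key _value; do
        case "$_key" in
            DB_USER) DB_USER=$_value ;;
            DB_PASS) DB_PASS=$_value ;;
            DB_NAME) DB_NAME=$_value ;;
        esac
    done < "$_env"
}

# Intended use at the top of the backup script, before the database dump:
#   load_backup_env /path/to/backup.env || exit 1
```

The same ownership and mode check applies to whichever account runs the script, root or the backup user, since it compares against the invoking user's UID.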