]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/pumpkin/syncoid.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
libreoffice: --enable-report-builder is not longer supported
[julm/julm-nix.git] / hosts / pumpkin / syncoid.nix
1 {
2 pkgs,
3 lib,
4 config,
5 inputs,
6 hostName,
7 ...
8 }:
9 let
10 inherit (config.users) users;
11 pumpkin2off2 =
12 conf:
13 lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
14 "pumpkin/root" =
15 let
16 targetHost = "aubergine.local";
17 in
18 {
19 target = "backup@${targetHost}:off2/julm/backup/pumpkin";
20 sendOptions = "raw";
21 recursive = true;
22 extraArgs = [
23 "--create-bookmark"
24 "--no-sync-snap"
25 "--no-privilege-elevation"
26 "--preserve-properties"
27 "--preserve-recordsize"
28 "--recursive"
29 "--sendoptions=w"
30 "--recvoptions=u"
31 "--exclude"
32 "pumpkin/root/nix"
33 "--exclude"
34 "pumpkin/root/var/cache"
35 "--exclude"
36 "pumpkin/root/var/log"
37 "--exclude"
38 "pumpkin/root/home/julm/.cache"
39 "--exclude"
40 "pumpkin/root/home/julm/games"
41 "--exclude"
42 "pumpkin/root/home/julm/Downloads"
43 "--sshconfig"
44 "${pkgs.writeText "ssh-config" ''
45 Host *
46 Ciphers aes128-gcm@openssh.com
47 Compression no
48 StrictHostKeyChecking yes
49 UserKnownHostsFile ${pkgs.writeText "known_hosts" ''
50 ${targetHost} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/cT/L3dF7uoR3s7NB59NiKjuk35I6x+7MK5zhwOy6k
51 ''}
52 ''}"
53 ];
54 };
55 };
56 in
57 {
58 networking.nftables.ruleset = lib.mkAfter ''
59 table inet filter {
60 chain output-net {
61 skuid @nixos_syncoid_uids \
62 meta l4proto tcp \
63 counter accept \
64 comment "syncoid: SSH"
65 }
66 }
67 '';
68 systemd.tmpfiles.rules = [
69 "z /dev/zfs 0660 - ${config.users.groups."disk".name} -"
70 ];
71 # ExplanationNote: give access to /var/run/avahi-daemon/socket
72 # Using /var/run is not working due to RootDirectoryStartOnly=true
73 systemd.services.syncoid-pumpkin-root.serviceConfig.BindReadOnlyPaths = [ "/var/run" ];
74 systemd.services.syncoid-pumpkin-root.serviceConfig.RootDirectoryStartOnly = lib.mkForce false;
75 systemd.services.syncoid-pumpkin-root.serviceConfig.ExecStartPost =
76 pkgs.writeShellScript "zfs-fix-bookmarks" ''
77 set -ux
78 for s in $(zfs list -Hrpt snapshot -o name pumpkin); do
79 zfs bookmark "$s" "''${s//@/#}" || true
80 done
81 '';
82 services.syncoid = {
83 enable = true;
84 interval = "*-*-* *:05:00";
85 #interval = "*:0/1";
86 sshKey = "ssh.key:${syncoid/ssh.key.cred}";
87 commonArgs = [
88 #"--debug"
89 "--no-sync-snap"
90 "--create-bookmark"
91 #"--no-privilege-elevation"
92 #"--no-stream"
93 #"--preserve-recordsize"
94 #"--preserve-properties"
95 ];
96 service = {
97 serviceConfig.Group = config.users.groups."disk".name;
98 };
99 commands = { } // pumpkin2off2 { };
100 };
101 programs.bash.interactiveShellInit = ''
102 backup-pumpkin () {
103 local -
104 set -x
105 dst=
106 if ! zpool list off2
107 then dst=aubergine.sp:
108 fi
109 sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
110 --create-bookmark --no-sync-snap --no-privilege-elevation \
111 --preserve-properties --preserve-recordsize \
112 --recursive --sendoptions=w --recvoptions=u \
113 --exclude pumpkin/root/nix \
114 --exclude pumpkin/root/var/cache \
115 --exclude pumpkin/root/var/log \
116 --exclude pumpkin/root/home/julm/.cache \
117 --exclude pumpkin/root/home/julm/games \
118 --exclude pumpkin/root/home/julm/Downloads \
119 pumpkin/root \
120 ''${dst}off2/julm/backup/pumpkin
121 zfs-fix-bookmarks pumpkin 2>/dev/null
122 }
123 '';
124 }
julm's NixOS and home-manager configs