hosts/nan2gua1/syncoid.nix

   1 {
   2   pkgs,
   3   lib,
   4   config,
   5   hostName,
   6   ...
   7 }:
   8 let
   9   inherit (config.users) users;
  10   backupTarget = "off4";
  11   backupConf =
  12     conf:
  13     lib.concatMapAttrs
  14       (targetHost: c: {
  15         "${hostName}/root-to-${targetHost}" = lib.recursiveUpdate {
  16           source = "${hostName}/root";
  17           target = "backup@${targetHost}:${backupTarget}/julm/backup/${hostName}";
  18           sendOptions = "raw";
  19           recursive = true;
  20           extraArgs = [
  21             "--create-bookmark"
  22             "--no-sync-snap"
  23             "--no-privilege-elevation"
  24             "--preserve-properties"
  25             "--preserve-recordsize"
  26             "--recursive"
  27             "--sendoptions=w"
  28             "--recvoptions=u"
  29             "--exclude-datasets"
  30             "${hostName}/root/nix"
  31             "--exclude-datasets"
  32             "${hostName}/root/var/cache"
  33             "--exclude-datasets"
  34             "${hostName}/root/var/log"
  35             "--exclude-datasets"
  36             "${hostName}/root/home/julm/.cache"
  37             "--exclude-datasets"
  38             "${hostName}/root/home/julm/Downloads"
  39             "--sshconfig"
  40             "${pkgs.writeText "ssh-config" ''
  41               Host *
  42                 Ciphers aes128-gcm@openssh.com
  43                 Compression no
  44                 StrictHostKeyChecking yes
  45             ''}"
  46           ];
  47         } c;
  48       })
  49       {
  50         "aubergine.local" = { };
  51         "blackberry.local" = { };
  52         "nan2gua1.local" = { };
  53       };
  54 in
  55 {
  56   imports = [
  57     ../../nixos/profiles/avahi.nix
  58   ];
  59   users.users.backup = {
  60     isSystemUser = true;
  61     shell = users.root.shell;
  62     group = config.users.groups.disk.name;
  63     openssh.authorizedKeys.keys = [
  64       (lib.readFile ../pumpkin/syncoid/ssh.key.pub)
  65       (lib.readFile ../nan2gua1/syncoid/ssh.key.pub)
  66     ];
  67   };
  68   systemd.services."zfs-import@".serviceConfig.ExecStartPost =
  69     pkgs.writeShellScript "zfs-allow" ''
  70       set -eux
  71       pool="$1"
  72       case "$pool" in
  73         (off2) zfs allow -u ${users.backup.name} change-key,compression,create,destroy,mount,mountpoint,receive,rollback,userprop "$pool"/julm/backup;;
  74         (off4) zfs allow -u ${users.backup.name} change-key,compression,create,destroy,mount,mountpoint,receive,rollback,userprop "$pool"/julm/backup;;
  75       esac
  76     ''
  77     + " %I";
  78   networking.nftables.ruleset = lib.mkAfter ''
  79     table inet filter {
  80       chain input-lan {
  81         tcp dport 22 counter accept comment "syncoid: SSH"
  82       }
  83       chain output-net {
  84         skuid @nixos_syncoid_uids \
  85           meta l4proto tcp \
  86           counter accept \
  87           comment "syncoid: SSH"
  88       }
  89     }
  90   '';
  91   systemd.tmpfiles.rules = [
  92     "z /dev/zfs 0660 - ${config.users.groups."disk".name}  -"
  93   ];
  94   systemd.services."syncoid-${hostName}-root".serviceConfig = {
  95     # Explanation: give access to /var/run/avahi-daemon/socket
  96     # Using /var/run is not working due to RootDirectoryStartOnly=true
  97     BindReadOnlyPaths = [ "/var/run" ];
  98     RootDirectoryStartOnly = lib.mkForce false;
  99
 100     ExecStartPost = pkgs.writeShellScript "zfs-fix-bookmarks" ''
 101       set -ux
 102       for s in $(zfs list -Hrpt snapshot -o name ${hostName}/root); do
 103         zfs bookmark "$s" "''${s//@/#}" || true
 104       done
 105     '';
 106   };
 107   services.syncoid = {
 108     enable = true;
 109     interval = "*-*-* *:05:00";
 110     #interval = "*:0/1";
 111     sshKey = "ssh.key:${syncoid/ssh.key.cred}";
 112     commonArgs = [
 113       #"--debug"
 114       "--no-sync-snap"
 115       "--create-bookmark"
 116       #"--no-privilege-elevation"
 117       #"--no-stream"
 118       #"--preserve-recordsize"
 119       #"--preserve-properties"
 120     ];
 121     service = {
 122       serviceConfig.Group = config.users.groups."disk".name;
 123     };
 124     commands = { } // backupConf { };
 125   };
 126   programs.bash.interactiveShellInit = ''
 127     zfs-backup () {
 128       local -
 129       set -x
 130       dst=
 131       if ! zpool list ${backupTarget}
 132         then dst=aubergine.sp:
 133         fi
 134       sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
 135         --create-bookmark --no-sync-snap --no-privilege-elevation \
 136         --preserve-properties --preserve-recordsize \
 137         --recursive --sendoptions=w --recvoptions=u \
 138         --exclude-datasets ${hostName}/root/nix \
 139         --exclude-datasets ${hostName}/root/var/cache \
 140         --exclude-datasets ${hostName}/root/var/log \
 141         --exclude-datasets ${hostName}/root/home/julm/.cache \
 142         --exclude-datasets ${hostName}/root/home/julm/Downloads \
 143         ${hostName}/root \
 144         ''${dst}${backupTarget}/julm/backup/${hostName}
 145       zfs-fix-bookmarks ${hostName}/root 2>/dev/null
 146     }
 147   '';
 148 }