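{
  pkgs,
  lib,
  config,
  inputs,
  hostName,
  ...
}:
let
  inherit (config.users) users;
  # ZFS pool on the backup side that receives pumpkin's datasets.
  pumpkinBackupDataset = "off4";
  # Children of pumpkin/root that are never sent to the backup host.
  # Shared by the syncoid service and the interactive backup-pumpkin helper so
  # the two exclude lists cannot drift apart.
  pumpkinExcludes = [
    "pumpkin/root/nix"
    "pumpkin/root/var/cache"
    "pumpkin/root/var/log"
    "pumpkin/root/home/julm/.cache"
    "pumpkin/root/home/julm/games"
    "pumpkin/root/home/julm/Downloads"
  ];
  # The exclude list as syncoid's repeated "--exclude <dataset>" argument pairs.
  excludeArgs = lib.concatMap (ds: [ "--exclude" ds ]) pumpkinExcludes;
  # syncoid commands sending pumpkin/root to the off-site host.
  # `conf` is merged (recursively) into every command so a caller can override
  # any field; it is currently called with an empty set.
  pumpkin2off =
    conf:
    lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
      "pumpkin/root" =
        let
          targetHost = "aubergine.local";
        in
        {
          target = "backup@${targetHost}:${pumpkinBackupDataset}/julm/backup/pumpkin";
          # Raw send (zfs send -w): if pumpkin/root is encrypted, its data leaves
          # this host still encrypted and the backup side needs none of the keys.
          sendOptions = "raw";
          recursive = true;
          extraArgs = [
            "--create-bookmark"
            "--no-sync-snap"
            "--no-privilege-elevation"
            "--preserve-properties"
            "--preserve-recordsize"
            "--recursive"
            "--sendoptions=w"
            "--recvoptions=u"
          ]
          ++ excludeArgs
          ++ [
            "--sshconfig"
            # Dedicated ssh config: the target's host key is pinned in a
            # store-generated known_hosts and StrictHostKeyChecking is on, so an
            # unknown or changed key aborts the transfer instead of prompting.
            "${pkgs.writeText "ssh-config" ''
              Host *
              Ciphers aes128-gcm@openssh.com
              Compression no
              StrictHostKeyChecking yes
              UserKnownHostsFile ${pkgs.writeText "known_hosts" ''
                ${targetHost} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/cT/L3dF7uoR3s7NB59NiKjuk35I6x+7MK5zhwOy6k
              ''}
            ''}"
          ];
        };
    };
in
{
  # Let the syncoid service users open outbound TCP (the ssh transport to the
  # backup host); everything else stays subject to the rest of the ruleset.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain output-net {
        skuid @nixos_syncoid_uids \
        meta l4proto tcp \
        counter accept \
        comment "syncoid: SSH"
      }
    }
  '';
  # The service runs with Group = disk (below), so that group needs /dev/zfs.
  # NOTE: this grants ZFS control to every member of the disk group, not only
  # to syncoid.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - ${config.users.groups."disk".name} -"
  ];
  # ExplanationNote: give the service access to /var/run/avahi-daemon/socket
  # (the target aubergine.local is an mDNS name). Using /var/run is not working
  # with RootDirectoryStartOnly=true, hence the mkForce false below.
  # The bind exposes all of /var/run read-only, not just the avahi socket.
  systemd.services.syncoid-pumpkin-root.serviceConfig.BindReadOnlyPaths = [ "/var/run" ];
  systemd.services.syncoid-pumpkin-root.serviceConfig.RootDirectoryStartOnly = lib.mkForce false;
  # After each run, create a bookmark for every snapshot of the pumpkin pool
  # (a bookmark can still serve as an incremental-send source once the
  # snapshot itself has been destroyed).
  systemd.services.syncoid-pumpkin-root.serviceConfig.ExecStartPost =
    pkgs.writeShellScript "zfs-fix-bookmarks" ''
      set -ux
      for s in $(zfs list -Hrpt snapshot -o name pumpkin); do
        # "pool/ds@snap" -> "pool/ds#snap"; an already existing bookmark just fails.
        zfs bookmark "$s" "''${s//@/#}" || true
      done
    '';
  services.syncoid = {
    enable = true;
    interval = "*-*-* *:05:00";
    #interval = "*:0/1";
    # "name:path" form of sshKey, presumably handed to the unit as a systemd
    # credential. The path interpolation copies ssh.key.cred into the Nix store,
    # so it must stay an encrypted (.cred) file, never a plaintext key — confirm.
    sshKey = "ssh.key:${syncoid/ssh.key.cred}";
    commonArgs = [
      #"--debug"
      "--no-sync-snap"
      "--create-bookmark"
      #"--no-privilege-elevation"
      #"--no-stream"
      #"--preserve-recordsize"
      #"--preserve-properties"
    ];
    service = {
      serviceConfig.Group = config.users.groups."disk".name;
    };
    commands = pumpkin2off { };
  };
  # Manual counterpart of the service, run as root via sudo from an interactive
  # shell. Unlike the service it passes no --sshconfig, so host-key checking
  # falls back to root's ssh defaults, and it targets aubergine.sp rather than
  # aubergine.local.
  programs.bash.interactiveShellInit = ''
    backup-pumpkin () {
      # Restore the shell options changed below (set -x) when the function returns.
      local -
      set -x
      # Send locally when the backup pool is imported here, otherwise over ssh.
      local dst=
      if ! zpool list ${pumpkinBackupDataset}
      then dst=aubergine.sp:
      fi
      sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
        --create-bookmark --no-sync-snap --no-privilege-elevation \
        --preserve-properties --preserve-recordsize \
        --recursive --sendoptions=w --recvoptions=u \
        ${lib.concatMapStringsSep " \\\n        " (ds: "--exclude ${ds}") pumpkinExcludes} \
        pumpkin/root \
        ''${dst}${pumpkinBackupDataset}/julm/backup/pumpkin
      # Whatever PATH provides under this name: the writeShellScript above is
      # not installed as a command by this file — confirm it is defined elsewhere.
      zfs-fix-bookmarks pumpkin 2>/dev/null
    }
  '';
}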