1 {
2 pkgs,
3 lib,
4 config,
5 hostName,
6 ...
7 }:
8 let
# `users` is only used below to borrow root's shell and the backup user's name.
inherit (config.users) users;
# Pool that receives the backups. The zfs-allow hook on zfs-import@ below only
# delegates permissions for the pools it lists (off2, off4) — keep them in sync.
backupTarget = "off4";
# Build the services.syncoid.commands entries that push this host's root tree to
# each backup target. Returns an attrset keyed "<host>/root-to-<target>".
backupConf =
  # The argument is accepted for interface compatibility but currently unused:
  # every target gets the same defaults, overridable per target via `targets`.
  _conf:
  let
    sourceDataset = "${hostName}/root";
    # Children of the source tree that are never replicated: rebuildable data
    # (nix), cache/log churn and downloads.
    excludedChildren = [
      "nix"
      "var/cache"
      "var/log"
      "home/julm/.cache"
      "home/julm/Downloads"
    ];
    excludeArgs = lib.concatMap (child: [
      "--exclude-datasets"
      "${sourceDataset}/${child}"
    ]) excludedChildren;
    # ssh_config for the push jobs. The `.local` targets are resolved through
    # mDNS, which is unauthenticated and spoofable on the LAN; StrictHostKeyChecking
    # is therefore what actually authenticates the peer — the target's host key must
    # already be in a known_hosts the syncoid unit can read (TODO confirm where that
    # is provisioned, the module sandboxes the unit). Compression is off,
    # presumably because a raw/encrypted stream does not compress anyway.
    sshConfig = pkgs.writeText "ssh-config" ''
      Host *
      Ciphers aes128-gcm@openssh.com
      Compression no
      StrictHostKeyChecking yes
    '';
    # Defaults for replicating the root tree to one target host.
    defaultsFor = targetHost: {
      source = sourceDataset;
      target = "backup@${targetHost}:${backupTarget}/julm/backup/${hostName}";
      # Raw sends: the target only ever stores ciphertext and never needs the keys.
      sendOptions = "raw";
      recursive = true;
      extraArgs = [
        "--create-bookmark"
        "--no-sync-snap"
        # No sudo on either side; the remote relies on `zfs allow` delegation.
        "--no-privilege-elevation"
        "--preserve-properties"
        "--preserve-recordsize"
        # Both redundant with `recursive` / `sendOptions` above (same zfs flags);
        # harmless, kept for fidelity with the manual zfs-backup helper.
        "--recursive"
        "--sendoptions=w"
        # Leave received datasets unmounted on the target.
        "--recvoptions=u"
      ] ++ excludeArgs ++ [
        "--sshconfig"
        "${sshConfig}"
      ];
    };
    # Per-target overrides merged over the defaults. lib.recursiveUpdate replaces
    # lists wholesale, so an `extraArgs` override drops every default flag.
    targets = {
      "aubergine.local" = { };
      "blackberry.local" = { };
      "nan2gua1.local" = { };
    };
  in
  lib.mapAttrs' (
    targetHost: overrides:
    lib.nameValuePair "${hostName}/root-to-${targetHost}" (
      lib.recursiveUpdate (defaultsFor targetHost) overrides
    )
  ) targets;
54 in
55 {
# mDNS so the `*.local` backup targets (and this host, for the others) resolve.
services.avahi = {
  enable = true;
  # Opens the mDNS port on every interface: required for resolution, but it also
  # answers discovery from anything on the LAN.
  openFirewall = true;
  # Advertise this host. hinfo publishes a HINFO record (CPU/OS type) and
  # workstation announces the machine itself — harmless on a trusted home network,
  # but it is information disclosure worth reconsidering on shared ones.
  publish.enable = true;
  publish.addresses = true;
  publish.domain = true;
  publish.hinfo = true;
  publish.userServices = true;
  publish.workstation = true;
  # Reflects mDNS between all interfaces, so names cross every segment this host
  # is attached to.
  reflector = true;
};
# Account the remote syncoid instances log into over SSH to push their datasets
# here. The keys carry no `command=`/`restrict` options, so each listed host gets
# a full login as `backup`; the only limit on what it can do to ZFS is the
# `zfs allow` delegation installed by the zfs-import@ hook below.
users.users.backup =
  let
    # Hosts whose syncoid public key may push to this machine.
    pushers = [ "pumpkin" "nan2gua1" ];
  in
  {
    isSystemUser = true;
    # Same shell as root — presumably so the remote `zfs` commands syncoid runs
    # through the login shell work; confirm before changing.
    shell = users.root.shell;
    # Membership in `disk` is what makes /dev/zfs (0660, see the tmpfiles rule)
    # usable without root.
    group = config.users.groups.disk.name;
    openssh.authorizedKeys.keys = map (
      host: builtins.readFile (../. + "/${host}/syncoid/ssh.key.pub")
    ) pushers;
  };
# Each time a pool is imported (zfs-import@<pool>), delegate to the backup user the
# ZFS permissions syncoid needs on that pool's backup tree. Only pools that carry a
# julm/backup tree are listed; any other pool is left untouched.
# NOTE(review): `destroy` and `rollback` are delegated on the whole
# <pool>/julm/backup subtree, so any host whose key is in users.users.backup can
# remove or roll back the backups of every other host under it, not only its own.
# With `set -e`, a failing `zfs allow` (e.g. missing julm/backup dataset) fails the
# import unit's ExecStartPost — presumably intended; confirm.
systemd.services."zfs-import@".serviceConfig.ExecStartPost =
  let
    delegated = "change-key,compression,create,destroy,mount,mountpoint,receive,rollback,userprop";
    script = pkgs.writeShellScript "zfs-allow" ''
      set -eux
      pool="$1"
      case "$pool" in
      (off2|off4) zfs allow -u ${users.backup.name} ${delegated} "$pool"/julm/backup;;
      esac
    '';
  in
  # %I is the unescaped instance name, i.e. the pool being imported.
  "${script} %I";
# Firewall holes for both directions syncoid uses: this host is a pull target
# (inbound SSH from the LAN) and a push source (outbound from the syncoid UIDs).
# Appended after the rest of the ruleset.
# NOTE(review): the output rule lets any UID in @nixos_syncoid_uids open TCP to
# any host and port. The targets in backupConf use plain SSH with no Port set,
# so `tcp dport 22` would be a tighter match. The set itself is not declared in
# this file — it must come from another module; confirm.
networking.nftables.ruleset = lib.mkAfter ''
table inet filter {
chain input-lan {
tcp dport 22 counter accept comment "syncoid: SSH"
}
chain output-net {
skuid @nixos_syncoid_uids \
meta l4proto tcp \
counter accept \
comment "syncoid: SSH"
}
}
'';
# Make /dev/zfs usable by group `disk`, so the backup user and the syncoid unit
# (both run with that group) can drive ZFS without root. tmpfiles `z` only
# adjusts mode/ownership of the existing device node; it does not create it.
systemd.tmpfiles.rules =
  let
    zfsGroup = config.users.groups.disk.name;
  in
  [ "z /dev/zfs 0660 - ${zfsGroup} -" ];
# Adjustments to the hardened unit the NixOS syncoid module generates for this
# host's push job.
systemd.services."syncoid-${hostName}-root".serviceConfig = {
  # Explanation: give access to /var/run/avahi-daemon/socket
  # Using /var/run is not working due to RootDirectoryStartOnly=true
  # NOTE(review): this widens the module's sandbox — all of /var/run becomes
  # visible (read-only) inside the unit's root directory, not only the avahi
  # socket needed for *.local resolution. Binding just /run/avahi-daemon/socket
  # might be enough; untested here.
  BindReadOnlyPaths = [ "/var/run" ];
  # The module sets this to true; force it off so the bind mount above also
  # applies to ExecStartPost.
  RootDirectoryStartOnly = lib.mkForce false;

  # After each run, create a bookmark with the same name for every snapshot of the
  # source tree (bookmarks can serve as the incremental base once a snapshot is
  # gone). Best effort: no `set -e`, and `|| true` skips snapshots whose bookmark
  # already exists. ZFS names cannot contain whitespace, so the unquoted $(...)
  # word-splitting is safe here.
  ExecStartPost = pkgs.writeShellScript "zfs-fix-bookmarks" ''
    set -ux
    for s in $(zfs list -Hrpt snapshot -o name ${hostName}/root); do
      zfs bookmark "$s" "''${s//@/#}" || true
    done
  '';
};
# Scheduled push of this host's root tree to the targets built by backupConf.
services.syncoid = {
  enable = true;
  # Hourly, five minutes past the hour (systemd OnCalendar syntax).
  interval = "*-*-* *:05:00";
  #interval = "*:0/1";
  # Private key of the push jobs, handed to the unit as a credential named
  # `ssh.key`. Interpolating the path copies the file into the world-readable
  # Nix store, so it must be the encrypted (`systemd-creds encrypt`) blob and
  # never the plaintext key — presumably what the .cred suffix denotes; confirm.
  sshKey = "ssh.key:${syncoid/ssh.key.cred}";
  # Flags shared by every command; the per-target flags live in backupConf.
  commonArgs = [
    #"--debug"
    "--no-sync-snap"
    "--create-bookmark"
    #"--no-privilege-elevation"
    #"--no-stream"
    #"--preserve-recordsize"
    #"--preserve-properties"
  ];
  # Run with the disk group so the unit may open /dev/zfs (see the tmpfiles rule).
  service.serviceConfig.Group = config.users.groups.disk.name;
  commands = backupConf { };
};
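# Interactive helper that runs, by hand, the same replication the service does:
# to the local backup pool when it is imported, otherwise over SSH to aubergine.sp.
programs.bash.interactiveShellInit = ''
  zfs-backup () {
    # `local -` restores the shell options (the set -x below) on return.
    local -
    set -x
    # Function-local: the original left a global `dst` behind in the interactive
    # shell (and clobbered any existing one) on every call.
    local dst=
    if ! zpool list ${backupTarget}
    then dst=aubergine.sp:
    fi
    # NOTE(review): runs as root with julm's personal key and without the
    # --sshconfig the service uses, so host-key checking follows root's default
    # ssh configuration rather than StrictHostKeyChecking=yes.
    sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
      --create-bookmark --no-sync-snap --no-privilege-elevation \
      --preserve-properties --preserve-recordsize \
      --recursive --sendoptions=w --recvoptions=u \
      --exclude-datasets ${hostName}/root/nix \
      --exclude-datasets ${hostName}/root/var/cache \
      --exclude-datasets ${hostName}/root/var/log \
      --exclude-datasets ${hostName}/root/home/julm/.cache \
      --exclude-datasets ${hostName}/root/home/julm/Downloads \
      ${hostName}/root \
      ''${dst}${backupTarget}/julm/backup/${hostName}
    # Expected on PATH; the ExecStartPost script of the same name in this file
    # takes no argument, so this must be a separately provided command.
    zfs-fix-bookmarks ${hostName}/root 2>/dev/null
  }
'';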
158 }