]> Git — Sourcephile - julm/julm-nix.git/blob - hosts/nan2gua1/syncoid.nix
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
git: enable jujutsu
[julm/julm-nix.git] / hosts / nan2gua1 / syncoid.nix
1 {
2 pkgs,
3 lib,
4 config,
5 inputs,
6 hostName,
7 ...
8 }:
9 let
10 inherit (config.users) users;
11 backupTarget = "off4";
12 backupConf =
13 conf:
14 lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
15 "${hostName}/root" =
16 let
17 targetHost = "aubergine.local";
18 in
19 {
20 target = "backup@${targetHost}:${backupTarget}/julm/backup/${hostName}";
21 sendOptions = "raw";
22 recursive = true;
23 extraArgs = [
24 "--create-bookmark"
25 "--no-sync-snap"
26 "--no-privilege-elevation"
27 "--preserve-properties"
28 "--preserve-recordsize"
29 "--recursive"
30 "--sendoptions=w"
31 "--recvoptions=u"
32 "--exclude"
33 "${hostName}/root/nix"
34 "--exclude"
35 "${hostName}/root/var/cache"
36 "--exclude"
37 "${hostName}/root/var/log"
38 "--exclude"
39 "${hostName}/root/home/julm/.cache"
40 "--exclude"
41 "${hostName}/root/home/julm/Downloads"
42 "--sshconfig"
43 "${pkgs.writeText "ssh-config" ''
44 Host *
45 Ciphers aes128-gcm@openssh.com
46 Compression no
47 StrictHostKeyChecking yes
48 UserKnownHostsFile ${pkgs.writeText "known_hosts" ''
49 ${targetHost} ${lib.readFile ../aubergine/ssh/host.key.pub}
50 ''}
51 ''}"
52 ];
53 };
54 };
55 in
56 {
57 networking.nftables.ruleset = lib.mkAfter ''
58 table inet filter {
59 chain output-net {
60 skuid @nixos_syncoid_uids \
61 meta l4proto tcp \
62 counter accept \
63 comment "syncoid: SSH"
64 }
65 }
66 '';
67 systemd.tmpfiles.rules = [
68 "z /dev/zfs 0660 - ${config.users.groups."disk".name} -"
69 ];
70 # ExplanationNote: give access to /var/run/avahi-daemon/socket
71 # Using /var/run is not working due to RootDirectoryStartOnly=true
72 systemd.services."syncoid-${hostName}-root".serviceConfig = {
73 BindReadOnlyPaths = [ "/var/run" ];
74 RootDirectoryStartOnly = lib.mkForce false;
75 ExecStartPost = pkgs.writeShellScript "zfs-fix-bookmarks" ''
76 set -ux
77 for s in $(zfs list -Hrpt snapshot -o name ${hostName}/root); do
78 zfs bookmark "$s" "''${s//@/#}" || true
79 done
80 '';
81 };
82 services.syncoid = {
83 enable = true;
84 interval = "*-*-* *:05:00";
85 #interval = "*:0/1";
86 sshKey = "ssh.key:${syncoid/ssh.key.cred}";
87 commonArgs = [
88 #"--debug"
89 "--no-sync-snap"
90 "--create-bookmark"
91 #"--no-privilege-elevation"
92 #"--no-stream"
93 #"--preserve-recordsize"
94 #"--preserve-properties"
95 ];
96 service = {
97 serviceConfig.Group = config.users.groups."disk".name;
98 };
99 commands = { } // backupConf { };
100 };
101 programs.bash.interactiveShellInit = ''
102 zfs-backup () {
103 local -
104 set -x
105 dst=
106 if ! zpool list ${backupTarget}
107 then dst=aubergine.sp:
108 fi
109 sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
110 --create-bookmark --no-sync-snap --no-privilege-elevation \
111 --preserve-properties --preserve-recordsize \
112 --recursive --sendoptions=w --recvoptions=u \
113 --exclude ${hostName}/root/nix \
114 --exclude ${hostName}/root/var/cache \
115 --exclude ${hostName}/root/var/log \
116 --exclude ${hostName}/root/home/julm/.cache \
117 --exclude ${hostName}/root/home/julm/Downloads \
118 ${hostName}/root \
119 ''${dst}${backupTarget}/julm/backup/${hostName}
120 zfs-fix-bookmarks ${hostName}/root 2>/dev/null
121 }
122 '';
123 }
julm's NixOS and home-manager configs