pumpkin: syncoid: setup service
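{ pkgs, lib, config, inputs, hostName, ... }:
let
  # Group allowed to open /dev/zfs (tmpfiles rule below); the syncoid unit is
  # run with this supplementary group instead of as root.
  diskGroup = config.users.groups."disk".name;

  # Builds the `services.syncoid.commands` entries that push pumpkin's datasets
  # to the `off2` pool on aubergine.  `conf` is merged into every command with
  # recursiveUpdate (caller values win), so a caller can override a single
  # field such as `sendOptions` without restating the whole command.
  pumpkin2off2 = conf: lib.mapAttrs (_name: cmd: lib.recursiveUpdate cmd conf) {
    "pumpkin/root" =
      let
        targetHost = "aubergine.local";
        # Pinned public host key of the backup host.  Together with
        # StrictHostKeyChecking=yes this makes a key mismatch abort the transfer
        # rather than prompt (there is no TTY) or silently trust a new key.
        knownHosts = pkgs.writeText "known_hosts" ''
          ${targetHost} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/cT/L3dF7uoR3s7NB59NiKjuk35I6x+7MK5zhwOy6k
        '';
        # Handed to ssh through syncoid's --sshconfig (ssh -F), which bypasses
        # /etc/ssh/ssh_config: only what is written here applies, and with no
        # `Port` line the connection goes to 22.
        sshConfig = pkgs.writeText "ssh-config" ''
          Host *
            Ciphers aes128-gcm@openssh.com
            Compression no
            StrictHostKeyChecking yes
            UserKnownHostsFile ${knownHosts}
        '';
      in {
        target = "backup@${targetHost}:off2/julm/backup/pumpkin";
        sendOptions = "raw";
        recursive = true;
        extraArgs = [
          # --no-sync-snap and --create-bookmark are already supplied by
          # `commonArgs` below, so they are not repeated here.
          "--no-privilege-elevation"
          "--preserve-properties" "--preserve-recordsize"
          # NOTE(review): `--recursive` and `--sendoptions=w` look redundant with
          # `recursive = true` / `sendOptions = "raw"` above; kept because which
          # of the two wins depends on the NixOS module's argument order — confirm
          # and drop one side.
          "--recursive" "--sendoptions=w" "--recvoptions=u"
          # Datasets left out of the backup (presumably rebuildable data).
          "--exclude" "pumpkin/root/nix"
          "--exclude" "pumpkin/root/var/cache"
          "--exclude" "pumpkin/root/var/log"
          "--exclude" "pumpkin/root/home/julm/.cache"
          "--sshconfig" "${sshConfig}"
        ];
      };
  };
in
{
  # Egress rule: processes running under the syncoid UIDs may only open SSH.
  # Restricted to port 22 because neither `target` nor the ssh-config above
  # sets a port and `-F` ignores /etc/ssh/ssh_config.  Name resolution of the
  # .local target presumably goes through the Avahi socket bound below, so no
  # DNS rule is needed here — confirm if resolution fails.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain output-net {
        skuid @nixos_syncoid_uids \
        tcp dport 22 \
        counter accept \
        comment "syncoid: SSH"
      }
    }
  '';

  # `z` only adjusts mode/group of the existing node: members of the disk
  # group may then open /dev/zfs.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - ${diskGroup} -"
  ];

  # ExplanationNote: give access to /var/run/avahi-daemon/socket
  # Using /var/run is not working due to RootDirectoryStartOnly=true
  # NOTE(review): this exposes all of /var/run inside the unit's root
  # directory, not only the Avahi socket; binding the socket path alone would
  # be narrower — verify whether that works once RootDirectoryStartOnly is off.
  # The unit name matches what the syncoid module derives from the
  # `pumpkin/root` command.
  systemd.services.syncoid-pumpkin-root.serviceConfig = {
    BindReadOnlyPaths = [ "/var/run" ];
    RootDirectoryStartOnly = lib.mkForce false;
  };

  services.syncoid = {
    enable = true;
    # systemd calendar spec: every hour at hh:05.
    interval = "*-*-* *:05:00";
    #interval = "*:0/1";
    # `credentialId:path` form, which looks like the systemd-credential style
    # the syncoid module expects.  Interpolating a path copies the file into
    # the world-readable Nix store, so this is only acceptable if
    # `ssh.key.cred` is an encrypted credential blob and not a plaintext
    # private key — confirm.
    sshKey = "ssh.key:${syncoid/ssh.key.cred}";
    # Shared by every command (useCommonArgs is left at its default).
    commonArgs = [
      #"--debug"
      "--no-sync-snap"
      "--create-bookmark"
      #"--no-privilege-elevation"
      #"--no-stream"
      #"--preserve-recordsize"
      #"--preserve-properties"
    ];
    service = {
      serviceConfig.Group = diskGroup;
    };
    # No per-call overrides: the commands are used exactly as defined above.
    commands = pumpkin2off2 { };
  };
}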