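# syncoid (ZFS replication) configuration for this host: an hourly systemd job
# pushing <hostName>/root to the backup host, plus an interactive helper.
{
  pkgs,
  lib,
  config,
  inputs,
  hostName,
  ...
}:
let
  # Destination pool on the backup host.  Shared by the systemd job and by the
  # interactive `backup-pumpkin` helper so both write to the same place.
  pumpkinBackupDataset = "off4";

  # Sub-datasets of <hostName>/root that are never sent off-site (rebuildable
  # or throw-away data).  Each one becomes a syncoid `--exclude` value.
  # NOTE(review): syncoid treats `--exclude` values as unanchored regular
  # expressions, so "var/log" also matches e.g. "var/logs" — verify against the
  # installed syncoid version and anchor the patterns if that matters.
  serviceExcludes = [
    "nix"
    "var/cache"
    "var/log"
    "home/julm/.cache"
    "home/julm/Downloads"
  ];
  # The interactive helper additionally skips the games dataset.
  # NOTE(review): the systemd job does NOT exclude "home/julm/games"; confirm
  # which of the two lists is the intended one and align them.
  interactiveExcludes = serviceExcludes ++ [ "home/julm/games" ];

  # Bookmark every snapshot below the given dataset (argument 1, defaulting to
  # the <hostName> pool).  A bookmark can serve as the incremental source of a
  # later `zfs send` even after its snapshot is destroyed, which is presumably
  # why this runs after each sync (the reason is not recorded in this file).
  # `zfs bookmark` failures (e.g. bookmark already present) are tolerated on
  # purpose: this is a best-effort pass, hence no `set -e`.
  zfsFixBookmarks = pkgs.writeShellScript "zfs-fix-bookmarks" ''
    set -ux
    for s in $(zfs list -Hrpt snapshot -o name "''${1:-${hostName}}"); do
      zfs bookmark "$s" "''${s//@/#}" || true
    done
  '';

  # Per-command syncoid configuration pushing <hostName>/root to the backup
  # host.  `conf` is merged over the generated entry (lib.recursiveUpdate), so
  # callers can override individual attributes.
  pumpkin2off =
    conf:
    let
      targetHost = "aubergine.local";
      # ssh client config used by the service.  The host key is pinned in a
      # store-generated known_hosts and StrictHostKeyChecking is on, so a
      # spoofed mDNS answer for aubergine.local cannot redirect the backup
      # stream to another machine.  `-F` makes ssh ignore the system config,
      # so no Port is set here and the connection goes to the default 22.
      sshConfig = pkgs.writeText "ssh-config" ''
        Host *
          Ciphers aes128-gcm@openssh.com
          Compression no
          StrictHostKeyChecking yes
          UserKnownHostsFile ${pkgs.writeText "known_hosts" ''
            ${targetHost} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/cT/L3dF7uoR3s7NB59NiKjuk35I6x+7MK5zhwOy6k
          ''}
      '';
      excludeArgs = lib.concatMap (d: [
        "--exclude"
        "${hostName}/root/${d}"
      ]) serviceExcludes;
    in
    lib.mapAttrs (_name: cmd: lib.recursiveUpdate cmd conf) {
      "${hostName}/root" = {
        # The remote side is the unprivileged `backup` user.
        target = "backup@${targetHost}:${pumpkinBackupDataset}/julm/backup/${hostName}";
        # Raw (-w) send: encrypted datasets leave this host as ciphertext and
        # the backup host never receives their keys.  Given here and again as
        # --sendoptions=w below — belt and braces, keep both.
        # NOTE(review): this only protects data if <hostName>/root is an
        # encrypted dataset — confirm.
        sendOptions = "raw";
        recursive = true;
        extraArgs = [
          "--create-bookmark"
          "--no-sync-snap"
          # Never sudo on the remote; the `backup` user must have been granted
          # the needed permissions with `zfs allow` on the backup host
          # (not managed by this file).
          "--no-privilege-elevation"
          "--preserve-properties"
          "--preserve-recordsize"
          "--recursive"
          "--sendoptions=w"
          # -u: received datasets are not mounted on the backup host.
          "--recvoptions=u"
        ]
        ++ excludeArgs
        ++ [
          "--sshconfig"
          "${sshConfig}"
        ];
      };
    };
in
{
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain output-net {
        # Egress for the syncoid service users (set defined outside this file)
        # is limited to the SSH session towards the backup host: the generated
        # ssh config sets no Port and the target carries none, so port 22.
        # Widen this if the backup host ever listens elsewhere, otherwise the
        # unit fails; the counter makes that visible in `nft list ruleset`.
        skuid @nixos_syncoid_uids \
        tcp dport 22 \
        counter accept \
        comment "syncoid: SSH"
      }
    }
  '';

  systemd.tmpfiles.rules = [
    # Let the `disk` group open the ZFS control device: the syncoid units run
    # with Group = disk (set via services.syncoid.service below).
    # NOTE(review): `disk` members already own raw block devices, so this is
    # not a privilege boundary; a dedicated group would be tighter.
    "z /dev/zfs 0660 - ${config.users.groups."disk".name} -"
  ];

  # Overrides for the unit the syncoid module generates for the
  # "<hostName>/root" command.  The unit name is derived the same way the
  # module derives it (syncoid-<lib.escapeSystemdPath name>) instead of being
  # hard-coded, so it cannot drift from the command key: a literal
  # "syncoid-pumpkin-root" only matches when hostName is "pumpkin" and would
  # otherwise leave these overrides dangling on a non-existent unit.
  systemd.services =
    let
      rootUnit = "syncoid-${lib.escapeSystemdPath "${hostName}/root"}";
    in
    {
      ${rootUnit}.serviceConfig = {
        # Expose the avahi socket (/var/run/avahi-daemon/socket) inside the
        # sandbox so that aubergine.local resolves.  The original note states
        # that this did not work with the module's RootDirectoryStartOnly=true,
        # hence the mkForce below; the exact cause is not recorded — confirm
        # before reverting either line.
        # NOTE(review): this bind exposes every socket under /var/run to the
        # service; binding only the avahi socket would be tighter if it works.
        BindReadOnlyPaths = [ "/var/run" ];
        RootDirectoryStartOnly = lib.mkForce false;
        ExecStartPost = zfsFixBookmarks;
      };
    };

  services.syncoid = {
    enable = true;
    # Hourly, five minutes past the hour.
    interval = "*-*-* *:05:00";
    # For debugging, run every minute: interval = "*:0/1";
    # Looks like a `<credential name>:<path>` spec consumed by the syncoid
    # module.  The path is a literal and therefore ends up in the
    # world-readable Nix store.
    # NOTE(review): that is only acceptable if ssh.key.cred is a
    # systemd-creds encrypted blob (host-key / TPM bound) — confirm, and never
    # point this at a plaintext key.
    sshKey = "ssh.key:${syncoid/ssh.key.cred}";
    commonArgs = [
      #"--debug"
      "--no-sync-snap"
      "--create-bookmark"
      #"--no-privilege-elevation"
      #"--no-stream"
      #"--preserve-recordsize"
      #"--preserve-properties"
    ];
    service = {
      # Matches the 0660 disk-group mode put on /dev/zfs above.
      serviceConfig.Group = config.users.groups."disk".name;
    };
    commands = pumpkin2off { };
  };

  programs.bash.interactiveShellInit = ''
    # Manual counterpart of the systemd job.  If the backup pool is imported
    # locally (e.g. the disk is plugged in) it writes there directly, otherwise
    # it goes through ssh to the `aubergine.sp` host alias.
    # NOTE(review): the ssh path uses ~julm's key together with root's own ssh
    # config / known_hosts, not the pinned host key the service uses — verify
    # the host key is pinned there as well.
    backup-pumpkin () {
      # Keep `set -x` and the dst variable local to this function.
      local -
      set -x
      local dst=
      if ! zpool list ${pumpkinBackupDataset}
      then dst=aubergine.sp:
      fi
      sudo syncoid --sshkey ~julm/.ssh/id_ed25519 \
        --create-bookmark --no-sync-snap --no-privilege-elevation \
        --preserve-properties --preserve-recordsize \
        --recursive --sendoptions=w --recvoptions=u \
        ${lib.escapeShellArgs (lib.concatMap (d: [ "--exclude" "${hostName}/root/${d}" ]) interactiveExcludes)} \
        ${hostName}/root \
        "''${dst}${pumpkinBackupDataset}/julm/backup/${hostName}"
      # NOTE(review): relies on a `zfs-fix-bookmarks` command being on PATH;
      # this file only provides the store script used by the systemd unit.
      zfs-fix-bookmarks ${hostName} 2>/dev/null
    }
  '';
}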