Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/syncoid.nix
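# syncoid replication between this host and mermet, carried over SSH.
#
# One local dataset is pushed to mermet and a list of mermet's datasets is
# pulled into ${hostName}/backup/mermet/. Both directions log in as the same
# remote account with the same SSH key, so what that account may do on mermet
# (ZFS delegation, authorized_keys restrictions) bounds the damage if this
# host or its key is compromised. None of that is visible in this file and it
# has to be reviewed on mermet's side.
{ pkgs, lib, config, hostName, hosts, ... }:
let
  inherit (config) networking;
  inherit (config.services) syncoid;
  inherit (config.security) gnupg;

  # The SSH private key used by syncoid; referenced for its path and for the
  # unit that makes it available.
  backupKey = gnupg.secrets."ssh/backup.ssh-ed25519";

  # SSH endpoint on mermet used by every command below.
  mermet = "backup@mermet.${networking.domain}";

  # Datasets below mermet's rpool that are pulled to this host.
  pulledDatasets = [
    "var/mail"
    "var/postgresql"
    "var/prosody"
    "var/public-inbox"
    "var/www"
    "var/git"
    "var/redis-rspamd"
    "home/julm/mail"
    "home/julm/log"
  ];

  # One syncoid command per pulled dataset: the source is the dataset on
  # mermet, the target mirrors its path under ${hostName}/backup/mermet/.
  pullCommand = dataset: {
    name = "${mermet}:rpool/${dataset}";
    value = {
      sendOptions = "raw";
      target = "${hostName}/backup/mermet/${dataset}";
    };
  };
in
{
  # Egress allowance scoped to the syncoid user's sockets (skuid), TCP port 22
  # and mermet's IPv4 address only. The fw2net chain itself is defined
  # elsewhere; presumably it drops other outbound traffic, confirm there.
  # NOTE(review): `ip daddr` matches IPv4 only, while the commands connect by
  # host name. If that name also resolves to an IPv6 address, this rule does
  # not cover that path.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net \
    skuid "${syncoid.user}" \
    tcp dport 22 \
    ip daddr ${hosts.mermet.extraArgs.ipv4} \
    counter accept \
    comment "SSH to mermet"
  '';

  # The decrypted key is owned by the syncoid user.
  security.gnupg.secrets."ssh/backup.ssh-ed25519" = {
    user = syncoid.user;
  };
  # NOTE(review): presumably needed to reach the directory holding decrypted
  # secrets. Check what else members of `keys` can read.
  users.groups.keys.members = [ syncoid.user ];

  # Set /dev/zfs to mode 0660 with group `disk`; "-" leaves the owner as is.
  # NOTE(review): `disk` usually also owns the raw block device nodes, so
  # running syncoid with that group (see `group` below) grants more than
  # access to /dev/zfs. A group dedicated to /dev/zfs would be narrower.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - disk -"
  ];

  services.syncoid = {
    enable = true;
    interval = "*-*-* *:05:00";
    group = "disk";
    #interval = "*:0/1";
    sshKey = backupKey.path;
    commonArgs = [
      # syncoid takes no snapshot of its own, so only snapshots made by
      # something else (not configured in this file) get replicated.
      "--no-sync-snap"
      "--create-bookmark"
      #"--no-privilege-elevation"
      #"--no-stream"
    ];
    service = {
      # Start after the unit that provides the key. `wants` is a weak
      # dependency: syncoid still starts if that unit fails.
      after = [ backupKey.service ];
      wants = [ backupKey.service ];
    };
    # NOTE(review): "raw" presumably requests raw zfs send streams, so
    # encrypted datasets stay encrypted in transit and at rest on the
    # receiver. Confirm how sendOptions is turned into zfs send flags.
    commands = {
      # Push: local dataset to mermet.
      "${hostName}/home/julm/work" = {
        sendOptions = "raw";
        target = "${mermet}:rpool/backup/${hostName}/home/julm/work";
      };
    }
    # Pull: mermet's datasets to this host.
    // builtins.listToAttrs (map pullCommand pulledDatasets);
  };
}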