[sourcephile-nix.git] / hosts / mermet / sanoid.nix
# NixOS module (hosts/mermet): a `backup` account reachable over SSH with
# delegated ZFS permissions, plus sanoid retention for datasets stored under
# rpool/backup/losurdo.
{ pkgs, lib, config, inputs, ... }:
let
  inherit (config.users) users groups;

  # Names reused in several places below.
  diskGroup = groups.disk.name;
  backupUser = users.backup.name;

  # Retention settings shared by both sanoid templates.
  retention = {
    autoprune = true;
    yearly = 0;
    monthly = 3;
    daily = 31;
    frequently = 0;
  };

  # Datasets that are only pruned on this host.
  pruneOnly = { use_template = [ "prune" ]; };
in
{
  # Account used for backups. It gets root's login shell and `disk` as its
  # primary group.
  # NOTE(review): on usual Linux/udev setups the `disk` group also owns the raw
  # block device nodes, so membership reaches further than /dev/zfs; a group
  # dedicated to /dev/zfs would be narrower. Confirm before changing.
  users.users.backup = {
    isSystemUser = true;
    shell = users.root.shell;
    group = diskGroup;
    # Accepted keys: losurdo's backup key (a public key, per its file name,
    # read at evaluation time) followed by every key authorized for `julm`.
    # NOTE(review): no authorized_keys options (`restrict`, `command=`) are
    # added in this file, so unless the .pub file carries them these keys get
    # a full shell as `backup`. Verify what the replication tool needs.
    openssh.authorizedKeys.keys =
      [ (builtins.readFile (inputs.secrets + "/hosts/losurdo/ssh/backup.ssh-ed25519.pub")) ]
      ++ users."julm".openssh.authorizedKeys.keys;
  };

  systemd = {
    # tmpfiles `z`: set /dev/zfs to mode 0660 with group `disk`, owner unchanged.
    tmpfiles.rules = [
      "z /dev/zfs 0660 - ${diskGroup} -"
    ];
    # sanoid runs with `disk` as a supplementary group, presumably so that it
    # can still open /dev/zfs under the 0660 mode set above.
    services.sanoid.serviceConfig.SupplementaryGroups = [ diskGroup ];
  };

  # Delegate ZFS permissions to the backup user on every activation:
  # bookmark,hold,send on rpool and receive,create,mount,rollback on rpool/backup.
  # NOTE(review): `zfs allow` without -l/-d also covers descendant datasets, so
  # `send` on rpool lets this user stream any dataset in the pool. Scope it to
  # the datasets that are actually replicated if that is not intended.
  system.activationScripts.backup = ''
    # This one should not be necessary
    /run/booted-system/sw/bin/zfs allow -u ${backupUser} bookmark,hold,send rpool
    /run/booted-system/sw/bin/zfs allow -u ${backupUser} receive,create,mount,rollback rpool/backup
  '';

  services.sanoid = {
    enable = true;
    templates = {
      # Takes snapshots and prunes them; no hourly snapshots are kept.
      snap = retention // {
        autosnap = true;
        hourly = 0;
      };
      # Never takes snapshots, only prunes; keeps 24 hourly ones.
      prune = retention // {
        autosnap = false;
        hourly = 24;
      };
    };
    extraArgs = [
      "--verbose"
      #"--debug"
    ];
    # Both datasets use the prune-only template, so sanoid takes no snapshots
    # of them here (presumably they arrive by replication from losurdo).
    datasets = {
      "rpool/backup/losurdo/var/postgresql" = pruneOnly;
      "rpool/backup/losurdo/var/cryptpad" = pruneOnly;
    };
  };
}