{ pkgs, lib, config, hostName, hosts, ... }:
let
  inherit (config) networking;
  inherit (config.services) syncoid;
  inherit (config.security) gnupg;
  inherit (config.users) groups;

  # Send settings shared by every replication job declared below.
  # "raw" sends an encrypted dataset as stored, so the receiving side never
  # needs the dataset key; recursive includes child datasets.
  rawRecursive = {
    sendOptions = "raw";
    recursive = true;
  };

  # Merge `conf` on top of each job in an attrset of jobs
  # (recursiveUpdate: values from `conf` win).
  withConf = conf: lib.mapAttrs (_name: job: lib.recursiveUpdate job conf);

  # One job: push `path` of this host to das1, under its losurdo backup tree.
  losurdo2das1 = path: conf: withConf conf {
    "${hostName}/${path}2das1" = {
      source = "${hostName}/${path}";
      target = "das1/julm/backup/losurdo/${path}";
    } // rawRecursive;
  };

  # Two jobs: pull `path` from mermet over SSH into this host's backup tree,
  # then forward that local copy on to das1.
  mermet2losurdo = path: conf: withConf conf {
    "backup@mermet.${networking.domain}:rpool/${path}" = {
      target = "${hostName}/backup/mermet/${path}";
    } // rawRecursive;
    "${hostName}/backup/mermet/${path}" = {
      target = "das1/julm/backup/mermet/${path}";
    } // rawRecursive;
  };
in
{
  # Egress rule for the syncoid UIDs.  NOTE(review): with `meta l4proto tcp`
  # and no port match this accepts every TCP destination for those UIDs, not
  # only the SSH port the comment names; add a dport match if the backup
  # peers listen on a fixed port.
  networking.nftables.ruleset = lib.mkAfter ''
    add rule inet filter fw2net \
      meta skuid @nixos-syncoid-uids \
      meta l4proto tcp \
      counter accept \
      comment "syncoid: allow SSH"
  '';

  security.gnupg.secrets."ssh/backup.ssh-ed25519" = { };

  # Give the `disk` group read/write on /dev/zfs; the syncoid unit runs with
  # that group (see serviceConfig.Group below) so it needs no root for zfs.
  systemd.tmpfiles.rules = [
    "z /dev/zfs 0660 - disk -"
  ];

  services.syncoid = {
    enable = true;
    nftables.enable = true;
    interval = "*-*-* *:05:00";
    #interval = "*:0/1";
    # SSH key decrypted by the gnupg secrets unit; the service is ordered
    # after that unit below so the key file exists when syncoid starts.
    sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
    commonArgs = [
      #"--debug"
      "--no-sync-snap"
      "--create-bookmark"
      #"--no-privilege-elevation"
      #"--no-stream"
    ];
    service =
      let secretUnit = gnupg.secrets."ssh/backup.ssh-ed25519".service; in
      {
        after = [ secretUnit ];
        wants = [ secretUnit ];
        serviceConfig.Group = groups."disk".name;
      };
    # Left fold with `//` keeps the original precedence: later job sets
    # override earlier ones on a key clash.
    commands = builtins.foldl' (acc: jobs: acc // jobs)
      {
        "${hostName}/home/julm/work" = {
          sendOptions = "raw";
          target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
        };
      }
      [
        (mermet2losurdo "var" {
          extraArgs = [
            "--skip-parent"
            "--exclude=rpool/var/cache"
            "--exclude=rpool/var/log"
            "--exclude=rpool/var/tmp"
          ];
        })
        (mermet2losurdo "home/julm/mail" { })
        (mermet2losurdo "home/julm/log" { })
        (losurdo2das1 "home/julm/work" { })
        (losurdo2das1 "var/sftp" { })
        (losurdo2das1 "var/git" { })
      ];
  };
}