hosts/losurdo/syncoid.nix

   1 { pkgs, lib, config, hostName, hosts, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) syncoid;
   5   inherit (config.security) gnupg;
   6   inherit (config.users) groups;
   7 in
   8 {
   9 networking.nftables.ruleset = ''
  10   add rule inet filter fw2net \
  11     meta skuid @nixos-syncoid-uids \
  12     meta l4proto tcp \
  13     counter accept \
  14     comment "syncoid: allow SSH"
  15 '';
  16 security.gnupg.secrets."ssh/backup.ssh-ed25519" = {};
  17 systemd.tmpfiles.rules = [
  18   "z /dev/zfs 0660 - disk  -"
  19 ];
  20 services.syncoid = {
  21   enable = true;
  22   interval = "*-*-* *:05:00";
  23   #interval = "*:0/1";
  24   sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
  25   commonArgs = [
  26     #"--debug"
  27     "--no-sync-snap"
  28     "--create-bookmark"
  29     #"--no-privilege-elevation"
  30     #"--no-stream"
  31   ];
  32   service = {
  33     after = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
  34     wants = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
  35     serviceConfig.Group = groups."disk".name;
  36   };
  37   commands = {
  38     "${hostName}/home/julm/work" = {
  39       sendOptions = "raw";
  40       target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
  41     };
  42     "backup@mermet.${networking.domain}:rpool/var/mail" = {
  43       sendOptions = "raw";
  44       target = "${hostName}/backup/mermet/var/mail";
  45     };
  46     "backup@mermet.${networking.domain}:rpool/var/postgresql" = {
  47       sendOptions = "raw";
  48       target = "${hostName}/backup/mermet/var/postgresql";
  49     };
  50     "backup@mermet.${networking.domain}:rpool/var/prosody" = {
  51       sendOptions = "raw";
  52       target = "${hostName}/backup/mermet/var/prosody";
  53     };
  54     "backup@mermet.${networking.domain}:rpool/var/public-inbox" = {
  55       sendOptions = "raw";
  56       target = "${hostName}/backup/mermet/var/public-inbox";
  57     };
  58     "backup@mermet.${networking.domain}:rpool/var/www" = {
  59       sendOptions = "raw";
  60       target = "${hostName}/backup/mermet/var/www";
  61     };
  62     "backup@mermet.${networking.domain}:rpool/var/git" = {
  63       sendOptions = "raw";
  64       target = "${hostName}/backup/mermet/var/git";
  65     };
  66     "backup@mermet.${networking.domain}:rpool/var/redis-rspamd" = {
  67       sendOptions = "raw";
  68       target = "${hostName}/backup/mermet/var/redis-rspamd";
  69     };
  70     "backup@mermet.${networking.domain}:rpool/home/julm/mail" = {
  71       sendOptions = "raw";
  72       target = "${hostName}/backup/mermet/home/julm/mail";
  73     };
  74     "backup@mermet.${networking.domain}:rpool/home/julm/log" = {
  75       sendOptions = "raw";
  76       target = "${hostName}/backup/mermet/home/julm/log";
  77     };
  78   };
  79 };
  80 }