nix: update julm-nix input
[sourcephile-nix.git] / hosts / losurdo / syncoid.nix
index 0f6e148f7509f75ed3c5b6267aa1aeaed2f852d2..6ace72ef15b9ca006abf6b36ca267cb366c316f4 100644 (file)
@@ -1,10 +1,9 @@
-{ pkgs, lib, config, hostName, hosts, ... }:
+{ lib, config, inputs, hostName, ... }:
 let
   inherit (config) networking;
   inherit (config.services) syncoid;
-  inherit (config.security) gnupg;
   inherit (config.users) groups;
-  losurdo2das1 = path: conf: lib.mapAttrs (n: v: lib.recursiveUpdate v conf) {
+  losurdo2das1 = path: conf: lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
     "${hostName}/${path}2das1" = {
       source = "${hostName}/${path}";
       target = "das1/julm/backup/losurdo/${path}";
@@ -12,7 +11,7 @@ let
       recursive = true;
     };
   };
-  mermet2losurdo = path: conf: lib.mapAttrs (n: v: lib.recursiveUpdate v conf) {
+  mermet2losurdo = path: conf: lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
     "backup@mermet.${networking.domain}:rpool/${path}" = {
       target = "${hostName}/backup/mermet/${path}";
       sendOptions = "raw";
@@ -26,54 +25,57 @@ let
   };
 in
 {
-networking.nftables.ruleset = lib.mkAfter ''
-  add rule inet filter fw2net \
-    meta skuid @nixos-syncoid-uids \
-    meta l4proto tcp \
-    counter accept \
-    comment "syncoid: allow SSH"
-'';
-security.gnupg.secrets."ssh/backup.ssh-ed25519" = {};
-systemd.tmpfiles.rules = [
-  "z /dev/zfs 0660 - disk  -"
-];
-services.syncoid = {
-  enable = true;
-  nftables.enable = true;
-  interval = "*-*-* *:05:00";
-  #interval = "*:0/1";
-  sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
-  commonArgs = [
-    #"--debug"
-    "--no-sync-snap"
-    "--create-bookmark"
-    #"--no-privilege-elevation"
-    #"--no-stream"
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        skuid @nixos-syncoid-uids \
+          meta l4proto tcp \
+          counter accept \
+          comment "syncoid: SSH"
+      }
+    }
+  '';
+  systemd.tmpfiles.rules = [
+    "z /dev/zfs 0660 - disk  -"
   ];
-  service = {
-    after = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
-    wants = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
-    serviceConfig.Group = groups."disk".name;
-  };
-  commands = {
-    "${hostName}/home/julm/work" = {
-      sendOptions = "raw";
-      target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
-    };
-  }
-  // mermet2losurdo "var" {
-    extraArgs = [
-      "--skip-parent"
-      "--exclude=rpool/var/cache"
-      "--exclude=rpool/var/log"
-      "--exclude=rpool/var/tmp"
+  services.syncoid = {
+    enable = true;
+    nftables.enable = true;
+    interval = "*-*-* *:05:00";
+    #interval = "*:0/1";
+    sshKey = "sshKey:${syncoid/sshKey.cred}";
+    commonArgs = [
+      #"--debug"
+      "--no-sync-snap"
+      "--create-bookmark"
+      #"--no-privilege-elevation"
+      #"--no-stream"
+      #"--preserve-recordsize"
+      #"--preserve-properties"
     ];
-  }
-  // mermet2losurdo "home/julm/mail" {}
-  // mermet2losurdo "home/julm/log" {}
-  // losurdo2das1 "home/julm/work" {}
-  // losurdo2das1 "var/sftp" {}
-  // losurdo2das1 "var/git" {}
-  ;
-};
+    service = {
+      serviceConfig.Group = groups."disk".name;
+    };
+    commands = {
+      "${hostName}/home/julm/work" = {
+        sendOptions = "raw";
+        target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
+      };
+    }
+    // mermet2losurdo "var" {
+      extraArgs = [
+        "--skip-parent"
+        "--exclude=rpool/var/cache"
+        "--exclude=rpool/var/lib/nginx"
+        "--exclude=rpool/var/log"
+        "--exclude=rpool/var/tmp"
+      ];
+    }
+    // mermet2losurdo "home/julm/mail" { }
+    // mermet2losurdo "home/julm/log" { }
+    // losurdo2das1 "home/julm/work" { }
+    // losurdo2das1 "var/sftp" { }
+    // losurdo2das1 "var/git" { }
+    ;
+  };
 }
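Review bot: `sshKey = "sshKey:${syncoid/sshKey.cred}"` interpolates a path literal, so at evaluation time Nix copies `syncoid/sshKey.cred` into the world-readable store as `/nix/store/<hash>-sshKey.cred`. That is only acceptable if the file is an encrypted credential blob, as the `.cred` extension suggests, and never a plaintext private key; a comment above the line such as `# sshKey.cred must be an encrypted credential: the path is copied into the world-readable /nix/store` would make that invariant explicit for the next editor. Separately, the new `output-net` rule still accepts any TCP destination for `@nixos-syncoid-uids` even though its comment says "syncoid: SSH"; replacing `meta l4proto tcp \` with `tcp dport ssh \` (or the non-standard port the peers actually use) would scope the allowance to what the comment claims. Dropping `lib.mkAfter` also means this fragment's position inside `output-net` now follows module evaluation order rather than being forced last, so if another definition appends a terminal reject rule to that chain earlier in the concatenated ruleset the accept would be unreachable — worth confirming against the other nftables definitions, which are outside this file.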