-{ pkgs, lib, config, hostName, hosts, ... }:
+{ lib, config, inputs, hostName, ... }:
let
inherit (config) networking;
inherit (config.services) syncoid;
- inherit (config.security) gnupg;
inherit (config.users) groups;
-in
-{
-networking.nftables.ruleset = lib.mkAfter ''
- add rule inet filter fw2net \
- meta skuid @nixos-syncoid-uids \
- meta l4proto tcp \
- counter accept \
- comment "syncoid: allow SSH"
-'';
-security.gnupg.secrets."ssh/backup.ssh-ed25519" = {};
-systemd.tmpfiles.rules = [
- "z /dev/zfs 0660 - disk -"
-];
-services.syncoid = {
- enable = true;
- nftables.enable = true;
- interval = "*-*-* *:05:00";
- #interval = "*:0/1";
- sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
- commonArgs = [
- #"--debug"
- "--no-sync-snap"
- "--create-bookmark"
- #"--no-privilege-elevation"
- #"--no-stream"
- ];
- service = {
- after = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
- wants = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
- serviceConfig.Group = groups."disk".name;
- };
- commands = {
- "${hostName}/home/julm/work" = {
- sendOptions = "raw";
- target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
- };
- "backup@mermet.${networking.domain}:rpool/var/mail" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/mail";
- };
- "backup@mermet.${networking.domain}:rpool/var/postgresql" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/postgresql";
- };
- "backup@mermet.${networking.domain}:rpool/var/prosody" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/prosody";
- };
- "backup@mermet.${networking.domain}:rpool/var/public-inbox" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/public-inbox";
- };
- "backup@mermet.${networking.domain}:rpool/var/www" = {
+ losurdo2das1 = path: conf: lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
+ "${hostName}/${path}2das1" = {
+ source = "${hostName}/${path}";
+ target = "das1/julm/backup/losurdo/${path}";
sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/www";
+ recursive = true;
};
- "backup@mermet.${networking.domain}:rpool/var/git" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/git";
- };
- "backup@mermet.${networking.domain}:rpool/var/redis-rspamd" = {
+ };
+ mermet2losurdo = path: conf: lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
+ "backup@mermet.${networking.domain}:rpool/${path}" = {
+ target = "${hostName}/backup/mermet/${path}";
sendOptions = "raw";
- target = "${hostName}/backup/mermet/var/redis-rspamd";
+ recursive = true;
};
- "backup@mermet.${networking.domain}:rpool/home/julm/mail" = {
+ "${hostName}/backup/mermet/${path}" = {
+ target = "das1/julm/backup/mermet/${path}";
sendOptions = "raw";
- target = "${hostName}/backup/mermet/home/julm/mail";
+ recursive = true;
};
- "backup@mermet.${networking.domain}:rpool/home/julm/log" = {
- sendOptions = "raw";
- target = "${hostName}/backup/mermet/home/julm/log";
+ };
+in
+{
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain output-net {
+ skuid @nixos-syncoid-uids \
+ meta l4proto tcp \
+ counter accept \
+ comment "syncoid: SSH"
+ }
+ }
+ '';
+ systemd.tmpfiles.rules = [
+ "z /dev/zfs 0660 - disk -"
+ ];
+ services.syncoid = {
+ enable = true;
+ nftables.enable = true;
+ interval = "*-*-* *:05:00";
+ #interval = "*:0/1";
+ sshKey = "sshKey:${syncoid/sshKey.cred}";
+ commonArgs = [
+ #"--debug"
+ "--no-sync-snap"
+ "--create-bookmark"
+ #"--no-privilege-elevation"
+ #"--no-stream"
+ ];
+ service = {
+ serviceConfig.Group = groups."disk".name;
};
+ commands = {
+ "${hostName}/home/julm/work" = {
+ sendOptions = "raw";
+ target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
+ };
+ }
+ // mermet2losurdo "var" {
+ extraArgs = [
+ "--skip-parent"
+ "--exclude=rpool/var/cache"
+ "--exclude=rpool/var/lib/nginx"
+ "--exclude=rpool/var/log"
+ "--exclude=rpool/var/tmp"
+ ];
+ }
+ // mermet2losurdo "home/julm/mail" { }
+ // mermet2losurdo "home/julm/log" { }
+ // losurdo2das1 "home/julm/work" { }
+ // losurdo2das1 "var/sftp" { }
+ // losurdo2das1 "var/git" { }
+ ;
};
-};
}
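Review bot: The rule added to `chain output-net` accepts every outbound TCP connection made by the syncoid UIDs, although its comment says "syncoid: SSH"; nothing in it limits the port or the destination. The only remote endpoint visible in `commands` is `backup@mermet.${networking.domain}` (the `das1/...` targets carry no host part), so the rule could be narrowed, for example to `skuid @nixos-syncoid-uids tcp dport 22 counter accept comment "syncoid: SSH"`, adjusting the port if mermet's sshd does not listen on the default one. Separately, `sshKey = "sshKey:${syncoid/sshKey.cred}"` interpolates a path, which copies that file into the world-readable Nix store. A comment there should state that the `.cred` file must be an encrypted credential (presumably a systemd-creds blob, to be confirmed against the syncoid module in use) and never the plain private key.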