Add given password for hosts/mermet/knot/autogeree.net/lebureau.conf to store.
[sourcephile-nix.git] / hosts / losurdo / syncoid.nix
index 1ee8606138292fd4570652a4a5cd91451218c590..ca92a5e5e16003e20992a733e3429ec3169953de 100644 (file)
@@ -1,83 +1,93 @@
-{ pkgs, lib, config, hostName, hosts, ... }:
+{
+  lib,
+  config,
+  inputs,
+  hostName,
+  ...
+}:
 let
   inherit (config) networking;
   inherit (config.services) syncoid;
-  inherit (config.security) gnupg;
   inherit (config.users) groups;
+  losurdo2das1 =
+    path: conf:
+    lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
+      "${hostName}/${path}2das1" = {
+        source = "${hostName}/${path}";
+        target = "das1/julm/backup/losurdo/${path}";
+        sendOptions = "raw";
+        recursive = true;
+      };
+    };
+  mermet2losurdo =
+    path: conf:
+    lib.mapAttrs (_n: v: lib.recursiveUpdate v conf) {
+      /*
+        "backup@mermet.${networking.domain}:rpool/${path}" = {
+        target = "${hostName}/backup/mermet/${path}";
+        sendOptions = "raw";
+        recursive = true;
+        };
+        "${hostName}/backup/mermet/${path}" = {
+      */
+      "backup@mermet.${networking.domain}:rpool/${path}" = {
+        target = "das1/julm/backup/mermet/${path}";
+        sendOptions = "raw";
+        recursive = true;
+      };
+    };
 in
 {
-networking.nftables.ruleset = ''
-  add rule inet filter fw2net \
-    skuid "${syncoid.user}" \
-    tcp dport 22 \
-    ip daddr ${hosts.mermet.extraArgs.ipv4} \
-    counter accept \
-    comment "SSH to mermet"
-'';
-security.gnupg.secrets."ssh/backup.ssh-ed25519" = {
-  user = syncoid.user;
-};
-users.groups.keys.members = [ syncoid.user ];
-systemd.tmpfiles.rules = [
-  "z /dev/zfs 0660 - disk  -"
-];
-services.syncoid = {
-  enable = true;
-  interval = "*-*-* *:05:00";
-  group = "disk";
-  #interval = "*:0/1";
-  sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path;
-  commonArgs = [
-    "--no-sync-snap"
-    "--create-bookmark"
-    #"--no-privilege-elevation"
-    #"--no-stream"
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        skuid @nixos_syncoid_uids \
+          meta l4proto tcp \
+          counter accept \
+          comment "syncoid: SSH"
+      }
+    }
+  '';
+  systemd.tmpfiles.rules = [
+    "z /dev/zfs 0660 - disk  -"
   ];
-  service = {
-    after = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
-    wants = [ gnupg.secrets."ssh/backup.ssh-ed25519".service ];
-  };
-  commands = {
-    "${hostName}/home/julm/work" = {
-      sendOptions = "raw";
-      target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/mail" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/mail";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/postgresql" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/postgresql";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/prosody" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/prosody";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/public-inbox" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/public-inbox";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/www" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/www";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/git" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/git";
-    };
-    "backup@mermet.${networking.domain}:rpool/var/redis-rspamd" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/var/redis-rspamd";
-    };
-    "backup@mermet.${networking.domain}:rpool/home/julm/mail" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/home/julm/mail";
-    };
-    "backup@mermet.${networking.domain}:rpool/home/julm/log" = {
-      sendOptions = "raw";
-      target = "${hostName}/backup/mermet/home/julm/log";
+  services.syncoid = {
+    enable = true;
+    interval = "*-*-* *:05:00";
+    #interval = "*:0/1";
+    sshKey = "sshKey:${syncoid/sshKey.cred}";
+    commonArgs = [
+      #"--debug"
+      "--no-sync-snap"
+      "--create-bookmark"
+      #"--no-privilege-elevation"
+      #"--no-stream"
+      #"--preserve-recordsize"
+      #"--preserve-properties"
+    ];
+    service = {
+      serviceConfig.Group = groups."disk".name;
     };
+    commands =
+      {
+        "${hostName}/home/julm/work" = {
+          sendOptions = "raw";
+          target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/home/julm/work";
+        };
+      }
+      // mermet2losurdo "var" {
+        extraArgs = [
+          "--skip-parent"
+          "--exclude=rpool/var/cache"
+          "--exclude=rpool/var/lib/nginx"
+          "--exclude=rpool/var/log"
+          "--exclude=rpool/var/tmp"
+        ];
+      }
+      // mermet2losurdo "home/julm/mail" { }
+      // mermet2losurdo "home/julm/log" { }
+      // losurdo2das1 "home/julm/work" { }
+      // losurdo2das1 "var/sftp" { }
+      // losurdo2das1 "var/git" { };
   };
-};
 }
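Review bot: The rewritten egress rule in `chain output-net` accepts every TCP destination and port for the syncoid UIDs, whereas the removed rule was limited to `tcp dport 22` and mermet's IPv4 address; the only remote endpoint in the new `commands` is `backup@mermet.${networking.domain}`, so at least the port match looks restorable, e.g. `skuid @nixos_syncoid_uids tcp dport 22 counter accept comment "syncoid: SSH"` (the `ip daddr` match would need mermet's address from wherever `@nixos_syncoid_uids` is now populated, which is outside this hunk). Interpolating the path in `sshKey = "sshKey:${syncoid/sshKey.cred}"` copies that file into the world-readable Nix store, which is only acceptable if the `.cred` file is a systemd-encrypted credential as the suffix suggests — a one-line note would make that explicit, e.g. `# TODO confirm: systemd-creds encrypted blob, hence OK to land in /nix/store`. The commented-out mapping inside `mermet2losurdo` (the `/* ... */` block) is dead code and could be dropped or given a short comment on why it is kept.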