fix syncoid

2022-12-08 05:10:53 +01:00 · 2022-12-08 05:10:53 +01:00 · 25224d5d87
commit 25224d5d87
parent 5f47648835
4 changed files with 22 additions and 16 deletions
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -20,9 +20,8 @@ in
  services.syncthing.user = "ragon";

  ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
-  services.syncoid.enable = true;
-  services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
-  services.syncoid.commands =
+  ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; };
+  services.syncoid =
    let
      datasets = {
        backups = "rpool/content/local/backups";
@ -31,7 +30,25 @@ in
        hassosvm = "spool/safe/vms/hassos";
      };
    in
-    builtins.mapAttrs (n: v: { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }) datasets;
+
+    lib.mkMerge (
+      [{
+        localSourceAllow = [
+          "hold"
+          "send"
+          "snapshot"
+          "destroy"
+          "mount"
+        ];
+        enable = true;
+        interval = "*-*-* 2:15:00";
+        commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
+        sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
+      }] ++
+      (builtins.attrValues
+        (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
+      )
+    );

  programs.mosh.enable = true;
  security.sudo.wheelNeedsPassword = false;
--- a/nixos-modules/system/fs.nix
+++ b/nixos-modules/system/fs.nix
@ -39,18 +39,6 @@ in
    services.sanoid = {
      enable = mkDefault persistentSnapshot;
    } // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
-    services.syncoid = {
-      user = "root";
-      group = "root";
-      sshKey = /persistent/root/.ssh/id_rsa;
-      enable = mkDefault true;
-      commonArgs = [
-      ];
-      commands."${persistent}" = {
-        target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user
-        recvOptions = "x encryption";
-      };
-    };
    boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
    fileSystems."/" =
      {
--- a/secrets/gatebridgeHostKeys.age
+++ b/secrets/gatebridgeHostKeys.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,6 +14,7 @@ in
  "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
  "photoprismEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
+  "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.host "ds9";
  "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
  "mailmoverConf.age".publicKeys = pubkeys.ragon.host "picard";
  "matrixSecrets.age".publicKeys = pubkeys.ragon.host "picard";