From 25224d5d871455f909b0208ad838c146dda3b4b6 Mon Sep 17 00:00:00 2001 From: Philipp Hochkamp Date: Thu, 8 Dec 2022 05:10:53 +0100 Subject: [PATCH] fix syncoid --- hosts/ds9/default.nix | 25 +++++++++++++++++++++---- nixos-modules/system/fs.nix | 12 ------------ secrets/gatebridgeHostKeys.age | Bin 0 -> 1709 bytes secrets/secrets.nix | 1 + 4 files changed, 22 insertions(+), 16 deletions(-) create mode 100644 secrets/gatebridgeHostKeys.age diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index c8e96771..fd6da7bc 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix @@ -20,9 +20,8 @@ in services.syncthing.user = "ragon"; ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; }; - services.syncoid.enable = true; - services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}"; - services.syncoid.commands = + ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; }; + services.syncoid = let datasets = { backups = "rpool/content/local/backups"; @@ -31,7 +30,25 @@ in hassosvm = "spool/safe/vms/hassos"; }; in - builtins.mapAttrs (n: v: { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }) datasets; + + lib.mkMerge ( + [{ + localSourceAllow = [ + "hold" + "send" + "snapshot" + "destroy" + "mount" + ]; + enable = true; + interval = "*-*-* 2:15:00"; + commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ]; + sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}"; + }] ++ + (builtins.attrValues + (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets)) + ) + ); programs.mosh.enable = true; security.sudo.wheelNeedsPassword = false; diff --git a/nixos-modules/system/fs.nix b/nixos-modules/system/fs.nix index 951579b3..b197945c 100644 --- a/nixos-modules/system/fs.nix +++ b/nixos-modules/system/fs.nix 
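Review bot: In the second hunk of hosts/ds9/default.nix, `commonArgs` pins gatebridge's host keys with `GlobalKnownHostsFile` but leaves the rest of ssh's host-key handling at its defaults. A stale entry in the syncoid user's own known_hosts, or a permissive `StrictHostKeyChecking` in the system ssh_config, would therefore still be honoured. If the agenix file is meant to be the only trust anchor, make that explicit: `commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" "--sshoption" "UserKnownHostsFile=/dev/null" "--sshoption" "StrictHostKeyChecking=yes" ];`. Separately, every generated command still receives as `root@gatebridge`; a dedicated receive user with delegated ZFS permissions on the `backup` dataset would limit what the `ds9OffsiteBackupSSH` key can do if ds9 is compromised. Whether gatebridge already restricts that key is not visible here, and the `let … in` that this attrset belongs to opens in the previous hunk.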
@@ -39,18 +39,6 @@ in services.sanoid = { enable = mkDefault persistentSnapshot; } // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { }); - services.syncoid = { - user = "root"; - group = "root"; - sshKey = /persistent/root/.ssh/id_rsa; - enable = mkDefault true; - commonArgs = [ - ]; - commands."${persistent}" = { - target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user - recvOptions = "x encryption"; - }; - }; boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ]; fileSystems."/" = { 
diff --git a/secrets/gatebridgeHostKeys.age b/secrets/gatebridgeHostKeys.age new file mode 100644 index 0000000000000000000000000000000000000000..dd1dca83f30f07dcd3ac725633c56a36200ffd85 GIT binary patch literal 1709 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlOp2&TD_2NycQ!UO zGz%}abV)5q&2YC!N^~*OH!(?dEUhff(ROzAPs|Mqa!*Y22;>U$_wY|~H1^7@$_xzj zOLR64D2niPHFS0faB<2tFANP#4|gl`O|z&nPe-?{G~FXSyj;OA%QMogtUNL;J2Wq` zDm2y9ysRK3!^_FJ(8bB6Fvzi>yt2wGt0*rlG@Yx|IIP?vG|k&PD#WYIBEZ8ZBC5*S zr^-A>-y^NmJj27W$THWWsz~40BM{xT&``^uU`K_LtYlYn{nEg4gTPeh%Amr4s^B6o z_agrgXFpT72y^Z1bW0b{QWJ~pj7ToWQnOMYUxUm<)54T2qcX?raboV z%nK^~@*P38h5G8I7o{c^rz-fDC+CJKL{^&ya=E5Q6*}i6I+aER`&Sy~d6cAw8M#HI z`4k%agqItKW?NJ^Ipt(ncvbmkmxa2Rc(@c)MCMrf`FjV2T6iQIr*N5PnFVk#6b0sZxmT5$c%|eO`MH=y80WcILA%_io9lQq>u=qp^H=5jCnqit=QjQ)6s|f z%{=QZxQJ3+mALgjUqUYLk?rWBL z++F5iqjH^R5{3Kr3Xfv>fA)C2so(2V zm4CAG`iaR*W*I_PCPneeeqykSlqx-cFYEHG=C6C+ruS<7E8|*c_jR3~vGhe=!X8-f5z2xZshX-RgRZp7d1b#V|pyYOQ!q4{O$BLJ3w^w5BSuZ$eVkh&W zHB(lfir9HNed>aOaJB{WXY9V3ETSa(Eyw;`hVl1LJMBwSOiJed>YIEc<4e_CtHw@) zINNQHmj19?^*Q*@j=3%I+RWlVQ-67`SZf^ReSTZPe~xQQ-RT7adY)=lq;L=eCLa zH|HbW3;6fDTQ9%yN%w{6&-rUUZv1>?=Tu2G;g@qxFLvQ}Qf|+}&U(0pAQkI{r*81#yFbhkwub`5*wYO~)>6}`0 z>v8+%o5z2@UEcptP(=6D%NVh0<-0F~x?GrLAEo$zZT$NC+FSWMPP4D?nmL6*J?yLj z6MOQlO52T%s;w@6n@UpTuH{@;HC%ILYh^*lx~;k%>Q_yUT5EF8SGC-*bpNM@Uxz=h zid5e7{-tW$R)s}AjT7_JQ??mDxG2wkM2y39zq8!_nOmI%x7R$?IInZM{ZXU1JNloRSxj5C_LPdA>MkaBKe11X#Dr|GEh*01c7MXU zv=u!MT;6S!4~r;@WzDu%>5s4EeJ?ssT*~VDx7ztjqmJZ=xLxk7U|7e|#IP&+^v4$> zr9mH-G*0Z>=)R=D!&v5*MNRc_l~w%9x4&U*@bj+}N!==SR%X@Z>N8%94QnJk^#uer NrG5A(VCNb08vwIq+Nb~k literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9fa6db24..35296dac 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -14,6 +14,7 @@ in
 "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
 "photoprismEnv.age".publicKeys = pubkeys.ragon.host "ds9";
 "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
+ "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.host "ds9";
 "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
 "mailmoverConf.age".publicKeys = pubkeys.ragon.host "picard";
 "matrixSecrets.age".publicKeys = pubkeys.ragon.host "picard";