fix syncoid

2022-12-08 05:10:53 +01:00 · 2022-12-08 05:10:53 +01:00 · 25224d5d87
commit 25224d5d87
parent 5f47648835
4 changed files with 22 additions and 16 deletions
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -20,9 +20,8 @@ in
  services.syncthing.user = "ragon";
  ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
-  services.syncoid.enable = true;
+  ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; };
-  services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
+  services.syncoid =
  services.syncoid.commands =
    let
      datasets = {
        backups = "rpool/content/local/backups";
@ -31,7 +30,25 @@ in
        hassosvm = "spool/safe/vms/hassos";
      };
    in
-    builtins.mapAttrs (n: v: { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }) datasets;
+
    lib.mkMerge (
      [{
        localSourceAllow = [
          "hold"
          "send"
          "snapshot"
          "destroy"
          "mount"
        ];
        enable = true;
        interval = "*-*-* 2:15:00";
        commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
        sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
      }] ++
      (builtins.attrValues
        (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
      )
    );
  programs.mosh.enable = true;
  security.sudo.wheelNeedsPassword = false;
--- a/nixos-modules/system/fs.nix
+++ b/nixos-modules/system/fs.nix
@ -39,18 +39,6 @@ in
    services.sanoid = {
      enable = mkDefault persistentSnapshot;
    } // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
    services.syncoid = {
      user = "root";
      group = "root";
      sshKey = /persistent/root/.ssh/id_rsa;
      enable = mkDefault true;
      commonArgs = [
      ];
      commands."${persistent}" = {
        target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user
        recvOptions = "x encryption";
      };
    };
    boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
    fileSystems."/" =
      {
--- a/secrets/gatebridgeHostKeys.age
+++ b/secrets/gatebridgeHostKeys.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,6 +14,7 @@ in
  "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
  "photoprismEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
  "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.host "ds9";
  "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
  "mailmoverConf.age".publicKeys = pubkeys.ragon.host "picard";
  "matrixSecrets.age".publicKeys = pubkeys.ragon.host "picard";