};
supportedFilesystems = [ "zfs" ];
kernelParams = ["zfs.zfs_arc_max=6442450944"];
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = [ "ahci" "sd_mod" ];
initrd.secrets = {
"/boot/pass.key" = "/boot/pass.key";
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
'';
- nix.maxJobs = 8;
+ nix.settings.max-jobs = 8;
powerManagement.cpuFreqGovernor = "powersave";
myEnv = import ../../../nixops/secrets/environment.nix;
networking = {
hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
firewall.enable = true;
+ firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];
# FIXME: on next reboot, remove the /27 and the localCommands
interfaces."eth0".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
(n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
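Review bot: `firewall.allowedTCPPorts` opens the zrepl port to every source address on every interface, and the `backup-to-wd-zpool` job added further down listens on `:${...}` with no bind address. The TLS listener is therefore reachable from any network, and the client-certificate check (`client_cns: flony`) is the only gate in front of the source job. If flony connects over a known interface or from a fixed address, scope the opening instead, for example `firewall.interfaces."<IFACE>".allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];` (interface name is a placeholder), or use a source-restricted rule in `firewall.extraCommands`. The `networking` block starts and ends outside this hunk.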
services.netdata.config.health."enabled" = "no";
services.netdata.config.web.mode = "none";
users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
- environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
+ services.netdata.configDir."stream.conf" = config.secrets.fullPaths."netdata-stream.conf";
secrets.keys = {
"netdata-stream.conf" = {
user = config.services.netdata.user;
};
};
programs.ssh.knownHosts.dilion = {
- hostNames = ["dilion.immae.eu"];
+ extraHostNames = ["dilion.immae.eu"];
publicKey = let
profile = config.myEnv.rsync_backup.profiles.dilion;
in
environment.systemPackages = [ pkgs.bindfs ];
- services.zrepl = {
+ immaeServices.zrepl = {
enable = true;
config = let
redis_dump = pkgs.writeScript "redis-dump" ''
"zpool/root/etc": true
"zpool/root/var<": true
connect:
- type: ssh+stdinserver
- host: dilion.immae.eu
- user: backup
- port: 22
- identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
+ address: dilion.immae.eu:19000
+ type: tls
+ server_cn: dilion
+ ca: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+ key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
snapshotting:
type: periodic
prefix: zrepl_
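Review bot: The removed `identity_file` line leaves the `zrepl_backup/identity` secret unused in this hunk, and nothing visible here retires it. If its `secrets.keys` entry and the matching authorized key for `backup` on dilion stay in place, the old SSH path presumably remains a working credential after the move to TLS, so confirm both are dropped in the same change. Separately, `address: dilion.immae.eu:19000` hard-codes the port while the listening side added below uses `config.myEnv.ports.zrepl_flony`; a named entry under `config.myEnv.ports` would keep the two ends consistent. The job this `connect` block belongs to starts outside the hunk.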
- type: grid
grid: 6x4h | 7x1d | 4x7d | 6x30d
regex: "^zrepl_.*"
+ - type: source
+ # must not change
+ name: "backup-to-wd-zpool"
+ serve:
+ type: tls
+ listen: :${builtins.toString config.myEnv.ports.zrepl_flony}
+ ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+ key: ${config.secrets.fullPaths."zrepl/eldiron.key"}
+ client_cns:
+ - flony
+ filesystems:
+ "zpool/root": true
+ "zpool/root/etc": true
+ "zpool/root/var<": true
+ "zfast/root/var<": true
+ send:
+ encrypted: true
+ snapshotting:
+ type: manual
'';
};
# This value determines the NixOS release with which your system is