X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fprivate%2Fsystem%2Fdilion.nix;h=cc4297e0f4e7ce2f74dcc4abbb2dc5f23c30d89c;hb=5dda316b382211733cda7163b33bf388dd052671;hp=14155efc50ee22119f9e736c72869263057c7a38;hpb=740a6506f419bdcfb082f1cfde7553735dfd0570;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 14155ef..cc4297e 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -59,23 +59,16 @@
   programs.zsh.enable = true;
 
   users.users.backup = {
-    home = "/var/lib/backup";
-    createHome = true;
     hashedPassword = "!";
     isSystemUser = true;
+    extraGroups = [ "keys" ];
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = let
+      zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
     in
-      ["command=\"${pkgs.rrsync_sudo}/bin/rrsync /var/lib/backup/eldiron/\"  ${config.myEnv.rsync_backup.ssh_key.public}"];
+      ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
   };
   security.sudo.extraRules = pkgs.lib.mkAfter [
-    {
-      commands = [
-        { command = "${pkgs.rsync}/bin/rsync"; options = [ "NOPASSWD" ]; }
-      ];
-      users = [ "backup" ];
-      runAs = "root";
-    }
     {
       commands = [
         { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
@@ -86,11 +79,6 @@
   ];
 
   boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
-  system.activationScripts.backup_home = ''
-    chown root:root /var/lib/backup
-    install -m 0750 -o backup -g root -d /var/lib/backup/eldiron
-  '';
-
   system.activationScripts.libvirtd_exports = ''
     install -m 0755 -o root -g root -d /var/lib/caldance
   '';
@@ -192,6 +180,29 @@
     };
   };
 
+  systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
+  systemd.services.zrepl.serviceConfig.User = "backup";
+  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
+  services.zrepl = {
+    enable = true;
+    config = ''
+      global:
+        control:
+          sockpath: /run/zrepl/control
+        serve:
+          stdinserver:
+            sockdir: /run/zrepl/stdinserver
+      jobs:
+        - type: sink
+          # must not change
+          name: "backup-from-eldiron"
+          root_fs: "zpool/backup"
+          serve:
+            type: stdinserver
+            client_identities:
+              - eldiron
+    '';
+  };
   # This value determines the NixOS release with which your system is
   # to be compatible, in order to avoid breaking some software such as
   # database servers. You should change this only after NixOS release