programs.zsh.enable = true;
users.users.backup = {
- home = "/var/lib/backup";
- createHome = true;
hashedPassword = "!";
isSystemUser = true;
+ extraGroups = [ "keys" ];
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = let
+ zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
in
- ["command=\"${pkgs.rrsync_sudo}/bin/rrsync /var/lib/backup/eldiron/\" ${config.myEnv.rsync_backup.ssh_key.public}"];
+ ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
};
security.sudo.extraRules = pkgs.lib.mkAfter [
- {
- commands = [
- { command = "${pkgs.rsync}/bin/rsync"; options = [ "NOPASSWD" ]; }
- ];
- users = [ "backup" ];
- runAs = "root";
- }
{
commands = [
{ command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
];
boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
- system.activationScripts.backup_home = ''
- chown root:root /var/lib/backup
- install -m 0750 -o backup -g root -d /var/lib/backup/eldiron
- '';
-
system.activationScripts.libvirtd_exports = ''
install -m 0755 -o root -g root -d /var/lib/caldance
'';
user = config.services.nginx.user;
group = config.services.nginx.group;
extraDomains = {
- "discourse.immae.eu" = null;
- "discourse.cip-ca.fr" = null;
"dev.immae.eu" = null;
"caldance.immae.eu" = null;
};
forceSSL = true;
root = "/home/immae/www";
};
- "discourse.immae.eu" = {
- acmeRoot = config.myServices.certificates.webroot;
- useACMEHost = name;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:18031";
- };
- "discourse.cip-ca.fr" = {
- acmeRoot = config.myServices.certificates.webroot;
- useACMEHost = name;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:18031";
- };
"caldance.immae.eu" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
};
};
+ systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
+ systemd.services.zrepl.serviceConfig.User = "backup";
+ # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
+ services.zrepl = {
+ enable = true;
+ config = ''
+ global:
+ control:
+ sockpath: /run/zrepl/control
+ serve:
+ stdinserver:
+ sockdir: /run/zrepl/stdinserver
+ jobs:
+ - type: sink
+ # must not change
+ name: "backup-from-eldiron"
+ root_fs: "zpool/backup"
+ serve:
+ type: stdinserver
+ client_identities:
+ - eldiron
+ '';
+ };
# This value determines the NixOS release with which your system is
# to be compatible, in order to avoid breaking some software such as
# database servers. You should change this only after NixOS release
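Review bot: The `zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup` line above `services.zrepl` is only a comment, yet with `serviceConfig.User = "backup"` the sink job cannot receive anything until that delegation has been applied by hand on the host; either make it an activation script or keep a comment that says it is a manual prerequisite, e.g. `# MANUAL STEP (not applied by this config): run the zfs allow below as root before enabling the sink`. The delegation also grants `destroy` on `zpool/backup` to the same identity the forced `zrepl stdinserver` command runs as, so whatever reaches that key can remove earlier backups; if the sink job does not need `destroy` for its own cleanup, dropping it from the delegation would limit what a compromised source can do to the history, which is worth confirming against the zrepl sink job's requirements. The `RuntimeDirectory` line uses `lib.mkForce` while the sudo rule earlier in the file uses `pkgs.lib.mkAfter`; whether `lib` is in scope depends on the module arguments outside this hunk, so the two should be made consistent. The enclosing attribute set starts outside the hunk.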