boot.kernelPackages = pkgs.linuxPackages_latest;
myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ fileSystems = {
+ "/" = lib.mkForce { fsType = "zfs"; device = "zpool/root"; };
+ "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
+ "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
+ "/home" = { fsType = "zfs"; device = "zpool/root/home"; };
+ "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
+ "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
+ "/var" = { fsType = "zfs"; device = "zpool/root/var"; };
+ };
+ boot.initrd.secrets = {
+ "/boot/pass.key" = "/boot/pass.key";
+ };
+
networking = {
hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
firewall.enable = false;
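Review bot: The `boot.initrd.secrets` entry at L13 copies `/boot/pass.key` into the initrd, yet `/boot` is declared at L5 as a plain ext4 partition, so whatever that key unlocks (presumably the ZFS datasets mounted above it) rests in the clear on the same disk and its confidentiality depends only on the permissions of `/boot`. That may be the intended threat model, but nothing here says so; add a comment next to the entry such as `# unlocks the pool at boot; /boot is unencrypted ext4, so the key is readable by anyone with access to the disk` and consider keeping `/boot` itself mode 0700. The hunk containing these lines appears to begin before this excerpt.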
programs.zsh.enable = true;
users.users.backup = {
- home = "/var/lib/backup";
- createHome = true;
hashedPassword = "!";
isSystemUser = true;
+ extraGroups = [ "keys" ];
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = let
+ zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
in
- ["command=\"${pkgs.rrsync_sudo}/bin/rrsync /var/lib/backup/eldiron/\" ${config.myEnv.rsync_backup.ssh_key.public}"];
+ ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
};
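Review bot: `extraGroups = [ "keys" ]` at L25 grants the `backup` user read access to every secret deployed under the `keys` group, while the forced command at L31 only needs `config.secrets.fullPaths."zrepl/zrepl.yml"`; if other secrets share that group, this widens what a compromise of the `backup` account exposes. Prefer making only the zrepl config readable by `backup` (by owner or a dedicated group) and, if the `keys` membership must stay, document why: `extraGroups = [ "keys" ]; # needed to read secrets.fullPaths."zrepl/zrepl.yml" for the stdinserver command`. The `restrict` option on the authorized key at L31 is the right choice for a forced command. The enclosing `users.users.backup` set starts at L20 and this hunk appears to continue beyond L32.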
security.sudo.extraRules = pkgs.lib.mkAfter [
- {
- commands = [
- { command = "${pkgs.rsync}/bin/rsync"; options = [ "NOPASSWD" ]; }
- ];
- users = [ "backup" ];
- runAs = "root";
- }
{
commands = [
{ command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
];
boot.kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
- system.activationScripts.backup_home = ''
- chown root:root /var/lib/backup
- install -m 0750 -o backup -g root -d /var/lib/backup/eldiron
- '';
-
system.activationScripts.libvirtd_exports = ''
install -m 0755 -o root -g root -d /var/lib/caldance
'';
virtualisation.docker.enable = true;
+ virtualisation.docker.storageDriver = "zfs";
virtualisation.libvirtd.enable = true;
users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ];
systemd.services.libvirtd.postStart = ''
user = config.services.nginx.user;
group = config.services.nginx.group;
extraDomains = {
- "discourse.immae.eu" = null;
- "discourse.cip-ca.fr" = null;
"dev.immae.eu" = null;
"caldance.immae.eu" = null;
};
forceSSL = true;
root = "/home/immae/www";
};
- "discourse.immae.eu" = {
- acmeRoot = config.myServices.certificates.webroot;
- useACMEHost = name;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:18031";
- };
- "discourse.cip-ca.fr" = {
- acmeRoot = config.myServices.certificates.webroot;
- useACMEHost = name;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:18031";
- };
"caldance.immae.eu" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
};
};
+ systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
+ systemd.services.zrepl.serviceConfig.User = "backup";
+ # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
+ services.zrepl = {
+ enable = true;
+ config = ''
+ global:
+ control:
+ sockpath: /run/zrepl/control
+ serve:
+ stdinserver:
+ sockdir: /run/zrepl/stdinserver
+ jobs:
+ - type: sink
+ # must not change
+ name: "backup-from-eldiron"
+ root_fs: "zpool/backup"
+ serve:
+ type: stdinserver
+ client_identities:
+ - eldiron
+ '';
+ };
# This value determines the NixOS release with which your system is
# to be compatible, in order to avoid breaking some software such as
# database servers. You should change this only after NixOS release
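Review bot: The `zfs allow` command in the comment at L89 is a manual prerequisite the configuration does not apply, and it delegates `destroy` on `zpool/backup`, so the `backup` account that runs the zrepl sink (L88) can delete received snapshots; whether the sink needs that or it should be narrowed deserves an explicit comment. Mark it as such by placing `# manual prerequisite, run once as root (not managed by this config):` above the existing `zfs allow ...` line and stating there whether `destroy` is required. The `# must not change` on the job name at L101 would help a future reader more with its reason, e.g. `# must not change: zrepl presumably keys its replication state on the job name — verify`. The trailing context after L109 appears to continue past this excerpt.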