};
services.zfs = {
- autoSnapshot = {
- enable = true;
- };
autoScrub = {
enable = true;
};
secrets.keys = [
{
- dest = "rsync_backup/identity";
+ dest = "zrepl_backup/identity";
user = "root";
group = "root";
permissions = "0400";
- text = config.myEnv.rsync_backup.ssh_key.private;
+ text = config.myEnv.zrepl_backup.ssh_key.private;
}
];
programs.ssh.knownHosts.dilion = {
mailto = "cron@immae.eu";
systemCronJobs = [
''
- # The star after /var/lib/* avoids deleting all folders in case of problem
- 0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null
0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
# Need a way to blacklist properly
# 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
};
environment.systemPackages = [ pkgs.bindfs ];
+ services.zrepl = {
+ enable = true;
+ config = let
+ redis_dump = pkgs.writeScript "redis-dump" ''
+ #! ${pkgs.stdenv.shell}
+ ${pkgs.redis}/bin/redis-cli bgsave
+ '';
+ in ''
+ jobs:
+ - type: push
+ # must not change
+ name: "backup-to-dilion"
+ filesystems:
+ "zpool/root": true
+ "zpool/root/etc": true
+ "zpool/root/var<": true
+ connect:
+ type: ssh+stdinserver
+ host: dilion.immae.eu
+ user: backup
+ port: 22
+ identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
+ snapshotting:
+ type: periodic
+ prefix: zrepl_
+ interval: 15m
+ hooks:
+ - type: mysql-lock-tables
+ dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
+ filesystems:
+ "zpool/root/var": true
+ - type: command
+ path: ${redis_dump}
+ err_is_fatal: false
+ filesystems:
+ "zpool/root/var": true
+ send:
+ encrypted: true
+ pruning:
+ keep_sender:
+ - type: not_replicated
+ - type: regex
+ regex: "^manual_.*"
+ - type: grid
+ grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+ regex: "^zrepl_.*"
+ keep_receiver:
+ - type: regex
+ regex: "^manual_.*"
+ - type: grid
+ grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+ regex: "^zrepl_.*"
+ '';
+ };
# This value determines the NixOS release with which your system is
# to be compatible, in order to avoid breaking some software such as
# database servers. You should change this only after NixOS release
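Review bot: The `dsn:` line of the `mysql-lock-tables` hook interpolates `config.myEnv.zrepl_backup.mysql.password` directly into the `services.zrepl.config` string, while the SSH key in this same commit is delivered through `secrets.keys` with `permissions = "0400"`. How the module materialises `config` is not visible in this hunk, but if it is rendered into a derivation (for example via `pkgs.writeText`), the password lands in a world-readable /nix/store path and travels with every copy of the system closure. Consider rendering the zrepl YAML, or at least the DSN, through a root-owned `secrets.keys` entry and pointing the service at `config.secrets.fullPaths."<zrepl config entry>"`, as is already done for `identity_file`. The MySQL account used here should also be limited to the privileges the lock hook needs, so that a leaked DSN does not grant data access.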