Use zrepl to make zfs backups

[perso/Immae/Config/Nix.git] / modules / private / system / eldiron.nix

diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 8a5d11cd53da40215e66b80714205177d29482e0..83e52b8989636d50328060d97412329c2bfc0f66 100644 (file)
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -19,9 +19,6 @@
   };
 
   services.zfs = {
-    autoSnapshot = {
-      enable = true;
-    };
     autoScrub = {
       enable = true;
     };
@@ -64,11 +61,11 @@
 
   secrets.keys = [
     {
-      dest = "rsync_backup/identity";
+      dest = "zrepl_backup/identity";
       user = "root";
       group = "root";
       permissions = "0400";
-      text = config.myEnv.rsync_backup.ssh_key.private;
+      text = config.myEnv.zrepl_backup.ssh_key.private;
     }
   ];
   programs.ssh.knownHosts.dilion = {
@@ -104,8 +101,6 @@
     mailto = "cron@immae.eu";
     systemCronJobs = [
       ''
-        # The star after /var/lib/* avoids deleting all folders in case of problem
-        0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null
         0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
         # Need a way to blacklist properly
         # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
@@ -121,6 +116,60 @@
   };
   environment.systemPackages = [ pkgs.bindfs ];
 
+  services.zrepl = {
+    enable = true;
+    config = let
+      redis_dump = pkgs.writeScript "redis-dump" ''
+        #! ${pkgs.stdenv.shell}
+        ${pkgs.redis}/bin/redis-cli bgsave
+      '';
+    in ''
+      jobs:
+        - type: push
+          # must not change
+          name: "backup-to-dilion"
+          filesystems:
+            "zpool/root": true
+            "zpool/root/etc": true
+            "zpool/root/var<": true
+          connect:
+            type: ssh+stdinserver
+            host: dilion.immae.eu
+            user: backup
+            port: 22
+            identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
+          snapshotting:
+            type: periodic
+            prefix: zrepl_
+            interval: 15m
+            hooks:
+              - type: mysql-lock-tables
+                dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
+                filesystems:
+                  "zpool/root/var": true
+              - type: command
+                path: ${redis_dump}
+                err_is_fatal: false
+                filesystems:
+                  "zpool/root/var": true
+          send:
+            encrypted: true
+          pruning:
+            keep_sender:
+              - type: not_replicated
+              - type: regex
+                regex: "^manual_.*"
+              - type: grid
+                grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+                regex: "^zrepl_.*"
+            keep_receiver:
+              - type: regex
+                regex: "^manual_.*"
+              - type: grid
+                grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+                regex: "^zrepl_.*"
+    '';
+  };
   # This value determines the NixOS release with which your system is
   # to be compatible, in order to avoid breaking some software such as
   # database servers. You should change this only after NixOS release