Zrepl config with raspi

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2025-03-14 00:33:59 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2025-03-14 01:06:18 +0100
commit: 3556fca8370666371de613e6221d407bc553c902 (patch)
tree: beb10e4ab40078295d2d45566e48b9aa6e86616a /systems/dilion
parent: 70952c48b9895d587dd7f548e0bdb56d0a02818a (diff)
download: Nix-3556fca8370666371de613e6221d407bc553c902.tar.gz
Nix-3556fca8370666371de613e6221d407bc553c902.tar.zst
Nix-3556fca8370666371de613e6221d407bc553c902.zip
2 files changed, 56 insertions, 30 deletions
diff --git a/systems/dilion/base.nix b/systems/dilion/base.nix
index b47d928..05593aa 100644
--- a/systems/dilion/base.nix
+++ b/systems/dilion/base.nix
@@ -230,6 +230,7 @@
  systemd.services.zrepl.serviceConfig.User = "backup";
  systemd.services.zrepl.path = [ pkgs.openssh ];
+  systemd.services.zrepl.unitConfig.After = lib.mkForce [ "wg-quick-wg0.service" "zfs.target" ];
  # pour eldiron:
  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
  # pour flony:
@@ -242,44 +243,69 @@
      jobs = [
        {
          type = "sink";
-          # must not change
+          name = "backup-from-immae-eu";
-          name = "backup-from-eldiron";
          root_fs = "zpool/backup";
          serve.type = "tls";
-          serve.listen = ":19000";
+          serve.listen = "192.168.1.8:19000";
-          serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
+          serve.ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
          serve.client_cns = [ "eldiron" ];
        }
        {
-          type = "source";
+          type = "push";
          # must not change
-          name = "backup-to-wd-zpool";
+          name = "backup-to-raspi-encrypted";
-          # not encrypted!
-          serve.type = "tls";
-          serve.listen = ":19001";
-          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
-          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
-          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
-          serve.client_cns = [ "flony" ];
-          filesystems."zpool/libvirt<" = true;
          filesystems."zpool/root<" = true;
-          snapshotting.type = "manual";
+          filesystems."zpool/root/tmp" = false;
+          connect = {
+            address = "192.168.44.101:19025";
+            type = "tls";
+            server_cn = "raspi";
+            ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
+            cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
+            key = config.secrets.fullPaths."zrepl/dilion.key";
+          };
+          send.encrypted = true;
+          snapshotting = {
+            type = "cron";
+            prefix = "raspi_zrepl_";
+            cron = "30 1 * * *"; # Europe/Paris
+          };
+          pruning.keep_sender = [
+            { type = "regex"; negate = true; regex = "^raspi_zrepl_.*"; }
+            { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
+          ];
+          pruning.keep_receiver = [
+            { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
+          ];
        }
        {
-          type = "source";
+          type = "push";
          # must not change
-          name = "backup-to-wd-zpool-docker";
+          name = "backup-to-raspi-clear";
-          # not encrypted!
-          serve.type = "tls";
-          serve.listen = ":19002";
-          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
-          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
-          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
-          serve.client_cns = [ "flony" ];
          filesystems."zpool/docker<" = true;
-          snapshotting.type = "manual";
+          filesystems."zpool/libvirt<" = true;
+          connect = {
+            address = "192.168.44.101:19025";
+            type = "tls";
+            server_cn = "raspi";
+            ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
+            cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
+            key = config.secrets.fullPaths."zrepl/dilion.key";
+          };
+          snapshotting = {
+            type = "cron";
+            prefix = "raspi_zrepl_";
+            cron = "0 1 * * *"; # Europe/Paris
+          };
+          pruning.keep_sender = [
+            { type = "regex"; negate = true; regex = "^raspi_zrepl_.*"; }
+            { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
+          ];
+          pruning.keep_receiver = [
+            { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
+          ];
        }
      ];
    };
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock
index 71557c0..0a03786 100644
--- a/systems/dilion/flake.lock
+++ b/systems/dilion/flake.lock
@@ -59,7 +59,7 @@
    "environment": {
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=",
+        "narHash": "sha256-6HzZMgW6wsSkeN87+OcMhVnWxUKFT2C9EMXvmMfxRzc=",
        "path": "../../flakes/private/environment",
        "type": "path"
      },
@@ -71,7 +71,7 @@
    "environment_2": {
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=",
+        "narHash": "sha256-6HzZMgW6wsSkeN87+OcMhVnWxUKFT2C9EMXvmMfxRzc=",
        "path": "../environment",
        "type": "path"
      },
@@ -83,7 +83,7 @@
    "environment_3": {
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=",
+        "narHash": "sha256-6HzZMgW6wsSkeN87+OcMhVnWxUKFT2C9EMXvmMfxRzc=",
        "path": "../environment",
        "type": "path"
      },
@@ -207,7 +207,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-UtTwF1ni+Qy4n65KjH2WLtb263VIf7fnvVWExxSMR6U=",
+        "narHash": "sha256-7tqKXf2kdZ2wIEQTJud7gdN+/eOkXxeQeT03KwmfTwQ=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -599,7 +599,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-InNiobFoX6ugM50G4xuWHJrFjqkRTXixxvTjj69wfuw=",
+        "narHash": "sha256-VUtVclRBHcgFrAuf3tdhcA/f1h7U1gBj7KFu0lAnP34=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2025-03-14 00:33:59 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2025-03-14 01:06:18 +0100
commit	3556fca8370666371de613e6221d407bc553c902 (patch)
tree	beb10e4ab40078295d2d45566e48b9aa6e86616a /systems/dilion
parent	70952c48b9895d587dd7f548e0bdb56d0a02818a (diff)
download	Nix-3556fca8370666371de613e6221d407bc553c902.tar.gz Nix-3556fca8370666371de613e6221d407bc553c902.tar.zst Nix-3556fca8370666371de613e6221d407bc553c902.zip