Diffstat (limited to 'modules/private/system/eldiron.nix')
-rw-r--r-- | modules/private/system/eldiron.nix | 63 |
1 files changed, 56 insertions, 7 deletions
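--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -19,9 +19,6 @@
 };
 
 services.zfs = {
-autoSnapshot = {
-enable = true;
-};
 autoScrub = {
 enable = true;
 };
@@ -64,11 +61,11 @@
 
 secrets.keys = [
 {
-dest = "rsync_backup/identity";
+dest = "zrepl_backup/identity";
 user = "root";
 group = "root";
 permissions = "0400";
-text = config.myEnv.rsync_backup.ssh_key.private;
+text = config.myEnv.zrepl_backup.ssh_key.private;
 }
 ];
 programs.ssh.knownHosts.dilion = {
@@ -104,8 +101,6 @@
 mailto = "cron@immae.eu";
 systemCronJobs = [
 ''
-# The star after /var/lib/* avoids deleting all folders in case of problem
-0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null
 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
 # Need a way to blacklist properly
 # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
@@ -121,6 +116,60 @@
 };
 environment.systemPackages = [ pkgs.bindfs ];
 
+services.zrepl = {
+enable = true;
+config = let
+redis_dump = pkgs.writeScript "redis-dump" ''
+#! ${pkgs.stdenv.shell}
+${pkgs.redis}/bin/redis-cli bgsave
+'';
+in ''
+jobs:
+- type: push
+# must not change
+name: "backup-to-dilion"
+filesystems:
+"zpool/root": true
+"zpool/root/etc": true
+"zpool/root/var<": true
+connect:
+type: ssh+stdinserver
+host: dilion.immae.eu
+user: backup
+port: 22
+identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"}
+snapshotting:
+type: periodic
+prefix: zrepl_
+interval: 15m
+hooks:
+- type: mysql-lock-tables
+dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/"
+filesystems:
+"zpool/root/var": true
+- type: command
+path: ${redis_dump}
+err_is_fatal: false
+filesystems:
+"zpool/root/var": true
+send:
+encrypted: true
+pruning:
+keep_sender:
+- type: not_replicated
+- type: regex
+regex: "^manual_.*"
+- type: grid
+grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+regex: "^zrepl_.*"
+keep_receiver:
+- type: regex
+regex: "^manual_.*"
+- type: grid
+grid: 1x1h(keep=all) | 24x1h | 7x1d | 4x7d | 6x30d
+regex: "^zrepl_.*"
+'';
+};
 # This value determines the NixOS release with which your system is
 # to be compatible, in order to avoid breaking some software such as
 # database servers. You should change this only after NixOS release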
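Review bot: The `dsn` of the `mysql-lock-tables` hook interpolates `config.myEnv.zrepl_backup.mysql.password` directly into the `services.zrepl.config` string, so if the module writes that string to a store path (its implementation is not visible here) the database password becomes readable by every local user, whereas the SSH identity in this same commit is delivered through `secrets.keys` with `permissions = "0400"`. Consider rendering the zrepl configuration, or at least the DSN, through the same `secrets.keys` mechanism and pointing the service at that path. Separately, the `redis_dump` hook runs `redis-cli bgsave`, which returns once the background save has been started, so with `err_is_fatal: false` a snapshot may be taken before the new dump is on disk; a comment such as `# bgsave is asynchronous: the snapshot may hold the previous dump` above the hook would document that.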