aboutsummaryrefslogtreecommitdiff
path: root/systems/dilion/base.nix
diff options
context:
space:
mode:
Diffstat (limited to 'systems/dilion/base.nix')
-rw-r--r--systems/dilion/base.nix76
1 files changed, 51 insertions, 25 deletions
diff --git a/systems/dilion/base.nix b/systems/dilion/base.nix
index b47d928..05593aa 100644
--- a/systems/dilion/base.nix
+++ b/systems/dilion/base.nix
@@ -230,6 +230,7 @@
230 230
231 systemd.services.zrepl.serviceConfig.User = "backup"; 231 systemd.services.zrepl.serviceConfig.User = "backup";
232 systemd.services.zrepl.path = [ pkgs.openssh ]; 232 systemd.services.zrepl.path = [ pkgs.openssh ];
233 systemd.services.zrepl.unitConfig.After = lib.mkForce [ "wg-quick-wg0.service" "zfs.target" ];
233 # pour eldiron: 234 # pour eldiron:
234 # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup 235 # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
235 # pour flony: 236 # pour flony:
@@ -242,44 +243,69 @@
242 jobs = [ 243 jobs = [
243 { 244 {
244 type = "sink"; 245 type = "sink";
245 # must not change 246 name = "backup-from-immae-eu";
246 name = "backup-from-eldiron";
247 root_fs = "zpool/backup"; 247 root_fs = "zpool/backup";
248 serve.type = "tls"; 248 serve.type = "tls";
249 serve.listen = ":19000"; 249 serve.listen = "192.168.1.8:19000";
250 serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt"; 250 serve.ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
251 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt"; 251 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
252 serve.key = config.secrets.fullPaths."zrepl/dilion.key"; 252 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
253 serve.client_cns = [ "eldiron" ]; 253 serve.client_cns = [ "eldiron" ];
254 } 254 }
255 { 255 {
256 type = "source"; 256 type = "push";
257 # must not change 257 # must not change
258 name = "backup-to-wd-zpool"; 258 name = "backup-to-raspi-encrypted";
259 # not encrypted!
260 serve.type = "tls";
261 serve.listen = ":19001";
262 serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
263 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
264 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
265 serve.client_cns = [ "flony" ];
266 filesystems."zpool/libvirt<" = true;
267 filesystems."zpool/root<" = true; 259 filesystems."zpool/root<" = true;
268 snapshotting.type = "manual"; 260 filesystems."zpool/root/tmp" = false;
261 connect = {
262 address = "192.168.44.101:19025";
263 type = "tls";
264 server_cn = "raspi";
265 ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
266 cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
267 key = config.secrets.fullPaths."zrepl/dilion.key";
268 };
269 send.encrypted = true;
270 snapshotting = {
271 type = "cron";
272 prefix = "raspi_zrepl_";
273 cron = "30 1 * * *"; # Europe/Paris
274 };
275 pruning.keep_sender = [
276 { type = "regex"; negate = true; regex = "^raspi_zrepl_.*"; }
277 { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
278 ];
279 pruning.keep_receiver = [
280 { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
281 ];
269 } 282 }
270 { 283 {
271 type = "source"; 284 type = "push";
272 # must not change 285 # must not change
273 name = "backup-to-wd-zpool-docker"; 286 name = "backup-to-raspi-clear";
274 # not encrypted!
275 serve.type = "tls";
276 serve.listen = ":19002";
277 serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
278 serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
279 serve.key = config.secrets.fullPaths."zrepl/dilion.key";
280 serve.client_cns = [ "flony" ];
281 filesystems."zpool/docker<" = true; 287 filesystems."zpool/docker<" = true;
282 snapshotting.type = "manual"; 288 filesystems."zpool/libvirt<" = true;
289 connect = {
290 address = "192.168.44.101:19025";
291 type = "tls";
292 server_cn = "raspi";
293 ca = config.secrets.fullPaths."zrepl/certificates/ca.crt";
294 cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
295 key = config.secrets.fullPaths."zrepl/dilion.key";
296 };
297 snapshotting = {
298 type = "cron";
299 prefix = "raspi_zrepl_";
300 cron = "0 1 * * *"; # Europe/Paris
301 };
302 pruning.keep_sender = [
303 { type = "regex"; negate = true; regex = "^raspi_zrepl_.*"; }
304 { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
305 ];
306 pruning.keep_receiver = [
307 { type = "grid"; grid = "3x1d"; regex = "^raspi_zrepl_.*"; }
308 ];
283 } 309 }
284 ]; 310 ];
285 }; 311 };
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-14 20:00:48 +0000