From 70481fab46f4ef07f0638f9c03a0f6a7f98324de Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 12 May 2023 11:23:15 -0700
Subject: profiles/backup: configure the backup server
It creates the user, ensure sftp is configured correctly, and rsync the backups to rsync.net once a day.
---
 hosts/tahoe/default.nix | 16 +----------
 hosts/tahoe/services.nix | 16 -----------
 modules/services/backup/default.nix | 2 --
 modules/services/backup/rsync.nix | 57 -------------------------------------
 profiles/backup.nix | 49 +++++++++++++++++++++++++++++++
 5 files changed, 50 insertions(+), 90 deletions(-)
 delete mode 100644 modules/services/backup/rsync.nix
 create mode 100644 profiles/backup.nix
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index 0f5dec0..ae4bef8 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -1,7 +1,4 @@
 { config, pkgs, hostname, self, ... }:
-let
- sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
-in
 {
 imports = [
 ./boot.nix
@@ -14,23 +11,12 @@ in
 "${self}/profiles/nginx.nix"
 "${self}/profiles/unifi.nix"
 "${self}/profiles/samba.nix"
+ "${self}/profiles/backup.nix"
 "${self}/profiles/git-server.nix"
 "${self}/profiles/music-server.nix"
 "${self}/profiles/hardware/amd.nix"
 ];
- # a user used only for backups
- users.users.backup = {
- createHome = false;
- uid = 991;
- isSystemUser = true;
- group = "users";
- home = "/data/slow/backups/hosts";
- openssh.authorizedKeys.keys = with sshPub; [
- restic
- ];
- };
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index 058d31c..4b29870 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -38,22 +38,6 @@ in
 ];
 exclude = [ ];
 };
-
- backup.rsync = {
- enable = true;
- timerConfig = { OnCalendar = "00:15"; };
- sourceDir = "/data/slow/backups/";
- destination = "de2664@de2664.rsync.net:backups/";
- };
-
 sendsms.enable = true;
 };
-
- services.openssh.sftpServerExecutable = "internal-sftp";
- services.openssh.extraConfig = ''
- Match User backup
- ChrootDirectory ${config.users.users.backup.home}
- ForceCommand internal-sftp
- AllowTcpForwarding no
- '';
 }
diff --git a/modules/services/backup/default.nix b/modules/services/backup/default.nix
index c9cce53..3481f3f 100644
--- a/modules/services/backup/default.nix
+++ b/modules/services/backup/default.nix
@@ -7,8 +7,6 @@ let
 + (writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
 in
 {
- imports = [ ./rsync.nix ];
-
 options.my.services.backup = with lib; {
 enable = mkEnableOption "Enable backups for this host";
diff --git a/modules/services/backup/rsync.nix b/modules/services/backup/rsync.nix
deleted file mode 100644
index d58dfe9..0000000
--- a/modules/services/backup/rsync.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- cfg = config.my.services.backup.rsync;
- secrets = config.age.secrets;
- ssh-key-path = secrets."rsync.net/ssh-key".path;
-in
-{
- options.my.services.backup.rsync = with lib; {
- enable = mkEnableOption "rsync backup service";
-
- sourceDir = mkOption {
- type = types.path;
- example = "/data/slow/backups";
- description = "The directory to synchronize";
- };
-
- destination = mkOption {
- type = types.str;
- example = "de2664@de2664.rsync.net:backups/";
- description = "The destination";
- };
-
- timerConfig = mkOption {
- default = { OnCalendar = "daily"; };
- example = {
- OnCalendar = "00:05";
- RandomizedDelaySec = "5h";
- };
- description = ''
- When to run rsync. See man systemd.timer for details.
- '';
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd = {
- timers.rsync-backups = {
- description = "synchronize restic repository to rsync.net";
- wantedBy = [ "timers.target" ];
- partOf = [ "rsync-backups.service" ];
- timerConfig = cfg.timerConfig;
- };
- services.rsync-backups = {
- description = "synchronize restic repository to rsync.net";
- serviceConfig = {
- Type = "oneshot";
- };
- script = ''
- exec ${pkgs.rsync}/bin/rsync \
- -azq --delete \
- -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
- ${cfg.sourceDir} ${cfg.destination}
- '';
- };
- };
- };
-}
diff --git a/profiles/backup.nix b/profiles/backup.nix
new file mode 100644
index 0000000..59b4c18
--- /dev/null
+++ b/profiles/backup.nix
@@ -0,0 +1,49 @@
+{ pkgs, config, lib, ... }:
+let
+ sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
+ secrets = config.age.secrets;
+ ssh-key-path = secrets."rsync.net/ssh-key".path;
+ backupDir = "/data/slow/backups/";
+ backupDest = "de2664@de2664.rsync.net";
+in
+{
+ # a user used only for backups
+ users.users.backup = {
+ uid = 991;
+ createHome = false;
+ isSystemUser = true;
+ group = "users";
+ home = "${backupDir}/hosts";
+ openssh.authorizedKeys.keys = with sshPub; [
+ restic
+ ];
+ };
+
+ services.openssh.sftpServerExecutable = "internal-sftp";
+ services.openssh.extraConfig = ''
+ Match User backup
+ ChrootDirectory ${config.users.users.backup.home}
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ '';
+
+ systemd.timers.rsync-backups = {
+ description = "synchronize restic repository to rsync.net";
+ wantedBy = [ "timers.target" ];
+ partOf = [ "rsync-backups.service" ];
+ timerConfig = {
+ OnCalendar = "04:00";
+ };
+ };
+
+ systemd.services.rsync-backups = {
+ description = "synchronize restic repository to rsync.net";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ exec ${pkgs.rsync}/bin/rsync \
+ -azq --delete \
+ -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
+ ${backupDir} ${backupDest}:backups/
+ '';
+ };
+}
-- 
cgit 1.4.1
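Review bot: `sshPub` in profiles/backup.nix reads `../../configs/ssh-pubkeys.toml`, a path copied unchanged from hosts/tahoe/default.nix, but profiles/ sits one level shallower than hosts/tahoe/ (see the diffstat and the `"${self}/profiles/backup.nix"` import), so from the new file it resolves outside the repository and evaluation will fail or pick up the wrong file; it should be `../configs/ssh-pubkeys.toml`. Relatedly, `backupDir` already ends in a slash, so `home = "${backupDir}/hosts"` yields `/data/slow/backups//hosts` in both the user's home and the `ChrootDirectory` line; `"${backupDir}hosts"` avoids that. The `Match User backup` block forces `internal-sftp` and disables TCP forwarding but leaves the other channel types at sshd defaults; the usual chroot-sftp set also includes `X11Forwarding no`, `AllowAgentForwarding no` and `PermitTTY no`, and ChrootDirectory further requires the directory and every parent to be root-owned and not group/world-writable, which nothing in this file declares (a `systemd.tmpfiles.rules` entry would make that explicit). The rsync-backups unit runs as root and invokes ssh with only `-i`; unless the rsync.net host key is declared elsewhere (e.g. via `programs.ssh.knownHosts`), the non-interactive first run fails host-key verification, and declaring it also pins the key. Since the transfer uses `--delete`, any local deletion or corruption of the restic repository is mirrored off-site at the next 04:00 run, so off-site retention depends on the provider's snapshots rather than on this unit.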