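{ self, pkgs, config, lib, ... }:
let
  # public keys of the hosts allowed to log in as `backup` and push their
  # restic repositories here
  sshPub = builtins.fromTOML (builtins.readFile "${self}/configs/ssh-pubkeys.toml");
  secrets = config.age.secrets;
  # private key the nightly push uses to authenticate to rsync.net,
  # resolved from config.age.secrets
  ssh-key-path = secrets."rsync.net/ssh-key".path;
  # local directory holding the restic repositories. The trailing slash
  # matters to rsync: it copies the *contents* of the directory, not the
  # directory itself.
  backupDir = "/data/slow/backups/";
  backupDest = "de2664@de2664.rsync.net";
  # chroot/home of the backup user. Joined without an extra "/" so the
  # result is ".../backups/hosts" rather than ".../backups//hosts".
  backupHome = "${backupDir}hosts";
in
{
  # a user used only for backups: remote hosts authenticate with the
  # `restic` key and are confined to SFTP inside the chroot below
  users.users.backup = {
    uid = 991;
    createHome = false;
    isSystemUser = true;
    group = "users";
    home = backupHome;
    openssh.authorizedKeys.keys = with sshPub; [
      restic
    ];
  };

  # in-process SFTP server, so no binaries are needed inside the chroot
  services.openssh.sftpServerExecutable = "internal-sftp";
  # Confine the backup user to file transfer only: no shell, no port,
  # agent or X11 forwarding through this account. sshd additionally
  # requires the ChrootDirectory to be root-owned and not writable by
  # others; that is a property of the filesystem and is not enforced here.
  services.openssh.extraConfig = ''
    Match User backup
      ChrootDirectory ${config.users.users.backup.home}
      ForceCommand internal-sftp
      AllowTcpForwarding no
      AllowAgentForwarding no
      X11Forwarding no
  '';

  # nightly off-site copy of everything under backupDir
  systemd.timers.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    wantedBy = [ "timers.target" ];
    partOf = [ "rsync-backups.service" ];
    timerConfig = {
      OnCalendar = "04:00";
    };
  };

  # Runs as root (no User set) so it can read backupDir and the ssh key.
  # Note that --delete mirrors local removals to the remote at the next
  # run, so a local loss or corruption of a repository is propagated;
  # any safety net against that has to live on the remote side.
  # Host-key verification relies on the root user's known_hosts —
  # NOTE(review): confirm it holds the rsync.net key, otherwise the
  # non-interactive run cannot complete the handshake.
  systemd.services.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    serviceConfig.Type = "oneshot";
    script = ''
      exec ${pkgs.rsync}/bin/rsync \
        -azq --delete \
        -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
        ${backupDir} ${backupDest}:backups/
    '';
  };
}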