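{ self, pkgs, config, lib, ... }:
# Off-site backup profile: exposes a chrooted, SFTP-only `backup` account that
# other hosts push their restic repositories into, and mirrors the whole local
# backup tree to rsync.net once a day.
let
  # Public keys shared across the flake; only the `restic` key is granted here.
  sshPub = builtins.fromTOML (builtins.readFile "${self}/configs/ssh-pubkeys.toml");
  secrets = config.age.secrets;
  # agenix-managed private key used for the outbound rsync.net connection
  # (readable by root only, which is why the sync service runs as root).
  ssh-key-path = secrets."rsync.net/ssh-key".path;
  # Local backup tree, without a trailing slash so that derived paths such as
  # `${backupDir}/hosts` (used as the ChrootDirectory) contain no `//`.
  backupDir = "/data/slow/backups";
  backupDest = "de2664@de2664.rsync.net";
in
{
  # a user used only for backups: no shell, only SFTP inside its chroot
  users.users.backup = {
    uid = 991;
    createHome = false;
    isSystemUser = true;
    # NOTE(review): the account sits in the generic `users` group; a dedicated
    # group would give tighter ownership of the pushed data, but the ownership
    # of the existing tree depends on this, so it is left as is.
    group = "users";
    # This is also the ChrootDirectory below. sshd refuses the login unless
    # every component of this path is owned by root and not group/world
    # writable; the per-host directories the pushing hosts write into must
    # therefore live underneath it, not be the chroot root itself.
    home = "${backupDir}/hosts";
    # Explicit attribute access instead of `with sshPub;` so a typo in the key
    # name is a build error rather than a silently unbound name.
    openssh.authorizedKeys.keys = [ sshPub.restic ];
  };

  services.openssh.sftpServerExecutable = "internal-sftp";
  # extraConfig is appended at the end of sshd_config, so this Match block
  # must remain the last thing added: any directive appended after it would
  # silently fall under `Match User backup`. An SFTP-only account needs none
  # of the forwarding/tunnel/tty features, so all of them are switched off,
  # not just TCP forwarding.
  services.openssh.extraConfig = ''
    Match User backup
      ChrootDirectory ${config.users.users.backup.home}
      ForceCommand internal-sftp
      AllowTcpForwarding no
      AllowAgentForwarding no
      X11Forwarding no
      PermitTunnel no
      PermitTTY no
  '';

  systemd.timers.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    wantedBy = [ "timers.target" ];
    partOf = [ "rsync-backups.service" ];
    timerConfig = {
      OnCalendar = "04:00";
      # Catch up at next boot instead of silently skipping a day when the
      # machine was powered off at 04:00.
      Persistent = true;
    };
  };

  # Mirrors the whole local backup tree to rsync.net. Runs as root so it can
  # read the agenix key and every host's repository.
  #
  # The rsync.net host key must already be pinned in root's known_hosts (for
  # example via `programs.ssh.knownHosts`); without it the non-interactive ssh
  # fails host-key verification. Do not "fix" that with StrictHostKeyChecking=no.
  # BatchMode makes ssh fail fast instead of hanging on a prompt, and
  # IdentitiesOnly keeps it from offering any other key root happens to have.
  #
  # `--delete` propagates local deletions: a wiped or ransomware-encrypted
  # local tree is mirrored on the next run, so the remote side's own
  # snapshots are the only protection against that. Keep them enabled.
  systemd.services.rsync-backups = {
    description = "synchronize restic repository to rsync.net";
    serviceConfig.Type = "oneshot";
    script = ''
      exec ${pkgs.rsync}/bin/rsync \
        -azq --delete \
        -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path} -o BatchMode=yes -o IdentitiesOnly=yes' \
        ${backupDir}/ ${backupDest}:backups/
    '';
  };
}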