| author | Franck Cuny <franck@fcuny.net> | 2023-05-12 11:23:15 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2023-05-12 11:24:09 -0700 |
| commit | 70481fab46f4ef07f0638f9c03a0f6a7f98324de (patch) | |
| tree | 0b4f74537f98628b82427c0a0fe7d6b87f04b63f /profiles/backup.nix | |
| parent | ops: remove everything under ops (diff) | |
| download | infra-70481fab46f4ef07f0638f9c03a0f6a7f98324de.tar.gz | |
profiles/backup: configure the backup server
It creates the user, ensures sftp is configured correctly, and rsyncs the
backups to rsync.net once a day.
Diffstat (limited to '')
| -rw-r--r-- | profiles/backup.nix | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/profiles/backup.nix b/profiles/backup.nix
new file mode 100644
index 0000000..59b4c18
--- /dev/null
+++ b/profiles/backup.nix
@@ -0,0 +1,49 @@
+{ pkgs, config, lib, ... }:
+let
+  sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
+  secrets = config.age.secrets;
+  ssh-key-path = secrets."rsync.net/ssh-key".path;
+  backupDir = "/data/slow/backups/";
+  backupDest = "de2664@de2664.rsync.net";
+in
+{
+  # a user used only for backups
+  users.users.backup = {
+    uid = 991;
+    createHome = false;
+    isSystemUser = true;
+    group = "users";
+    home = "${backupDir}/hosts";
+    openssh.authorizedKeys.keys = with sshPub; [
+      restic
+    ];
+  };
+
+  services.openssh.sftpServerExecutable = "internal-sftp";
+  services.openssh.extraConfig = ''
+    Match User backup
+      ChrootDirectory ${config.users.users.backup.home}
+      ForceCommand internal-sftp
+      AllowTcpForwarding no
+  '';
+
+  systemd.timers.rsync-backups = {
+    description = "synchronize restic repository to rsync.net";
+    wantedBy = [ "timers.target" ];
+    partOf = [ "rsync-backups.service" ];
+    timerConfig = {
+      OnCalendar = "04:00";
+    };
+  };
+
+  systemd.services.rsync-backups = {
+    description = "synchronize restic repository to rsync.net";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      exec ${pkgs.rsync}/bin/rsync \
+        -azq --delete \
+        -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
+        ${backupDir} ${backupDest}:backups/
+    '';
+  };
+} |
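Review bot: The rsync-backups service runs ssh non-interactively from a systemd oneshot, but the hunk pins no host key for `de2664.rsync.net`, so unless root's known_hosts already holds it the first run fails at host key verification, and any later relaxation of that check would trust whichever key answers; pin it declaratively next to the ssh-key secret, e.g. `programs.ssh.knownHosts."de2664.rsync.net".publicKey = "<RSYNC_NET_HOST_KEY_PLACEHOLDER>";`. Separately, `-azq --delete` in the script mirrors any local deletion or corruption of the restic repository to the offsite copy at the next 04:00 run, so the offsite copy is only as good as rsync.net's own snapshot retention; a comment stating that dependency, or dropping `--delete` in favour of a periodic prune, would make the recovery assumption explicit. The `ChrootDirectory` in the `Match User backup` block resolves to `${backupDir}/hosts`, which sshd presumably only accepts when that path and every parent are root-owned and not group- or world-writable; nothing in this hunk creates or owns that directory (`createHome = false`), and the double slash from backupDir's trailing slash suggests a `systemd.tmpfiles.rules` entry would pin both the layout and the ownership the chroot needs.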
