Update cryochamber config

2025-09-03 09:48:08 -07:00 · 2025-09-03 09:48:08 -07:00 · d01e1586f6
commit d01e1586f6
parent 0bd148997c
2 changed files with 175 additions and 0 deletions
--- a/zfsrent/configuration.nix
+++ b/zfsrent/configuration.nix
@ -103,8 +103,40 @@ in
    zsh
    tmux
    docker-compose
+    lzop # for syncoid
+    pv # for syncoid
+    mbuffer # for syncoid
  ];

+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "weekly";
+    pools = [ "tank" ];
+  };
+
+  services.sanoid = {
+    enable = true;
+
+    templates.backup = {
+      frequently = 0;
+      hourly = 0;
+      daily = 30;
+      monthly = 6;
+      yearly = 3;
+      autosnap = false;
+      autoprune = true;
+      recursive = true;
+    };
+
+    datasets."tank" = {
+      useTemplate = [ "backup" ];
+    };
+
+    datasets."rpool/safe" = {
+      useTemplate = [ "backup" ];
+    };
+  };
+
  # Define a user account
  users.users.hunner = {
    isNormalUser = true;
@ -126,8 +158,79 @@ in
      tldr
      unzip
      lsof
+      gnupg
    ];
  };
+  users.users.backup = {
+    isNormalUser = true;
+    description = "Backup replication user";
+    shell = pkgs.bash;
+    packages = with pkgs; [
+      sanoid
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
+    ];
+  };
+
+  #services.syncoid = {
+  #  enable = true;
+  #  user = "backup";
+  #  sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
+  #  commonArgs = [
+  #    #"--sshoption=StrictHostKeyChecking=off"
+  #    "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
+  #    "--sshoption=IdentitiesOnly=yes"
+  #  ];
+  #  #commands."zima-bitrot" = {
+  #  #  source = "backup@zima:bitrot";
+  #  #  target = "tank/backups/zima/bitrot";
+  #  #  recursive = true;
+  #  #};
+  #  commands."zima-rpool-safe" = {
+  #    source = "backup@zima:rpool/safe";
+  #    target = "tank/backups/zima/rpool-safe";
+  #    recursive = true;
+  #  };
+  #};
+  #systemd.services.syncoid-zima-rpool-safe.serviceConfig = {
+  #  Environment = [
+  #    "HOME=/var/lib/syncoid"
+  #    "SSH_AUTH_SOCK="
+  #  ];
+  #  ExecStartPre = [
+  #    "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
+  #    "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
+  #    "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
+  #    "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
+  #    "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
+  #    "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
+  #  ];
+  #};
+
+  #systemd.services.syncoid-replication = {
+  #  description = "ZFS syncoid replication";
+  #  path = with pkgs; [ sanoid openssh zfs ];
+  #  wants = [ "network-online.target" ];
+  #  after = [ "network-online.target" "zfs.target" ];
+
+  #  startAt = "03:00";
+
+  #  serviceConfig = {
+  #    Type = "oneshot";
+  #    User = "backup";
+  #    ExecStart = ''
+  #      ${pkgs.sanoid}/bin/syncoid \
+  #        --recursive \
+  #        --create-bookmark \
+  #        --sendoptions=w \
+  #        --source-bwlimit=50000 \
+  #        backup@zima:rpool/safe \
+  #        tank/backups/zima/rpool-safe
+  #    '';
+  #    TimeoutStartSec = "6h";
+  #  };
+  #};

  programs.direnv = {
    enable = true;
@ -136,6 +239,14 @@ in
  programs.zsh.enable = true;
  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
+  services.openssh.settings.Macs = [
+    "hmac-sha2-512"
+    "hmac-sha2-512-etm@openssh.com"
+    "hmac-sha2-256-etm@openssh.com"
+    "umac-128-etm@openssh.com"
+  ];
+
+  services.tailscale.enable = true;

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nixpkgs.config.allowUnfree = true;
--- a/zfsrent/hardware-configuration.nix
+++ b/zfsrent/hardware-configuration.nix
@ -0,0 +1,64 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/local/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8553-FF36";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/persist" =
+    { device = "rpool/safe/persist";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib" =
+    { device = "rpool/local/var/lib";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/log" =
+    { device = "rpool/local/var/log";
+      fsType = "zfs";
+    };
+
+  #swapDevices =
+  #  [ { device = "/dev/disk/by-uuid/c9c11edf-7989-4141-b647-4dbac7de5293"; }
+  #  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}