vor remote backups

BCNelson · Dec 2, 2023 · 231ba47 · 231ba47
1 parent 3502128
commit 231ba47
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 4 deletions.
diff --git a/nixos/romeo/backups.nix b/nixos/romeo/backups.nix
@@ -1,4 +1,4 @@
-_:
+{ lib, ... }:
 {
   services.sanoid = {
     enable = true;
@@ -51,6 +51,15 @@ _:
         yearly = 1;
         useTemplate = [ "common" ];
       };
+      "vault/remotebackups/VorNelsonData" = {
+        hourly = 72;
+        daily = 31;
+        weekly = 26;
+        monthly = 12;
+        yearly = 5;
+        useTemplate = [ "common" ];
+        autosnap = false;
+      };
     };
     templates = {
       "common" = {
@@ -60,4 +69,20 @@ _:
       };
     };
   };
+  services.syncoid = {
+    enable = true;
+    commonArgs = [ "--debug" ];
+    #https://github.com/NixOS/nixpkgs/pull/265543
+    service.serviceConfig.PrivateUsers = lib.mkForce false;
+    commands = {
+      "vor/vault/Backups/NelsonData" = {
+        source = "[email protected]:vault/Backups/NelsonData";
+        target = "vault/remotebackups/VorNelsonData";
+        extraArgs = [
+            "--compress=zstd-slow"
+            "--source-bwlimit=15m"
+        ];
+      };
+    };
+  };
 }
diff --git a/tailscale-acl.hujson b/tailscale-acl.hujson
@@ -14,7 +14,8 @@
 
 	// Declare convenient hostname aliases to use in place of IP addresses.
 	"hosts": {
-		"vor": "100.73.83.164"
+		"vor": "100.73.83.164",
+		"romeo": "100.76.49.168"
 	},
 
 	"tagOwners": {
@@ -27,15 +28,22 @@
 	"acls": [
 		// Match absolutely everything.
 		// Comment this section out if you want to define specific restrictions.
-		{"action": "accept", "users": ["group:admin"], "ports": ["*:*"]},
-		{"action": "accept", "users": ["group:nelsonFamily"], "ports": ["vor:445"]}
+		{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
+		{"action": "accept", "src": ["group:nelsonFamily"], "dst": ["vor:445"]},
+		{"action": "accept", "src":["romeo"], "dst": ["vor:22"]}
 	],
 	"ssh": [
 		{
 			"action": "accept",
 			"src":    ["group:admin"],
 			"dst":    ["tag:server"],
 			"users":  ["autogroup:nonroot", "root"]
+		},
+		{
+			"action": "accept",
+			"src":    ["tag:server"],
+			"dst":    ["tag:server"],
+			"users":  ["syncoid"]
 		}
 	],
 	"tests": [
@@ -47,6 +55,11 @@
 			"src": "group:nelsonFamily",
 			"accept": ["vor:445"],
 			"deny": ["vor:22"]
+		},
+		//Romeo should be able to access vor:22 for backup replication
+		{
+			"src": "romeo",
+			"accept": ["vor:22"]
 		}
 	]
 }