Jan/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-config/hosts/vm-oddjob/configuration.nix
Jan-Bulthuis 06eaf13ec0 Limit amount of open file handles for backup job
2025-06-20 00:27:04 +02:00

89 lines
2.5 KiB
Nix
Raw Blame History

{
inputs,
lib,
pkgs,
config,
...
}:
{
# State version
system.stateVersion = "24.11";
# Machine hostname
networking.hostName = "vm-oddjob";
# Enabled modules
modules = {
profiles.vm.enable = true;
};
# Setup NAS backups
environment.systemPackages = with pkgs; [
keyutils
];
environment.etc."request-key.d/cifs.spnego.conf".text = ''
create cifs.spnego * * ${pkgs.cifs-utils}/bin/cifs.upcall -t %k
'';
environment.etc."request-key.d/cifs.idmap.conf".text = ''
create cifs.idmap * * ${pkgs.cifs-utils}/bin/cifs.idmap %k
'';
sops.secrets."smb-credentials" = {
sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
};
sops.secrets."backup-script-env" = {
sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
};
systemd.services.mnt-nas-krb5 = {
description = "Set up Kerberos credentials for mnt-nas";
before = [ "mnt-nas.mount" ];
requiredBy = [ "mnt-nas.mount" ];
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
serviceConfig.Type = "oneshot";
script = ''
. ${config.sops.secrets."smb-credentials".path}
echo $password | ${pkgs.krb5}/bin/kinit $username
'';
};
services.cron = {
enable = true;
systemCronJobs =
let
script = pkgs.writeShellScript "backup-script" (
lib.concatStrings (
[
''
. ${config.sops.secrets."backup-script-env".path}
export PBS_REPOSITORY=$PBS_REPOSITORY
export PBS_NAMESPACE=$PBS_NAMESPACE
export PBS_PASSWORD=$PBS_PASSWORD
export PBS_FINGERPRINT=$PBS_FINGERPRINT
''
]
++ lib.map (share: ''
${pkgs.util-linux}/bin/prlimit --nofile=1024:1024 ${pkgs.proxmox-backup-client}/bin/proxmox-backup-client backup nfs.pxar:/mnt/${share} --ns $PBS_NAMESPACE --backup-id share-${share} --change-detection-mode=metadata --exclude "#recycle"
'') inputs.secrets.lab.nas.backupShares
)
);
in
[
"0 0 * * * ${script} "
];
};
# Mount filesystems
fileSystems = lib.listToAttrs (
lib.map (share: {
name = "/mnt/${share}";
value = {
device = "//${inputs.secrets.lab.nas.host}/${share}";
fsType = "cifs";
options = [
"sec=krb5,credentials=${config.sops.secrets."smb-credentials".path}"
];
};
}) inputs.secrets.lab.nas.backupShares
);
}
Reference in New Issue View Git Blame Copy Permalink