From 7e39bf3ba2a97688028baf8201ef76278f101459 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Fri, 13 Feb 2026 18:24:41 +0900
Subject: [PATCH] bicep/matrix/ooye: add rsync pull target for principal
 backups

---
 .../services/matrix/out-of-your-element.nix   | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hosts/bicep/services/matrix/out-of-your-element.nix b/hosts/bicep/services/matrix/out-of-your-element.nix
index b899278..16ec794 100644
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, fp, ... }:
+{ config, pkgs, lib, values, fp, ... }:
 let
   cfg = config.services.matrix-ooye;
 in
@@ -28,6 +28,23 @@ in
     };
   };
 
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations."/var/lib/private/matrix-ooye" = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5koYfor5+kKB30Dugj3dAWvmj8h/akQQ2XYDvLobFL matrix_ooye rsync backup";
+    };
+  };
+
   services.matrix-ooye = {
     enable = true;
     homeserver = "https://matrix.pvv.ntnu.no";