modules/rsync-pull-targets: fix multiple pull targets with same user

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769400154,
+        "lastModified": 1769510541,
-        "narHash": "sha256-K0OeXzFCUZTkCBxUDr3U3ah0odS/urtNVG09WDl+HAA=",
+        "narHash": "sha256-jxuQY0anT3YpwpnYB5w7p6EPS6UWIj4vGxzfsOJvC1I=",
         "ref": "main",
-        "rev": "8e84669d9bf963d5e46bac37fe9b0aa8e8be2d01",
+        "rev": "ec43f67e58f049a709fa2c19601b8c637f38126f",
-        "revCount": 230,
+        "revCount": 232,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
       },
@@ -174,11 +174,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768749374,
+        "lastModified": 1769500363,
-        "narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=",
+        "narHash": "sha256-vFxmdsLBPdTy5j2bf54gbTQi1XnWbZDmeR/BBh8MFrw=",
         "ref": "main",
-        "rev": "040294f2e1df46e33d995add6944b25859654097",
+        "rev": "2618e434e40e109eaab6a0693313c7e0de7324a3",
-        "revCount": 37,
+        "revCount": 47,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
       },
@@ -217,11 +217,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768955766,
+        "lastModified": 1769018862,
-        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
+        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
+        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
         "type": "github"
       },
       "original": {
@@ -233,11 +233,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768877948,
+        "lastModified": 1769484787,
-        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "narHash": "sha256-ufhG9uSA8cCEk/97D/7xQEKcO/ftr4IPRH+HQFaKNdE=",
-        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
+        "rev": "999ca0e5484922624254294ea1adc2b90081579e",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4804.999ca0e54849/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -261,11 +261,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1768886240,
+        "lastModified": 1769434638,
-        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "narHash": "sha256-u19M4QdjvjEySkGhP4fUNyY6rqAbPCdQf/AFw04CkQU=",
-        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
+        "rev": "9c2822d7024c032e66000a8b8a47e91b4e63ffc8",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre935000.9c2822d7024c/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -300,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768636400,
+        "lastModified": 1769009806,
-        "narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=",
+        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
         "ref": "main",
-        "rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856",
+        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
-        "revCount": 573,
+        "revCount": 575,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -364,11 +364,11 @@
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1768140181,
+        "lastModified": 1769325266,
-        "narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
+        "narHash": "sha256-q2G2NG7I1tvfFK4GDnn3vt1CCg0GN4ncdo0NSY+Q2Nc=",
         "ref": "main",
-        "rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
+        "rev": "23b163e828901cb981eec6f3262e922f437f850b",
-        "revCount": 43,
+        "revCount": 45,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
@@ -428,11 +428,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767322002,
+        "lastModified": 1769309768,
-        "narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
         "type": "github"
       },
       "original": {
@@ -448,11 +448,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1769469829,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -281,7 +281,16 @@
     };
 
     devShells = forAllSystems (system: {
-      default = nixpkgs-unstable.legacyPackages.${system}.callPackage ./shell.nix { };
+      default = let
+        pkgs = import nixpkgs-unstable {
+          inherit system;
+          overlays = [
+            (final: prev: {
+              inherit (inputs.disko.packages.${system}) disko;
+            })
+          ];
+        };
+      in pkgs.callPackage ./shell.nix { };
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;

hosts/bekkalokk/services/mediawiki/default.nix

@@ -52,7 +52,7 @@ in {
   services.rsync-pull-targets = {
     enable = true;
     locations.${cfg.uploadsDir} = {
-      user = config.services.root;
+      user = "root";
       rrsyncArgs.ro = true;
       authorizedKeysAttrs = [
         "restrict"
@@ -61,9 +61,7 @@ in {
         "no-pty"
         "no-X11-forwarding"
       ];
-      # TODO: create new key on principal
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHFHa3Iq1oKPhbKCAIHgOoWOTkLmIc7yqxeTbut7ig/ mediawiki rsync backup";
-      enable = false;
-      publicKey = "";
     };
   };
 

hosts/bicep/services/matrix/synapse.nix

@@ -30,7 +30,7 @@ in {
   services.rsync-pull-targets = {
     enable = true;
     locations.${cfg.settings.media_store_path} = {
-      user = config.services.root;
+      user = "root";
       rrsyncArgs.ro = true;
       authorizedKeysAttrs = [
         "restrict"
@@ -39,9 +39,7 @@ in {
         "no-pty"
         "no-X11-forwarding"
       ];
-      # TODO: create new key on principal
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASnjI9b3j4ZS3BL/D1ggHfws1BkE8iS0v0cGpEmbG+k matrix_media_store rsync backup";
-      enable = false;
-      publicKey = "";
     };
   };
 

hosts/bicep/services/minecraft-heatmap.nix

@@ -22,7 +22,7 @@ in
     };
   };
 
-  systemd.services.minecraft-heatmap-ingest-logs = {
+  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
     serviceConfig.LoadCredential = [
       "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
     ];

hosts/bicep/services/mysql.nix

@@ -41,7 +41,23 @@ in
 
   services.mysqlBackup = lib.mkIf cfg.enable {
     enable = true;
-    location = "/var/lib/mysql/backups";
+    location = "/var/lib/mysql-backups";
+  };
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${config.services.mysqlBackup.location} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
+    };
   };
 
   networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];

hosts/bicep/services/postgres.nix

@@ -1,4 +1,7 @@
-{ config, pkgs, values, ... }:
+{ config, lib, pkgs, values, ... }:
+let
+  cfg = config.services.postgresql;
+in
 {
   services.postgresql = {
     enable = true;
@@ -74,13 +77,13 @@
     };
   };
 
-  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = {
+  systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = lib.mkIf cfg.enable {
     user = config.systemd.services.postgresql.serviceConfig.User;
     group = config.systemd.services.postgresql.serviceConfig.Group;
     mode = "0700";
   };
 
-  systemd.services.postgresql-setup = {
+  systemd.services.postgresql-setup = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -95,7 +98,7 @@
     };
   };
 
-  systemd.services.postgresql = {
+  systemd.services.postgresql = lib.mkIf cfg.enable {
     after = [
       "systemd-tmpfiles-setup.service"
       "systemd-tmpfiles-resetup.service"
@@ -110,18 +113,34 @@
     };
   };
 
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  environment.snakeoil-certs."/etc/certs/postgres" = lib.mkIf cfg.enable {
     owner = "postgres";
     group = "postgres";
     subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
   };
 
-  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 5432 ];
-  networking.firewall.allowedUDPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ 5432 ];
 
-  services.postgresqlBackup = {
+  services.postgresqlBackup = lib.mkIf cfg.enable {
     enable = true;
-    location = "/var/lib/postgres/backups";
+    location = "/var/lib/postgres-backups";
     backupAll = true;
   };
+
+  services.rsync-pull-targets = lib.mkIf cfg.enable {
+    enable = true;
+    locations.${config.services.postgresqlBackup.location} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
+    };
+  };
 }

hosts/kommode/disks.nix

@@ -21,11 +21,11 @@
                 #     name = lib.replaceString "/" "-" subvolPath;
                 #   in {
                 #     "@${name}/active" = {
-                #       mountPoint = subvolPath;
+                #       mountpoint = subvolPath;
                 #       inherit mountOptions;
                 #     };
                 #     "@${name}/snapshots" = {
-                #       mountPoint = "${subvolPath}/.snapshots";
+                #       mountpoint = "${subvolPath}/.snapshots";
                 #       inherit mountOptions;
                 #     };
                 #   };

hosts/kommode/services/gitea/default.nix

@@ -195,6 +195,22 @@ in {
 
   networking.firewall.allowedTCPPorts = [ sshPort ];
 
+  services.rsync-pull-targets = {
+    enable = true;
+    locations.${cfg.dump.backupDir} = {
+      user = "root";
+      rrsyncArgs.ro = true;
+      authorizedKeysAttrs = [
+        "restrict"
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpMVrOppyqYaDiAhqmAuOaRsubFvcQGBGyz+NHB6+0o gitea rsync backup";
+    };
+  };
+
   systemd.services.gitea-dump = {
     serviceConfig.ExecStart = let
       args = lib.cli.toGNUCommandLineShell { } {

modules/rsync-pull-targets.nix

@@ -124,16 +124,22 @@ in
     services.openssh.enable = true;
     users.users = lib.pipe cfg.locations [
       (lib.filterAttrs (_: value: value.enable))
-      (lib.mapAttrs' (_: { user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+
-        rrsyncArgString = lib.cli.toCommandLineShellGNU {
+      lib.attrValues
-          isLong = _: false;
+
-        } rrsyncArgs;
+      # Index locations by SSH user
-        # TODO: handle " in location
+      (lib.foldl (acc: location: acc // {
-      in {
+        ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
-        name = user;
+      }) { })
-        value.openssh.authorizedKeys.keys = [
+
-          "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+      (lib.mapAttrs (_name: locations: {
-        ];
+        openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
+          rrsyncArgString = lib.cli.toCommandLineShellGNU {
+            isLong = _: false;
+          } rrsyncArgs;
+          # TODO: handle " in location
+        in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+        ) locations;
       }))
     ];
   };

shell.nix

@@ -1,15 +1,16 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShellNoCC {
   packages = with pkgs; [
-    just
+    disko
-    jq
+    editorconfig-checker
+    gnupg
     gum
+    jq
+    just
+    openstackclient
     sops
     ssh-to-age
-    gnupg
     statix
-    openstackclient
-    editorconfig-checker
   ];
 
   env = {