[perso/Immae/Config/Nix.git] / modules / duply_backup / default.nix

{ lib, pkgs, myconfig, config, ... }:

let
  cfg = myconfig.env.backup;
  varDir = "/var/lib/duply";
  duplyProfile = profile: prefix: ''
    GPG_PW="${cfg.password}"
    TARGET="${cfg.remote}${prefix}"
    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
    SOURCE="${profile.rootDir}"
    FILENAME=".duplicity-ignore"
    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
    VERBOSITY=4
    ARCH_DIR="${varDir}/caches"

    # Do a full backup after 1 month
    MAX_FULLBKP_AGE=1M
    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
    # Backups older than 2months are deleted
    MAX_AGE=2M
    # Keep 2 full backups
    MAX_FULL_BACKUPS=2
    MAX_FULLS_WITH_INCRS=2
  '';
  action = "bkp_purge_purgeFull_purgeIncr";
in
{
  options = {
    services.duplyBackup.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable remote backups.
      '';
    };
    services.duplyBackup.profiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          rootDir = lib.mkOption {
            type = lib.types.path;
            description = ''
              Path to backup
              '';
          };
          excludeFile = lib.mkOption {
            type = lib.types.lines;
            default = "";
            description = ''
              Content to put in exclude file
              '';
          };
        };
      });
    };
  };

  config = lib.mkIf config.services.duplyBackup.enable {
    system.activationScripts.backup = ''
      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
      '';
    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
      {
        permissions = "0400";
        dest = "backup/${k}/conf";
        text = duplyProfile v "${k}/";
      }
      {
        permissions = "0400";
        dest = "backup/${k}/exclude";
        text = v.excludeFile;
      }
    ]) config.services.duplyBackup.profiles);

    services.cron = {
      enable = true;
      systemCronJobs = let
        backups = pkgs.writeScript "backups" ''
          #!${pkgs.stdenv.shell}

          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
            ''
              touch ${varDir}/${k}.log
              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
            ''
          ) config.services.duplyBackup.profiles)}
        '';
      in
        [
          "0 2 * * * root ${backups}"
        ];

    };

    security.pki.certificates = let
      cert = pkgs.fetchurl {
        url = "http://downloads.e.eriomem.net/eriomemca.pem";
        sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
      };
    in [
      (builtins.readFile cert)
    ];
  };
}
Commit	Line	Data
6a8252b1 IB	1	{ lib, pkgs, myconfig, config, ... }:
	2
	3	let
	4	cfg = myconfig.env.backup;
	5	varDir = "/var/lib/duply";
	6	duplyProfile = profile: prefix: ''
	7	GPG_PW="${cfg.password}"
	8	TARGET="${cfg.remote}${prefix}"
	9	export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
	10	export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
	11	SOURCE="${profile.rootDir}"
	12	FILENAME=".duplicity-ignore"
	13	DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
	14	VERBOSITY=4
	15	ARCH_DIR="${varDir}/caches"
	16
	17	# Do a full backup after 1 month
	18	MAX_FULLBKP_AGE=1M
	19	DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
	20	# Backups older than 2months are deleted
	21	MAX_AGE=2M
	22	# Keep 2 full backups
	23	MAX_FULL_BACKUPS=2
	24	MAX_FULLS_WITH_INCRS=2
	25	'';
	26	action = "bkp_purge_purgeFull_purgeIncr";
	27	in
	28	{
	29	options = {
d2e703c5	30	services.duplyBackup.enable = lib.mkOption {
6a8252b1 IB	31	type = lib.types.bool;
	32	default = false;
	33	description = ''
	34	Whether to enable remote backups.
	35	'';
	36	};
d2e703c5	37	services.duplyBackup.profiles = lib.mkOption {
6a8252b1 IB	38	type = lib.types.attrsOf (lib.types.submodule {
	39	options = {
	40	rootDir = lib.mkOption {
	41	type = lib.types.path;
	42	description = ''
	43	Path to backup
	44	'';
	45	};
	46	excludeFile = lib.mkOption {
	47	type = lib.types.lines;
	48	default = "";
	49	description = ''
	50	Content to put in exclude file
	51	'';
	52	};
	53	};
	54	});
	55	};
	56	};
	57
d2e703c5	58	config = lib.mkIf config.services.duplyBackup.enable {
6a8252b1 IB	59	system.activationScripts.backup = ''
	60	install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
	61	'';
	62	secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
	63	{
	64	permissions = "0400";
	65	dest = "backup/${k}/conf";
	66	text = duplyProfile v "${k}/";
	67	}
	68	{
	69	permissions = "0400";
	70	dest = "backup/${k}/exclude";
	71	text = v.excludeFile;
	72	}
d2e703c5	73	]) config.services.duplyBackup.profiles);
6a8252b1 IB	74
	75	services.cron = {
	76	enable = true;
	77	systemCronJobs = let
	78	backups = pkgs.writeScript "backups" ''
	79	#!${pkgs.stdenv.shell}
	80
	81	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
	82	''
	83	touch ${varDir}/${k}.log
	84	${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
	85	''
d2e703c5	86	) config.services.duplyBackup.profiles)}
6a8252b1 IB	87	'';
	88	in
	89	[
	90	"0 2 * * * root ${backups}"
	91	];
	92
	93	};
	94
c29c32be IB	95	security.pki.certificates = let
	96	cert = pkgs.fetchurl {
	97	url = "http://downloads.e.eriomem.net/eriomemca.pem";
	98	sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
	99	};
	100	in [
	101	(builtins.readFile cert)
6a8252b1 IB	102	];
	103	};
	104	}