X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fbackup%2Fdefault.nix;fp=modules%2Fbackup%2Fdefault.nix;h=7e0e4b2c3e0abdab051e38e7b8559b408b4d6cc4;hb=245acb2459476f63db7311472ceb397f709c7671;hp=0000000000000000000000000000000000000000;hpb=4fa343dcd0b797d765ee8a3dfc14833d212b7491;p=perso%2FImmae%2FConfig%2FNix%2FNUR.git diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix @@ -0,0 +1,100 @@ +{ lib, pkgs, myconfig, config, ... }: + +let + cfg = myconfig.env.backup; + varDir = "/var/lib/duply"; + duplyProfile = profile: prefix: '' + GPG_PW="${cfg.password}" + TARGET="${cfg.remote}${prefix}" + export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}" + export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}" + SOURCE="${profile.rootDir}" + FILENAME=".duplicity-ignore" + DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'" + VERBOSITY=4 + ARCH_DIR="${varDir}/caches" + + # Do a full backup after 1 month + MAX_FULLBKP_AGE=1M + DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE " + # Backups older than 2months are deleted + MAX_AGE=2M + # Keep 2 full backups + MAX_FULL_BACKUPS=2 + MAX_FULLS_WITH_INCRS=2 + ''; + action = "bkp_purge_purgeFull_purgeIncr"; +in +{ + options = { + services.backup.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to enable remote backups. + ''; + }; + services.backup.profiles = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options = { + rootDir = lib.mkOption { + type = lib.types.path; + description = '' + Path to backup + ''; + }; + excludeFile = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Content to put in exclude file + ''; + }; + }; + }); + }; + }; + + config = lib.mkIf config.services.backup.enable { + system.activationScripts.backup = '' + install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches + ''; + secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [ + { + permissions = "0400"; + dest = "backup/${k}/conf"; + text = duplyProfile v "${k}/"; + } + { + permissions = "0400"; + dest = "backup/${k}/exclude"; + text = v.excludeFile; + } + ]) config.services.backup.profiles); + + services.cron = { + enable = true; + systemCronJobs = let + backups = pkgs.writeScript "backups" '' + #!${pkgs.stdenv.shell} + + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: + '' + touch ${varDir}/${k}.log + ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log + '' + ) config.services.backup.profiles)} + ''; + in + [ + "0 2 * * * root ${backups}" + ]; + + }; + + security.pki.certificates = [ + (builtins.readFile ./Eriomem_SAS.1.pem) + (builtins.readFile ./Eriomem_SAS.pem) + ]; + }; +}