--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+ cfg = myconfig.env.backup;
+ varDir = "/var/lib/duply";
+ duplyProfile = profile: prefix: ''
+ GPG_PW="${cfg.password}"
+ TARGET="${cfg.remote}${prefix}"
+ export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+ export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+ SOURCE="${profile.rootDir}"
+ FILENAME=".duplicity-ignore"
+ DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+ VERBOSITY=4
+ ARCH_DIR="${varDir}/caches"
+
+ # Do a full backup after 1 month
+ MAX_FULLBKP_AGE=1M
+ DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+ # Backups older than 2months are deleted
+ MAX_AGE=2M
+ # Keep 2 full backups
+ MAX_FULL_BACKUPS=2
+ MAX_FULLS_WITH_INCRS=2
+ '';
+ action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+ options = {
+ services.backup.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable remote backups.
+ '';
+ };
+ services.backup.profiles = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ rootDir = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to backup
+ '';
+ };
+ excludeFile = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Content to put in exclude file
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf config.services.backup.enable {
+ system.activationScripts.backup = ''
+ install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+ '';
+ secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+ {
+ permissions = "0400";
+ dest = "backup/${k}/conf";
+ text = duplyProfile v "${k}/";
+ }
+ {
+ permissions = "0400";
+ dest = "backup/${k}/exclude";
+ text = v.excludeFile;
+ }
+ ]) config.services.backup.profiles);
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = let
+ backups = pkgs.writeScript "backups" ''
+ #!${pkgs.stdenv.shell}
+
+ ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+ ''
+ touch ${varDir}/${k}.log
+ ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+ ''
+ ) config.services.backup.profiles)}
+ '';
+ in
+ [
+ "0 2 * * * root ${backups}"
+ ];
+
+ };
+
+ security.pki.certificates = [
+ (builtins.readFile ./Eriomem_SAS.1.pem)
+ (builtins.readFile ./Eriomem_SAS.pem)
+ ];
+ };
+}
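Review bot: The secrets interpolated into duplyProfile (`GPG_PW="${cfg.password}"`, `TARGET=...`, and the two AWS exports) are placed unescaped inside a double-quoted shell string, and duply sources the conf file as shell, so a password or key containing `"`, `$`, a backtick or a backslash will break the profile or be expanded rather than used verbatim; `GPG_PW=${lib.escapeShellArg cfg.password}` and `export AWS_SECRET_ACCESS_KEY=${lib.escapeShellArg cfg.secretAccessKey}` (and likewise for the other two) make the value literal. Whether the `text` attribute handed to `secrets.keys` ever passes through the Nix store is not visible here, so it is worth confirming that the mechanism writes the 0400 files directly and does not first materialise them as a world-readable store path. `security.pki.certificates` adds both Eriomem PEMs to the host-wide trust store, which trusts that CA for every TLS client on the machine, not just the backup job; if the backend honours it, scoping the CA to duplicity (e.g. its `--ssl-cacert-file` option in DUPL_PARAMS) keeps that trust local to the backup. Finally, the profile name `k` is spliced unquoted into the cron script's duply invocation, so a profile attribute name with whitespace would split the argument — quoting the path with `lib.escapeShellArg` avoids that.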
opendmarc = ./opendmarc.nix;
openarc = ./openarc.nix;
+ backup = ./backup;
naemon = ./naemon;
php-application = ./websites/php-application.nix;
# Check that there is no clash with nixos/modules/misc/ids.nix
config = {
ids.uids = {
+ backup = 389;
vhost = 390;
openarc = 391;
opendmarc = 392;
};
ids.gids = {
nagios = 11; # commented in the ids file
+ backup = 389;
vhost = 390;
openarc = 391;
opendmarc = 392;
unitConfig.RequiresMountsFor = cfg.dataDir;
};
+ systemd.services.mastodon-cleanup = {
+ description = "Cleanup mastodon";
+ startAt = "daily";
+ restartIfChanged = false;
+
+ environment.RAILS_ENV = "production";
+ environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+ environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+ environment.SOCKET = cfg.sockets.rails;
+
+ path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+ script = ''
+ exec ./bin/tootctl media remove --days 30
+ '';
+
+ serviceConfig = {
+ User = cfg.user;
+ EnvironmentFile = cfg.configFile;
+ PrivateTmp = true;
+ Type = "oneshot";
+ WorkingDirectory = cfg.workdir;
+ StateDirectory = cfg.systemdStateDirectory;
+ RuntimeDirectory = cfg.systemdRuntimeDirectory;
+ RuntimeDirectoryPreserve = "yes";
+ };
+
+ unitConfig.RequiresMountsFor = cfg.dataDir;
+ };
+
systemd.services.mastodon-sidekiq = {
description = "Mastodon Sidekiq";
wantedBy = [ "multi-user.target" ];
};
config = lib.mkIf (builtins.length cfg.sites > 0) {
+ services.backup.profiles.goaccess = {
+ rootDir = cfg.dataDir;
+ };
users.users.root.packages = [
pkgs.goaccess
];