Use attrs for secrets instead of lists
[perso/Immae/Config/Nix.git] / modules / duply_backup / default.nix
# modules/duply_backup/default.nix
#
# NixOS module that runs a nightly duply (duplicity) backup of every declared
# profile towards each of its remotes. For every (profile, remote) pair it
# declares a duply profile directory through `secrets.keys`, and a single root
# cron job walks over all of them.
{ lib, pkgs, config, name, ... }:

let
  # Shared backup settings (passphrase and per-remote credentials).
  backupEnv = config.myEnv.backup;
  duplyCfg = config.services.duplyBackup;

  # Local state: duplicity archive cache and one log file per profile/remote.
  stateDir = "/var/lib/duply";

  # duply command chain: back up, then run the three purge steps.
  duplyActions = "bkp_purge_purgeFull_purgeIncr";

  # Identifier of a (profile, remote) pair. The "eriomem" remote keeps the bare
  # profile name; any other remote is prefixed with the remote name.
  slotName = k: remoteName:
    if remoteName != "eriomem" then "${remoteName}_${k}" else k;

  # Render the duply `conf` file for one profile on one remote.
  #
  # The result holds the GPG passphrase and the S3 access keys in clear text,
  # which is why it is only ever handed to `secrets.keys` below.
  # NOTE(review): whether `secrets.keys` keeps this text out of the
  # world-readable Nix store depends on that module, which is not visible
  # here; confirm before reusing this function elsewhere.
  #
  # NOTE(review): every value is spliced between double quotes in a file that
  # duply sources as shell, so a passphrase or key containing `"`, `$`, a
  # backtick or a backslash is altered by shell expansion. Check the effective
  # passphrase of existing backups before changing the quoting (for instance
  # to lib.escapeShellArg), since a different effective passphrase would no
  # longer match the existing backup chain.
  renderDuplyConf = profile: remote: prefix:
    let
      remoteCfg = backupEnv.remotes.${remote};
    in ''
      GPG_PW="${backupEnv.password}"
      TARGET="${remoteCfg.remote profile.bucket}${prefix}"
      export AWS_ACCESS_KEY_ID="${remoteCfg.accessKeyId}"
      export AWS_SECRET_ACCESS_KEY="${remoteCfg.secretAccessKey}"
      SOURCE="${profile.rootDir}"
      FILENAME=".duplicity-ignore"
      DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
      VERBOSITY=4
      ARCH_DIR="${stateDir}/caches"

      # Do a full backup after 1 month
      MAX_FULLBKP_AGE=1M
      DUPL_PARAMS="$DUPL_PARAMS --allow-source-mismatch --exclude-other-filesystems --full-if-older-than $MAX_FULLBKP_AGE "
      # Backups older than 2months are deleted
      MAX_AGE=2M
      # Keep 2 full backups
      MAX_FULL_BACKUPS=2
      MAX_FULLS_WITH_INCRS=2
    '';
  # `--allow-source-mismatch` above turns off duplicity's check that the source
  # host and directory match those of the previous backup, so the target must
  # not be shared with another machine's profile.

  # Secret entries for one profile: for each remote, the duply `conf` and
  # `exclude` files (read-only for the owner) plus the directory holding them.
  profileSecrets = k: v:
    lib.concatMap (remote:
      let
        dirKey = "backup/${slotName k remote}";
      in [
        (lib.nameValuePair "${dirKey}/conf" {
          permissions = "0400";
          text = renderDuplyConf v remote "${k}/";
        })
        (lib.nameValuePair "${dirKey}/exclude" {
          permissions = "0400";
          text = v.excludeFile;
        })
        (lib.nameValuePair dirKey {
          permissions = "0500";
          isDir = true;
        })
      ]) v.remotes;

  # Shell fragment that runs duply for one (profile, remote) pair. Only stdout
  # is appended to the log file; stderr and the failure banner are left on the
  # cron job's stderr. `--force` is passed because the action chain includes
  # the purge steps.
  runBackup = k: remote: ''
    touch ${stateDir}/${slotName k remote}.log
    ${pkgs.duply}/bin/duply ${config.secrets.fullPaths."backup/${slotName k remote}"}/ ${duplyActions} --force >> ${stateDir}/${slotName k remote}.log
    [[ $? = 0 ]] || echo -e "Error when doing backup for ${slotName k remote}, see above\n---------------------------------------" >&2
  '';
in
{
  options.services.duplyBackup = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable remote backups.
      '';
    };

    profiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          rootDir = lib.mkOption {
            type = lib.types.path;
            description = ''
              Path to backup
            '';
          };
          bucket = lib.mkOption {
            type = lib.types.str;
            # `name` is the argument of the enclosing module, not the
            # profile's attribute name.
            default = "immae-${name}";
            description = ''
              Bucket to use
            '';
          };
          remotes = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = ["eriomem"];
            description = ''
              Remotes to use for backup
            '';
          };
          excludeFile = lib.mkOption {
            type = lib.types.lines;
            default = "";
            description = ''
              Content to put in exclude file
            '';
          };
        };
      });
    };
  };

  config = lib.mkIf duplyCfg.enable {
    # State and cache directories are root-only: the archive cache and the
    # logs describe the content of the backed-up trees.
    system.activationScripts.backup = ''
      install -m 0700 -o root -g root -d ${stateDir} ${stateDir}/caches
    '';

    secrets.keys = lib.listToAttrs
      (lib.concatLists (lib.mapAttrsToList profileSecrets duplyCfg.profiles));

    services.cron = {
      enable = true;
      systemCronJobs =
        let
          backups = pkgs.writeScript "backups" ''
            #!${pkgs.stdenv.shell}

            ${builtins.concatStringsSep "\n" (lib.concatLists (lib.mapAttrsToList
              (k: v: map (runBackup k) v.remotes)
              duplyCfg.profiles))}
          '';
        in
        # Every day at 02:00, as root.
        [
          "0 2 * * * root ${backups}"
        ];

    };

    # The CA file is downloaded over plain HTTP; the sha256 pins its content,
    # so a modified download fails the build instead of being installed.
    # Listing it here adds the CA to the system-wide trust store, so it is
    # trusted for every TLS connection made from this host, not only for the
    # backup endpoint.
    security.pki.certificateFiles = [
      (pkgs.fetchurl {
        url = "http://downloads.e.eriomem.net/eriomemca.pem";
        sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
      })
    ];
  };
}