Add backup module
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Wed, 16 Oct 2019 11:49:24 +0000 (13:49 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Wed, 16 Oct 2019 11:49:24 +0000 (13:49 +0200)
47 files changed:
modules/backup/Eriomem_SAS.1.pem [new file with mode: 0644]
modules/backup/Eriomem_SAS.pem [new file with mode: 0644]
modules/backup/default.nix [new file with mode: 0644]
modules/default.nix
modules/myids.nix
modules/private/backup.nix [new file with mode: 0644]
modules/private/buildbot/default.nix
modules/private/certificates.nix
modules/private/default.nix
modules/private/ftp.nix
modules/private/gitolite/default.nix
modules/private/irc.nix
modules/private/mail/default.nix
modules/private/mail/dovecot.nix
modules/private/mail/postfix.nix
modules/private/mail/rspamd.nix
modules/private/monitoring/default.nix
modules/private/mpd.nix
modules/private/pub/default.nix
modules/private/system.nix
modules/private/tasks/default.nix
modules/private/websites/aten/integration.nix
modules/private/websites/aten/production.nix
modules/private/websites/chloe/integration.nix
modules/private/websites/chloe/production.nix
modules/private/websites/connexionswing/integration.nix
modules/private/websites/connexionswing/production.nix
modules/private/websites/default.nix
modules/private/websites/emilia/production.nix
modules/private/websites/florian/app.nix
modules/private/websites/ludivinecassal/integration.nix
modules/private/websites/ludivinecassal/production.nix
modules/private/websites/piedsjaloux/integration.nix
modules/private/websites/piedsjaloux/production.nix
modules/private/websites/tools/diaspora/default.nix
modules/private/websites/tools/ether/default.nix
modules/private/websites/tools/mail/default.nix
modules/private/websites/tools/mastodon/default.nix
modules/private/websites/tools/tools/default.nix
modules/private/websites/tools/tools/dokuwiki.nix
modules/private/websites/tools/tools/kanboard.nix
modules/private/websites/tools/tools/rompr.nix
modules/private/websites/tools/tools/shaarli.nix
modules/private/websites/tools/tools/ttrss.nix
modules/private/websites/tools/tools/wallabag.nix
modules/webapps/mastodon.nix
modules/webapps/webstats/default.nix

diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644 (file)
index 0000000..ab76ee0
--- /dev/null
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem
new file mode 100644 (file)
index 0000000..8d77f26
--- /dev/null
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
new file mode 100644 (file)
index 0000000..7e0e4b2
--- /dev/null
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+  cfg = myconfig.env.backup;
+  varDir = "/var/lib/duply";
+  duplyProfile = profile: prefix: ''
+    GPG_PW="${cfg.password}"
+    TARGET="${cfg.remote}${prefix}"
+    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+    SOURCE="${profile.rootDir}"
+    FILENAME=".duplicity-ignore"
+    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+    VERBOSITY=4
+    ARCH_DIR="${varDir}/caches"
+
+    # Do a full backup after 1 month
+    MAX_FULLBKP_AGE=1M
+    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+    # Backups older than 2months are deleted
+    MAX_AGE=2M
+    # Keep 2 full backups
+    MAX_FULL_BACKUPS=2
+    MAX_FULLS_WITH_INCRS=2
+  '';
+  action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+  options = {
+    services.backup.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable remote backups.
+      '';
+    };
+    services.backup.profiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          rootDir = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              Path to backup
+              '';
+          };
+          excludeFile = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              Content to put in exclude file
+              '';
+          };
+        };
+      });
+    };
+  };
+
+  config = lib.mkIf config.services.backup.enable {
+    system.activationScripts.backup = ''
+      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+      '';
+    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+      {
+        permissions = "0400";
+        dest = "backup/${k}/conf";
+        text = duplyProfile v "${k}/";
+      }
+      {
+        permissions = "0400";
+        dest = "backup/${k}/exclude";
+        text = v.excludeFile;
+      }
+    ]) config.services.backup.profiles);
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        backups = pkgs.writeScript "backups" ''
+          #!${pkgs.stdenv.shell}
+
+          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+            ''
+              touch ${varDir}/${k}.log
+              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+            ''
+          ) config.services.backup.profiles)}
+        '';
+      in
+        [
+          "0 2 * * * root ${backups}"
+        ];
+
+    };
+
+    security.pki.certificates = [
+      (builtins.readFile ./Eriomem_SAS.1.pem)
+      (builtins.readFile ./Eriomem_SAS.pem)
+    ];
+  };
+}
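Review bot: In `duplyProfile`, `cfg.password`, `cfg.accessKeyId` and `cfg.secretAccessKey` are spliced between double quotes into a conf file that duply reads as shell, so a secret containing `$`, a backtick, `"` or `\` is expanded or cut short by the shell instead of being used verbatim. Quoting at generation time avoids that, e.g. `GPG_PW=${lib.escapeShellArg cfg.password}` and `export AWS_SECRET_ACCESS_KEY=${lib.escapeShellArg cfg.secretAccessKey}`. Separately, `security.pki.certificates` at the end of the module adds both Eriomem certificates to the host-wide trust store, so every TLS client on the machine accepts that CA, not only the backup job. A Nix comment above that list stating that the host-wide scope is intended would help, or the CA could be scoped to the backup tool if the backend in use allows it.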
index 9e9c4111f60b30b15862d3a609fea0681ae1318c..05f2bfe0e14ee193b31f60baf3cb1638debfa3c5 100644 (file)
@@ -13,6 +13,7 @@
   opendmarc = ./opendmarc.nix;
   openarc = ./openarc.nix;
 
+  backup = ./backup;
   naemon = ./naemon;
 
   php-application = ./websites/php-application.nix;
index ac9fd65e1eeff652eb75aaf6a030504031661afb..79610aff8799a1b4da9375cc9fad6b66d4fdd8ac 100644 (file)
@@ -3,6 +3,7 @@
   # Check that there is no clash with nixos/modules/misc/ids.nix
   config = {
     ids.uids = {
+      backup = 389;
       vhost = 390;
       openarc = 391;
       opendmarc = 392;
@@ -15,6 +16,7 @@
     };
     ids.gids = {
       nagios = 11; # commented in the ids file
+      backup = 389;
       vhost = 390;
       openarc = 391;
       opendmarc = 392;
diff --git a/modules/private/backup.nix b/modules/private/backup.nix
new file mode 100644 (file)
index 0000000..6911750
--- /dev/null
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  config = {
+    services.backup.enable = true;
+  };
+}
index f307606b0958ae29dcbc70d371b33fff737b7c91..88bab9b687f88841e8db9cd76d28ae5ddfa65718 100644 (file)
@@ -24,6 +24,9 @@ in
   };
 
   config = lib.mkIf config.myServices.buildbot.enable {
+    services.backup.profiles.buildbot = {
+      rootDir = varDir;
+    };
     ids.uids.buildbot = myconfig.env.buildbot.user.uid;
     ids.gids.buildbot = myconfig.env.buildbot.user.gid;
 
index 2e40b3cd7a7f27f2febb40ef2075a310036173a8..cb284fcaa78dcd04a3156ea370c565c9e67935c8 100644 (file)
@@ -15,6 +15,9 @@
   };
 
   config = {
+    services.backup.profiles.system.excludeFile = ''
+      + ${config.security.acme.directory}
+      '';
     services.websites.certs = config.services.myCertificates.certConfig;
     myServices.databasesCerts = config.services.myCertificates.certConfig;
     myServices.ircCerts = config.services.myCertificates.certConfig;
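Review bot: The added `+ ${config.security.acme.directory}` line pulls the ACME state directory into the `system` profile. That directory normally holds certificate private keys and the ACME account key, so they end up on the remote target protected only by the symmetric `GPG_PW` from the backup module. If that is the intent, a Nix comment above the attribute would record it, e.g. `# includes TLS private keys; confidentiality relies on the duply GPG passphrase`. The include only takes effect while the directory sits under the profile's `rootDir` (`/var/lib`, set in system.nix), which nothing in this hunk enforces.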
index cf15499849ef7f083811eb5e7d501ed24fd29617..6dd7358327c98d04f7d0b22e0a22d18ce2aaf231 100644 (file)
@@ -65,6 +65,7 @@ set = {
   ftp = ./ftp.nix;
   mpd = ./mpd.nix;
   ssh = ./ssh;
+  backup = ./backup.nix;
   monitoring = ./monitoring;
 
   system = ./system.nix;
index 59cae595bfe1c359aa6e6e7ef36a3c4a142a1937..c6d7fbee9dd0782c2f17cbe4560de6be9bb671c8 100644 (file)
@@ -14,6 +14,9 @@ in
   };
 
   config = lib.mkIf config.services.pure-ftpd.enable {
+    services.backup.profiles.ftp = {
+      rootDir = "/var/lib/ftp";
+    };
     security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
       domain = "eldiron.immae.eu";
       postRun = ''
index b9914a16916f42df398d671a8c513cb9360871bb..dc068b750b27b2b6c70bb9e8f1ee41f4e6516255 100644 (file)
@@ -11,6 +11,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.gitolite = {
+      rootDir = cfg.gitoliteDir;
+    };
     networking.firewall.allowedTCPPorts = [ 9418 ];
 
     services.gitDaemon = {
index b3fe91f40bd66d854e0f4e3deda73c5a70f90cf6..785b34d828047db8428d3e04a318bac090516c7f 100644 (file)
@@ -17,6 +17,9 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.irc = {
+      rootDir = "/var/lib/bitlbee";
+    };
     security.acme.certs."irc" = config.myServices.ircCerts // {
       domain = "irc.immae.eu";
       postRun = ''
index ad2c6846ba9687672c2c72e704d1ef881738aa65..ac8ad8c88137387f97ff46bb8925df06c165ec64 100644 (file)
@@ -9,4 +9,13 @@
       mxs = map (zone: "mx-1.${zone.name}") zonesWithMx;
     in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
   };
+  config.services.backup.profiles = {
+    mail = {
+      rootDir = "/var/lib";
+      excludeFile = lib.mkAfter ''
+        + /var/lib/vhost
+        - /var/lib
+        '';
+    };
+  };
 }
index 047d7d0b688549eb27e773e65c3c4b9cd2954341..0d13a7be769eb7f97b57895d47e34a53553660ef 100644 (file)
@@ -12,6 +12,10 @@ let
     '';
 in
 {
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/dhparams
+    + /var/lib/dovecot
+    '';
   config.secrets.keys = [
     {
       dest = "dovecot/ldap";
index c2d0af699b07a5b7a837645ce5e618b5b2391346..edfd19652e88f46606e8b807221d70617ff44048 100644 (file)
@@ -1,5 +1,8 @@
 { lib, pkgs, config, myconfig,  ... }:
 {
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/postfix
+    '';
   config.secrets.keys = [
     {
       dest = "postfix/mysql_alias_maps";
index 3a7a67c718117f263efffe0131066492a13b6126..af3541f370101b2f932cfeecea64201c04e3308b 100644 (file)
@@ -10,6 +10,9 @@
       rspamd sockets
       '';
   };
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/rspamd
+    '';
   config.services.cron.systemCronJobs = let
     cron_script = pkgs.runCommand "cron_script" {
       buildInputs = [ pkgs.makeWrapper ];
index d99124e836da9511f957b227a34924580a27422f..d9805ef3153826525a66862bb4580a88b602d75f 100644 (file)
@@ -27,6 +27,9 @@ in
   };
 
   config = lib.mkIf config.myServices.monitoring.enable {
+    services.backup.profiles.monitoring = {
+      rootDir = config.services.naemon.varDir;
+    };
     security.sudo.extraRules = [
       {
         commands = [
index 17454d72aa9c1bdef74c8351b49b5a1eb6e1863b..b2241651921d93c36524b0d566a33dbadfae7683 100644 (file)
@@ -1,6 +1,9 @@
 { lib, pkgs, config, myconfig,  ... }:
 {
   config = {
+    services.backup.profiles.mpd = {
+      rootDir = "/var/lib/mpd";
+    };
     secrets.keys = [
       {
         dest = "mpd";
index c31c8eb0e40e8367838e270b1d6848562820c6c8..a193d17102222260b52de0b645c1b212b0eb07e0 100644 (file)
@@ -11,6 +11,9 @@
   };
 
   config = lib.mkIf config.myServices.pub.enable {
+    services.backup.profiles.pub = {
+      rootDir = "/var/lib/pub";
+    };
     users.users.pub = let
       restrict = pkgs.runCommand "restrict" { 
         file = ./restrict;
index fba504e9a584dafb1fae8c609bd8439075a61a92..c12c2267887ed115a1675a44f6f2476e9f93a990 100644 (file)
@@ -1,6 +1,17 @@
-{ pkgs, privateFiles, ... }:
+{ pkgs, privateFiles, lib, ... }:
 {
   config = {
+    services.backup.profiles.system = {
+      rootDir = "/var/lib";
+      excludeFile = lib.mkAfter ''
+        + /var/lib/nixos
+        + /var/lib/udev
+        + /var/lib/udisks2
+        + /var/lib/systemd
+        + /var/lib/private/systemd
+        - /var/lib
+        '';
+    };
     nixpkgs.overlays = builtins.attrValues (import ../../overlays);
     _module.args = {
       pkgsNext = import <nixpkgsNext> {};
index a2da0c3e92d456251cd4d9c6f2f1b2c5bcb95fbe..b2191c0e025a393555711a240d9b093064102bab 100644 (file)
@@ -86,6 +86,15 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.tasks = {
+      rootDir = "/var/lib";
+      excludeFile = ''
+        + /var/lib/taskserver
+        + /var/lib/taskwarrior-web
+        - /var/lib
+        '';
+    };
+
     secrets.keys = [{
       dest = "webapps/tools-taskwarrior-web";
       user = "wwwrun";
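Review bot: The `tasks` profile sets `excludeFile` without `lib.mkAfter`, unlike the `mail` and `system` profiles in this commit, although it ends with the same catch-all `- /var/lib`. The option has type `lines`, so if another module later contributes an include to `services.backup.profiles.tasks.excludeFile`, nothing guarantees it is merged before the catch-all. An include that lands after `- /var/lib` would be silently left out of the backup, since the first matching rule wins. Writing it as `excludeFile = lib.mkAfter ''` as in mail/default.nix keeps the catch-all last.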
index 6768f80b592dd0b520f5f98f1a9984338c6a5add..0c92818e71a77f25d837214b1f967a83635be6c0 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.aten_dev.rootDir = app.varDir;
     services.phpApplication.apps.aten_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
index 97f4a0822ddd4bbd203a864d37ee5bc3c73fdf28..2ffcef339f6cf4b607aad8ffdaae7f3ae966ec6f 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.aten_prod.rootDir = app.varDir;
     services.webstats.sites = [ { name = "aten.pro"; } ];
     services.phpApplication.apps.aten_prod = {
       websiteEnv = "production";
index 1f7ac3121e7dc84013e8d1bfffe1fcc8bc078ea0..75e25afbae83ad4aa5a7c7057c6624a67c2d5ed2 100644 (file)
@@ -12,6 +12,7 @@ in {
   options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.chloe_dev.rootDir = chloe.app.varDir;
     secrets.keys = chloe.keys;
     systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
     systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
index 6cfdb7f381580a05196207f24c571ab25f71dd4f..7c59806c988cfb268f6c3463f1c67434b1197bc8 100644 (file)
@@ -12,6 +12,7 @@ in {
   options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.chloe_prod.rootDir = chloe.app.varDir;
     secrets.keys = chloe.keys;
     services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
 
index 2ceaffaea05d479d4af03a21e08d6d9a7d87e2d5..fee8e4f140b393e8aceb41560695db4584d31a74 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.connexionswing_dev.rootDir = app.varDir;
     services.phpApplication.apps.connexionswing_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
index 1427c8ded77dfb2831ea3ab0c0c073c24f573f90..79e672a254a891dc672b729793656d74807deed6 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.connexionswing_prod.rootDir = app.varDir;
     services.webstats.sites = [ { name = "connexionswing.com"; } ];
     services.phpApplication.apps.connexionswing_prod = {
       websiteEnv = "production";
index f55f7e3e120331b8869141c6b0da22a3ab464f08..e2bcef5269aac642ca39ecb4dff7ffe1134e4a8a 100644 (file)
@@ -73,6 +73,9 @@ in
   };
 
   config = {
+    services.backup.profiles.php = {
+      rootDir = "/var/lib/php";
+    };
     users.users.wwwrun.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
index 422bfd464423cf712b5747c8e058efcaac87c7bc..0dab316489f723b13d052c7ab4f53a4eb737a225 100644 (file)
@@ -43,6 +43,9 @@ in {
   options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.emilia_prod = {
+      rootDir = varDir;
+    };
     system.activationScripts.emilia = ''
       install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
       '';
index 3f44ec4385d3fdaa564da664a922dbaa509ca5cb..7e2c33390faf5eb2834947d2b2c5952e067ad068 100644 (file)
@@ -9,6 +9,7 @@ in {
   options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.tellesflorian_dev.rootDir = app.varDir;
     services.phpApplication.apps.florian_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
index 55f243274ce9218e6d3740c3af5e5ea18bfa9be5..d1b8f9b846bf2b5b4bf0db009eec9266521482db 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.ludivinecassal_dev.rootDir = app.varDir;
     services.phpApplication.apps.ludivinecassal_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
index 82f6899cdbee4554147b0989cf668dcb1a124375..341fd6d97d22dbd905bc788e4b84da582fb2a0e9 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.ludivinecassal_prod.rootDir = app.varDir;
     services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
     services.phpApplication.apps.ludivinecassal_prod = {
       websiteEnv = "production";
index 0a33bc0a095d716910cdcc092e1d957dd7e4ea1e..853fcff2bc60a7f8bedc4f1b14d1619cffe9be47 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.piedsjaloux_dev.rootDir = app.varDir;
     services.phpApplication.apps.piedsjaloux_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
index 9007f1906c2cdc4b332000b4839ebda268b2d86a..9e64fca7b864c1372c4743d1523cb79aad7dd860 100644 (file)
@@ -8,6 +8,7 @@ in {
   options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.piedsjaloux_prod.rootDir = app.varDir;
     services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
     services.phpApplication.apps.piedsjaloux_prod = {
       websiteEnv = "production";
index 17a6a099fb87285ec7a2ea077225a9d31855bd76..24d3d51046bf1c3cf044d346c511b2dfe095d7ba 100644 (file)
@@ -10,6 +10,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.diaspora = {
+      rootDir = dcfg.dataDir;
+    };
     users.users.diaspora.extraGroups = [ "keys" ];
 
     secrets.keys = [
index c03852812143ce8281104272f4d3c42656faa625..600254b74865ba8021f0854977ca859cf695ee41 100644 (file)
@@ -12,6 +12,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.etherpad-lite = {
+      rootDir = "/var/lib/private/etherpad-lite";
+    };
     secrets.keys = [
       {
         dest = "webapps/tools-etherpad-apikey";
index ea0a27fc7079f587647bceb3efa160fafc7b7997..35711af355a5796a87d7da39c3afc5b317fcbe7d 100644 (file)
@@ -17,6 +17,10 @@ in
   ];
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.mail.excludeFile = ''
+      + ${rainloop.varDir}
+      + ${roundcubemail.varDir}
+      '';
     secrets.keys = roundcubemail.keys;
 
     services.websites.env.tools.modules =
index d67ae2bcb35580dd3ae46c1ea5bc0eefe6514802..2236bd55b78b6c391643591a237c8ad6acf493b3 100644 (file)
@@ -10,6 +10,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.backup.profiles.mastodon = {
+      rootDir = mcfg.dataDir;
+    };
     secrets.keys = [{
       dest = "webapps/tools-mastodon";
       user = "mastodon";
index e17c708e0912208c84806c361da2e67ea03681b6..6f27b0be818d1b648dc94e1e42c3d8139efd4828 100644 (file)
@@ -51,6 +51,15 @@ in {
       ++ wallabag.keys
       ++ yourls.keys;
 
+    services.backup.profiles = {
+      dokuwiki = dokuwiki.backups;
+      kanboard = kanboard.backups;
+      rompr = rompr.backups;
+      shaarli = shaarli.backups;
+      ttrss = ttrss.backups;
+      wallabag = wallabag.backups;
+    };
+
     services.websites.env.tools.modules =
       [ "proxy_fcgi" ]
       ++ adminer.apache.modules
index c61d15f2547a0e91410240b855b99ad675c350f0..e40d671d9b506cd176d9f65776d54e747bd18682 100644 (file)
@@ -1,5 +1,8 @@
 { lib, stdenv, dokuwiki, dokuwiki-plugins }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
   varDir = "/var/lib/dokuwiki";
   activationScript = {
     deps = [ "wrappers" ];
index 68f92b81a1325e1bd747d3c77f2d6a660ded5fb5..68c3a1081c530fdb01ffe58f805668025c72a97e 100644 (file)
@@ -1,5 +1,8 @@
 { env, kanboard }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
   varDir = "/var/lib/kanboard";
   activationScript = {
     deps = [ "wrappers" ];
index fea59fc9957ba664f98f02db6722292433fa3211..74034f04617fb1a29a35beefbc607a348e3ab6c3 100644 (file)
@@ -1,5 +1,8 @@
 { lib, env, rompr }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
   varDir = "/var/lib/rompr";
   activationScript = ''
     install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
index 2e89a473837a24918eb53e8301df250681a4576f..28041ba994976df3c41201a1a88caa30719b1bd7 100644 (file)
@@ -2,6 +2,9 @@
 let
   varDir = "/var/lib/shaarli";
 in rec {
+  backups = {
+    rootDir = varDir;
+  };
   activationScript = ''
     install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
       ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
index 05c8cab04452831878754e25e9594892105b4c8b..598cc3a1168fbfa7ed13188deb52a80f9c365248 100644 (file)
@@ -1,5 +1,8 @@
 { php, env, ttrss, ttrss-plugins }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
   varDir = "/var/lib/ttrss";
   activationScript = {
     deps = [ "wrappers" ];
index 2912b2c9b3ef0692b9c09fdaf05bc624b1d56519..8572d64ca02405b3e86f75e6a005ff1b03400f53 100644 (file)
@@ -1,5 +1,8 @@
 { env, wallabag, mylibs }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
   varDir = "/var/lib/wallabag";
   keys = [{
     dest = "webapps/tools-wallabag";
index 26d5238f118968878e1c0c920a9d1c0992a10ac3..eed9e3f60d46760286adddace29cb791e4850f77 100644 (file)
@@ -190,6 +190,36 @@ in
       unitConfig.RequiresMountsFor = cfg.dataDir;
     };
 
+    systemd.services.mastodon-cleanup = {
+      description = "Cleanup mastodon";
+      startAt = "daily";
+      restartIfChanged = false;
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+      script = ''
+        exec ./bin/tootctl media remove --days 30
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Type = "oneshot";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
     systemd.services.mastodon-sidekiq = {
       description = "Mastodon Sidekiq";
       wantedBy = [ "multi-user.target" ];
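Review bot: The new `mastodon-cleanup` unit runs a deletion job with `PrivateTmp` as its only confinement. `NoNewPrivileges = true;` and `ProtectHome = true;` in `serviceConfig` would be cheap additions, assuming `cfg.dataDir` and the work directory are not under /home. `RuntimeDirectoryPreserve = "yes"` is presumably there so that this oneshot does not remove a runtime directory shared with the other mastodon units when it exits; a short comment such as `# keep the shared runtime dir when this oneshot stops` would keep someone from dropping it later. The unit is also unrelated to the backup module named in the commit title, so it may deserve its own commit.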
index 924d72debdf591af8a5fd4e3fa672fccffa6cca5..6771f015189adeb0da10de88edb9dcb47c20ff5a 100644 (file)
@@ -37,6 +37,9 @@ in {
   };
 
   config = lib.mkIf (builtins.length cfg.sites > 0) {
+    services.backup.profiles.goaccess = {
+      rootDir = cfg.dataDir;
+    };
     users.users.root.packages = [
       pkgs.goaccess
     ];