--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+ cfg = myconfig.env.backup;
+ varDir = "/var/lib/duply";
+ duplyProfile = profile: prefix: ''
+ GPG_PW="${cfg.password}"
+ TARGET="${cfg.remote}${prefix}"
+ export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+ export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+ SOURCE="${profile.rootDir}"
+ FILENAME=".duplicity-ignore"
+ DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+ VERBOSITY=4
+ ARCH_DIR="${varDir}/caches"
+
+ # Do a full backup after 1 month
+ MAX_FULLBKP_AGE=1M
+ DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+ # Backups older than 2months are deleted
+ MAX_AGE=2M
+ # Keep 2 full backups
+ MAX_FULL_BACKUPS=2
+ MAX_FULLS_WITH_INCRS=2
+ '';
+ action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+ options = {
+ services.backup.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable remote backups.
+ '';
+ };
+ services.backup.profiles = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ rootDir = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to backup
+ '';
+ };
+ excludeFile = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Content to put in exclude file
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf config.services.backup.enable {
+ system.activationScripts.backup = ''
+ install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+ '';
+ secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+ {
+ permissions = "0400";
+ dest = "backup/${k}/conf";
+ text = duplyProfile v "${k}/";
+ }
+ {
+ permissions = "0400";
+ dest = "backup/${k}/exclude";
+ text = v.excludeFile;
+ }
+ ]) config.services.backup.profiles);
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = let
+ backups = pkgs.writeScript "backups" ''
+ #!${pkgs.stdenv.shell}
+
+ ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+ ''
+ touch ${varDir}/${k}.log
+ ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+ ''
+ ) config.services.backup.profiles)}
+ '';
+ in
+ [
+ "0 2 * * * root ${backups}"
+ ];
+
+ };
+
+ security.pki.certificates = [
+ (builtins.readFile ./Eriomem_SAS.1.pem)
+ (builtins.readFile ./Eriomem_SAS.pem)
+ ];
+ };
+}
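Review bot: The values interpolated into the profile text in `duplyProfile` (`GPG_PW`, `TARGET`, both `AWS_*` variables and `SOURCE`) sit inside double quotes in a file that duply sources as shell, so a passphrase or key containing `$`, a backtick, `"` or `\` is expanded or cut short, and the archives end up encrypted with a different passphrase than the one recorded in `myconfig.env.backup`. Passing them through the library helper avoids this, e.g. `GPG_PW=${lib.escapeShellArg cfg.password}` and `export AWS_SECRET_ACCESS_KEY=${lib.escapeShellArg cfg.secretAccessKey}`; the same applies to `${k}` in the generated cron script. Separately, `security.pki.certificates` adds the two Eriomem certificates to the system-wide trust store, so every TLS client on the host accepts chains ending in them, not only the backup job. If the backend allows it, a CA bundle scoped to the backup tool would keep that trust local. The redirect `>> ${varDir}/${k}.log` captures stdout only, so errors written to stderr never reach the per-profile log.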
opendmarc = ./opendmarc.nix;
openarc = ./openarc.nix;
+ backup = ./backup;
naemon = ./naemon;
php-application = ./websites/php-application.nix;
# Check that there is no clash with nixos/modules/misc/ids.nix
config = {
ids.uids = {
+ backup = 389;
vhost = 390;
openarc = 391;
opendmarc = 392;
};
ids.gids = {
nagios = 11; # commented in the ids file
+ backup = 389;
vhost = 390;
openarc = 391;
opendmarc = 392;
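Review bot: The reserved `backup = 389` uid and gid are not used by anything visible in this change: the backup module declares no `users.users.backup`, and its cron entry runs the job as `root`. Either drop the reservation until an unprivileged backup account exists, or add a comment such as `# reserved for a dedicated backup user; the job currently runs as root`, so the next reader does not assume the job is already confined to that account.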
--- /dev/null
+{ ... }:
+{
+ config = {
+ services.backup.enable = true;
+ };
+}
};
config = lib.mkIf config.myServices.buildbot.enable {
+ services.backup.profiles.buildbot = {
+ rootDir = varDir;
+ };
ids.uids.buildbot = myconfig.env.buildbot.user.uid;
ids.gids.buildbot = myconfig.env.buildbot.user.gid;
};
config = {
+ services.backup.profiles.system.excludeFile = ''
+ + ${config.security.acme.directory}
+ '';
services.websites.certs = config.services.myCertificates.certConfig;
myServices.databasesCerts = config.services.myCertificates.certConfig;
myServices.ircCerts = config.services.myCertificates.certConfig;
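Review bot: Including `${config.security.acme.directory}` in the `system` profile presumably sends the host's TLS private keys and ACME account key to the remote backup target, where their confidentiality rests solely on the profile's symmetric `GPG_PW` passphrase. A comment above the `excludeFile` assignment should record that this is intended, for example `# ACME state holds TLS private keys; backed up encrypted, reissue certificates if the backup passphrase leaks`. The include only takes effect if that directory lies under the profile's `rootDir` (`/var/lib` in the system module), which is not visible in this hunk.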
ftp = ./ftp.nix;
mpd = ./mpd.nix;
ssh = ./ssh;
+ backup = ./backup.nix;
monitoring = ./monitoring;
system = ./system.nix;
};
config = lib.mkIf config.services.pure-ftpd.enable {
+ services.backup.profiles.ftp = {
+ rootDir = "/var/lib/ftp";
+ };
security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
domain = "eldiron.immae.eu";
postRun = ''
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.gitolite = {
+ rootDir = cfg.gitoliteDir;
+ };
networking.firewall.allowedTCPPorts = [ 9418 ];
services.gitDaemon = {
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.irc = {
+ rootDir = "/var/lib/bitlbee";
+ };
security.acme.certs."irc" = config.myServices.ircCerts // {
domain = "irc.immae.eu";
postRun = ''
mxs = map (zone: "mx-1.${zone.name}") zonesWithMx;
in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
};
+ config.services.backup.profiles = {
+ mail = {
+ rootDir = "/var/lib";
+ excludeFile = lib.mkAfter ''
+ + /var/lib/vhost
+ - /var/lib
+ '';
+ };
+ };
}
'';
in
{
+ config.services.backup.profiles.mail.excludeFile = ''
+ + /var/lib/dhparams
+ + /var/lib/dovecot
+ '';
config.secrets.keys = [
{
dest = "dovecot/ldap";
{ lib, pkgs, config, myconfig, ... }:
{
+ config.services.backup.profiles.mail.excludeFile = ''
+ + /var/lib/postfix
+ '';
config.secrets.keys = [
{
dest = "postfix/mysql_alias_maps";
rspamd sockets
'';
};
+ config.services.backup.profiles.mail.excludeFile = ''
+ + /var/lib/rspamd
+ '';
config.services.cron.systemCronJobs = let
cron_script = pkgs.runCommand "cron_script" {
buildInputs = [ pkgs.makeWrapper ];
};
config = lib.mkIf config.myServices.monitoring.enable {
+ services.backup.profiles.monitoring = {
+ rootDir = config.services.naemon.varDir;
+ };
security.sudo.extraRules = [
{
commands = [
{ lib, pkgs, config, myconfig, ... }:
{
config = {
+ services.backup.profiles.mpd = {
+ rootDir = "/var/lib/mpd";
+ };
secrets.keys = [
{
dest = "mpd";
};
config = lib.mkIf config.myServices.pub.enable {
+ services.backup.profiles.pub = {
+ rootDir = "/var/lib/pub";
+ };
users.users.pub = let
restrict = pkgs.runCommand "restrict" {
file = ./restrict;
-{ pkgs, privateFiles, ... }:
+{ pkgs, privateFiles, lib, ... }:
{
config = {
+ services.backup.profiles.system = {
+ rootDir = "/var/lib";
+ excludeFile = lib.mkAfter ''
+ + /var/lib/nixos
+ + /var/lib/udev
+ + /var/lib/udisks2
+ + /var/lib/systemd
+ + /var/lib/private/systemd
+ - /var/lib
+ '';
+ };
nixpkgs.overlays = builtins.attrValues (import ../../overlays);
_module.args = {
pkgsNext = import <nixpkgsNext> {};
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.tasks = {
+ rootDir = "/var/lib";
+ excludeFile = ''
+ + /var/lib/taskserver
+ + /var/lib/taskwarrior-web
+ - /var/lib
+ '';
+ };
+
secrets.keys = [{
dest = "webapps/tools-taskwarrior-web";
user = "wwwrun";
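Review bot: `services.backup.profiles.tasks.excludeFile` ends with the catch-all `- /var/lib` but is not wrapped in `lib.mkAfter`, unlike the `mail` and `system` profiles in this change. duplicity applies the first matching line of a filelist, so if another module ever contributes `+` lines to this profile they may be merged after the catch-all and silently dropped from the backup. Writing `excludeFile = lib.mkAfter ''` here keeps the exclusion last regardless of module order.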
options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.aten_dev.rootDir = app.varDir;
services.phpApplication.apps.aten_dev = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.aten_prod.rootDir = app.varDir;
services.webstats.sites = [ { name = "aten.pro"; } ];
services.phpApplication.apps.aten_prod = {
websiteEnv = "production";
options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.chloe_dev.rootDir = chloe.app.varDir;
secrets.keys = chloe.keys;
systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.chloe_prod.rootDir = chloe.app.varDir;
secrets.keys = chloe.keys;
services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.connexionswing_dev.rootDir = app.varDir;
services.phpApplication.apps.connexionswing_dev = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.connexionswing_prod.rootDir = app.varDir;
services.webstats.sites = [ { name = "connexionswing.com"; } ];
services.phpApplication.apps.connexionswing_prod = {
websiteEnv = "production";
};
config = {
+ services.backup.profiles.php = {
+ rootDir = "/var/lib/php";
+ };
users.users.wwwrun.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.emilia_prod = {
+ rootDir = varDir;
+ };
system.activationScripts.emilia = ''
install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
'';
options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.tellesflorian_dev.rootDir = app.varDir;
services.phpApplication.apps.florian_dev = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.ludivinecassal_dev.rootDir = app.varDir;
services.phpApplication.apps.ludivinecassal_dev = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.ludivinecassal_prod.rootDir = app.varDir;
services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
services.phpApplication.apps.ludivinecassal_prod = {
websiteEnv = "production";
options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.piedsjaloux_dev.rootDir = app.varDir;
services.phpApplication.apps.piedsjaloux_dev = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
config = lib.mkIf cfg.enable {
+ services.backup.profiles.piedsjaloux_prod.rootDir = app.varDir;
services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
services.phpApplication.apps.piedsjaloux_prod = {
websiteEnv = "production";
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.diaspora = {
+ rootDir = dcfg.dataDir;
+ };
users.users.diaspora.extraGroups = [ "keys" ];
secrets.keys = [
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.etherpad-lite = {
+ rootDir = "/var/lib/private/etherpad-lite";
+ };
secrets.keys = [
{
dest = "webapps/tools-etherpad-apikey";
];
config = lib.mkIf cfg.enable {
+ services.backup.profiles.mail.excludeFile = ''
+ + ${rainloop.varDir}
+ + ${roundcubemail.varDir}
+ '';
secrets.keys = roundcubemail.keys;
services.websites.env.tools.modules =
};
config = lib.mkIf cfg.enable {
+ services.backup.profiles.mastodon = {
+ rootDir = mcfg.dataDir;
+ };
secrets.keys = [{
dest = "webapps/tools-mastodon";
user = "mastodon";
++ wallabag.keys
++ yourls.keys;
+ services.backup.profiles = {
+ dokuwiki = dokuwiki.backups;
+ kanboard = kanboard.backups;
+ rompr = rompr.backups;
+ shaarli = shaarli.backups;
+ ttrss = ttrss.backups;
+ wallabag = wallabag.backups;
+ };
+
services.websites.env.tools.modules =
[ "proxy_fcgi" ]
++ adminer.apache.modules
{ lib, stdenv, dokuwiki, dokuwiki-plugins }:
rec {
+ backups = {
+ rootDir = varDir;
+ };
varDir = "/var/lib/dokuwiki";
activationScript = {
deps = [ "wrappers" ];
{ env, kanboard }:
rec {
+ backups = {
+ rootDir = varDir;
+ };
varDir = "/var/lib/kanboard";
activationScript = {
deps = [ "wrappers" ];
{ lib, env, rompr }:
rec {
+ backups = {
+ rootDir = varDir;
+ };
varDir = "/var/lib/rompr";
activationScript = ''
install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
let
varDir = "/var/lib/shaarli";
in rec {
+ backups = {
+ rootDir = varDir;
+ };
activationScript = ''
install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
{ php, env, ttrss, ttrss-plugins }:
rec {
+ backups = {
+ rootDir = varDir;
+ };
varDir = "/var/lib/ttrss";
activationScript = {
deps = [ "wrappers" ];
{ env, wallabag, mylibs }:
rec {
+ backups = {
+ rootDir = varDir;
+ };
varDir = "/var/lib/wallabag";
keys = [{
dest = "webapps/tools-wallabag";
unitConfig.RequiresMountsFor = cfg.dataDir;
};
+ systemd.services.mastodon-cleanup = {
+ description = "Cleanup mastodon";
+ startAt = "daily";
+ restartIfChanged = false;
+
+ environment.RAILS_ENV = "production";
+ environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+ environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+ environment.SOCKET = cfg.sockets.rails;
+
+ path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+ script = ''
+ exec ./bin/tootctl media remove --days 30
+ '';
+
+ serviceConfig = {
+ User = cfg.user;
+ EnvironmentFile = cfg.configFile;
+ PrivateTmp = true;
+ Type = "oneshot";
+ WorkingDirectory = cfg.workdir;
+ StateDirectory = cfg.systemdStateDirectory;
+ RuntimeDirectory = cfg.systemdRuntimeDirectory;
+ RuntimeDirectoryPreserve = "yes";
+ };
+
+ unitConfig.RequiresMountsFor = cfg.dataDir;
+ };
+
systemd.services.mastodon-sidekiq = {
description = "Mastodon Sidekiq";
wantedBy = [ "multi-user.target" ];
};
config = lib.mkIf (builtins.length cfg.sites > 0) {
+ services.backup.profiles.goaccess = {
+ rootDir = cfg.dataDir;
+ };
users.users.root.packages = [
pkgs.goaccess
];