From: Ismaƫl Bouya
Date: Wed, 16 Oct 2019 11:49:24 +0000 (+0200)
Subject: Add backup module
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=6a8252b11bb02f3e67857d5a9d733b1affa6a625
Add backup module
---
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644
index 0000000..ab76ee0
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD +VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz +MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG +A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0 +MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS +MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV +BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF +cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs +EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK +9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H +28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X +wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK +GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou +QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3 +ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu +vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql +Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ +9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR +1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/ +/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic +OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo +4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL +V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW +mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm +A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c +bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF +syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n 
+1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy +s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V +TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ +MnGrJwg= +-----END CERTIFICATE----- diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem new file mode 100644 index 0000000..8d77f26 --- /dev/null +++ b/modules/backup/Eriomem_SAS.pem 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD +VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx +FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG +CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw +NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu +Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE +AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA +NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY +XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K +eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx +/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF +xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID +AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j +BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC +RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD +VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG +9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl +549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44 +Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa +fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc +cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR +Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw== +-----END CERTIFICATE----- diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 0000000..7e0e4b2 --- /dev/null +++ b/modules/backup/default.nix 
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+ cfg = myconfig.env.backup;
+ varDir = "/var/lib/duply";
+ duplyProfile = profile: prefix: ''
+ GPG_PW="${cfg.password}"
+ TARGET="${cfg.remote}${prefix}"
+ export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+ export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+ SOURCE="${profile.rootDir}"
+ FILENAME=".duplicity-ignore"
+ DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+ VERBOSITY=4
+ ARCH_DIR="${varDir}/caches"
+
+ # Do a full backup after 1 month
+ MAX_FULLBKP_AGE=1M
+ DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+ # Backups older than 2months are deleted
+ MAX_AGE=2M
+ # Keep 2 full backups
+ MAX_FULL_BACKUPS=2
+ MAX_FULLS_WITH_INCRS=2
+ '';
+ action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+ options = {
+ services.backup.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable remote backups.
+ '';
+ };
+ services.backup.profiles = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ rootDir = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to backup
+ '';
+ };
+ excludeFile = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Content to put in exclude file
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf config.services.backup.enable {
+ system.activationScripts.backup = ''
+ install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+ '';
+ secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+ {
+ permissions = "0400";
+ dest = "backup/${k}/conf";
+ text = duplyProfile v "${k}/";
+ }
+ {
+ permissions = "0400";
+ dest = "backup/${k}/exclude";
+ text = v.excludeFile;
+ }
+ ]) config.services.backup.profiles);
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = let
+ backups = pkgs.writeScript "backups" ''
+ #!${pkgs.stdenv.shell}
+
+ ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+ ''
+ touch ${varDir}/${k}.log
+ ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+ ''
+ ) config.services.backup.profiles)}
+ '';
+ in
+ [
+ "0 2 * * * root ${backups}"
+ ];
+
+ };
+
+ security.pki.certificates = [
+ (builtins.readFile ./Eriomem_SAS.1.pem)
+ (builtins.readFile ./Eriomem_SAS.pem)
+ ];
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 9e9c411..05f2bfe 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -13,6 +13,7 @@
 opendmarc = ./opendmarc.nix; openarc = ./openarc.nix;
+ backup = ./backup;
 naemon = ./naemon; php-application = ./websites/php-application.nix;
diff --git a/modules/myids.nix b/modules/myids.nix
index ac9fd65..79610af 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,7 @@
 # Check that there is no clash with nixos/modules/misc/ids.nix config = { ids.uids = {
+ backup = 389;
 vhost = 390; openarc = 391; opendmarc = 392;
@@ -15,6 +16,7 @@
 }; ids.gids = { nagios = 11; # commented in the ids file
+ backup = 389;
 vhost = 390; openarc = 391; opendmarc = 392;
diff --git a/modules/private/backup.nix b/modules/private/backup.nix
new file mode 100644
index 0000000..6911750
--- /dev/null
+++ b/modules/private/backup.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ config = {
+ services.backup.enable = true;
+ };
+}
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index f307606..88bab9b 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -24,6 +24,9 @@ in
 }; config = lib.mkIf config.myServices.buildbot.enable {
+ services.backup.profiles.buildbot = {
+ rootDir = varDir;
+ };
 ids.uids.buildbot = myconfig.env.buildbot.user.uid; ids.gids.buildbot = myconfig.env.buildbot.user.gid;
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2e40b3c..cb284fc 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
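Review bot: `security.pki.certificates` near the end of the hunk installs the two Eriomem CA certificates into the host-wide trust store, so every TLS client on the machine, not only duplicity, will accept any certificate that CA issues; a backup-provider CA should be trusted by the backup job alone. If the S3 backend honours duplicity's `--ssl-cacert-file`, the trust can stay local by appending `DUPL_PARAMS="$DUPL_PARAMS --ssl-cacert-file ${<path to a bundle of both .pem files>}"` to `duplyProfile` and dropping the `security.pki.certificates` entry; if the backend does not honour it, a comment above the list stating why a global trust anchor is required would help the next reader. Separately, the `backups` cron script runs each `duply` invocation without `set -e` or any exit-status check and redirects only stdout, so a failing profile leaves no trace beyond `${varDir}/${k}.log`; `2>&1` on the redirect plus `|| echo "backup ${k} failed" >&2` would surface failures through cron's mail. The `services.backup.profiles` option also lacks a `description`, unlike `services.backup.enable`.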
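Review bot: Both myids.nix hunks reserve uid and gid 389 for `backup`, but nothing in this commit creates a `backup` user or group, and the new module's cron job runs `duply` as `root`, so as far as the diff shows the reservation is unused. If the intent is to run the backups unprivileged, the module would also need a `users.users.backup` entry and the secret files would have to be owned by that user rather than root-only `0400`; otherwise a short comment such as `backup = 389; # reserved; backups currently run as root` would stop the next reader from looking for the missing user. The reservation may of course be consumed by a file outside this diff.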
@@ -15,6 +15,9 @@ }; config = { + services.backup.profiles.system.excludeFile = '' + + ${config.security.acme.directory} + ''; services.websites.certs = config.services.myCertificates.certConfig; myServices.databasesCerts = config.services.myCertificates.certConfig; myServices.ircCerts = config.services.myCertificates.certConfig; diff --git a/modules/private/default.nix b/modules/private/default.nix index cf15499..6dd7358 100644 --- a/modules/private/default.nix +++ b/modules/private/default.nix @@ -65,6 +65,7 @@ set = { ftp = ./ftp.nix; mpd = ./mpd.nix; ssh = ./ssh; + backup = ./backup.nix; monitoring = ./monitoring; system = ./system.nix; diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 59cae59..c6d7fbe 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix @@ -14,6 +14,9 @@ in }; config = lib.mkIf config.services.pure-ftpd.enable { + services.backup.profiles.ftp = { + rootDir = "/var/lib/ftp"; + }; security.acme.certs."ftp" = config.services.myCertificates.certConfig // { domain = "eldiron.immae.eu"; postRun = '' diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index b9914a1..dc068b7 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix @@ -11,6 +11,9 @@ in { }; config = lib.mkIf cfg.enable { + services.backup.profiles.gitolite = { + rootDir = cfg.gitoliteDir; + }; networking.firewall.allowedTCPPorts = [ 9418 ]; services.gitDaemon = { diff --git a/modules/private/irc.nix b/modules/private/irc.nix index b3fe91f..785b34d 100644 --- a/modules/private/irc.nix +++ b/modules/private/irc.nix @@ -17,6 +17,9 @@ in }; config = lib.mkIf cfg.enable { + services.backup.profiles.irc = { + rootDir = "/var/lib/bitlbee"; + }; security.acme.certs."irc" = config.myServices.ircCerts // { domain = "irc.immae.eu"; postRun = '' diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index ad2c684..ac8ad8c 100644 --- a/modules/private/mail/default.nix 
+++ b/modules/private/mail/default.nix @@ -9,4 +9,13 @@ mxs = map (zone: "mx-1.${zone.name}") zonesWithMx; in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); }; + config.services.backup.profiles = { + mail = { + rootDir = "/var/lib"; + excludeFile = lib.mkAfter '' + + /var/lib/vhost + - /var/lib + ''; + }; + }; } diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 047d7d0..0d13a7b 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -12,6 +12,10 @@ let ''; in { + config.services.backup.profiles.mail.excludeFile = '' + + /var/lib/dhparams + + /var/lib/dovecot + ''; config.secrets.keys = [ { dest = "dovecot/ldap"; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index c2d0af6..edfd196 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -1,5 +1,8 @@ { lib, pkgs, config, myconfig, ... }: { + config.services.backup.profiles.mail.excludeFile = '' + + /var/lib/postfix + ''; config.secrets.keys = [ { dest = "postfix/mysql_alias_maps"; diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix index 3a7a67c..af3541f 100644 --- a/modules/private/mail/rspamd.nix +++ b/modules/private/mail/rspamd.nix @@ -10,6 +10,9 @@ rspamd sockets ''; }; + config.services.backup.profiles.mail.excludeFile = '' + + /var/lib/rspamd + ''; config.services.cron.systemCronJobs = let cron_script = pkgs.runCommand "cron_script" { buildInputs = [ pkgs.makeWrapper ]; diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix index d99124e..d9805ef 100644 --- a/modules/private/monitoring/default.nix +++ b/modules/private/monitoring/default.nix @@ -27,6 +27,9 @@ in }; config = lib.mkIf config.myServices.monitoring.enable { + services.backup.profiles.monitoring = { + rootDir = config.services.naemon.varDir; + }; security.sudo.extraRules = [ { commands = [ 
diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix index 17454d7..b224165 100644 --- a/modules/private/mpd.nix +++ b/modules/private/mpd.nix @@ -1,6 +1,9 @@ { lib, pkgs, config, myconfig, ... }: { config = { + services.backup.profiles.mpd = { + rootDir = "/var/lib/mpd"; + }; secrets.keys = [ { dest = "mpd"; diff --git a/modules/private/pub/default.nix b/modules/private/pub/default.nix index c31c8eb..a193d17 100644 --- a/modules/private/pub/default.nix +++ b/modules/private/pub/default.nix @@ -11,6 +11,9 @@ }; config = lib.mkIf config.myServices.pub.enable { + services.backup.profiles.pub = { + rootDir = "/var/lib/pub"; + }; users.users.pub = let restrict = pkgs.runCommand "restrict" { file = ./restrict; diff --git a/modules/private/system.nix b/modules/private/system.nix index fba504e..c12c226 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix @@ -1,6 +1,17 @@ -{ pkgs, privateFiles, ... }: +{ pkgs, privateFiles, lib, ... }: { config = { + services.backup.profiles.system = { + rootDir = "/var/lib"; + excludeFile = lib.mkAfter '' + + /var/lib/nixos + + /var/lib/udev + + /var/lib/udisks2 + + /var/lib/systemd + + /var/lib/private/systemd + - /var/lib + ''; + }; nixpkgs.overlays = builtins.attrValues (import ../../overlays); _module.args = { pkgsNext = import {}; diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index a2da0c3..b2191c0 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -86,6 +86,15 @@ in { }; config = lib.mkIf cfg.enable { + services.backup.profiles.tasks = { + rootDir = "/var/lib"; + excludeFile = '' + + /var/lib/taskserver + + /var/lib/taskwarrior-web + - /var/lib + ''; + }; + secrets.keys = [{ dest = "webapps/tools-taskwarrior-web"; user = "wwwrun"; diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix index 6768f80..0c92818 100644 --- a/modules/private/websites/aten/integration.nix 
+++ b/modules/private/websites/aten/integration.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.aten_dev.rootDir = app.varDir; services.phpApplication.apps.aten_dev = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix index 97f4a08..2ffcef3 100644 --- a/modules/private/websites/aten/production.nix +++ b/modules/private/websites/aten/production.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production"; config = lib.mkIf cfg.enable { + services.backup.profiles.aten_prod.rootDir = app.varDir; services.webstats.sites = [ { name = "aten.pro"; } ]; services.phpApplication.apps.aten_prod = { websiteEnv = "production"; diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 1f7ac31..75e25af 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix @@ -12,6 +12,7 @@ in { options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.chloe_dev.rootDir = chloe.app.varDir; secrets.keys = chloe.keys; systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 6cfdb7f..7c59806 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix 
@@ -12,6 +12,7 @@ in { options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production"; config = lib.mkIf cfg.enable { + services.backup.profiles.chloe_prod.rootDir = chloe.app.varDir; secrets.keys = chloe.keys; services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 2ceaffa..fee8e4f 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.connexionswing_dev.rootDir = app.varDir; services.phpApplication.apps.connexionswing_dev = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index 1427c8d..79e672a 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production"; config = lib.mkIf cfg.enable { + services.backup.profiles.connexionswing_prod.rootDir = app.varDir; services.webstats.sites = [ { name = "connexionswing.com"; } ]; services.phpApplication.apps.connexionswing_prod = { websiteEnv = "production"; diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index f55f7e3..e2bcef5 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix 
@@ -73,6 +73,9 @@ in }; config = { + services.backup.profiles.php = { + rootDir = "/var/lib/php"; + }; users.users.wwwrun.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix index 422bfd4..0dab316 100644 --- a/modules/private/websites/emilia/production.nix +++ b/modules/private/websites/emilia/production.nix @@ -43,6 +43,9 @@ in { options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website"; config = lib.mkIf cfg.enable { + services.backup.profiles.emilia_prod = { + rootDir = varDir; + }; system.activationScripts.emilia = '' install -m 0755 -o wwwrun -g wwwrun -d ${varDir} ''; diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index 3f44ec4..7e2c333 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix @@ -9,6 +9,7 @@ in { options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.tellesflorian_dev.rootDir = app.varDir; services.phpApplication.apps.florian_dev = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 55f2432..d1b8f9b 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.ludivinecassal_dev.rootDir = app.varDir; services.phpApplication.apps.ludivinecassal_dev = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; 
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 82f6899..341fd6d 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production"; config = lib.mkIf cfg.enable { + services.backup.profiles.ludivinecassal_prod.rootDir = app.varDir; services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; services.phpApplication.apps.ludivinecassal_prod = { websiteEnv = "production"; diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 0a33bc0..853fcff 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration"; config = lib.mkIf cfg.enable { + services.backup.profiles.piedsjaloux_dev.rootDir = app.varDir; services.phpApplication.apps.piedsjaloux_dev = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index 9007f19..9e64fca 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix @@ -8,6 +8,7 @@ in { options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production"; config = lib.mkIf cfg.enable { + services.backup.profiles.piedsjaloux_prod.rootDir = app.varDir; services.webstats.sites = [ { name = "piedsjaloux.fr"; } ]; services.phpApplication.apps.piedsjaloux_prod = { websiteEnv = "production"; 
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix index 17a6a09..24d3d51 100644 --- a/modules/private/websites/tools/diaspora/default.nix +++ b/modules/private/websites/tools/diaspora/default.nix @@ -10,6 +10,9 @@ in { }; config = lib.mkIf cfg.enable { + services.backup.profiles.diaspora = { + rootDir = dcfg.dataDir; + }; users.users.diaspora.extraGroups = [ "keys" ]; secrets.keys = [ diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix index c038528..600254b 100644 --- a/modules/private/websites/tools/ether/default.nix +++ b/modules/private/websites/tools/ether/default.nix @@ -12,6 +12,9 @@ in { }; config = lib.mkIf cfg.enable { + services.backup.profiles.etherpad-lite = { + rootDir = "/var/lib/private/etherpad-lite"; + }; secrets.keys = [ { dest = "webapps/tools-etherpad-apikey"; diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index ea0a27f..35711af 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix @@ -17,6 +17,10 @@ in ]; config = lib.mkIf cfg.enable { + services.backup.profiles.mail.excludeFile = '' + + ${rainloop.varDir} + + ${roundcubemail.varDir} + ''; secrets.keys = roundcubemail.keys; services.websites.env.tools.modules = diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix index d67ae2b..2236bd5 100644 --- a/modules/private/websites/tools/mastodon/default.nix +++ b/modules/private/websites/tools/mastodon/default.nix @@ -10,6 +10,9 @@ in { }; config = lib.mkIf cfg.enable { + services.backup.profiles.mastodon = { + rootDir = mcfg.dataDir; + }; secrets.keys = [{ dest = "webapps/tools-mastodon"; user = "mastodon"; 
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index e17c708..6f27b0b 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix @@ -51,6 +51,15 @@ in { ++ wallabag.keys ++ yourls.keys; + services.backup.profiles = { + dokuwiki = dokuwiki.backups; + kanboard = kanboard.backups; + rompr = rompr.backups; + shaarli = shaarli.backups; + ttrss = ttrss.backups; + wallabag = wallabag.backups; + }; + services.websites.env.tools.modules = [ "proxy_fcgi" ] ++ adminer.apache.modules diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix index c61d15f..e40d671 100644 --- a/modules/private/websites/tools/tools/dokuwiki.nix +++ b/modules/private/websites/tools/tools/dokuwiki.nix @@ -1,5 +1,8 @@ { lib, stdenv, dokuwiki, dokuwiki-plugins }: rec { + backups = { + rootDir = varDir; + }; varDir = "/var/lib/dokuwiki"; activationScript = { deps = [ "wrappers" ]; diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 68f92b8..68c3a10 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix @@ -1,5 +1,8 @@ { env, kanboard }: rec { + backups = { + rootDir = varDir; + }; varDir = "/var/lib/kanboard"; activationScript = { deps = [ "wrappers" ]; diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix index fea59fc..74034f0 100644 --- a/modules/private/websites/tools/tools/rompr.nix +++ b/modules/private/websites/tools/tools/rompr.nix @@ -1,5 +1,8 @@ { lib, env, rompr }: rec { + backups = { + rootDir = varDir; + }; varDir = "/var/lib/rompr"; activationScript = '' install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ 
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 2e89a47..28041ba 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix @@ -2,6 +2,9 @@ let varDir = "/var/lib/shaarli"; in rec { + backups = { + rootDir = varDir; + }; activationScript = '' install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \ diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index 05c8cab..598cc3a 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix @@ -1,5 +1,8 @@ { php, env, ttrss, ttrss-plugins }: rec { + backups = { + rootDir = varDir; + }; varDir = "/var/lib/ttrss"; activationScript = { deps = [ "wrappers" ]; diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 2912b2c..8572d64 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix @@ -1,5 +1,8 @@ { env, wallabag, mylibs }: rec { + backups = { + rootDir = varDir; + }; varDir = "/var/lib/wallabag"; keys = [{ dest = "webapps/tools-wallabag"; diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index 26d5238..eed9e3f 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix 
@@ -190,6 +190,36 @@ in unitConfig.RequiresMountsFor = cfg.dataDir; }; + systemd.services.mastodon-cleanup = { + description = "Cleanup mastodon"; + startAt = "daily"; + restartIfChanged = false; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; + environment.SOCKET = cfg.sockets.rails; + + path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ]; + + script = '' + exec ./bin/tootctl media remove --days 30 + ''; + + serviceConfig = { + User = cfg.user; + EnvironmentFile = cfg.configFile; + PrivateTmp = true; + Type = "oneshot"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + RuntimeDirectoryPreserve = "yes"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + systemd.services.mastodon-sidekiq = { description = "Mastodon Sidekiq"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index 924d72d..6771f01 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix @@ -37,6 +37,9 @@ in { }; config = lib.mkIf (builtins.length cfg.sites > 0) { + services.backup.profiles.goaccess = { + rootDir = cfg.dataDir; + }; users.users.root.packages = [ pkgs.goaccess ];
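Review bot: The retention period in `exec ./bin/tootctl media remove --days 30` is the only hard-coded policy value in an otherwise `cfg`-driven unit; lifting it into a module option (an integer option defaulting to 30, name to be chosen) would let deployments tune it without editing the module. The unit description `"Cleanup mastodon"` could also say what is cleaned, e.g. `description = "Remove cached Mastodon media older than 30 days";`. This unit is unrelated to the backup module the commit adds and would be easier to review as its own change. The enclosing `config` attribute set begins and ends outside the hunk.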