Add backup module

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-10-16 13:49:24 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-10-16 13:49:24 +0200
commit: 6a8252b11bb02f3e67857d5a9d733b1affa6a625 (patch)
tree: 175cb91c386b444ce951361baaa4875136d5c9e4
parent: 5304a64b84c5a84525c96419cc6126775af306e0 (diff)
download: Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.tar.gz
Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.tar.zst
Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.zip
47 files changed, 325 insertions, 1 deletions
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644
index 0000000..ab76ee0
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
+VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz
+MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG
+A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0
+MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS
+MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV
+BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF
+cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs
+EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK
+9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H
+28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X
+wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK
+GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou
+QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3
+ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu
+vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql
+Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ
+9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR
+1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/
+/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic
+OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo
+4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL
+V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW
+mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm
+A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c
+bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF
+syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n
+1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy
+s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V
+TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ
+MnGrJwg=
+-----END CERTIFICATE-----
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem
new file mode 100644
index 0000000..8d77f26
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
+VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx
+FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG
+CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw
+NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu
+Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE
+AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA
+NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY
+XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K
+eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx
+/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF
+xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID
+AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j
+BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC
+RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD
+VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG
+9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl
+549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44
+Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa
+fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc
+cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR
+Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw==
+-----END CERTIFICATE-----
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
new file mode 100644
index 0000000..7e0e4b2
--- /dev/null
+++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+let
+  cfg = myconfig.env.backup;
+  varDir = "/var/lib/duply";
+  duplyProfile = profile: prefix: ''
+    GPG_PW="${cfg.password}"
+    TARGET="${cfg.remote}${prefix}"
+    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+    SOURCE="${profile.rootDir}"
+    FILENAME=".duplicity-ignore"
+    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+    VERBOSITY=4
+    ARCH_DIR="${varDir}/caches"
+    # Do a full backup after 1 month
+    MAX_FULLBKP_AGE=1M
+    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+    # Backups older than 2months are deleted
+    MAX_AGE=2M
+    # Keep 2 full backups
+    MAX_FULL_BACKUPS=2
+    MAX_FULLS_WITH_INCRS=2
+  '';
+  action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+  options = {
+    services.backup.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable remote backups.
+      '';
+    };
+    services.backup.profiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          rootDir = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              Path to backup
+              '';
+          };
+          excludeFile = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              Content to put in exclude file
+              '';
+          };
+        };
+      });
+    };
+  };
+  config = lib.mkIf config.services.backup.enable {
+    system.activationScripts.backup = ''
+      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+      '';
+    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+      {
+        permissions = "0400";
+        dest = "backup/${k}/conf";
+        text = duplyProfile v "${k}/";
+      }
+      {
+        permissions = "0400";
+        dest = "backup/${k}/exclude";
+        text = v.excludeFile;
+      }
+    ]) config.services.backup.profiles);
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        backups = pkgs.writeScript "backups" ''
+          #!${pkgs.stdenv.shell}
+          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+            ''
+              touch ${varDir}/${k}.log
+              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+            ''
+          ) config.services.backup.profiles)}
+        '';
+      in
+        [
+          "0 2 * * * root ${backups}"
+        ];
+    };
+    security.pki.certificates = [
+      (builtins.readFile ./Eriomem_SAS.1.pem)
+      (builtins.readFile ./Eriomem_SAS.pem)
+    ];
+  };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 9e9c411..05f2bfe 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -13,6 +13,7 @@
  opendmarc = ./opendmarc.nix;
  openarc = ./openarc.nix;
+  backup = ./backup;
  naemon = ./naemon;
  php-application = ./websites/php-application.nix;
diff --git a/modules/myids.nix b/modules/myids.nix
index ac9fd65..79610af 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,7 @@
  # Check that there is no clash with nixos/modules/misc/ids.nix
  config = {
    ids.uids = {
+      backup = 389;
      vhost = 390;
      openarc = 391;
      opendmarc = 392;
@@ -15,6 +16,7 @@
    };
    ids.gids = {
      nagios = 11; # commented in the ids file
+      backup = 389;
      vhost = 390;
      openarc = 391;
      opendmarc = 392;
diff --git a/modules/private/backup.nix b/modules/private/backup.nix
new file mode 100644
index 0000000..6911750
--- /dev/null
+++ b/modules/private/backup.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  config = {
+    services.backup.enable = true;
+  };
+}
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index f307606..88bab9b 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -24,6 +24,9 @@ in
  };
  config = lib.mkIf config.myServices.buildbot.enable {
+    services.backup.profiles.buildbot = {
+      rootDir = varDir;
+    };
    ids.uids.buildbot = myconfig.env.buildbot.user.uid;
    ids.gids.buildbot = myconfig.env.buildbot.user.gid;
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2e40b3c..cb284fc 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -15,6 +15,9 @@
  };
  config = {
+    services.backup.profiles.system.excludeFile = ''
+      + ${config.security.acme.directory}
+      '';
    services.websites.certs = config.services.myCertificates.certConfig;
    myServices.databasesCerts = config.services.myCertificates.certConfig;
    myServices.ircCerts = config.services.myCertificates.certConfig;
diff --git a/modules/private/default.nix b/modules/private/default.nix
index cf15499..6dd7358 100644
--- a/modules/private/default.nix
+++ b/modules/private/default.nix
@@ -65,6 +65,7 @@ set = {
  ftp = ./ftp.nix;
  mpd = ./mpd.nix;
  ssh = ./ssh;
+  backup = ./backup.nix;
  monitoring = ./monitoring;
  system = ./system.nix;
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 59cae59..c6d7fbe 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -14,6 +14,9 @@ in
  };
  config = lib.mkIf config.services.pure-ftpd.enable {
+    services.backup.profiles.ftp = {
+      rootDir = "/var/lib/ftp";
+    };
    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
      domain = "eldiron.immae.eu";
      postRun = ''
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index b9914a1..dc068b7 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -11,6 +11,9 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.gitolite = {
+      rootDir = cfg.gitoliteDir;
+    };
    networking.firewall.allowedTCPPorts = [ 9418 ];
    services.gitDaemon = {
diff --git a/modules/private/irc.nix b/modules/private/irc.nix
index b3fe91f..785b34d 100644
--- a/modules/private/irc.nix
+++ b/modules/private/irc.nix
@@ -17,6 +17,9 @@ in
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.irc = {
+      rootDir = "/var/lib/bitlbee";
+    };
    security.acme.certs."irc" = config.myServices.ircCerts // {
      domain = "irc.immae.eu";
      postRun = ''
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix
index ad2c684..ac8ad8c 100644
--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -9,4 +9,13 @@
      mxs = map (zone: "mx-1.${zone.name}") zonesWithMx;
    in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
  };
+  config.services.backup.profiles = {
+    mail = {
+      rootDir = "/var/lib";
+      excludeFile = lib.mkAfter ''
+        + /var/lib/vhost
+        - /var/lib
+        '';
+    };
+  };
 }
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index 047d7d0..0d13a7b 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -12,6 +12,10 @@ let
    '';
 in
 {
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/dhparams
+    + /var/lib/dovecot
+    '';
  config.secrets.keys = [
    {
      dest = "dovecot/ldap";
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index c2d0af6..edfd196 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,5 +1,8 @@
 { lib, pkgs, config, myconfig,  ... }:
 {
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/postfix
+    '';
  config.secrets.keys = [
    {
      dest = "postfix/mysql_alias_maps";
diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix
index 3a7a67c..af3541f 100644
--- a/modules/private/mail/rspamd.nix
+++ b/modules/private/mail/rspamd.nix
@@ -10,6 +10,9 @@
      rspamd sockets
      '';
  };
+  config.services.backup.profiles.mail.excludeFile = ''
+    + /var/lib/rspamd
+    '';
  config.services.cron.systemCronJobs = let
    cron_script = pkgs.runCommand "cron_script" {
      buildInputs = [ pkgs.makeWrapper ];
diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix
index d99124e..d9805ef 100644
--- a/modules/private/monitoring/default.nix
+++ b/modules/private/monitoring/default.nix
@@ -27,6 +27,9 @@ in
  };
  config = lib.mkIf config.myServices.monitoring.enable {
+    services.backup.profiles.monitoring = {
+      rootDir = config.services.naemon.varDir;
+    };
    security.sudo.extraRules = [
      {
        commands = [
diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix
index 17454d7..b224165 100644
--- a/modules/private/mpd.nix
+++ b/modules/private/mpd.nix
@@ -1,6 +1,9 @@
 { lib, pkgs, config, myconfig,  ... }:
 {
  config = {
+    services.backup.profiles.mpd = {
+      rootDir = "/var/lib/mpd";
+    };
    secrets.keys = [
      {
        dest = "mpd";
diff --git a/modules/private/pub/default.nix b/modules/private/pub/default.nix
index c31c8eb..a193d17 100644
--- a/modules/private/pub/default.nix
+++ b/modules/private/pub/default.nix
@@ -11,6 +11,9 @@
  };
  config = lib.mkIf config.myServices.pub.enable {
+    services.backup.profiles.pub = {
+      rootDir = "/var/lib/pub";
+    };
    users.users.pub = let
      restrict = pkgs.runCommand "restrict" { 
        file = ./restrict;
diff --git a/modules/private/system.nix b/modules/private/system.nix
index fba504e..c12c226 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,6 +1,17 @@
-{ pkgs, privateFiles, ... }:
+{ pkgs, privateFiles, lib, ... }:
 {
  config = {
+    services.backup.profiles.system = {
+      rootDir = "/var/lib";
+      excludeFile = lib.mkAfter ''
+        + /var/lib/nixos
+        + /var/lib/udev
+        + /var/lib/udisks2
+        + /var/lib/systemd
+        + /var/lib/private/systemd
+        - /var/lib
+        '';
+    };
    nixpkgs.overlays = builtins.attrValues (import ../../overlays);
    _module.args = {
      pkgsNext = import <nixpkgsNext> {};
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index a2da0c3..b2191c0 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -86,6 +86,15 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.tasks = {
+      rootDir = "/var/lib";
+      excludeFile = ''
+        + /var/lib/taskserver
+        + /var/lib/taskwarrior-web
+        - /var/lib
+        '';
+    };
    secrets.keys = [{
      dest = "webapps/tools-taskwarrior-web";
      user = "wwwrun";
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
index 6768f80..0c92818 100644
--- a/modules/private/websites/aten/integration.nix
+++ b/modules/private/websites/aten/integration.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.aten_dev.rootDir = app.varDir;
    services.phpApplication.apps.aten_dev = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
index 97f4a08..2ffcef3 100644
--- a/modules/private/websites/aten/production.nix
+++ b/modules/private/websites/aten/production.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.aten_prod.rootDir = app.varDir;
    services.webstats.sites = [ { name = "aten.pro"; } ];
    services.phpApplication.apps.aten_prod = {
      websiteEnv = "production";
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
index 1f7ac31..75e25af 100644
--- a/modules/private/websites/chloe/integration.nix
+++ b/modules/private/websites/chloe/integration.nix
@@ -12,6 +12,7 @@ in {
  options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.chloe_dev.rootDir = chloe.app.varDir;
    secrets.keys = chloe.keys;
    systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
    systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
index 6cfdb7f..7c59806 100644
--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -12,6 +12,7 @@ in {
  options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.chloe_prod.rootDir = chloe.app.varDir;
    secrets.keys = chloe.keys;
    services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
index 2ceaffa..fee8e4f 100644
--- a/modules/private/websites/connexionswing/integration.nix
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.connexionswing_dev.rootDir = app.varDir;
    services.phpApplication.apps.connexionswing_dev = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index 1427c8d..79e672a 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.connexionswing_prod.rootDir = app.varDir;
    services.webstats.sites = [ { name = "connexionswing.com"; } ];
    services.phpApplication.apps.connexionswing_prod = {
      websiteEnv = "production";
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index f55f7e3..e2bcef5 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -73,6 +73,9 @@ in
  };
  config = {
+    services.backup.profiles.php = {
+      rootDir = "/var/lib/php";
+    };
    users.users.wwwrun.extraGroups = [ "keys" ];
    networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix
index 422bfd4..0dab316 100644
--- a/modules/private/websites/emilia/production.nix
+++ b/modules/private/websites/emilia/production.nix
@@ -43,6 +43,9 @@ in {
  options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.emilia_prod = {
+      rootDir = varDir;
+    };
    system.activationScripts.emilia = ''
      install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
      '';
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix
index 3f44ec4..7e2c333 100644
--- a/modules/private/websites/florian/app.nix
+++ b/modules/private/websites/florian/app.nix
@@ -9,6 +9,7 @@ in {
  options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.tellesflorian_dev.rootDir = app.varDir;
    services.phpApplication.apps.florian_dev = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix
index 55f2432..d1b8f9b 100644
--- a/modules/private/websites/ludivinecassal/integration.nix
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.ludivinecassal_dev.rootDir = app.varDir;
    services.phpApplication.apps.ludivinecassal_dev = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix
index 82f6899..341fd6d 100644
--- a/modules/private/websites/ludivinecassal/production.nix
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.ludivinecassal_prod.rootDir = app.varDir;
    services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
    services.phpApplication.apps.ludivinecassal_prod = {
      websiteEnv = "production";
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
index 0a33bc0..853fcff 100644
--- a/modules/private/websites/piedsjaloux/integration.nix
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.piedsjaloux_dev.rootDir = app.varDir;
    services.phpApplication.apps.piedsjaloux_dev = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
index 9007f19..9e64fca 100644
--- a/modules/private/websites/piedsjaloux/production.nix
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -8,6 +8,7 @@ in {
  options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.piedsjaloux_prod.rootDir = app.varDir;
    services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
    services.phpApplication.apps.piedsjaloux_prod = {
      websiteEnv = "production";
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
index 17a6a09..24d3d51 100644
--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -10,6 +10,9 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.diaspora = {
+      rootDir = dcfg.dataDir;
+    };
    users.users.diaspora.extraGroups = [ "keys" ];
    secrets.keys = [
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
index c038528..600254b 100644
--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -12,6 +12,9 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.etherpad-lite = {
+      rootDir = "/var/lib/private/etherpad-lite";
+    };
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix
index ea0a27f..35711af 100644
--- a/modules/private/websites/tools/mail/default.nix
+++ b/modules/private/websites/tools/mail/default.nix
@@ -17,6 +17,10 @@ in
  ];
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.mail.excludeFile = ''
+      + ${rainloop.varDir}
+      + ${roundcubemail.varDir}
+      '';
    secrets.keys = roundcubemail.keys;
    services.websites.env.tools.modules =
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
index d67ae2b..2236bd5 100644
--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -10,6 +10,9 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    services.backup.profiles.mastodon = {
+      rootDir = mcfg.dataDir;
+    };
    secrets.keys = [{
      dest = "webapps/tools-mastodon";
      user = "mastodon";
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index e17c708..6f27b0b 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -51,6 +51,15 @@ in {
      ++ wallabag.keys
      ++ yourls.keys;
+    services.backup.profiles = {
+      dokuwiki = dokuwiki.backups;
+      kanboard = kanboard.backups;
+      rompr = rompr.backups;
+      shaarli = shaarli.backups;
+      ttrss = ttrss.backups;
+      wallabag = wallabag.backups;
+    };
    services.websites.env.tools.modules =
      [ "proxy_fcgi" ]
      ++ adminer.apache.modules
diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix
index c61d15f..e40d671 100644
--- a/modules/private/websites/tools/tools/dokuwiki.nix
+++ b/modules/private/websites/tools/tools/dokuwiki.nix
@@ -1,5 +1,8 @@
 { lib, stdenv, dokuwiki, dokuwiki-plugins }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
  varDir = "/var/lib/dokuwiki";
  activationScript = {
    deps = [ "wrappers" ];
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 68f92b8..68c3a10 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -1,5 +1,8 @@
 { env, kanboard }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
  varDir = "/var/lib/kanboard";
  activationScript = {
    deps = [ "wrappers" ];
diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix
index fea59fc..74034f0 100644
--- a/modules/private/websites/tools/tools/rompr.nix
+++ b/modules/private/websites/tools/tools/rompr.nix
@@ -1,5 +1,8 @@
 { lib, env, rompr }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
  varDir = "/var/lib/rompr";
  activationScript = ''
    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index 2e89a47..28041ba 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -2,6 +2,9 @@
 let
  varDir = "/var/lib/shaarli";
 in rec {
+  backups = {
+    rootDir = varDir;
+  };
  activationScript = ''
    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
      ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index 05c8cab..598cc3a 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -1,5 +1,8 @@
 { php, env, ttrss, ttrss-plugins }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
  varDir = "/var/lib/ttrss";
  activationScript = {
    deps = [ "wrappers" ];
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 2912b2c..8572d64 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -1,5 +1,8 @@
 { env, wallabag, mylibs }:
 rec {
+  backups = {
+    rootDir = varDir;
+  };
  varDir = "/var/lib/wallabag";
  keys = [{
    dest = "webapps/tools-wallabag";
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
index 26d5238..eed9e3f 100644
--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -190,6 +190,36 @@ in
      unitConfig.RequiresMountsFor = cfg.dataDir;
    };
+    systemd.services.mastodon-cleanup = {
+      description = "Cleanup mastodon";
+      startAt = "daily";
+      restartIfChanged = false;
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+      script = ''
+        exec ./bin/tootctl media remove --days 30
+      '';
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Type = "oneshot";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
    systemd.services.mastodon-sidekiq = {
      description = "Mastodon Sidekiq";
      wantedBy = [ "multi-user.target" ];
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix
index 924d72d..6771f01 100644
--- a/modules/webapps/webstats/default.nix
+++ b/modules/webapps/webstats/default.nix
@@ -37,6 +37,9 @@ in {
  };
  config = lib.mkIf (builtins.length cfg.sites > 0) {
+    services.backup.profiles.goaccess = {
+      rootDir = cfg.dataDir;
+    };
    users.users.root.packages = [
      pkgs.goaccess
    ];
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-10-16 13:49:24 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-10-16 13:49:24 +0200
commit	6a8252b11bb02f3e67857d5a9d733b1affa6a625 (patch)
tree	175cb91c386b444ce951361baaa4875136d5c9e4
parent	5304a64b84c5a84525c96419cc6126775af306e0 (diff)
download	Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.tar.gz Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.tar.zst Nix-6a8252b11bb02f3e67857d5a9d733b1affa6a625.zip