author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-16 01:10:17 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-16 01:10:17 +0200 |
commit | 5a61f6ad5164a735be26e016c59e72252ffb49b7 (patch) | |
tree | 6acc3c8199d7f25c039c6c6686005436d1fb49d7 /modules/private | |
parent | ca367c14902ab1bf869976dc5dca52d07e308c15 (diff) | |
Add alternate cloud storage for daily backups
Diffstat (limited to 'modules/private')
-rw-r--r-- | modules/private/environment.nix | 21 | ||||
-rw-r--r-- | modules/private/monitoring/default.nix | 18 | ||||
-rw-r--r-- | modules/private/monitoring/objects_common.nix | 5 | ||||
-rw-r--r-- | modules/private/monitoring/objects_monitoring-1.nix | 57 | ||||
-rwxr-xr-x | modules/private/monitoring/plugins/check_backup_age (renamed from modules/private/monitoring/plugins/check_eriomem_age) | 0 | ||||
-rw-r--r-- | modules/private/websites/chloe/production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/connexionswing/production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/isabelle/aten_production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/isabelle/iridologie.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/ludivine/production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/piedsjaloux/production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/richie/production.nix | 1 | ||||
-rw-r--r-- | modules/private/websites/syden/peertube.nix | 1 |
13 files changed, 75 insertions, 34 deletions
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index b8c4dd2..069a344 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
@@ -441,9 +441,24 @@ in | |||
441 | type = submodule { | 441 | type = submodule { |
442 | options = { | 442 | options = { |
443 | password = mkOption { type = str; description = "Password for encrypting files"; }; | 443 | password = mkOption { type = str; description = "Password for encrypting files"; }; |
444 | remote = mkOption { type = str; description = "Remote url access"; }; | 444 | remotes = mkOption { |
445 | accessKeyId = mkOption { type = str; description = "Remote access-key"; }; | 445 | type = attrsOf (submodule { |
446 | secretAccessKey = mkOption { type = str; description = "Remote access secret"; }; | 446 | options = { |
447 | remote = mkOption { | ||
448 | type = unspecified; | ||
449 | example = literalExample '' | ||
450 | bucket: "s3://some_host/${bucket}"; | ||
451 | ''; | ||
452 | description = '' | ||
453 | Function. | ||
454 | Takes a bucket name as argument and returns a url | ||
455 | ''; | ||
456 | }; | ||
457 | accessKeyId = mkOption { type = str; description = "Remote access-key"; }; | ||
458 | secretAccessKey = mkOption { type = str; description = "Remote access secret"; }; | ||
459 | }; | ||
460 | }); | ||
461 | }; | ||
447 | }; | 462 | }; |
448 | }; | 463 | }; |
449 | }; | 464 | }; |
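Review bot: The `example` for `remote` is written inside a `''` string, where `${bucket}` is an antiquotation, so Nix will try to evaluate `bucket` instead of printing it; it should be escaped as `bucket: "s3://some_host/''${bucket}";`. Because the option is `type = unspecified`, a value that is not a function is only caught where it is called, so the description should spell out the contract, e.g. `Function taking a bucket name and returning the remote url as a string`. The new `remotes` option has no `description` at all; `description = "Backup remotes, keyed by remote name";` would help, since the attribute name is reused in monitoring/default.nix to build the `${k}_access_key` secret. The enclosing option set starts and ends outside the hunk.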
diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix index d5bf7fb..c573af2 100644 --- a/modules/private/monitoring/default.nix +++ b/modules/private/monitoring/default.nix | |||
@@ -58,9 +58,12 @@ let | |||
58 | wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [ | 58 | wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [ |
59 | pkgs.s3cmd pkgs.python3 | 59 | pkgs.s3cmd pkgs.python3 |
60 | ]} | 60 | ]} |
61 | wrapProgram $out/check_eriomem_age --prefix PATH : ${lib.makeBinPath [ | 61 | makeWrapper $out/check_backup_age $out/check_backup_eriomem_age --prefix PATH : ${lib.makeBinPath [ |
62 | pkgs.duplicity | 62 | pkgs.duplicity |
63 | ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."eriomem_access_key"} | 63 | ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."eriomem_access_key"} |
64 | makeWrapper $out/check_backup_age $out/check_backup_ovh_age --prefix PATH : ${lib.makeBinPath [ | ||
65 | pkgs.duplicity | ||
66 | ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."ovh_access_key"} | ||
64 | wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [ | 67 | wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [ |
65 | pkgs.mailutils | 68 | pkgs.mailutils |
66 | ]} | 69 | ]} |
@@ -256,18 +259,19 @@ in | |||
256 | permissions = "0400"; | 259 | permissions = "0400"; |
257 | text = config.myEnv.monitoring.ssh_secret_key; | 260 | text = config.myEnv.monitoring.ssh_secret_key; |
258 | } | 261 | } |
259 | ] ++ lib.optional cfg.master ( | 262 | ] ++ lib.optionals cfg.master ( |
263 | lib.mapAttrsToList (k: v: | ||
260 | { | 264 | { |
261 | dest = "eriomem_access_key"; | 265 | dest = "${k}_access_key"; |
262 | user = "naemon"; | 266 | user = "naemon"; |
263 | group = "naemon"; | 267 | group = "naemon"; |
264 | permissions = "0400"; | 268 | permissions = "0400"; |
265 | text = '' | 269 | text = '' |
266 | export AWS_ACCESS_KEY_ID="${config.myEnv.backup.accessKeyId}" | 270 | export AWS_ACCESS_KEY_ID="${v.accessKeyId}" |
267 | export AWS_SECRET_ACCESS_KEY="${config.myEnv.backup.secretAccessKey}" | 271 | export AWS_SECRET_ACCESS_KEY="${v.secretAccessKey}" |
268 | export BASE_URL="${config.myEnv.backup.remote}" | 272 | export BASE_URL="${v.remote "immae-eldiron"}" |
269 | ''; | 273 | ''; |
270 | } | 274 | }) config.myEnv.backup.remotes |
271 | ); | 275 | ); |
272 | # needed since extraResource is not in the closure | 276 | # needed since extraResource is not in the closure |
273 | systemd.services.naemon.path = [ myplugins ]; | 277 | systemd.services.naemon.path = [ myplugins ]; |
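Review bot: In the generated `${k}_access_key` file, `v.accessKeyId`, `v.secretAccessKey` and the result of `v.remote` are interpolated straight into double-quoted `export` lines, so a value containing `"`, `$` or a backtick would be mangled or expanded if the file is sourced by a shell (the plugin that reads `SECRETS_PATH` is not shown). Quoting with `lib.escapeShellArg` avoids that, e.g. `export AWS_SECRET_ACCESS_KEY=${lib.escapeShellArg v.secretAccessKey}`, and likewise for the other two lines. Separately, the wrappers in the first hunk hard-code `"eriomem_access_key"` and `"ovh_access_key"` while the secrets are now named after whatever keys `config.myEnv.backup.remotes` holds, so the two can drift apart; generating the `makeWrapper` calls from the same attribute set would keep them in step. The bucket name `"immae-eldiron"` is fixed here as well and deserves a one-line comment saying why. Both hunks sit inside blocks that begin outside the visible lines.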
diff --git a/modules/private/monitoring/objects_common.nix b/modules/private/monitoring/objects_common.nix index d3a46ce..25f8124 100644 --- a/modules/private/monitoring/objects_common.nix +++ b/modules/private/monitoring/objects_common.nix | |||
@@ -108,8 +108,9 @@ in | |||
108 | check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$"; | 108 | check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$"; |
109 | check_emails = "$USER2$/check_emails -H $HOSTADDRESS$ -i $USER203$ -l $ARG1$ -p $ARG2$ -s $ARG3$ -f $ARG4$"; | 109 | check_emails = "$USER2$/check_emails -H $HOSTADDRESS$ -i $USER203$ -l $ARG1$ -p $ARG2$ -s $ARG3$ -f $ARG4$"; |
110 | check_emails_local = "$USER2$/check_emails -H $HOSTADDRESS$ -n $ARG1$ -r $ADMINEMAIL$ -s $ARG2$ -f $ARG3$"; | 110 | check_emails_local = "$USER2$/check_emails -H $HOSTADDRESS$ -n $ARG1$ -r $ADMINEMAIL$ -s $ARG2$ -f $ARG3$"; |
111 | check_eriomem = "$USER2$/check_eriomem $USER208$"; | 111 | check_backup_eriomem = "$USER2$/check_eriomem $USER208$"; |
112 | check_eriomem_age = "$USER2$/check_eriomem_age $ARG1$"; | 112 | check_backup_eriomem_age = "$USER2$/check_backup_eriomem_age $ARG1$"; |
113 | check_backup_ovh_age = "$USER2$/check_backup_ovh_age $ARG1$"; | ||
113 | check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$"; | 114 | check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$"; |
114 | check_ftp_database = "$USER2$/check_ftp_database"; | 115 | check_ftp_database = "$USER2$/check_ftp_database"; |
115 | check_git = "$USER2$/check_git $USER203$"; | 116 | check_git = "$USER2$/check_git $USER203$"; |
diff --git a/modules/private/monitoring/objects_monitoring-1.nix b/modules/private/monitoring/objects_monitoring-1.nix index 2cba58e..1aebd26 100644 --- a/modules/private/monitoring/objects_monitoring-1.nix +++ b/modules/private/monitoring/objects_monitoring-1.nix | |||
@@ -1,22 +1,24 @@ | |||
1 | { config, pkgs, nodes, hostFQDN, emailCheck, ... }: | 1 | { config, pkgs, nodes, hostFQDN, emailCheck, lib, ... }: |
2 | let | 2 | let |
3 | to_eriomem_age_dependency = name: { | 3 | to_backup_age_dependency = name: profile: map (remote: |
4 | dependent_host_name = "eldiron.immae.eu"; | 4 | { |
5 | host_name = "eldiron.immae.eu"; | 5 | dependent_host_name = "eldiron.immae.eu"; |
6 | dependent_service_description = "Eriomem backup for ${name} is not too old"; | 6 | host_name = "eldiron.immae.eu"; |
7 | service_description = "Eriomem backup is up and not full"; | 7 | dependent_service_description = "${remote} backup for ${name} is not too old"; |
8 | execution_failure_criteria = "u"; | 8 | service_description = "${remote} backup is up and not full"; |
9 | notification_failure_criteria = "u"; | 9 | execution_failure_criteria = "u"; |
10 | }; | 10 | notification_failure_criteria = "u"; |
11 | to_eriomem_age = name: { | 11 | }) profile.remotes; |
12 | service_description = "Eriomem backup for ${name} is not too old"; | 12 | to_backup_age = name: profile: map (remote: |
13 | host_name = "eldiron.immae.eu"; | 13 | { |
14 | use = "external-service"; | 14 | service_description = "${remote} backup for ${name} is not too old"; |
15 | check_command = ["check_eriomem_age" name]; | 15 | host_name = "eldiron.immae.eu"; |
16 | 16 | use = "external-service"; | |
17 | check_interval = "120"; | 17 | check_command = ["check_backup_${remote}_age" name]; |
18 | notification_interval = "1440"; | 18 | |
19 | }; | 19 | check_interval = "120"; |
20 | notification_interval = "1440"; | ||
21 | }) profile.remotes; | ||
20 | in | 22 | in |
21 | { | 23 | { |
22 | host = { | 24 | host = { |
@@ -111,10 +113,21 @@ in | |||
111 | 113 | ||
112 | # Backup services | 114 | # Backup services |
113 | { | 115 | { |
114 | service_description = "Eriomem backup is up and not full"; | 116 | service_description = "eriomem backup is up and not full"; |
117 | host_name = "eldiron.immae.eu"; | ||
118 | use = "external-service"; | ||
119 | check_command = "check_backup_eriomem"; | ||
120 | |||
121 | check_interval = "120"; | ||
122 | notification_interval = "1440"; | ||
123 | |||
124 | servicegroups = "webstatus-backup"; | ||
125 | } | ||
126 | { | ||
127 | service_description = "ovh backup is up and not full"; | ||
115 | host_name = "eldiron.immae.eu"; | 128 | host_name = "eldiron.immae.eu"; |
116 | use = "external-service"; | 129 | use = "external-service"; |
117 | check_command = "check_eriomem"; | 130 | check_command = "check_ok"; |
118 | 131 | ||
119 | check_interval = "120"; | 132 | check_interval = "120"; |
120 | notification_interval = "1440"; | 133 | notification_interval = "1440"; |
@@ -673,7 +686,7 @@ in | |||
673 | _webstatus_name = "LDAP"; | 686 | _webstatus_name = "LDAP"; |
674 | _webstatus_url = "ldap.immae.eu"; | 687 | _webstatus_url = "ldap.immae.eu"; |
675 | } | 688 | } |
676 | ] ++ map to_eriomem_age (builtins.attrNames nodes.eldiron.config.services.duplyBackup.profiles); | 689 | ] ++ lib.flatten (lib.mapAttrsToList to_backup_age nodes.eldiron.config.services.duplyBackup.profiles); |
677 | contact = { | 690 | contact = { |
678 | telio-tortay = config.myEnv.monitoring.contacts.telio-tortay // { | 691 | telio-tortay = config.myEnv.monitoring.contacts.telio-tortay // { |
679 | use = "generic-contact"; | 692 | use = "generic-contact"; |
@@ -688,5 +701,5 @@ in | |||
688 | telio-tortay = { alias = "Telio Tortay"; members = "immae"; }; | 701 | telio-tortay = { alias = "Telio Tortay"; members = "immae"; }; |
689 | tiboqorl = { alias = "Tiboqorl"; members = "immae"; }; | 702 | tiboqorl = { alias = "Tiboqorl"; members = "immae"; }; |
690 | }; | 703 | }; |
691 | servicedependency = map to_eriomem_age_dependency (builtins.attrNames nodes.eldiron.config.services.duplyBackup.profiles); | 704 | servicedependency = lib.flatten (lib.mapAttrsToList to_backup_age_dependency nodes.eldiron.config.services.duplyBackup.profiles); |
692 | } | 705 | } |
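Review bot: The new "ovh backup is up and not full" service uses `check_command = "check_ok"`, which by its name looks like a placeholder that always succeeds (its definition is not in this diff), so the OVH target is not actually probed and the `ovh` entries produced by `to_backup_age_dependency` would presumably never trigger. Until a real availability or capacity check exists, a comment on that line such as `# placeholder: no OVH storage check yet, always OK` would keep the status page from being read as real coverage. `check_command = ["check_backup_${remote}_age" name]` also assumes every name in `profile.remotes` has a matching command in objects_common.nix, where only `eriomem` and `ovh` are defined, so a comment or assertion on the allowed names would help.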
diff --git a/modules/private/monitoring/plugins/check_eriomem_age b/modules/private/monitoring/plugins/check_backup_age index 4d03b82..4d03b82 100755 --- a/modules/private/monitoring/plugins/check_eriomem_age +++ b/modules/private/monitoring/plugins/check_backup_age | |||
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index b5233c6..7f8f1de 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix | |||
@@ -15,6 +15,7 @@ in { | |||
15 | 15 | ||
16 | config = lib.mkIf cfg.enable { | 16 | config = lib.mkIf cfg.enable { |
17 | services.duplyBackup.profiles.chloe_production.rootDir = app.varDir; | 17 | services.duplyBackup.profiles.chloe_production.rootDir = app.varDir; |
18 | services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"]; | ||
18 | secrets.keys = [ | 19 | secrets.keys = [ |
19 | { | 20 | { |
20 | dest = "websites/chloe/production"; | 21 | dest = "websites/chloe/production"; |
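Review bot: The line `services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"];` is repeated with the same list for every profile touched by this commit (connexionswing, isabelle aten and iridologie, ludivine, piedsjaloux, richie, syden peertube). If the `remotes` profile option, which is declared outside this diff, has no default, a profile that omits it would break the `profile.remotes` lookups in objects_monitoring-1.nix; giving the option a default of `["eriomem" "ovh"]`, or documenting that it is mandatory, would remove the repetition. The surrounding `config = lib.mkIf cfg.enable {` block continues past the hunk.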
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index e172f84..f6a059d 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix | |||
@@ -14,6 +14,7 @@ in { | |||
14 | 14 | ||
15 | config = lib.mkIf cfg.enable { | 15 | config = lib.mkIf cfg.enable { |
16 | services.duplyBackup.profiles.connexionswing_production.rootDir = app.varDir; | 16 | services.duplyBackup.profiles.connexionswing_production.rootDir = app.varDir; |
17 | services.duplyBackup.profiles.connexionswing_production.remotes = ["eriomem" "ovh"]; | ||
17 | services.webstats.sites = [ { name = "connexionswing.com"; } ]; | 18 | services.webstats.sites = [ { name = "connexionswing.com"; } ]; |
18 | services.phpApplication.apps.connexionswing_production = { | 19 | services.phpApplication.apps.connexionswing_production = { |
19 | websiteEnv = "production"; | 20 | websiteEnv = "production"; |
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 4fa3622..3671712 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix | |||
@@ -13,6 +13,7 @@ in { | |||
13 | 13 | ||
14 | config = lib.mkIf cfg.enable { | 14 | config = lib.mkIf cfg.enable { |
15 | services.duplyBackup.profiles.isabelle_aten_production.rootDir = app.varDir; | 15 | services.duplyBackup.profiles.isabelle_aten_production.rootDir = app.varDir; |
16 | services.duplyBackup.profiles.isabelle_aten_production.remotes = ["eriomem" "ovh"]; | ||
16 | services.webstats.sites = [ { name = "aten.pro"; } ]; | 17 | services.webstats.sites = [ { name = "aten.pro"; } ]; |
17 | services.phpApplication.apps.isabelle_aten_production = { | 18 | services.phpApplication.apps.isabelle_aten_production = { |
18 | websiteEnv = "production"; | 19 | websiteEnv = "production"; |
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 5fa87ce..14296bf 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix | |||
@@ -17,6 +17,7 @@ in { | |||
17 | 17 | ||
18 | config = lib.mkIf cfg.enable { | 18 | config = lib.mkIf cfg.enable { |
19 | services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir; | 19 | services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir; |
20 | services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"]; | ||
20 | secrets.keys = [ | 21 | secrets.keys = [ |
21 | { | 22 | { |
22 | dest = "websites/isabelle/iridologie"; | 23 | dest = "websites/isabelle/iridologie"; |
diff --git a/modules/private/websites/ludivine/production.nix b/modules/private/websites/ludivine/production.nix index b30f488..3a9895d 100644 --- a/modules/private/websites/ludivine/production.nix +++ b/modules/private/websites/ludivine/production.nix | |||
@@ -14,6 +14,7 @@ in { | |||
14 | 14 | ||
15 | config = lib.mkIf cfg.enable { | 15 | config = lib.mkIf cfg.enable { |
16 | services.duplyBackup.profiles.ludivine_production.rootDir = app.varDir; | 16 | services.duplyBackup.profiles.ludivine_production.rootDir = app.varDir; |
17 | services.duplyBackup.profiles.ludivine_production.remotes = ["eriomem" "ovh"]; | ||
17 | services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; | 18 | services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; |
18 | services.phpApplication.apps.ludivine_production = { | 19 | services.phpApplication.apps.ludivine_production = { |
19 | websiteEnv = "production"; | 20 | websiteEnv = "production"; |
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index 03b9ec5..e12b046 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix | |||
@@ -15,6 +15,7 @@ in { | |||
15 | 15 | ||
16 | config = lib.mkIf cfg.enable { | 16 | config = lib.mkIf cfg.enable { |
17 | services.duplyBackup.profiles.piedsjaloux_production.rootDir = app.varDir; | 17 | services.duplyBackup.profiles.piedsjaloux_production.rootDir = app.varDir; |
18 | services.duplyBackup.profiles.piedsjaloux_production.remotes = ["eriomem" "ovh"]; | ||
18 | services.webstats.sites = [ { name = "piedsjaloux.fr"; } ]; | 19 | services.webstats.sites = [ { name = "piedsjaloux.fr"; } ]; |
19 | services.phpApplication.apps.piedsjaloux_production = { | 20 | services.phpApplication.apps.piedsjaloux_production = { |
20 | websiteEnv = "production"; | 21 | websiteEnv = "production"; |
diff --git a/modules/private/websites/richie/production.nix b/modules/private/websites/richie/production.nix index a6957af..2d85175 100644 --- a/modules/private/websites/richie/production.nix +++ b/modules/private/websites/richie/production.nix | |||
@@ -26,6 +26,7 @@ in | |||
26 | options.myServices.websites.richie.production.enable = lib.mkEnableOption "enable Richie's website"; | 26 | options.myServices.websites.richie.production.enable = lib.mkEnableOption "enable Richie's website"; |
27 | config = lib.mkIf cfg.enable { | 27 | config = lib.mkIf cfg.enable { |
28 | services.duplyBackup.profiles.richie_production.rootDir = vardir; | 28 | services.duplyBackup.profiles.richie_production.rootDir = vardir; |
29 | services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"]; | ||
29 | services.webstats.sites = [ { name = "europe-richie.org"; } ]; | 30 | services.webstats.sites = [ { name = "europe-richie.org"; } ]; |
30 | 31 | ||
31 | secrets.keys = [{ | 32 | secrets.keys = [{ |
diff --git a/modules/private/websites/syden/peertube.nix b/modules/private/websites/syden/peertube.nix index b17e775..5970cca 100644 --- a/modules/private/websites/syden/peertube.nix +++ b/modules/private/websites/syden/peertube.nix | |||
@@ -12,6 +12,7 @@ in | |||
12 | config = lib.mkIf scfg.enable { | 12 | config = lib.mkIf scfg.enable { |
13 | services.duplyBackup.profiles.syden_peertube = { | 13 | services.duplyBackup.profiles.syden_peertube = { |
14 | rootDir = dataDir; | 14 | rootDir = dataDir; |
15 | remotes = ["eriomem" "ovh"]; | ||
15 | }; | 16 | }; |
16 | users.users.peertube = { | 17 | users.users.peertube = { |
17 | uid = config.ids.uids.peertube; | 18 | uid = config.ids.uids.peertube; |