authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-07-16 01:10:17 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-07-16 01:10:17 +0200
commit5a61f6ad5164a735be26e016c59e72252ffb49b7 (patch)
tree6acc3c8199d7f25c039c6c6686005436d1fb49d7 /modules/private
parentca367c14902ab1bf869976dc5dca52d07e308c15 (diff)
Add alternate cloud storage for daily backups
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/environment.nix21
-rw-r--r--modules/private/monitoring/default.nix18
-rw-r--r--modules/private/monitoring/objects_common.nix5
-rw-r--r--modules/private/monitoring/objects_monitoring-1.nix57
-rwxr-xr-xmodules/private/monitoring/plugins/check_backup_age (renamed from modules/private/monitoring/plugins/check_eriomem_age)0
-rw-r--r--modules/private/websites/chloe/production.nix1
-rw-r--r--modules/private/websites/connexionswing/production.nix1
-rw-r--r--modules/private/websites/isabelle/aten_production.nix1
-rw-r--r--modules/private/websites/isabelle/iridologie.nix1
-rw-r--r--modules/private/websites/ludivine/production.nix1
-rw-r--r--modules/private/websites/piedsjaloux/production.nix1
-rw-r--r--modules/private/websites/richie/production.nix1
-rw-r--r--modules/private/websites/syden/peertube.nix1
13 files changed, 75 insertions, 34 deletions
diff --git a/modules/private/environment.nix b/modules/private/environment.nix
index b8c4dd2..069a344 100644
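--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -441,9 +441,24 @@ in
 type = submodule {
 options = {
 password = mkOption { type = str; description = "Password for encrypting files"; };
-remote = mkOption { type = str; description = "Remote url access"; };
-accessKeyId = mkOption { type = str; description = "Remote access-key"; };
-secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
+remotes = mkOption {
+type = attrsOf (submodule {
+options = {
+remote = mkOption {
+type = unspecified;
+example = literalExample ''
+bucket: "s3://some_host/${bucket}";
+'';
+description = ''
+Function.
+Takes a bucket name as argument and returns a url
+'';
+};
+accessKeyId = mkOption { type = str; description = "Remote access-key"; };
+secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
+};
+});
+};
 };
 };
 };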
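Review bot: The `remote` option inside the new `remotes` submodule is declared `type = unspecified;`, so the module system accepts any value, and a plain URL string left over from the old `remote = str` form only fails later, where the monitoring module applies `v.remote "immae-eldiron"`. If the pinned nixpkgs provides it, `type = functionTo str;` would reject such a value when the option is checked. The description would also read better as one sentence that names the argument and the result, for example `Function taking a bucket name and returning the remote URL for that bucket`. The enclosing option set starts and ends outside the hunk.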
diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix
index d5bf7fb..c573af2 100644
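--- a/modules/private/monitoring/default.nix
+++ b/modules/private/monitoring/default.nix
@@ -58,9 +58,12 @@ let
 wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [
 pkgs.s3cmd pkgs.python3
 ]}
-wrapProgram $out/check_eriomem_age --prefix PATH : ${lib.makeBinPath [
+makeWrapper $out/check_backup_age $out/check_backup_eriomem_age --prefix PATH : ${lib.makeBinPath [
 pkgs.duplicity
 ]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."eriomem_access_key"}
+makeWrapper $out/check_backup_age $out/check_backup_ovh_age --prefix PATH : ${lib.makeBinPath [
+pkgs.duplicity
+]} --set SECRETS_PATH ${lib.optionalString cfg.master config.secrets.fullPaths."ovh_access_key"}
 wrapProgram $out/notify_by_email --prefix PATH : ${lib.makeBinPath [
 pkgs.mailutils
 ]}
@@ -256,18 +259,19 @@ in
 permissions = "0400";
 text = config.myEnv.monitoring.ssh_secret_key;
 }
-] ++ lib.optional cfg.master (
+] ++ lib.optionals cfg.master (
+lib.mapAttrsToList (k: v:
 {
-dest = "eriomem_access_key";
+dest = "${k}_access_key";
 user = "naemon";
 group = "naemon";
 permissions = "0400";
 text = ''
-export AWS_ACCESS_KEY_ID="${config.myEnv.backup.accessKeyId}"
-export AWS_SECRET_ACCESS_KEY="${config.myEnv.backup.secretAccessKey}"
-export BASE_URL="${config.myEnv.backup.remote}"
+export AWS_ACCESS_KEY_ID="${v.accessKeyId}"
+export AWS_SECRET_ACCESS_KEY="${v.secretAccessKey}"
+export BASE_URL="${v.remote "immae-eldiron"}"
 '';
-}
+}) config.myEnv.backup.remotes
 );
 # needed since extraResource is not in the closure
 systemd.services.naemon.path = [ myplugins ];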
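Review bot: The generated `${k}_access_key` file puts `v.accessKeyId`, `v.secretAccessKey` and the remote URL straight into double-quoted shell `export` lines, so a value containing `"`, `$`, a backtick or a backslash is altered or expanded when a shell reads the file (the `export` syntax suggests the plugin sources it, but check_backup_age is not shown in this diff). Quoting through the library helper avoids that: `export AWS_SECRET_ACCESS_KEY=${lib.escapeShellArg v.secretAccessKey}`, and likewise for the other two lines. Separately, the key files are now produced for every name in `config.myEnv.backup.remotes`, while the first hunk hard-codes `makeWrapper` calls for `eriomem_access_key` and `ovh_access_key` only. A remote added or renamed in the environment would get a key file but no wrapper, so generating the wrappers from the same attribute set would keep the two in step. Both hunks sit inside definitions that begin outside the visible lines.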
diff --git a/modules/private/monitoring/objects_common.nix b/modules/private/monitoring/objects_common.nix
index d3a46ce..25f8124 100644
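--- a/modules/private/monitoring/objects_common.nix
+++ b/modules/private/monitoring/objects_common.nix
@@ -108,8 +108,9 @@ in
 check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
 check_emails = "$USER2$/check_emails -H $HOSTADDRESS$ -i $USER203$ -l $ARG1$ -p $ARG2$ -s $ARG3$ -f $ARG4$";
 check_emails_local = "$USER2$/check_emails -H $HOSTADDRESS$ -n $ARG1$ -r $ADMINEMAIL$ -s $ARG2$ -f $ARG3$";
-check_eriomem = "$USER2$/check_eriomem $USER208$";
-check_eriomem_age = "$USER2$/check_eriomem_age $ARG1$";
+check_backup_eriomem = "$USER2$/check_eriomem $USER208$";
+check_backup_eriomem_age = "$USER2$/check_backup_eriomem_age $ARG1$";
+check_backup_ovh_age = "$USER2$/check_backup_ovh_age $ARG1$";
 check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
 check_ftp_database = "$USER2$/check_ftp_database";
 check_git = "$USER2$/check_git $USER203$";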
diff --git a/modules/private/monitoring/objects_monitoring-1.nix b/modules/private/monitoring/objects_monitoring-1.nix
index 2cba58e..1aebd26 100644
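--- a/modules/private/monitoring/objects_monitoring-1.nix
+++ b/modules/private/monitoring/objects_monitoring-1.nix
@@ -1,22 +1,24 @@
-{ config, pkgs, nodes, hostFQDN, emailCheck, ... }:
+{ config, pkgs, nodes, hostFQDN, emailCheck, lib, ... }:
 let
-to_eriomem_age_dependency = name: {
-dependent_host_name = "eldiron.immae.eu";
-host_name = "eldiron.immae.eu";
-dependent_service_description = "Eriomem backup for ${name} is not too old";
-service_description = "Eriomem backup is up and not full";
-execution_failure_criteria = "u";
-notification_failure_criteria = "u";
-};
-to_eriomem_age = name: {
-service_description = "Eriomem backup for ${name} is not too old";
-host_name = "eldiron.immae.eu";
-use = "external-service";
-check_command = ["check_eriomem_age" name];
-
-check_interval = "120";
-notification_interval = "1440";
-};
+to_backup_age_dependency = name: profile: map (remote:
+{
+dependent_host_name = "eldiron.immae.eu";
+host_name = "eldiron.immae.eu";
+dependent_service_description = "${remote} backup for ${name} is not too old";
+service_description = "${remote} backup is up and not full";
+execution_failure_criteria = "u";
+notification_failure_criteria = "u";
+}) profile.remotes;
+to_backup_age = name: profile: map (remote:
+{
+service_description = "${remote} backup for ${name} is not too old";
+host_name = "eldiron.immae.eu";
+use = "external-service";
+check_command = ["check_backup_${remote}_age" name];
+
+check_interval = "120";
+notification_interval = "1440";
+}) profile.remotes;
 in
 {
 host = {
@@ -111,10 +113,21 @@ in
 
 # Backup services
 {
-service_description = "Eriomem backup is up and not full";
+service_description = "eriomem backup is up and not full";
+host_name = "eldiron.immae.eu";
+use = "external-service";
+check_command = "check_backup_eriomem";
+
+check_interval = "120";
+notification_interval = "1440";
+
+servicegroups = "webstatus-backup";
+}
+{
+service_description = "ovh backup is up and not full";
 host_name = "eldiron.immae.eu";
 use = "external-service";
-check_command = "check_eriomem";
+check_command = "check_ok";
 
 check_interval = "120";
 notification_interval = "1440";
@@ -673,7 +686,7 @@ in
 _webstatus_name = "LDAP";
 _webstatus_url = "ldap.immae.eu";
 }
-] ++ map to_eriomem_age (builtins.attrNames nodes.eldiron.config.services.duplyBackup.profiles);
+] ++ lib.flatten (lib.mapAttrsToList to_backup_age nodes.eldiron.config.services.duplyBackup.profiles);
 contact = {
 telio-tortay = config.myEnv.monitoring.contacts.telio-tortay // {
 use = "generic-contact";
@@ -688,5 +701,5 @@ in
 telio-tortay = { alias = "Telio Tortay"; members = "immae"; };
 tiboqorl = { alias = "Tiboqorl"; members = "immae"; };
 };
-servicedependency = map to_eriomem_age_dependency (builtins.attrNames nodes.eldiron.config.services.duplyBackup.profiles);
+servicedependency = lib.flatten (lib.mapAttrsToList to_backup_age_dependency nodes.eldiron.config.services.duplyBackup.profiles);
 }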
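Review bot: The new "ovh backup is up and not full" service uses `check_command = "check_ok"`, which by its name presumably always succeeds (its definition is not in this diff), so the OVH target is reported healthy without being probed. The `servicedependency` entries that `to_backup_age_dependency` builds for `ovh` then never suppress the per-profile age checks either. Until an OVH counterpart of `check_backup_eriomem` exists, I would mark the placeholder in place, e.g. `# FIXME: placeholder, ovh availability/quota is not actually checked yet`. Also, `check_command = ["check_backup_${remote}_age" name]` derives the command name from each profile's `remotes` list, while objects_common.nix defines only `check_backup_eriomem_age` and `check_backup_ovh_age`. A comment on `to_backup_age` saying that every remote name needs a matching command and wrapper would make that coupling visible.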
diff --git a/modules/private/monitoring/plugins/check_eriomem_age b/modules/private/monitoring/plugins/check_backup_age
index 4d03b82..4d03b82 100755
--- a/modules/private/monitoring/plugins/check_eriomem_age
+++ b/modules/private/monitoring/plugins/check_backup_age
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
index b5233c6..7f8f1de 100644
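--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -15,6 +15,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.chloe_production.rootDir = app.varDir;
+services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"];
 secrets.keys = [
 {
 dest = "websites/chloe/production";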
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index e172f84..f6a059d 100644
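--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -14,6 +14,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.connexionswing_production.rootDir = app.varDir;
+services.duplyBackup.profiles.connexionswing_production.remotes = ["eriomem" "ovh"];
 services.webstats.sites = [ { name = "connexionswing.com"; } ];
 services.phpApplication.apps.connexionswing_production = {
 websiteEnv = "production";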
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix
index 4fa3622..3671712 100644
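--- a/modules/private/websites/isabelle/aten_production.nix
+++ b/modules/private/websites/isabelle/aten_production.nix
@@ -13,6 +13,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.isabelle_aten_production.rootDir = app.varDir;
+services.duplyBackup.profiles.isabelle_aten_production.remotes = ["eriomem" "ovh"];
 services.webstats.sites = [ { name = "aten.pro"; } ];
 services.phpApplication.apps.isabelle_aten_production = {
 websiteEnv = "production";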
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix
index 5fa87ce..14296bf 100644
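--- a/modules/private/websites/isabelle/iridologie.nix
+++ b/modules/private/websites/isabelle/iridologie.nix
@@ -17,6 +17,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir;
+services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"];
 secrets.keys = [
 {
 dest = "websites/isabelle/iridologie";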
diff --git a/modules/private/websites/ludivine/production.nix b/modules/private/websites/ludivine/production.nix
index b30f488..3a9895d 100644
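--- a/modules/private/websites/ludivine/production.nix
+++ b/modules/private/websites/ludivine/production.nix
@@ -14,6 +14,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.ludivine_production.rootDir = app.varDir;
+services.duplyBackup.profiles.ludivine_production.remotes = ["eriomem" "ovh"];
 services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
 services.phpApplication.apps.ludivine_production = {
 websiteEnv = "production";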
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
index 03b9ec5..e12b046 100644
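--- a/modules/private/websites/piedsjaloux/production.nix
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -15,6 +15,7 @@ in {
 
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.piedsjaloux_production.rootDir = app.varDir;
+services.duplyBackup.profiles.piedsjaloux_production.remotes = ["eriomem" "ovh"];
 services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
 services.phpApplication.apps.piedsjaloux_production = {
 websiteEnv = "production";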
diff --git a/modules/private/websites/richie/production.nix b/modules/private/websites/richie/production.nix
index a6957af..2d85175 100644
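--- a/modules/private/websites/richie/production.nix
+++ b/modules/private/websites/richie/production.nix
@@ -26,6 +26,7 @@ in
 options.myServices.websites.richie.production.enable = lib.mkEnableOption "enable Richie's website";
 config = lib.mkIf cfg.enable {
 services.duplyBackup.profiles.richie_production.rootDir = vardir;
+services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"];
 services.webstats.sites = [ { name = "europe-richie.org"; } ];
 
 secrets.keys = [{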
diff --git a/modules/private/websites/syden/peertube.nix b/modules/private/websites/syden/peertube.nix
index b17e775..5970cca 100644
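--- a/modules/private/websites/syden/peertube.nix
+++ b/modules/private/websites/syden/peertube.nix
@@ -12,6 +12,7 @@ in
 config = lib.mkIf scfg.enable {
 services.duplyBackup.profiles.syden_peertube = {
 rootDir = dataDir;
+remotes = ["eriomem" "ovh"];
 };
 users.users.peertube = {
 uid = config.ids.uids.peertube;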