Add backup module

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-10-16 13:49:24 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-25 00:04:29 +0200
commit: 245acb2459476f63db7311472ceb397f709c7671 (patch)
tree: fda0804914f2f547cad0c52aab1265bdb2552f89
parent: 4fa343dcd0b797d765ee8a3dfc14833d212b7491 (diff)
download: NUR-245acb2459476f63db7311472ceb397f709c7671.tar.gz
NUR-245acb2459476f63db7311472ceb397f709c7671.tar.zst
NUR-245acb2459476f63db7311472ceb397f709c7671.zip
7 files changed, 197 insertions, 0 deletions
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644
index 00000000..ab76ee01
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
+VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz
+MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG
+A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0
+MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS
+MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV
+BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF
+cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs
+EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK
+9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H
+28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X
+wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK
+GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou
+QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3
+ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu
+vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql
+Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ
+9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR
+1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/
+/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic
+OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo
+4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL
+V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW
+mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm
+A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c
+bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF
+syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n
+1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy
+s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V
+TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ
+MnGrJwg=
+-----END CERTIFICATE-----
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem
new file mode 100644
index 00000000..8d77f26b
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
+VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx
+FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG
+CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw
+NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu
+Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE
+AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA
+NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY
+XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K
+eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx
+/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF
+xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID
+AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j
+BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC
+RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD
+VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG
+9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl
+549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44
+Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa
+fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc
+cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR
+Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw==
+-----END CERTIFICATE-----
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
new file mode 100644
index 00000000..7e0e4b2c
--- /dev/null
+++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+let
+  cfg = myconfig.env.backup;
+  varDir = "/var/lib/duply";
+  duplyProfile = profile: prefix: ''
+    GPG_PW="${cfg.password}"
+    TARGET="${cfg.remote}${prefix}"
+    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+    SOURCE="${profile.rootDir}"
+    FILENAME=".duplicity-ignore"
+    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+    VERBOSITY=4
+    ARCH_DIR="${varDir}/caches"
+    # Do a full backup after 1 month
+    MAX_FULLBKP_AGE=1M
+    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+    # Backups older than 2months are deleted
+    MAX_AGE=2M
+    # Keep 2 full backups
+    MAX_FULL_BACKUPS=2
+    MAX_FULLS_WITH_INCRS=2
+  '';
+  action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+  options = {
+    services.backup.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable remote backups.
+      '';
+    };
+    services.backup.profiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          rootDir = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              Path to backup
+              '';
+          };
+          excludeFile = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              Content to put in exclude file
+              '';
+          };
+        };
+      });
+    };
+  };
+  config = lib.mkIf config.services.backup.enable {
+    system.activationScripts.backup = ''
+      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+      '';
+    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+      {
+        permissions = "0400";
+        dest = "backup/${k}/conf";
+        text = duplyProfile v "${k}/";
+      }
+      {
+        permissions = "0400";
+        dest = "backup/${k}/exclude";
+        text = v.excludeFile;
+      }
+    ]) config.services.backup.profiles);
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        backups = pkgs.writeScript "backups" ''
+          #!${pkgs.stdenv.shell}
+          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+            ''
+              touch ${varDir}/${k}.log
+              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+            ''
+          ) config.services.backup.profiles)}
+        '';
+      in
+        [
+          "0 2 * * * root ${backups}"
+        ];
+    };
+    security.pki.certificates = [
+      (builtins.readFile ./Eriomem_SAS.1.pem)
+      (builtins.readFile ./Eriomem_SAS.pem)
+    ];
+  };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 9e9c4111..05f2bfe0 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -13,6 +13,7 @@
  opendmarc = ./opendmarc.nix;
  openarc = ./openarc.nix;
+  backup = ./backup;
  naemon = ./naemon;
  php-application = ./websites/php-application.nix;
diff --git a/modules/myids.nix b/modules/myids.nix
index ac9fd65e..79610aff 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,7 @@
  # Check that there is no clash with nixos/modules/misc/ids.nix
  config = {
    ids.uids = {
+      backup = 389;
      vhost = 390;
      openarc = 391;
      opendmarc = 392;
@@ -15,6 +16,7 @@
    };
    ids.gids = {
      nagios = 11; # commented in the ids file
+      backup = 389;
      vhost = 390;
      openarc = 391;
      opendmarc = 392;
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
index 26d5238f..eed9e3f6 100644
--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -190,6 +190,36 @@ in
      unitConfig.RequiresMountsFor = cfg.dataDir;
    };
+    systemd.services.mastodon-cleanup = {
+      description = "Cleanup mastodon";
+      startAt = "daily";
+      restartIfChanged = false;
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+      script = ''
+        exec ./bin/tootctl media remove --days 30
+      '';
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Type = "oneshot";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
    systemd.services.mastodon-sidekiq = {
      description = "Mastodon Sidekiq";
      wantedBy = [ "multi-user.target" ];
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix
index 924d72de..6771f015 100644
--- a/modules/webapps/webstats/default.nix
+++ b/modules/webapps/webstats/default.nix
@@ -37,6 +37,9 @@ in {
  };
  config = lib.mkIf (builtins.length cfg.sites > 0) {
+    services.backup.profiles.goaccess = {
+      rootDir = cfg.dataDir;
+    };
    users.users.root.packages = [
      pkgs.goaccess
    ];
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-10-16 13:49:24 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-25 00:04:29 +0200
commit	245acb2459476f63db7311472ceb397f709c7671 (patch)
tree	fda0804914f2f547cad0c52aab1265bdb2552f89
parent	4fa343dcd0b797d765ee8a3dfc14833d212b7491 (diff)
download	NUR-245acb2459476f63db7311472ceb397f709c7671.tar.gz NUR-245acb2459476f63db7311472ceb397f709c7671.tar.zst NUR-245acb2459476f63db7311472ceb397f709c7671.zip

diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem new file mode 100644 index 00000000..ab76ee01 --- /dev/null +++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
		3	VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz
		4	MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG
		5	A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0
		6	MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS
		7	MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV
		8	BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF
		9	cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G
		10	CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs
		11	EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK
		12	9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H
		13	28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X
		14	wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK
		15	GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou
		16	QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3
		17	ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu
		18	vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql
		19	Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ
		20	9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR
		21	1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/
		22	/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB
		23	/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic
		24	OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo
		25	4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL
		26	V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW
		27	mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm
		28	A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c
		29	bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF
		30	syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n
		31	1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy
		32	s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V
		33	TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ
		34	MnGrJwg=
		35	-----END CERTIFICATE-----


diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem new file mode 100644 index 00000000..8d77f26b --- /dev/null +++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
		3	VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx
		4	FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG
		5	CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw
		6	NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu
		7	Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE
		8	AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB
		9	IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA
		10	NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY
		11	XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K
		12	eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx
		13	/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF
		14	xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID
		15	AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j
		16	BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC
		17	RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD
		18	VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG
		19	9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN
		20	BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl
		21	549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44
		22	Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa
		23	fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc
		24	cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR
		25	Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw==
		26	-----END CERTIFICATE-----


diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
		1	{ lib, pkgs, myconfig, config, ... }:
		2
		3	let
		4	cfg = myconfig.env.backup;
		5	varDir = "/var/lib/duply";
		6	duplyProfile = profile: prefix: ''
		7	GPG_PW="${cfg.password}"
		8	TARGET="${cfg.remote}${prefix}"
		9	export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
		10	export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
		11	SOURCE="${profile.rootDir}"
		12	FILENAME=".duplicity-ignore"
		13	DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
		14	VERBOSITY=4
		15	ARCH_DIR="${varDir}/caches"
		16
		17	# Do a full backup after 1 month
		18	MAX_FULLBKP_AGE=1M
		19	DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
		20	# Backups older than 2months are deleted
		21	MAX_AGE=2M
		22	# Keep 2 full backups
		23	MAX_FULL_BACKUPS=2
		24	MAX_FULLS_WITH_INCRS=2
		25	'';
		26	action = "bkp_purge_purgeFull_purgeIncr";
		27	in
		28	{
		29	options = {
		30	services.backup.enable = lib.mkOption {
		31	type = lib.types.bool;
		32	default = false;
		33	description = ''
		34	Whether to enable remote backups.
		35	'';
		36	};
		37	services.backup.profiles = lib.mkOption {
		38	type = lib.types.attrsOf (lib.types.submodule {
		39	options = {
		40	rootDir = lib.mkOption {
		41	type = lib.types.path;
		42	description = ''
		43	Path to backup
		44	'';
		45	};
		46	excludeFile = lib.mkOption {
		47	type = lib.types.lines;
		48	default = "";
		49	description = ''
		50	Content to put in exclude file
		51	'';
		52	};
		53	};
		54	});
		55	};
		56	};
		57
		58	config = lib.mkIf config.services.backup.enable {
		59	system.activationScripts.backup = ''
		60	install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
		61	'';
		62	secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
		63	{
		64	permissions = "0400";
		65	dest = "backup/${k}/conf";
		66	text = duplyProfile v "${k}/";
		67	}
		68	{
		69	permissions = "0400";
		70	dest = "backup/${k}/exclude";
		71	text = v.excludeFile;
		72	}
		73	]) config.services.backup.profiles);
		74
		75	services.cron = {
		76	enable = true;
		77	systemCronJobs = let
		78	backups = pkgs.writeScript "backups" ''
		79	#!${pkgs.stdenv.shell}
		80
		81	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
		82	''
		83	touch ${varDir}/${k}.log
		84	${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
		85	''
		86	) config.services.backup.profiles)}
		87	'';
		88	in
		89	[
		90	"0 2 * * * root ${backups}"
		91	];
		92
		93	};
		94
		95	security.pki.certificates = [
		96	(builtins.readFile ./Eriomem_SAS.1.pem)
		97	(builtins.readFile ./Eriomem_SAS.pem)
		98	];
		99	};
		100	}


diff --git a/modules/default.nix b/modules/default.nix index 9e9c4111..05f2bfe0 100644 --- a/modules/default.nix +++ b/modules/default.nix
@@ -13,6 +13,7 @@
13	opendmarc = ./opendmarc.nix;	13	opendmarc = ./opendmarc.nix;
14	openarc = ./openarc.nix;	14	openarc = ./openarc.nix;
15		15
		16	backup = ./backup;
16	naemon = ./naemon;	17	naemon = ./naemon;
17		18
18	php-application = ./websites/php-application.nix;	19	php-application = ./websites/php-application.nix;


diff --git a/modules/myids.nix b/modules/myids.nix index ac9fd65e..79610aff 100644 --- a/modules/myids.nix +++ b/modules/myids.nix
@@ -3,6 +3,7 @@
3	# Check that there is no clash with nixos/modules/misc/ids.nix	3	# Check that there is no clash with nixos/modules/misc/ids.nix
4	config = {	4	config = {
5	ids.uids = {	5	ids.uids = {
		6	backup = 389;
6	vhost = 390;	7	vhost = 390;
7	openarc = 391;	8	openarc = 391;
8	opendmarc = 392;	9	opendmarc = 392;
@@ -15,6 +16,7 @@
15	};	16	};
16	ids.gids = {	17	ids.gids = {
17	nagios = 11; # commented in the ids file	18	nagios = 11; # commented in the ids file
		19	backup = 389;
18	vhost = 390;	20	vhost = 390;
19	openarc = 391;	21	openarc = 391;
20	opendmarc = 392;	22	opendmarc = 392;


diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index 26d5238f..eed9e3f6 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix
@@ -190,6 +190,36 @@ in
190	unitConfig.RequiresMountsFor = cfg.dataDir;	190	unitConfig.RequiresMountsFor = cfg.dataDir;
191	};	191	};
192		192
		193	systemd.services.mastodon-cleanup = {
		194	description = "Cleanup mastodon";
		195	startAt = "daily";
		196	restartIfChanged = false;
		197
		198	environment.RAILS_ENV = "production";
		199	environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
		200	environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
		201	environment.SOCKET = cfg.sockets.rails;
		202
		203	path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
		204
		205	script = ''
		206	exec ./bin/tootctl media remove --days 30
		207	'';
		208
		209	serviceConfig = {
		210	User = cfg.user;
		211	EnvironmentFile = cfg.configFile;
		212	PrivateTmp = true;
		213	Type = "oneshot";
		214	WorkingDirectory = cfg.workdir;
		215	StateDirectory = cfg.systemdStateDirectory;
		216	RuntimeDirectory = cfg.systemdRuntimeDirectory;
		217	RuntimeDirectoryPreserve = "yes";
		218	};
		219
		220	unitConfig.RequiresMountsFor = cfg.dataDir;
		221	};
		222
193	systemd.services.mastodon-sidekiq = {	223	systemd.services.mastodon-sidekiq = {
194	description = "Mastodon Sidekiq";	224	description = "Mastodon Sidekiq";
195	wantedBy = [ "multi-user.target" ];	225	wantedBy = [ "multi-user.target" ];


diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index 924d72de..6771f015 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix
@@ -37,6 +37,9 @@ in {
37	};	37	};
38		38
39	config = lib.mkIf (builtins.length cfg.sites > 0) {	39	config = lib.mkIf (builtins.length cfg.sites > 0) {
		40	services.backup.profiles.goaccess = {
		41	rootDir = cfg.dataDir;
		42	};
40	users.users.root.packages = [	43	users.users.root.packages = [
41	pkgs.goaccess	44	pkgs.goaccess
42	];	45	];