authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-10-24 00:35:49 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-25 00:04:31 +0200
commit01938a297abdb89c79d7d03247a68e93937d47f7 (patch)
treef8dcc597c0c8047c0e6a4d3ac7f131e881f74ce6 /modules/duply_backup
parentee06505ff39584e4ce6caeeb7ea7215c7d84224a (diff)
Rename backup module to duply_backup
Diffstat (limited to 'modules/duply_backup')
-rw-r--r--modules/duply_backup/default.nix104
1 files changed, 104 insertions, 0 deletions
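diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix
new file mode 100644
index 00000000..32fa9414
--- /dev/null
+++ b/modules/duply_backup/default.nix
@@ -0,0 +1,104 @@
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+ cfg = myconfig.env.backup;
+ varDir = "/var/lib/duply";
+ duplyProfile = profile: prefix: ''
+ GPG_PW="${cfg.password}"
+ TARGET="${cfg.remote}${prefix}"
+ export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+ export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+ SOURCE="${profile.rootDir}"
+ FILENAME=".duplicity-ignore"
+ DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+ VERBOSITY=4
+ ARCH_DIR="${varDir}/caches"
+
+ # Do a full backup after 1 month
+ MAX_FULLBKP_AGE=1M
+ DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+ # Backups older than 2months are deleted
+ MAX_AGE=2M
+ # Keep 2 full backups
+ MAX_FULL_BACKUPS=2
+ MAX_FULLS_WITH_INCRS=2
+ '';
+ action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+ options = {
+ services.duplyBackup.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable remote backups.
+ '';
+ };
+ services.duplyBackup.profiles = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ rootDir = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to backup
+ '';
+ };
+ excludeFile = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Content to put in exclude file
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config = lib.mkIf config.services.duplyBackup.enable {
+ system.activationScripts.backup = ''
+ install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+ '';
+ secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+ {
+ permissions = "0400";
+ dest = "backup/${k}/conf";
+ text = duplyProfile v "${k}/";
+ }
+ {
+ permissions = "0400";
+ dest = "backup/${k}/exclude";
+ text = v.excludeFile;
+ }
+ ]) config.services.duplyBackup.profiles);
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = let
+ backups = pkgs.writeScript "backups" ''
+ #!${pkgs.stdenv.shell}
+
+ ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+ ''
+ touch ${varDir}/${k}.log
+ ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+ ''
+ ) config.services.duplyBackup.profiles)}
+ '';
+ in
+ [
+ "0 2 * * * root ${backups}"
+ ];
+
+ };
+
+ security.pki.certificates = let
+ cert = pkgs.fetchurl {
+ url = "http://downloads.e.eriomem.net/eriomemca.pem";
+ sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
+ };
+ in [
+ (builtins.readFile cert)
+ ];
+ };
+}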
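Review bot: The secrets in `duplyProfile` are spliced unescaped between double quotes in a profile that is written as shell (`export`, `$DUPL_PARAMS` expansion), so a password or key containing `"`, `$` or a backtick would be mangled or expanded when the profile is loaded; quote at generation time, e.g. `GPG_PW=${lib.escapeShellArg cfg.password}`, and likewise for `TARGET`, `SOURCE` and the two `AWS_*` exports. The cron script redirects only stdout, so duply's error output never reaches the per-profile log; `>> ${varDir}/${k}.log 2>&1` would keep failed runs visible. The eriomem CA is pinned by `sha256`, which covers the plain-HTTP fetch, but `security.pki.certificates` makes it trusted by every TLS client on the host rather than only the backup job, so it is worth confirming that breadth is intended and adding a comment saying why the CA is needed.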