diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-10-24 00:35:49 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-25 00:04:31 +0200 |
commit | 01938a297abdb89c79d7d03247a68e93937d47f7 (patch) | |
tree | f8dcc597c0c8047c0e6a4d3ac7f131e881f74ce6 /modules/duply_backup | |
parent | ee06505ff39584e4ce6caeeb7ea7215c7d84224a (diff) | |
download | NUR-01938a297abdb89c79d7d03247a68e93937d47f7.tar.gz NUR-01938a297abdb89c79d7d03247a68e93937d47f7.tar.zst NUR-01938a297abdb89c79d7d03247a68e93937d47f7.zip |
Rename backup module to duply_backup
Diffstat (limited to 'modules/duply_backup')
-rw-r--r-- | modules/duply_backup/default.nix | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix new file mode 100644 index 00000000..32fa9414 --- /dev/null +++ b/modules/duply_backup/default.nix | |||
@@ -0,0 +1,104 @@ | |||
1 | { lib, pkgs, myconfig, config, ... }: | ||
2 | |||
3 | let | ||
4 | cfg = myconfig.env.backup; | ||
5 | varDir = "/var/lib/duply"; | ||
6 | duplyProfile = profile: prefix: '' | ||
7 | GPG_PW="${cfg.password}" | ||
8 | TARGET="${cfg.remote}${prefix}" | ||
9 | export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}" | ||
10 | export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}" | ||
11 | SOURCE="${profile.rootDir}" | ||
12 | FILENAME=".duplicity-ignore" | ||
13 | DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'" | ||
14 | VERBOSITY=4 | ||
15 | ARCH_DIR="${varDir}/caches" | ||
16 | |||
17 | # Do a full backup after 1 month | ||
18 | MAX_FULLBKP_AGE=1M | ||
19 | DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE " | ||
20 | # Backups older than 2months are deleted | ||
21 | MAX_AGE=2M | ||
22 | # Keep 2 full backups | ||
23 | MAX_FULL_BACKUPS=2 | ||
24 | MAX_FULLS_WITH_INCRS=2 | ||
25 | ''; | ||
26 | action = "bkp_purge_purgeFull_purgeIncr"; | ||
27 | in | ||
28 | { | ||
29 | options = { | ||
30 | services.duplyBackup.enable = lib.mkOption { | ||
31 | type = lib.types.bool; | ||
32 | default = false; | ||
33 | description = '' | ||
34 | Whether to enable remote backups. | ||
35 | ''; | ||
36 | }; | ||
37 | services.duplyBackup.profiles = lib.mkOption { | ||
38 | type = lib.types.attrsOf (lib.types.submodule { | ||
39 | options = { | ||
40 | rootDir = lib.mkOption { | ||
41 | type = lib.types.path; | ||
42 | description = '' | ||
43 | Path to backup | ||
44 | ''; | ||
45 | }; | ||
46 | excludeFile = lib.mkOption { | ||
47 | type = lib.types.lines; | ||
48 | default = ""; | ||
49 | description = '' | ||
50 | Content to put in exclude file | ||
51 | ''; | ||
52 | }; | ||
53 | }; | ||
54 | }); | ||
55 | }; | ||
56 | }; | ||
57 | |||
58 | config = lib.mkIf config.services.duplyBackup.enable { | ||
59 | system.activationScripts.backup = '' | ||
60 | install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches | ||
61 | ''; | ||
62 | secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [ | ||
63 | { | ||
64 | permissions = "0400"; | ||
65 | dest = "backup/${k}/conf"; | ||
66 | text = duplyProfile v "${k}/"; | ||
67 | } | ||
68 | { | ||
69 | permissions = "0400"; | ||
70 | dest = "backup/${k}/exclude"; | ||
71 | text = v.excludeFile; | ||
72 | } | ||
73 | ]) config.services.duplyBackup.profiles); | ||
74 | |||
75 | services.cron = { | ||
76 | enable = true; | ||
77 | systemCronJobs = let | ||
78 | backups = pkgs.writeScript "backups" '' | ||
79 | #!${pkgs.stdenv.shell} | ||
80 | |||
81 | ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: | ||
82 | '' | ||
83 | touch ${varDir}/${k}.log | ||
84 | ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log | ||
85 | '' | ||
86 | ) config.services.duplyBackup.profiles)} | ||
87 | ''; | ||
88 | in | ||
89 | [ | ||
90 | "0 2 * * * root ${backups}" | ||
91 | ]; | ||
92 | |||
93 | }; | ||
94 | |||
95 | security.pki.certificates = let | ||
96 | cert = pkgs.fetchurl { | ||
97 | url = "http://downloads.e.eriomem.net/eriomemca.pem"; | ||
98 | sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh"; | ||
99 | }; | ||
100 | in [ | ||
101 | (builtins.readFile cert) | ||
102 | ]; | ||
103 | }; | ||
104 | } | ||