diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-10-16 13:49:24 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-25 00:04:29 +0200 |
commit | 245acb2459476f63db7311472ceb397f709c7671 (patch) | |
tree | fda0804914f2f547cad0c52aab1265bdb2552f89 /modules | |
parent | 4fa343dcd0b797d765ee8a3dfc14833d212b7491 (diff) | |
download | NUR-245acb2459476f63db7311472ceb397f709c7671.tar.gz NUR-245acb2459476f63db7311472ceb397f709c7671.tar.zst NUR-245acb2459476f63db7311472ceb397f709c7671.zip |
Add backup module
Diffstat (limited to 'modules')
-rw-r--r-- | modules/backup/Eriomem_SAS.1.pem | 35 | ||||
-rw-r--r-- | modules/backup/Eriomem_SAS.pem | 26 | ||||
-rw-r--r-- | modules/backup/default.nix | 100 | ||||
-rw-r--r-- | modules/default.nix | 1 | ||||
-rw-r--r-- | modules/myids.nix | 2 | ||||
-rw-r--r-- | modules/webapps/mastodon.nix | 30 | ||||
-rw-r--r-- | modules/webapps/webstats/default.nix | 3 |
7 files changed, 197 insertions, 0 deletions
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem new file mode 100644 index 00000000..ab76ee01 --- /dev/null +++ b/modules/backup/Eriomem_SAS.1.pem | |||
@@ -0,0 +1,35 @@ | |||
1 | -----BEGIN CERTIFICATE----- | ||
2 | MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD | ||
3 | VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz | ||
4 | MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG | ||
5 | A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0 | ||
6 | MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS | ||
7 | MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV | ||
8 | BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF | ||
9 | cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G | ||
10 | CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs | ||
11 | EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK | ||
12 | 9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H | ||
13 | 28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X | ||
14 | wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK | ||
15 | GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou | ||
16 | QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3 | ||
17 | ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu | ||
18 | vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql | ||
19 | Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ | ||
20 | 9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR | ||
21 | 1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/ | ||
22 | /IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB | ||
23 | /zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic | ||
24 | OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo | ||
25 | 4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL | ||
26 | V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW | ||
27 | mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm | ||
28 | A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c | ||
29 | bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF | ||
30 | syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n | ||
31 | 1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy | ||
32 | s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V | ||
33 | TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ | ||
34 | MnGrJwg= | ||
35 | -----END CERTIFICATE----- | ||
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem new file mode 100644 index 00000000..8d77f26b --- /dev/null +++ b/modules/backup/Eriomem_SAS.pem | |||
@@ -0,0 +1,26 @@ | |||
1 | -----BEGIN CERTIFICATE----- | ||
2 | MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD | ||
3 | VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx | ||
4 | FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG | ||
5 | CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw | ||
6 | NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu | ||
7 | Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE | ||
8 | AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB | ||
9 | IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA | ||
10 | NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY | ||
11 | XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K | ||
12 | eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx | ||
13 | /m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF | ||
14 | xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID | ||
15 | AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j | ||
16 | BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC | ||
17 | RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD | ||
18 | VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG | ||
19 | 9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN | ||
20 | BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl | ||
21 | 549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44 | ||
22 | Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa | ||
23 | fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc | ||
24 | cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR | ||
25 | Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw== | ||
26 | -----END CERTIFICATE----- | ||
diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix | |||
@@ -0,0 +1,100 @@ | |||
1 | { lib, pkgs, myconfig, config, ... }: | ||
2 | |||
3 | let | ||
4 | cfg = myconfig.env.backup; | ||
5 | varDir = "/var/lib/duply"; | ||
6 | duplyProfile = profile: prefix: '' | ||
7 | GPG_PW="${cfg.password}" | ||
8 | TARGET="${cfg.remote}${prefix}" | ||
9 | export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}" | ||
10 | export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}" | ||
11 | SOURCE="${profile.rootDir}" | ||
12 | FILENAME=".duplicity-ignore" | ||
13 | DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'" | ||
14 | VERBOSITY=4 | ||
15 | ARCH_DIR="${varDir}/caches" | ||
16 | |||
17 | # Do a full backup after 1 month | ||
18 | MAX_FULLBKP_AGE=1M | ||
19 | DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE " | ||
20 | # Backups older than 2months are deleted | ||
21 | MAX_AGE=2M | ||
22 | # Keep 2 full backups | ||
23 | MAX_FULL_BACKUPS=2 | ||
24 | MAX_FULLS_WITH_INCRS=2 | ||
25 | ''; | ||
26 | action = "bkp_purge_purgeFull_purgeIncr"; | ||
27 | in | ||
28 | { | ||
29 | options = { | ||
30 | services.backup.enable = lib.mkOption { | ||
31 | type = lib.types.bool; | ||
32 | default = false; | ||
33 | description = '' | ||
34 | Whether to enable remote backups. | ||
35 | ''; | ||
36 | }; | ||
37 | services.backup.profiles = lib.mkOption { | ||
38 | type = lib.types.attrsOf (lib.types.submodule { | ||
39 | options = { | ||
40 | rootDir = lib.mkOption { | ||
41 | type = lib.types.path; | ||
42 | description = '' | ||
43 | Path to backup | ||
44 | ''; | ||
45 | }; | ||
46 | excludeFile = lib.mkOption { | ||
47 | type = lib.types.lines; | ||
48 | default = ""; | ||
49 | description = '' | ||
50 | Content to put in exclude file | ||
51 | ''; | ||
52 | }; | ||
53 | }; | ||
54 | }); | ||
55 | }; | ||
56 | }; | ||
57 | |||
58 | config = lib.mkIf config.services.backup.enable { | ||
59 | system.activationScripts.backup = '' | ||
60 | install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches | ||
61 | ''; | ||
62 | secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [ | ||
63 | { | ||
64 | permissions = "0400"; | ||
65 | dest = "backup/${k}/conf"; | ||
66 | text = duplyProfile v "${k}/"; | ||
67 | } | ||
68 | { | ||
69 | permissions = "0400"; | ||
70 | dest = "backup/${k}/exclude"; | ||
71 | text = v.excludeFile; | ||
72 | } | ||
73 | ]) config.services.backup.profiles); | ||
74 | |||
75 | services.cron = { | ||
76 | enable = true; | ||
77 | systemCronJobs = let | ||
78 | backups = pkgs.writeScript "backups" '' | ||
79 | #!${pkgs.stdenv.shell} | ||
80 | |||
81 | ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: | ||
82 | '' | ||
83 | touch ${varDir}/${k}.log | ||
84 | ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log | ||
85 | '' | ||
86 | ) config.services.backup.profiles)} | ||
87 | ''; | ||
88 | in | ||
89 | [ | ||
90 | "0 2 * * * root ${backups}" | ||
91 | ]; | ||
92 | |||
93 | }; | ||
94 | |||
95 | security.pki.certificates = [ | ||
96 | (builtins.readFile ./Eriomem_SAS.1.pem) | ||
97 | (builtins.readFile ./Eriomem_SAS.pem) | ||
98 | ]; | ||
99 | }; | ||
100 | } | ||
diff --git a/modules/default.nix b/modules/default.nix index 9e9c4111..05f2bfe0 100644 --- a/modules/default.nix +++ b/modules/default.nix | |||
@@ -13,6 +13,7 @@ | |||
13 | opendmarc = ./opendmarc.nix; | 13 | opendmarc = ./opendmarc.nix; |
14 | openarc = ./openarc.nix; | 14 | openarc = ./openarc.nix; |
15 | 15 | ||
16 | backup = ./backup; | ||
16 | naemon = ./naemon; | 17 | naemon = ./naemon; |
17 | 18 | ||
18 | php-application = ./websites/php-application.nix; | 19 | php-application = ./websites/php-application.nix; |
diff --git a/modules/myids.nix b/modules/myids.nix index ac9fd65e..79610aff 100644 --- a/modules/myids.nix +++ b/modules/myids.nix | |||
@@ -3,6 +3,7 @@ | |||
3 | # Check that there is no clash with nixos/modules/misc/ids.nix | 3 | # Check that there is no clash with nixos/modules/misc/ids.nix |
4 | config = { | 4 | config = { |
5 | ids.uids = { | 5 | ids.uids = { |
6 | backup = 389; | ||
6 | vhost = 390; | 7 | vhost = 390; |
7 | openarc = 391; | 8 | openarc = 391; |
8 | opendmarc = 392; | 9 | opendmarc = 392; |
@@ -15,6 +16,7 @@ | |||
15 | }; | 16 | }; |
16 | ids.gids = { | 17 | ids.gids = { |
17 | nagios = 11; # commented in the ids file | 18 | nagios = 11; # commented in the ids file |
19 | backup = 389; | ||
18 | vhost = 390; | 20 | vhost = 390; |
19 | openarc = 391; | 21 | openarc = 391; |
20 | opendmarc = 392; | 22 | opendmarc = 392; |
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index 26d5238f..eed9e3f6 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
@@ -190,6 +190,36 @@ in | |||
190 | unitConfig.RequiresMountsFor = cfg.dataDir; | 190 | unitConfig.RequiresMountsFor = cfg.dataDir; |
191 | }; | 191 | }; |
192 | 192 | ||
193 | systemd.services.mastodon-cleanup = { | ||
194 | description = "Cleanup mastodon"; | ||
195 | startAt = "daily"; | ||
196 | restartIfChanged = false; | ||
197 | |||
198 | environment.RAILS_ENV = "production"; | ||
199 | environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; | ||
200 | environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; | ||
201 | environment.SOCKET = cfg.sockets.rails; | ||
202 | |||
203 | path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ]; | ||
204 | |||
205 | script = '' | ||
206 | exec ./bin/tootctl media remove --days 30 | ||
207 | ''; | ||
208 | |||
209 | serviceConfig = { | ||
210 | User = cfg.user; | ||
211 | EnvironmentFile = cfg.configFile; | ||
212 | PrivateTmp = true; | ||
213 | Type = "oneshot"; | ||
214 | WorkingDirectory = cfg.workdir; | ||
215 | StateDirectory = cfg.systemdStateDirectory; | ||
216 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
217 | RuntimeDirectoryPreserve = "yes"; | ||
218 | }; | ||
219 | |||
220 | unitConfig.RequiresMountsFor = cfg.dataDir; | ||
221 | }; | ||
222 | |||
193 | systemd.services.mastodon-sidekiq = { | 223 | systemd.services.mastodon-sidekiq = { |
194 | description = "Mastodon Sidekiq"; | 224 | description = "Mastodon Sidekiq"; |
195 | wantedBy = [ "multi-user.target" ]; | 225 | wantedBy = [ "multi-user.target" ]; |
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index 924d72de..6771f015 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix | |||
@@ -37,6 +37,9 @@ in { | |||
37 | }; | 37 | }; |
38 | 38 | ||
39 | config = lib.mkIf (builtins.length cfg.sites > 0) { | 39 | config = lib.mkIf (builtins.length cfg.sites > 0) { |
40 | services.backup.profiles.goaccess = { | ||
41 | rootDir = cfg.dataDir; | ||
42 | }; | ||
40 | users.users.root.packages = [ | 43 | users.users.root.packages = [ |
41 | pkgs.goaccess | 44 | pkgs.goaccess |
42 | ]; | 45 | ]; |