authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-10-16 13:49:24 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-25 00:04:29 +0200
commit245acb2459476f63db7311472ceb397f709c7671 (patch)
treefda0804914f2f547cad0c52aab1265bdb2552f89 /modules
parent4fa343dcd0b797d765ee8a3dfc14833d212b7491 (diff)
downloadNUR-245acb2459476f63db7311472ceb397f709c7671.tar.gz
NUR-245acb2459476f63db7311472ceb397f709c7671.tar.zst
NUR-245acb2459476f63db7311472ceb397f709c7671.zip
Add backup module
Diffstat (limited to 'modules')
-rw-r--r--modules/backup/Eriomem_SAS.1.pem35
-rw-r--r--modules/backup/Eriomem_SAS.pem26
-rw-r--r--modules/backup/default.nix100
-rw-r--r--modules/default.nix1
-rw-r--r--modules/myids.nix2
-rw-r--r--modules/webapps/mastodon.nix30
-rw-r--r--modules/webapps/webstats/default.nix3
7 files changed, 197 insertions, 0 deletions
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644
index 00000000..ab76ee01
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
1-----BEGIN CERTIFICATE-----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35-----END CERTIFICATE-----
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem
new file mode 100644
index 00000000..8d77f26b
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
1-----BEGIN CERTIFICATE-----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26-----END CERTIFICATE-----
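--- /dev/null
+++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+
+let
+cfg = myconfig.env.backup;
+varDir = "/var/lib/duply";
+duplyProfile = profile: prefix: ''
+GPG_PW="${cfg.password}"
+TARGET="${cfg.remote}${prefix}"
+export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+SOURCE="${profile.rootDir}"
+FILENAME=".duplicity-ignore"
+DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+VERBOSITY=4
+ARCH_DIR="${varDir}/caches"
+
+# Do a full backup after 1 month
+MAX_FULLBKP_AGE=1M
+DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+# Backups older than 2months are deleted
+MAX_AGE=2M
+# Keep 2 full backups
+MAX_FULL_BACKUPS=2
+MAX_FULLS_WITH_INCRS=2
+'';
+action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+options = {
+services.backup.enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = ''
+Whether to enable remote backups.
+'';
+};
+services.backup.profiles = lib.mkOption {
+type = lib.types.attrsOf (lib.types.submodule {
+options = {
+rootDir = lib.mkOption {
+type = lib.types.path;
+description = ''
+Path to backup
+'';
+};
+excludeFile = lib.mkOption {
+type = lib.types.lines;
+default = "";
+description = ''
+Content to put in exclude file
+'';
+};
+};
+});
+};
+};
+
+config = lib.mkIf config.services.backup.enable {
+system.activationScripts.backup = ''
+install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+'';
+secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+{
+permissions = "0400";
+dest = "backup/${k}/conf";
+text = duplyProfile v "${k}/";
+}
+{
+permissions = "0400";
+dest = "backup/${k}/exclude";
+text = v.excludeFile;
+}
+]) config.services.backup.profiles);
+
+services.cron = {
+enable = true;
+systemCronJobs = let
+backups = pkgs.writeScript "backups" ''
+#!${pkgs.stdenv.shell}
+
+${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+''
+touch ${varDir}/${k}.log
+${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+''
+) config.services.backup.profiles)}
+'';
+in
+[
+"0 2 * * * root ${backups}"
+];
+
+};
+
+security.pki.certificates = [
+(builtins.readFile ./Eriomem_SAS.1.pem)
+(builtins.readFile ./Eriomem_SAS.pem)
+];
+};
+}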
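Review bot: `security.pki.certificates` at the end of the new module (lines 95-98) installs both Eriomem_SAS certificates into the system-wide trust store, so every TLS client on the host will trust whatever those certificates sign, not only the duply job talking to `cfg.remote`. If they are only needed for the backup endpoint, it would be safer to scope them to duplicity, e.g. by passing its `--ssl-cacert-file` option through `DUPL_PARAMS` in `duplyProfile`, and to add a comment above the list saying why a non-public CA is required at all. Separately, the cron script on line 84 only redirects stdout (`>> ${varDir}/${k}.log`), so duply's errors go to cron mail rather than the log, and because the script has no error handling a failed profile leaves the job's exit status as whatever the last profile returned; `2>&1` on that line plus a final non-zero exit when any profile fails would make a broken backup visible. A short comment above `duplyProfile` noting the retention policy (full every `1M`, purge after `2M`, keep `2` fulls) and that, with no `GPG_KEY` set, the archive is presumably protected only by the symmetric `GPG_PW` stored next to the AWS credentials would help the next reader judge the threat model.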
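--- a/modules/default.nix
+++ b/modules/default.nix
@@ -13,6 +13,7 @@
 opendmarc = ./opendmarc.nix;
 openarc = ./openarc.nix;
 
+backup = ./backup;
 naemon = ./naemon;
 
 php-application = ./websites/php-application.nix;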
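--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,7 @@
 # Check that there is no clash with nixos/modules/misc/ids.nix
 config = {
 ids.uids = {
+backup = 389;
 vhost = 390;
 openarc = 391;
 opendmarc = 392;
@@ -15,6 +16,7 @@
 };
 ids.gids = {
 nagios = 11; # commented in the ids file
+backup = 389;
 vhost = 390;
 openarc = 391;
 opendmarc = 392;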
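--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -190,6 +190,36 @@ in
 unitConfig.RequiresMountsFor = cfg.dataDir;
 };
 
+systemd.services.mastodon-cleanup = {
+description = "Cleanup mastodon";
+startAt = "daily";
+restartIfChanged = false;
+
+environment.RAILS_ENV = "production";
+environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+environment.SOCKET = cfg.sockets.rails;
+
+path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+script = ''
+exec ./bin/tootctl media remove --days 30
+'';
+
+serviceConfig = {
+User = cfg.user;
+EnvironmentFile = cfg.configFile;
+PrivateTmp = true;
+Type = "oneshot";
+WorkingDirectory = cfg.workdir;
+StateDirectory = cfg.systemdStateDirectory;
+RuntimeDirectory = cfg.systemdRuntimeDirectory;
+RuntimeDirectoryPreserve = "yes";
+};
+
+unitConfig.RequiresMountsFor = cfg.dataDir;
+};
+
 systemd.services.mastodon-sidekiq = {
 description = "Mastodon Sidekiq";
 wantedBy = [ "multi-user.target" ];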
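Review bot: The new `mastodon-cleanup` unit spells out its `environment`, `path` and `serviceConfig` attrs in full, and the surrounding context (the `unitConfig.RequiresMountsFor = cfg.dataDir;` line just above and the `mastodon-sidekiq` unit just below) suggests the sibling units carry the same settings, so a future change to the shared bits has to be made in several places. Factoring the common attrs into a `let` binding in this file and merging it into each unit with `//` would keep them in step; I cannot see the other units' bodies from this hunk, so treat that as a suggestion to confirm. The retention is hard-coded in `exec ./bin/tootctl media remove --days 30`; a module option (say, a `mediaRetentionDays`-style option defaulting to 30) would let hosts tune it without editing the module. Note also that the job runs with `EnvironmentFile = cfg.configFile`, i.e. the full application secrets, which is needed for database access but gives this daily job the same blast radius as the web service; a one-line comment stating that, and the same hardening directives the other units use if they have any, would be worth adding.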
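--- a/modules/webapps/webstats/default.nix
+++ b/modules/webapps/webstats/default.nix
@@ -37,6 +37,9 @@ in {
 };
 
 config = lib.mkIf (builtins.length cfg.sites > 0) {
+services.backup.profiles.goaccess = {
+rootDir = cfg.dataDir;
+};
 users.users.root.packages = [
 pkgs.goaccess
 ];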