1 files changed, 100 insertions, 0 deletions
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
new file mode 100644
index 00000000..7e0e4b2c
--- /dev/null
+++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+let
+  cfg = myconfig.env.backup;
+  varDir = "/var/lib/duply";
+  duplyProfile = profile: prefix: ''
+    GPG_PW="${cfg.password}"
+    TARGET="${cfg.remote}${prefix}"
+    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+    SOURCE="${profile.rootDir}"
+    FILENAME=".duplicity-ignore"
+    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+    VERBOSITY=4
+    ARCH_DIR="${varDir}/caches"
+    # Do a full backup after 1 month
+    MAX_FULLBKP_AGE=1M
+    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+    # Backups older than 2months are deleted
+    MAX_AGE=2M
+    # Keep 2 full backups
+    MAX_FULL_BACKUPS=2
+    MAX_FULLS_WITH_INCRS=2
+  '';
+  action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+  options = {
+    services.backup.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable remote backups.
+      '';
+    };
+    services.backup.profiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          rootDir = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              Path to backup
+              '';
+          };
+          excludeFile = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              Content to put in exclude file
+              '';
+          };
+        };
+      });
+    };
+  };
+  config = lib.mkIf config.services.backup.enable {
+    system.activationScripts.backup = ''
+      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+      '';
+    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+      {
+        permissions = "0400";
+        dest = "backup/${k}/conf";
+        text = duplyProfile v "${k}/";
+      }
+      {
+        permissions = "0400";
+        dest = "backup/${k}/exclude";
+        text = v.excludeFile;
+      }
+    ]) config.services.backup.profiles);
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        backups = pkgs.writeScript "backups" ''
+          #!${pkgs.stdenv.shell}
+          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+            ''
+              touch ${varDir}/${k}.log
+              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+            ''
+          ) config.services.backup.profiles)}
+        '';
+      in
+        [
+          "0 2 * * * root ${backups}"
+        ];
+    };
+    security.pki.certificates = [
+      (builtins.readFile ./Eriomem_SAS.1.pem)
+      (builtins.readFile ./Eriomem_SAS.pem)
+    ];
+  };
+}

diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
	1	{ lib, pkgs, myconfig, config, ... }:
	2
	3	let
	4	cfg = myconfig.env.backup;
	5	varDir = "/var/lib/duply";
	6	duplyProfile = profile: prefix: ''
	7	GPG_PW="${cfg.password}"
	8	TARGET="${cfg.remote}${prefix}"
	9	export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
	10	export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
	11	SOURCE="${profile.rootDir}"
	12	FILENAME=".duplicity-ignore"
	13	DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
	14	VERBOSITY=4
	15	ARCH_DIR="${varDir}/caches"
	16
	17	# Do a full backup after 1 month
	18	MAX_FULLBKP_AGE=1M
	19	DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
	20	# Backups older than 2months are deleted
	21	MAX_AGE=2M
	22	# Keep 2 full backups
	23	MAX_FULL_BACKUPS=2
	24	MAX_FULLS_WITH_INCRS=2
	25	'';
	26	action = "bkp_purge_purgeFull_purgeIncr";
	27	in
	28	{
	29	options = {
	30	services.backup.enable = lib.mkOption {
	31	type = lib.types.bool;
	32	default = false;
	33	description = ''
	34	Whether to enable remote backups.
	35	'';
	36	};
	37	services.backup.profiles = lib.mkOption {
	38	type = lib.types.attrsOf (lib.types.submodule {
	39	options = {
	40	rootDir = lib.mkOption {
	41	type = lib.types.path;
	42	description = ''
	43	Path to backup
	44	'';
	45	};
	46	excludeFile = lib.mkOption {
	47	type = lib.types.lines;
	48	default = "";
	49	description = ''
	50	Content to put in exclude file
	51	'';
	52	};
	53	};
	54	});
	55	};
	56	};
	57
	58	config = lib.mkIf config.services.backup.enable {
	59	system.activationScripts.backup = ''
	60	install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
	61	'';
	62	secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
	63	{
	64	permissions = "0400";
	65	dest = "backup/${k}/conf";
	66	text = duplyProfile v "${k}/";
	67	}
	68	{
	69	permissions = "0400";
	70	dest = "backup/${k}/exclude";
	71	text = v.excludeFile;
	72	}
	73	]) config.services.backup.profiles);
	74
	75	services.cron = {
	76	enable = true;
	77	systemCronJobs = let
	78	backups = pkgs.writeScript "backups" ''
	79	#!${pkgs.stdenv.shell}
	80
	81	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
	82	''
	83	touch ${varDir}/${k}.log
	84	${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
	85	''
	86	) config.services.backup.profiles)}
	87	'';
	88	in
	89	[
	90	"0 2 * * * root ${backups}"
	91	];
	92
	93	};
	94
	95	security.pki.certificates = [
	96	(builtins.readFile ./Eriomem_SAS.1.pem)
	97	(builtins.readFile ./Eriomem_SAS.pem)
	98	];
	99	};
	100	}