3 files changed, 161 insertions, 0 deletions
diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem
new file mode 100644
index 00000000..ab76ee01
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
+VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz
+MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG
+A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0
+MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS
+MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV
+BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF
+cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs
+EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK
+9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H
+28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X
+wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK
+GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou
+QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3
+ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu
+vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql
+Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ
+9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR
+1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/
+/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic
+OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo
+4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL
+V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW
+mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm
+A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c
+bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF
+syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n
+1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy
+s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V
+TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ
+MnGrJwg=
+-----END CERTIFICATE-----
diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem
new file mode 100644
index 00000000..8d77f26b
--- /dev/null
+++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
+VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx
+FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG
+CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw
+NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu
+Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE
+AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA
+NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY
+XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K
+eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx
+/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF
+xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID
+AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j
+BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC
+RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD
+VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG
+9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl
+549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44
+Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa
+fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc
+cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR
+Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw==
+-----END CERTIFICATE-----
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
new file mode 100644
index 00000000..7e0e4b2c
--- /dev/null
+++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
+{ lib, pkgs, myconfig, config, ... }:
+let
+  cfg = myconfig.env.backup;
+  varDir = "/var/lib/duply";
+  duplyProfile = profile: prefix: ''
+    GPG_PW="${cfg.password}"
+    TARGET="${cfg.remote}${prefix}"
+    export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
+    export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
+    SOURCE="${profile.rootDir}"
+    FILENAME=".duplicity-ignore"
+    DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
+    VERBOSITY=4
+    ARCH_DIR="${varDir}/caches"
+    # Do a full backup after 1 month
+    MAX_FULLBKP_AGE=1M
+    DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
+    # Backups older than 2months are deleted
+    MAX_AGE=2M
+    # Keep 2 full backups
+    MAX_FULL_BACKUPS=2
+    MAX_FULLS_WITH_INCRS=2
+  '';
+  action = "bkp_purge_purgeFull_purgeIncr";
+in
+{
+  options = {
+    services.backup.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable remote backups.
+      '';
+    };
+    services.backup.profiles = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          rootDir = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              Path to backup
+              '';
+          };
+          excludeFile = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              Content to put in exclude file
+              '';
+          };
+        };
+      });
+    };
+  };
+  config = lib.mkIf config.services.backup.enable {
+    system.activationScripts.backup = ''
+      install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
+      '';
+    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
+      {
+        permissions = "0400";
+        dest = "backup/${k}/conf";
+        text = duplyProfile v "${k}/";
+      }
+      {
+        permissions = "0400";
+        dest = "backup/${k}/exclude";
+        text = v.excludeFile;
+      }
+    ]) config.services.backup.profiles);
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        backups = pkgs.writeScript "backups" ''
+          #!${pkgs.stdenv.shell}
+          ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
+            ''
+              touch ${varDir}/${k}.log
+              ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
+            ''
+          ) config.services.backup.profiles)}
+        '';
+      in
+        [
+          "0 2 * * * root ${backups}"
+        ];
+    };
+    security.pki.certificates = [
+      (builtins.readFile ./Eriomem_SAS.1.pem)
+      (builtins.readFile ./Eriomem_SAS.pem)
+    ];
+  };
+}

diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem new file mode 100644 index 00000000..ab76ee01 --- /dev/null +++ b/modules/backup/Eriomem_SAS.1.pem
@@ -0,0 +1,35 @@
	1	-----BEGIN CERTIFICATE-----
	2	MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
	3	VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz
	4	MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG
	5	A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0
	6	MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS
	7	MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV
	8	BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF
	9	cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G
	10	CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs
	11	EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK
	12	9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H
	13	28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X
	14	wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK
	15	GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou
	16	QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3
	17	ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu
	18	vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql
	19	Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ
	20	9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR
	21	1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/
	22	/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB
	23	/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic
	24	OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo
	25	4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL
	26	V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW
	27	mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm
	28	A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c
	29	bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF
	30	syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n
	31	1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy
	32	s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V
	33	TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ
	34	MnGrJwg=
	35	-----END CERTIFICATE-----


diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem new file mode 100644 index 00000000..8d77f26b --- /dev/null +++ b/modules/backup/Eriomem_SAS.pem
@@ -0,0 +1,26 @@
	1	-----BEGIN CERTIFICATE-----
	2	MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD
	3	VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx
	4	FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG
	5	CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw
	6	NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu
	7	Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE
	8	AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB
	9	IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA
	10	NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY
	11	XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K
	12	eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx
	13	/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF
	14	xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID
	15	AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j
	16	BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC
	17	RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD
	18	VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG
	19	9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN
	20	BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl
	21	549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44
	22	Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa
	23	fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc
	24	cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR
	25	Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw==
	26	-----END CERTIFICATE-----


diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix
@@ -0,0 +1,100 @@
	1	{ lib, pkgs, myconfig, config, ... }:
	2
	3	let
	4	cfg = myconfig.env.backup;
	5	varDir = "/var/lib/duply";
	6	duplyProfile = profile: prefix: ''
	7	GPG_PW="${cfg.password}"
	8	TARGET="${cfg.remote}${prefix}"
	9	export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}"
	10	export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}"
	11	SOURCE="${profile.rootDir}"
	12	FILENAME=".duplicity-ignore"
	13	DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
	14	VERBOSITY=4
	15	ARCH_DIR="${varDir}/caches"
	16
	17	# Do a full backup after 1 month
	18	MAX_FULLBKP_AGE=1M
	19	DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
	20	# Backups older than 2months are deleted
	21	MAX_AGE=2M
	22	# Keep 2 full backups
	23	MAX_FULL_BACKUPS=2
	24	MAX_FULLS_WITH_INCRS=2
	25	'';
	26	action = "bkp_purge_purgeFull_purgeIncr";
	27	in
	28	{
	29	options = {
	30	services.backup.enable = lib.mkOption {
	31	type = lib.types.bool;
	32	default = false;
	33	description = ''
	34	Whether to enable remote backups.
	35	'';
	36	};
	37	services.backup.profiles = lib.mkOption {
	38	type = lib.types.attrsOf (lib.types.submodule {
	39	options = {
	40	rootDir = lib.mkOption {
	41	type = lib.types.path;
	42	description = ''
	43	Path to backup
	44	'';
	45	};
	46	excludeFile = lib.mkOption {
	47	type = lib.types.lines;
	48	default = "";
	49	description = ''
	50	Content to put in exclude file
	51	'';
	52	};
	53	};
	54	});
	55	};
	56	};
	57
	58	config = lib.mkIf config.services.backup.enable {
	59	system.activationScripts.backup = ''
	60	install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
	61	'';
	62	secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [
	63	{
	64	permissions = "0400";
	65	dest = "backup/${k}/conf";
	66	text = duplyProfile v "${k}/";
	67	}
	68	{
	69	permissions = "0400";
	70	dest = "backup/${k}/exclude";
	71	text = v.excludeFile;
	72	}
	73	]) config.services.backup.profiles);
	74
	75	services.cron = {
	76	enable = true;
	77	systemCronJobs = let
	78	backups = pkgs.writeScript "backups" ''
	79	#!${pkgs.stdenv.shell}
	80
	81	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
	82	''
	83	touch ${varDir}/${k}.log
	84	${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log
	85	''
	86	) config.services.backup.profiles)}
	87	'';
	88	in
	89	[
	90	"0 2 * * * root ${backups}"
	91	];
	92
	93	};
	94
	95	security.pki.certificates = [
	96	(builtins.readFile ./Eriomem_SAS.1.pem)
	97	(builtins.readFile ./Eriomem_SAS.pem)
	98	];
	99	};
	100	}