From 245acb2459476f63db7311472ceb397f709c7671 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 16 Oct 2019 13:49:24 +0200 Subject: Add backup module --- modules/backup/Eriomem_SAS.1.pem | 35 ++++++++++++ modules/backup/Eriomem_SAS.pem | 26 +++++++++ modules/backup/default.nix | 100 +++++++++++++++++++++++++++++++++++ modules/default.nix | 1 + modules/myids.nix | 2 + modules/webapps/mastodon.nix | 30 +++++++++++ modules/webapps/webstats/default.nix | 3 ++ 7 files changed, 197 insertions(+) create mode 100644 modules/backup/Eriomem_SAS.1.pem create mode 100644 modules/backup/Eriomem_SAS.pem create mode 100644 modules/backup/default.nix diff --git a/modules/backup/Eriomem_SAS.1.pem b/modules/backup/Eriomem_SAS.1.pem new file mode 100644 index 00000000..ab76ee01 --- /dev/null +++ b/modules/backup/Eriomem_SAS.1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGATCCA+mgAwIBAgIJAJjhCwfJd2HOMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD +VQQGEwJGUjEXMBUGA1UECAwOw45sZSBkZSBGcmFuY2UxDjAMBgNVBAcMBVBhcmlz +MRQwEgYDVQQKDAtFcmlvbWVtIFNBUzETMBEGA1UECwwKRXJpb21lbSBDQTEUMBIG +A1UEAwwLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0 +MB4XDTE3MDEzMTE1NTUzOFoXDTM3MDEzMTE1NTUzOFowgZYxCzAJBgNVBAYTAkZS +MRcwFQYDVQQIDA7DjmxlIGRlIEZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxFDASBgNV +BAoMC0VyaW9tZW0gU0FTMRMwEQYDVQQLDApFcmlvbWVtIENBMRQwEgYDVQQDDAtF +cmlvbWVtIFNBUzEdMBsGCSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9PesBee6dcEXLgLMEpfnmNTbMP7xs +EJGxEwcS7LLVsZu8bY5K4prCTErzc3nhmmOMIy/ZxVTlnTOPHFAUJ9EKI5cL0QfK +9DbBzjPBs5AqntlpFBpz6DopV3FOFj3rn0nb/g3KyD3tqnN/YHdBiStX//z+Lp3H +28M4ExpUFJBJrV3wboMzWgDnSirvJyLFbmeTPmUetYdC4hlSqr/Leo36da4CSl0X +wN/83Vrzy/Cqrcfso43Hs86Swmg9pJmqRifWPNrMne49IwnGP4hIQXcb9ilU1bMK +GzXor6I0yOYjuzvdg1k1KKvnHvO1U2cUV56MoTXmQHOt1yQr7fwiKyT0xiIgk5ou +QKbXbuHpf3KTwPmg1s7105T2lEhxNMNd+c2leRux3CJKsoi6GoUhiDIL1jPrWNS3 +ynYHJ1lcyoEsGeXwR9mDmVLhgRLDAHNDOeT9Z0/NpwoylNH+vgwzo9tV3btWRJgu +vB7TMDYdGsOd/OYNkQSiSUbtT8nm3xY2qGMC968GQieSCPW7a4n8MYhXW5Wa0/Ql +Sg58e03v26u0rUT+GK1EOOFF8tak4uKxxRL+WBT9VhK9dRq/PnA+xB6808Y8kMjQ +9HTnxCgHNcNn6Xj7DD5Rb/r5ppmMicoI3dF6xgMHHNTG3BMZS+CVzSbG1K+4mOxR +1r6wxKmskoszLwIDAQABo1AwTjAdBgNVHQ4EFgQU3cuB9G9fGroFF0VW21vHR9A/ +/IwwHwYDVR0jBBgwFoAU3cuB9G9fGroFF0VW21vHR9A//IwwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAgEAGuL+CWzjOs9gydvkOsf0F0qoTS5mixe7v/ic +OKdZfvHvzs8kz9rNWa8Guj5h640Qv252KSmellqHyXZhQumoks2XmFItMLY08IYo +4MmT+sHXwx1x4Av/Sjj+b8VzP31v5EIXDVIS+/UTXzyoU1hgqzM9W937iaO2NVFL +V3kzURHVR1oMxJtSjhGkbfoXRhdNZUhjGaNz5wX0ILtQ+PK4LoYiCqRAthDUSIkW +mD/R6CV08tIFYKyf7sCx0updbIHPbqbZtPW4X4QULXMDQanDSwHzcxzrCFOMEwOm +A+HASceq2X9nMUvH97fGQ4YuyogS/XI1k8H7jU7vlxMA3EGf80HnYc02b0oGDN3c +bVHBE/Zexer51HHsQOGpyYDmaCVzd1qlcFhwS3BMMPVW6TEU4HCXaTK5ipdOqbAF +syx9OUviqw3fRmZORt6lrhBO9+V3WIKGxUET64GLRoC4F32CThOBKzFXvFcHik4n +1W44lGVAQp3B/Q55KzYOIQ3D3/N7cbxyPtw1dwW60lN/UWo7YZJJc+6GXjp6c4Cy +s2VEoUx4OIs1eba99O5fdQ5IpW3IK6Cb1WaajcusZX9/QTIsf3ntSNPCnoebgk0V +TOMpOOnKIbKYMjdxpKbYLpXFQzxy3WEi2PtmqgLAk+xwcmzz+3W2I0qKKTwGuaOZ +MnGrJwg= +-----END CERTIFICATE----- diff --git a/modules/backup/Eriomem_SAS.pem b/modules/backup/Eriomem_SAS.pem new file mode 100644 index 00000000..8d77f26b --- /dev/null +++ b/modules/backup/Eriomem_SAS.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEbjCCA1agAwIBAgIJAKQiaGqY4pkkMA0GCSqGSIb3DQEBBQUAMIGAMQswCQYD +VQQGEwJGUjEWMBQGA1UECBQNzmxlIGRlIEZyYW5jZTEOMAwGA1UEBxMFUGFyaXMx +FDASBgNVBAoTC0VyaW9tZW0gU0FTMRQwEgYDVQQDEwtFcmlvbWVtIFNBUzEdMBsG +CSqGSIb3DQEJARYOY2FAZXJpb21lbS5uZXQwHhcNMTQwNTEzMTgzMDMxWhcNMzQw +NTEzMTgzMDMxWjCBgDELMAkGA1UEBhMCRlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFu +Y2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UE +AxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG9w0BCQEWDmNhQGVyaW9tZW0ubmV0MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVfR27JW3u3yvjdEEA8/mGlA +NMlurqteMnCXgPAKnkyU7xbuBWkNxs6FrcXvdpjomPQsDosLXOb4pV+4SxezApaY +XVqSzDWPV8M35QJjE8nOVuDvr3ziJfRITG9/WL2DpF9zpI6HpXVxdYNbZGxeCI2K +eSQ1pkc3574hDB1YB86TumcWPIYuw7cDFC9HB7htm2XYURt6o2jXbpNtdHWoEhWx +/m7cqpDCZmoBW1n3eApZac+4Im2bPXSQAqB/Lb0rgfsqJq3vEL4x12oC/5Ycn4cF +xti4AapPjC2GaPbybFLfBwMLu+lAgPJh3A4DC1DcQsxTuKPvUi/K00eCZDokewID +AQABo4HoMIHlMB0GA1UdDgQWBBRFwVSljClgTQxBTRvqftvJ3OE3xTCBtQYDVR0j +BIGtMIGqgBRFwVSljClgTQxBTRvqftvJ3OE3xaGBhqSBgzCBgDELMAkGA1UEBhMC +RlIxFjAUBgNVBAgUDc5sZSBkZSBGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYD +VQQKEwtFcmlvbWVtIFNBUzEUMBIGA1UEAxMLRXJpb21lbSBTQVMxHTAbBgkqhkiG +9w0BCQEWDmNhQGVyaW9tZW0ubmV0ggkApCJoapjimSQwDAYDVR0TBAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOCAQEAKs7PMQ9HAKHY1seGRHEMivQGVzDDZ7nURBmTkEIl +549QEyQbrAkcHUjJdMAuIgnbPl4yJFEI97U21pXb3BeLxhKI6r09OgWwZEagrI44 +Ns9WbcNGtw5bkgyA4nn00w0ggAJLq9b0sToU2vK2x6g+1oXH8K7BbOu49/+NTzCa +fgBzFMi0P7FWGrE2rqh6gFBVJh8qBuK2+QG6Rnfdw+mHWsedc//NRFjPSC3ZWaPc +cu9s4+IkjOy3RhdkNrF3ieWitmGZi4mUZQ3qi+Np2Z+ekn0QmXjmLdbLFxKw8xoR +Ed36LPnGcmKQN72RikmNmx83i8CrOF6Or9auGE5O8+qpyw== +-----END CERTIFICATE----- diff --git a/modules/backup/default.nix b/modules/backup/default.nix new file mode 100644 index 00000000..7e0e4b2c --- /dev/null +++ b/modules/backup/default.nix @@ -0,0 +1,100 @@ +{ lib, pkgs, myconfig, config, ... }: + +let + cfg = myconfig.env.backup; + varDir = "/var/lib/duply"; + duplyProfile = profile: prefix: '' + GPG_PW="${cfg.password}" + TARGET="${cfg.remote}${prefix}" + export AWS_ACCESS_KEY_ID="${cfg.accessKeyId}" + export AWS_SECRET_ACCESS_KEY="${cfg.secretAccessKey}" + SOURCE="${profile.rootDir}" + FILENAME=".duplicity-ignore" + DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'" + VERBOSITY=4 + ARCH_DIR="${varDir}/caches" + + # Do a full backup after 1 month + MAX_FULLBKP_AGE=1M + DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE " + # Backups older than 2months are deleted + MAX_AGE=2M + # Keep 2 full backups + MAX_FULL_BACKUPS=2 + MAX_FULLS_WITH_INCRS=2 + ''; + action = "bkp_purge_purgeFull_purgeIncr"; +in +{ + options = { + services.backup.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to enable remote backups. + ''; + }; + services.backup.profiles = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options = { + rootDir = lib.mkOption { + type = lib.types.path; + description = '' + Path to backup + ''; + }; + excludeFile = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Content to put in exclude file + ''; + }; + }; + }); + }; + }; + + config = lib.mkIf config.services.backup.enable { + system.activationScripts.backup = '' + install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches + ''; + secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: [ + { + permissions = "0400"; + dest = "backup/${k}/conf"; + text = duplyProfile v "${k}/"; + } + { + permissions = "0400"; + dest = "backup/${k}/exclude"; + text = v.excludeFile; + } + ]) config.services.backup.profiles); + + services.cron = { + enable = true; + systemCronJobs = let + backups = pkgs.writeScript "backups" '' + #!${pkgs.stdenv.shell} + + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: + '' + touch ${varDir}/${k}.log + ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${k}/ ${action} --force >> ${varDir}/${k}.log + '' + ) config.services.backup.profiles)} + ''; + in + [ + "0 2 * * * root ${backups}" + ]; + + }; + + security.pki.certificates = [ + (builtins.readFile ./Eriomem_SAS.1.pem) + (builtins.readFile ./Eriomem_SAS.pem) + ]; + }; +} diff --git a/modules/default.nix b/modules/default.nix index 9e9c4111..05f2bfe0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -13,6 +13,7 @@ opendmarc = ./opendmarc.nix; openarc = ./openarc.nix; + backup = ./backup; naemon = ./naemon; php-application = ./websites/php-application.nix; diff --git a/modules/myids.nix b/modules/myids.nix index ac9fd65e..79610aff 100644 --- a/modules/myids.nix +++ b/modules/myids.nix @@ -3,6 +3,7 @@ # Check that there is no clash with nixos/modules/misc/ids.nix config = { ids.uids = { + backup = 389; vhost = 390; openarc = 391; opendmarc = 392; @@ -15,6 +16,7 @@ }; ids.gids = { nagios = 11; # commented in the ids file + backup = 389; vhost = 390; openarc = 391; opendmarc = 392; diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index 26d5238f..eed9e3f6 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix @@ -190,6 +190,36 @@ in unitConfig.RequiresMountsFor = cfg.dataDir; }; + systemd.services.mastodon-cleanup = { + description = "Cleanup mastodon"; + startAt = "daily"; + restartIfChanged = false; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; + environment.SOCKET = cfg.sockets.rails; + + path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ]; + + script = '' + exec ./bin/tootctl media remove --days 30 + ''; + + serviceConfig = { + User = cfg.user; + EnvironmentFile = cfg.configFile; + PrivateTmp = true; + Type = "oneshot"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + RuntimeDirectoryPreserve = "yes"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + systemd.services.mastodon-sidekiq = { description = "Mastodon Sidekiq"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index 924d72de..6771f015 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix @@ -37,6 +37,9 @@ in { }; config = lib.mkIf (builtins.length cfg.sites > 0) { + services.backup.profiles.goaccess = { + rootDir = cfg.dataDir; + }; users.users.root.packages = [ pkgs.goaccess ]; -- cgit v1.2.3