ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity
nix-dotfiles/modules/backup.nix
Alice Huston 241c66f5ec enable external SMTP for hydra (#49) 
* external SMTP for hydra

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* nix-serve sops

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* add binary cache

* add hydra jobs

* cleanup (#50)

* finish up cleanup branch merge

* switched back to nixpkgs-fmt

* add nixpkgs-fmt to hydrajobs.build

---------

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
Co-authored-by: Dennis Wuitz <dennish@wuitz.de>
Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
2024-02-01 22:50:14 +01:00

131 lines
4.3 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let cfg = config.services.backup;
in {
options.services.backup = {
enable = lib.mkEnableOption "backup";
offsite = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Offsite backup hostnames.";
};
paths = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Extra paths to include in backup.";
};
exclude = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Extra paths to exclude in backup.";
};
backup_at = lib.mkOption {
type = lib.types.int;
default = 2;
description = "Time to run backup.";
};
};
config = {
assertions = [
{
assertion = cfg.paths != [ ] -> cfg.enable;
message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!";
}
{
assertion = cfg.backup_at < 24;
message = "Backup time must be less than 24 hours!";
}
];
services = {
postgresqlBackup = {
inherit (config.services.postgresql) enable;
backupAll = true;
startAt = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:00:00";
};
restic.backups =
let
commonOpts = {
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
initialize = true;
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/etc/group"
"/etc/machine-id"
"/etc/passwd"
"/etc/shadow"
"/etc/ssh/ssh_host_ecdsa_key"
"/etc/ssh/ssh_host_ecdsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/subgid"
"/etc/subuid"
"/var/lib/nixos/"
] ++ cfg.paths ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" ++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
++ lib.optional config.mailserver.enable config.mailserver.mailDirectory;
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
RandomizedDelaySec = "5m";
};
};
in
lib.mkIf cfg.enable {
local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
};
};
sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ])
{
"restic/offsite/private" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/ssh-config" = {
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..."
mkdir -m700 -p /home/root/.ssh/
ln -fs {,/home}/root/.ssh/id_offsite-backup
ln -fs {,/home}/root/.ssh/id_offsite-backup.pub
ln -fs {,/home}/root/.ssh/config
'';
systemd = lib.mkIf cfg.enable {
services = {
restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666";
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
};
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
};
};
}
Reference in New Issue View Git Blame Copy Permalink