modules/backup: create a wrapper to handle restic failures

- create wrapper module
- expose po_env to everything
This commit is contained in:
Aaron Bieber 2024-07-31 09:52:49 -06:00
parent df63c1bb6a
commit 730fec96bb
No known key found for this signature in database
10 changed files with 166 additions and 66 deletions

View File

@ -42,7 +42,6 @@ with lib; {
config = mkIf config.xinCI.enable {
sops.defaultSopsFile = config.xin-secrets.ci;
sops.secrets = {
po_env = { owner = config.xinCI.user; };
ci_ed25519_key = {
mode = "400";
owner = config.xinCI.user;

View File

@ -36,7 +36,6 @@ with lib; {
manager_pubkey = { owner = config.nixManager.user; };
ca_key = { owner = config.nixManager.user; };
ca_cert = { owner = config.nixManager.user; };
po_env = { owner = config.nixManager.user; };
};
environment.systemPackages = [

View File

@ -243,10 +243,6 @@ with lib; {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
po_env = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
};
systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
environment.systemPackages = mkIf enabled [ aclUpdateScript ];

View File

@ -65,6 +65,11 @@ in
secrets =
if config.needsDeploy.enable then {
po_env = {
sopsFile = config.xin-secrets.deploy;
owner = "root";
mode = "444";
};
xin_secrets_deploy_key = {
sopsFile = config.xin-secrets.deploy;
owner = "root";

View File

@ -132,7 +132,10 @@
, ...
} @ inputs:
let
xinlib = import ./lib { inherit (unstable) lib; };
xinlib = import ./lib {
inherit (unstable) lib;
inherit inputs;
};
supportedSystems = [ "x86_64-linux" ];
#[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
forAllSystems = unstable.lib.genAttrs supportedSystems;

View File

@ -219,31 +219,29 @@ in
openFirewall = true;
};
printing.enable = true;
restic = {
backups =
let
paths = [ "/home/qbit" "/var/lib/libvirt" "/etc" ];
paths = [ "/home/qbit" "/etc" ];
pruneOpts = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
timerConfig = { OnCalendar = "*-*-* 00:30:00"; };
in
{
remote = {
initialize = true;
enable = true;
passwordFile = "${config.sops.secrets.restic_remote_password_file.path}";
repositoryFile = "${config.sops.secrets.restic_remote_repo_file.path}";
inherit paths;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
# Don't send libvirt over the air-wire
inherit paths pruneOpts timerConfig;
};
local = {
initialize = true;
enable = true;
repository = "/run/media/qbit/backup/${config.networking.hostName}";
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
inherit paths;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 5" ];
};
paths = paths ++ [ "/var/lib/libvirt" ];
inherit pruneOpts timerConfig;
};
};
pcscd.enable = true;

View File

@ -489,10 +489,9 @@ in
];
};
restic = {
backups = {
b2 = {
initialize = true;
enable = true;
repository = "b2:cyaspanJicyeemJedMarlEjcasOmos";
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
@ -517,7 +516,6 @@ in
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
};
};
};
nginx = {
enable = true;

View File

@ -275,10 +275,9 @@ in
server = "127.0.0.1:24800";
};
};
restic = {
backups = {
remote = {
initialize = true;
enable = true;
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
@ -288,7 +287,6 @@ in
pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
};
};
};
rsyslogd = {
enable = testingMode;
defaultConfig = ''

103
modules/backup.nix Normal file
View File

@ -0,0 +1,103 @@
{ lib, inputs, config, utils, pkgs, ... }:
with lib;
let
inherit (utils.systemdUtils.unitOptions) unitOption;
cfg = config.services.backups;
enabledBackups = filterAttrs (_: conf: conf.enable) cfg;
in
{
options = {
services.backups = mkOption {
description = "Backup configurations, wrapped to allow for notifications of failed backups.";
default = { };
type = with types; attrsOf (submodule ({ name, ... }: {
options = {
enable = mkEnableOption "Enable backup for ${name}";
passwordFile = mkOption {
type = path;
description = "Path to file containing password.";
};
repository = mkOption {
type = nullOr str;
default = null;
description = "optional path to repository (can also be specified in the repositoryFile.";
};
repositoryFile = mkOption {
type = nullOr path;
default = null;
description = "Path to repository file.";
};
environmentFile = mkOption {
type = nullOr str;
default = null;
description = "path to environment file";
};
paths = mkOption {
type = listOf str;
description = "List of paths to backup.";
default = [ ];
};
pruneOpts = mkOption {
type = listOf str;
description = "Options for 'restic forget'.";
default = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
};
timerConfig = mkOption {
type = nullOr (attrsOf unitOption);
description = "systemd.timer(5) settings for when to do the backup.";
default = {
OnCalendar = "daily";
Persistent = true;
};
};
};
}));
};
};
config = mkIf (enabledBackups != { }) {
services.restic.backups = mapAttrs'
(name: conf: nameValuePair
name
{
initialize = true;
inherit (conf) passwordFile repository repositoryFile paths pruneOpts timerConfig environmentFile;
})
enabledBackups;
systemd.services = mkMerge [
(mapAttrs'
(name: _: nameValuePair
"restic-backups-${name}-failed"
{
enable = true;
description = "Notification service for ${name}";
serviceConfig = {
Type = "oneshot";
};
script = ''
. ${config.sops.secrets.po_env.path}
PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
$PO -title "restic-${name} backup failed!" -body "Please check the ${name} backup on ${config.networking.hostName}."
'';
})
enabledBackups)
(mapAttrs'
(name: _: nameValuePair
"restic-backups-${name}"
{
unitConfig.OnFailure = "restic-backups-${name}-failed.service";
})
enabledBackups)
];
};
}

View File

@ -1,5 +1,6 @@
{ ... }: {
imports = [
./backup.nix
./golink.nix
./gotosocial.nix
./lock-action.nix