modules/backup: create a wrapper to handle restic failures
- create wrapper module - expose po_env to everything
This commit is contained in:
parent
df63c1bb6a
commit
730fec96bb
@ -42,7 +42,6 @@ with lib; {
|
||||
config = mkIf config.xinCI.enable {
|
||||
sops.defaultSopsFile = config.xin-secrets.ci;
|
||||
sops.secrets = {
|
||||
po_env = { owner = config.xinCI.user; };
|
||||
ci_ed25519_key = {
|
||||
mode = "400";
|
||||
owner = config.xinCI.user;
|
||||
|
@ -36,7 +36,6 @@ with lib; {
|
||||
manager_pubkey = { owner = config.nixManager.user; };
|
||||
ca_key = { owner = config.nixManager.user; };
|
||||
ca_cert = { owner = config.nixManager.user; };
|
||||
po_env = { owner = config.nixManager.user; };
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
|
@ -243,10 +243,6 @@ with lib; {
|
||||
owner = config.nixManager.user;
|
||||
sopsFile = config.xin-secrets.manager;
|
||||
};
|
||||
po_env = {
|
||||
owner = config.nixManager.user;
|
||||
sopsFile = config.xin-secrets.manager;
|
||||
};
|
||||
};
|
||||
systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
|
||||
environment.systemPackages = mkIf enabled [ aclUpdateScript ];
|
||||
|
@ -65,6 +65,11 @@ in
|
||||
|
||||
secrets =
|
||||
if config.needsDeploy.enable then {
|
||||
po_env = {
|
||||
sopsFile = config.xin-secrets.deploy;
|
||||
owner = "root";
|
||||
mode = "444";
|
||||
};
|
||||
xin_secrets_deploy_key = {
|
||||
sopsFile = config.xin-secrets.deploy;
|
||||
owner = "root";
|
||||
|
@ -132,7 +132,10 @@
|
||||
, ...
|
||||
} @ inputs:
|
||||
let
|
||||
xinlib = import ./lib { inherit (unstable) lib; };
|
||||
xinlib = import ./lib {
|
||||
inherit (unstable) lib;
|
||||
inherit inputs;
|
||||
};
|
||||
supportedSystems = [ "x86_64-linux" ];
|
||||
#[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
|
||||
forAllSystems = unstable.lib.genAttrs supportedSystems;
|
||||
|
@ -219,31 +219,29 @@ in
|
||||
openFirewall = true;
|
||||
};
|
||||
printing.enable = true;
|
||||
restic = {
|
||||
backups =
|
||||
let
|
||||
paths = [ "/home/qbit" "/var/lib/libvirt" "/etc" ];
|
||||
paths = [ "/home/qbit" "/etc" ];
|
||||
pruneOpts = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
|
||||
timerConfig = { OnCalendar = "*-*-* 00:30:00"; };
|
||||
in
|
||||
{
|
||||
remote = {
|
||||
initialize = true;
|
||||
enable = true;
|
||||
passwordFile = "${config.sops.secrets.restic_remote_password_file.path}";
|
||||
repositoryFile = "${config.sops.secrets.restic_remote_repo_file.path}";
|
||||
|
||||
inherit paths;
|
||||
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
|
||||
# Don't send libvirt over the air-wire
|
||||
inherit paths pruneOpts timerConfig;
|
||||
};
|
||||
local = {
|
||||
initialize = true;
|
||||
enable = true;
|
||||
repository = "/run/media/qbit/backup/${config.networking.hostName}";
|
||||
environmentFile = "${config.sops.secrets.restic_env_file.path}";
|
||||
passwordFile = "${config.sops.secrets.restic_password_file.path}";
|
||||
|
||||
inherit paths;
|
||||
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 5" ];
|
||||
};
|
||||
paths = paths ++ [ "/var/lib/libvirt" ];
|
||||
inherit pruneOpts timerConfig;
|
||||
};
|
||||
};
|
||||
pcscd.enable = true;
|
||||
|
@ -489,10 +489,9 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
restic = {
|
||||
backups = {
|
||||
b2 = {
|
||||
initialize = true;
|
||||
enable = true;
|
||||
repository = "b2:cyaspanJicyeemJedMarlEjcasOmos";
|
||||
environmentFile = "${config.sops.secrets.restic_env_file.path}";
|
||||
passwordFile = "${config.sops.secrets.restic_password_file.path}";
|
||||
@ -517,7 +516,6 @@ in
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
@ -275,10 +275,9 @@ in
|
||||
server = "127.0.0.1:24800";
|
||||
};
|
||||
};
|
||||
restic = {
|
||||
backups = {
|
||||
remote = {
|
||||
initialize = true;
|
||||
enable = true;
|
||||
environmentFile = "${config.sops.secrets.restic_env_file.path}";
|
||||
passwordFile = "${config.sops.secrets.restic_password_file.path}";
|
||||
repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
|
||||
@ -288,7 +287,6 @@ in
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
rsyslogd = {
|
||||
enable = testingMode;
|
||||
defaultConfig = ''
|
||||
|
103
modules/backup.nix
Normal file
103
modules/backup.nix
Normal file
@ -0,0 +1,103 @@
|
||||
{ lib, inputs, config, utils, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
inherit (utils.systemdUtils.unitOptions) unitOption;
|
||||
cfg = config.services.backups;
|
||||
enabledBackups = filterAttrs (_: conf: conf.enable) cfg;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.backups = mkOption {
|
||||
description = "Backup configurations, wrapped to allow for notifications of failed backups.";
|
||||
default = { };
|
||||
type = with types; attrsOf (submodule ({ name, ... }: {
|
||||
options = {
|
||||
enable = mkEnableOption "Enable backup for ${name}";
|
||||
|
||||
passwordFile = mkOption {
|
||||
type = path;
|
||||
description = "Path to file containing password.";
|
||||
};
|
||||
|
||||
repository = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = "optional path to repository (can also be specified in the repositoryFile.";
|
||||
};
|
||||
|
||||
repositoryFile = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
description = "Path to repository file.";
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = "path to environment file";
|
||||
};
|
||||
|
||||
paths = mkOption {
|
||||
type = listOf str;
|
||||
description = "List of paths to backup.";
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
pruneOpts = mkOption {
|
||||
type = listOf str;
|
||||
description = "Options for 'restic forget'.";
|
||||
default = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
|
||||
};
|
||||
|
||||
timerConfig = mkOption {
|
||||
type = nullOr (attrsOf unitOption);
|
||||
description = "systemd.timer(5) settings for when to do the backup.";
|
||||
default = {
|
||||
OnCalendar = "daily";
|
||||
Persistent = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}));
|
||||
};
|
||||
};
|
||||
config = mkIf (enabledBackups != { }) {
|
||||
services.restic.backups = mapAttrs'
|
||||
(name: conf: nameValuePair
|
||||
name
|
||||
{
|
||||
initialize = true;
|
||||
inherit (conf) passwordFile repository repositoryFile paths pruneOpts timerConfig environmentFile;
|
||||
})
|
||||
enabledBackups;
|
||||
|
||||
systemd.services = mkMerge [
|
||||
(mapAttrs'
|
||||
(name: _: nameValuePair
|
||||
"restic-backups-${name}-failed"
|
||||
{
|
||||
enable = true;
|
||||
description = "Notification service for ${name}";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
script = ''
|
||||
. ${config.sops.secrets.po_env.path}
|
||||
|
||||
PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
|
||||
$PO -title "restic-${name} backup failed!" -body "Please check the ${name} backup on ${config.networking.hostName}."
|
||||
'';
|
||||
|
||||
})
|
||||
enabledBackups)
|
||||
(mapAttrs'
|
||||
(name: _: nameValuePair
|
||||
"restic-backups-${name}"
|
||||
{
|
||||
unitConfig.OnFailure = "restic-backups-${name}-failed.service";
|
||||
})
|
||||
enabledBackups)
|
||||
];
|
||||
};
|
||||
}
|
||||
|
@ -1,5 +1,6 @@
|
||||
{ ... }: {
|
||||
imports = [
|
||||
./backup.nix
|
||||
./golink.nix
|
||||
./gotosocial.nix
|
||||
./lock-action.nix
|
||||
|
Loading…
Reference in New Issue
Block a user