# NixOS module: backs up nix-bitcoin node state via the NixOS duplicity
# service. It declares the `services.backups.*` options, builds duplicity's
# include/exclude filelist, and orders the PostgreSQL dump units in front of
# the duplicity run.
{ config, lib, pkgs, ... }:
with lib;
let
# Option declarations; each option documents itself in `description`.
options.services.backups = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable backups of node data.
This uses the NixOS duplicity service.
To further configure the backup, you can set NixOS options `services.duplicity.*`.
The `services.duplicity.cleanup.*` options are particularly useful.
'';
};
with-bulk-data = mkOption {
type = types.bool;
default = false;
description = ''
Whether to also backup Bitcoin blockchain and other bulk data.
'';
};
# Default destination is a directory on the same host, so it does not by
# itself protect against loss of this machine's disk.
destination = mkOption {
type = types.str;
default = "file:///var/lib/localBackups";
description = ''
Where to back up to.
'';
};
frequency = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Run backup with the given frequency. If null, do not run automatically.
'';
};
postgresqlDatabases = mkOption {
type = types.listOf types.str;
default = [];
description = "List of database names to backup.";
};
extraFiles = mkOption {
type = types.listOf types.str;
default = [];
example = [ "/var/lib/nginx" ];
description = "Additional files to be appended to filelist.";
};
};
cfg = config.services.backups;
# Potential backup file paths are matched against filelist
# entries from top to bottom.
# The first match determines inclusion or exclusion.
#
# A line prefixed with "- " excludes a path, a bare path includes it.
# Because the first match wins, the order below is significant:
#  - `extraFiles` are emitted first so user entries take precedence over
#    the defaults;
#  - the bulk-data exclusions (blocks/chainstate/indexes) are emitted just
#    before the data dir they live in, so they apply unless
#    `with-bulk-data` is set;
#  - the final "- /" drops everything not matched above.
#
# The resulting archive holds key material: `secretsDir` (when secrets
# are generated by nix-bitcoin) and /var/lib/tor are included. It is
# encrypted with the passphrase from `secretFile` below, which itself
# lives inside `secretsDir` — so the passphrase must be kept outside
# the backup, or the backup cannot be decrypted after a full loss.
includeFileList = builtins.toFile "filelist.txt" ''
${builtins.concatStringsSep "\n" cfg.extraFiles}
${optionalString (!cfg.with-bulk-data) ''
- ${config.services.bitcoind.dataDir}/blocks
- ${config.services.bitcoind.dataDir}/chainstate
- ${config.services.bitcoind.dataDir}/indexes
''}
${config.services.bitcoind.dataDir}
${config.services.clightning.dataDir}
${config.services.clightning-rest.dataDir}
${config.services.lnd.dataDir}
${optionalString (!cfg.with-bulk-data) ''
- ${config.services.liquidd.dataDir}/*/blocks
- ${config.services.liquidd.dataDir}/*/chainstate
- ${config.services.liquidd.dataDir}/*/indexes
''}
${config.services.liquidd.dataDir}
${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"}
${config.services.nbxplorer.dataDir}
${config.services.btcpayserver.dataDir}
${config.services.joinmarket.dataDir}
${optionalString config.nix-bitcoin.generateSecrets "${config.nix-bitcoin.secretsDir}"}
/var/lib/tor
/var/lib/nixos
${builtins.concatStringsSep "\n" postgresqlBackupPaths}
# Exclude all unspecified files and directories
- /
'';
# Directory where `services.postgresqlBackup` writes its dumps; one
# `<db>.sql.gz` per configured database is added to the filelist above.
postgresqlBackupDir = config.services.postgresqlBackup.location;
postgresqlBackupPaths = map (db: "${postgresqlBackupDir}/${db}.sql.gz") cfg.postgresqlDatabases;
# The per-database dump units that duplicity is ordered after, so the
# backup picks up fresh dumps rather than stale ones.
postgresqlBackupServices = map (db: "postgresqlBackup-${db}.service") cfg.postgresqlDatabases;
in {
inherit options;
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.duplicity ];
services.duplicity = {
enable = true;
inherit includeFileList;
# Force a full (non-incremental) backup monthly; `mkDefault` lets the
# user override this via `services.duplicity.fullIfOlderThan`.
fullIfOlderThan = mkDefault "1M";
targetUrl = cfg.destination;
frequency = cfg.frequency;
# Environment file providing PASSPHRASE; written by the
# `generateSecretsCmds.backups` snippet below.
secretFile = "${config.nix-bitcoin.secretsDir}/backup-encryption-env";
};
# Run the database dumps before duplicity, and only start once the
# nix-bitcoin secrets (including the passphrase file) are in place.
systemd.services.duplicity = {
wants = postgresqlBackupServices;
after = postgresqlBackupServices ++ [ "nix-bitcoin-secrets.target" ];
};
# Only enable the dump service when there is at least one database to dump.
services.postgresqlBackup = {
enable = mkIf (cfg.postgresqlDatabases != []) true;
databases = cfg.postgresqlDatabases;
};
# Assign the passphrase env file to root.
nix-bitcoin.secrets.backup-encryption-env.user = "root";
# Generate the backup passphrase, then derive the env file duplicity reads.
# `-nt` is true when the password file is newer than the env file, or when
# the env file does not exist yet, so the env file is (re)written only when
# the password changed.
nix-bitcoin.generateSecretsCmds.backups = ''
makePasswordSecret backup-encryption-password
if [[ backup-encryption-password -nt backup-encryption-env ]]; then
echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
fi
'';
# With btcpayserver enabled, always dump its own database; the nbxplorer
# database is treated as bulk data and is only dumped with `with-bulk-data`.
services.backups.postgresqlDatabases = mkIf config.services.btcpayserver.enable (
[ "btcpaydb" ] ++ optional cfg.with-bulk-data "nbxplorer"
);
};
}