diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 3abef7f..935b5ac 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -20,22 +20,21 @@
 '';
 };
- logrotate.settings =
- {
- # Override the default, just keep fewer logs
- nginx.rotate = 6;
+ logrotate.settings = {
+ # Override the default, just keep fewer logs
+ nginx.rotate = 6;
+ }
+ // lib.mapAttrs' (
+ virtualHost: _:
+ lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+ frequency = "daily";
+ rotate = 2;
+ compress = true;
+ delaycompress = true;
+ su = "${config.services.nginx.user} ${config.services.nginx.group}";
+ postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
 }
- // lib.mapAttrs' (
- virtualHost: _:
- lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
- frequency = "daily";
- rotate = 2;
- compress = true;
- delaycompress = true;
- su = "${config.services.nginx.user} ${config.services.nginx.group}";
- postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
- }
- ) config.services.nginx.virtualHosts;
+ ) config.services.nginx.virtualHosts;
 backups.acme = {
 user = "acme";
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index baa61e3..688f5f9 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -140,123 +140,121 @@ in
 };
 config = lib.mkIf (config.services.backups != { }) {
- systemd.services =
- {
- restic-prune = {
- # Doesn't hurt to finish the ongoing prune
- restartIfChanged = false;
+ systemd.services = {
+ restic-prune = {
+ # Doesn't hurt to finish the ongoing prune
+ restartIfChanged = false;
- environment = resticEnv;
+ environment = resticEnv;
- path = with pkgs; [
- openssh
- rclone
- restic
+ path = with pkgs; [
+ openssh
+ rclone
+ restic
+ ];
+
+ script = ''
+ # TODO(tlater): In an append-only setup, we should be
+ # careful with this; an attacker could delete backups by
+ # simply appending ad infinitum:
+ # https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
+ restic forget --keep-last 3 --prune
+ restic check
+ '';
+
+ serviceConfig = {
+ DynamicUser = true;
+ Group = "backup";
+
+ CacheDirectory = "restic-prune";
+ CacheDirectoryMode = "0700";
+ };
+ };
+ }
+ // lib.mapAttrs' (
+ name: backup:
+ lib.nameValuePair "backup-${name}" {
+ # Don't want to restart mid-backup
+ restartIfChanged = false;
+
+ environment = resticEnv // {
+ RESTIC_CACHE_DIR = "%C/backup-${name}";
+ };
+
+ path = with pkgs; [
+ coreutils
+ openssh
+ rclone
+ restic
+ ];
+
+ # TODO(tlater): If I ever add more than one repo, service
+ # shutdown/restarting will potentially break if multiple
+ # backups for the same service overlap. A more clever
+ # sentinel file with reference counts would probably solve
+ # this.
+ serviceConfig = {
+ User = backup.user;
+ Group = "backup";
+ RuntimeDirectory = "backup-${name}";
+ CacheDirectory = "backup-${name}";
+ CacheDirectoryMode = "0700";
+ PrivateTmp = true;
+
+ ExecStart = [
+ (lib.concatStringsSep " " (
+ [
+ "${pkgs.restic}/bin/restic"
+ "backup"
+ "--tag"
+ name
+ ]
+ ++ backup.paths
+ ))
 ];
- script = ''
- # TODO(tlater): In an append-only setup, we should be
- # careful with this; an attacker could delete backups by
- # simply appending ad infinitum:
- # https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
- restic forget --keep-last 3 --prune
- restic check
- '';
+ ExecStartPre =
+ map (service: "+${mkShutdownScript service}") backup.pauseServices
+ ++ singleton (
+ writeScript "backup-${name}-repo-init" [ ] ''
+ restic snapshots || restic init
+ ''
+ )
+ ++ optional (backup.preparation.text != null) (
+ writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
+ );
- serviceConfig = {
- DynamicUser = true;
- Group = "backup";
-
- CacheDirectory = "restic-prune";
- CacheDirectoryMode = "0700";
- };
+ # TODO(tlater): Add repo pruning/checking
+ ExecStopPost =
+ map (service: "+${mkRestartScript service}") backup.pauseServices
+ ++ optional (backup.cleanup.text != null) (
+ writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
+ );
 };
 }
- // lib.mapAttrs' (
- name: backup:
- lib.nameValuePair "backup-${name}" {
- # Don't want to restart mid-backup
- restartIfChanged = false;
+ ) config.services.backups;
- environment = resticEnv // {
- RESTIC_CACHE_DIR = "%C/backup-${name}";
- };
-
- path = with pkgs; [
- coreutils
- openssh
- rclone
- restic
- ];
-
- # TODO(tlater): If I ever add more than one repo, service
- # shutdown/restarting will potentially break if multiple
- # backups for the same service overlap. A more clever
- # sentinel file with reference counts would probably solve
- # this.
- serviceConfig = {
- User = backup.user;
- Group = "backup";
- RuntimeDirectory = "backup-${name}";
- CacheDirectory = "backup-${name}";
- CacheDirectoryMode = "0700";
- PrivateTmp = true;
-
- ExecStart = [
- (lib.concatStringsSep " " (
- [
- "${pkgs.restic}/bin/restic"
- "backup"
- "--tag"
- name
- ]
- ++ backup.paths
- ))
- ];
-
- ExecStartPre =
- map (service: "+${mkShutdownScript service}") backup.pauseServices
- ++ singleton (
- writeScript "backup-${name}-repo-init" [ ] ''
- restic snapshots || restic init
- ''
- )
- ++ optional (backup.preparation.text != null) (
- writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
- );
-
- # TODO(tlater): Add repo pruning/checking
- ExecStopPost =
- map (service: "+${mkRestartScript service}") backup.pauseServices
- ++ optional (backup.cleanup.text != null) (
- writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
- );
- };
- }
- ) config.services.backups;
-
- systemd.timers =
- {
- restic-prune = {
- wantedBy = [ "timers.target" ];
- timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
- # Don't make this persistent, in case the server was offline
- # for a while. This job cannot run at the same time as any
- # of the backup jobs.
+ systemd.timers = {
+ restic-prune = {
+ wantedBy = [ "timers.target" ];
+ timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
+ # Don't make this persistent, in case the server was offline
+ # for a while. This job cannot run at the same time as any
+ # of the backup jobs.
+ };
+ }
+ // lib.mapAttrs' (
+ name: _:
+ lib.nameValuePair "backup-${name}" {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "Wednesday 02:30:00 UTC";
+ RandomizedDelaySec = "1h";
+ FixedRandomDelay = true;
+ Persistent = true;
 };
 }
- // lib.mapAttrs' (
- name: _:
- lib.nameValuePair "backup-${name}" {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "Wednesday 02:30:00 UTC";
- RandomizedDelaySec = "1h";
- FixedRandomDelay = true;
- Persistent = true;
- };
- }
- ) config.services.backups;
+ ) config.services.backups;
 users = {
 # This user is only used to own the ssh key, because apparently
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index b736047..174115b 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -30,11 +30,12 @@
 {
 labels.type = "nginx";
- filenames =
- [ "/var/log/nginx/*.log" ]
- ++ lib.mapAttrsToList (
- vHost: _: "/var/log/nginx/${vHost}/access.log"
- ) config.services.nginx.virtualHosts;
+ filenames = [
+ "/var/log/nginx/*.log"
+ ]
+ ++ lib.mapAttrsToList (
+ vHost: _: "/var/log/nginx/${vHost}/access.log"
+ ) config.services.nginx.virtualHosts;
 }
 ];
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index e1b0761..b24ef7a 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -154,8 +154,7 @@ in
 lib.recursiveUpdate {
 inherit (scrape) job_name;
 static_configs =
- scrape.static_configs
- ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
+ scrape.static_configs ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
 } scrape.extraSettings
 ) config.services.victoriametrics.scrapeConfigs;
 };