style: Apply new nixfmt formatting
parent
895afdce5a
commit
f8167209eb
4 changed files with 126 additions and 129 deletions
|
@ -140,123 +140,121 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf (config.services.backups != { }) {
|
||||
systemd.services =
|
||||
{
|
||||
restic-prune = {
|
||||
# Doesn't hurt to finish the ongoing prune
|
||||
restartIfChanged = false;
|
||||
systemd.services = {
|
||||
restic-prune = {
|
||||
# Doesn't hurt to finish the ongoing prune
|
||||
restartIfChanged = false;
|
||||
|
||||
environment = resticEnv;
|
||||
environment = resticEnv;
|
||||
|
||||
path = with pkgs; [
|
||||
openssh
|
||||
rclone
|
||||
restic
|
||||
path = with pkgs; [
|
||||
openssh
|
||||
rclone
|
||||
restic
|
||||
];
|
||||
|
||||
script = ''
|
||||
# TODO(tlater): In an append-only setup, we should be
|
||||
# careful with this; an attacker could delete backups by
|
||||
# simply appending ad infinitum:
|
||||
# https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
|
||||
restic forget --keep-last 3 --prune
|
||||
restic check
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Group = "backup";
|
||||
|
||||
CacheDirectory = "restic-prune";
|
||||
CacheDirectoryMode = "0700";
|
||||
};
|
||||
};
|
||||
}
|
||||
// lib.mapAttrs' (
|
||||
name: backup:
|
||||
lib.nameValuePair "backup-${name}" {
|
||||
# Don't want to restart mid-backup
|
||||
restartIfChanged = false;
|
||||
|
||||
environment = resticEnv // {
|
||||
RESTIC_CACHE_DIR = "%C/backup-${name}";
|
||||
};
|
||||
|
||||
path = with pkgs; [
|
||||
coreutils
|
||||
openssh
|
||||
rclone
|
||||
restic
|
||||
];
|
||||
|
||||
# TODO(tlater): If I ever add more than one repo, service
|
||||
# shutdown/restarting will potentially break if multiple
|
||||
# backups for the same service overlap. A more clever
|
||||
# sentinel file with reference counts would probably solve
|
||||
# this.
|
||||
serviceConfig = {
|
||||
User = backup.user;
|
||||
Group = "backup";
|
||||
RuntimeDirectory = "backup-${name}";
|
||||
CacheDirectory = "backup-${name}";
|
||||
CacheDirectoryMode = "0700";
|
||||
PrivateTmp = true;
|
||||
|
||||
ExecStart = [
|
||||
(lib.concatStringsSep " " (
|
||||
[
|
||||
"${pkgs.restic}/bin/restic"
|
||||
"backup"
|
||||
"--tag"
|
||||
name
|
||||
]
|
||||
++ backup.paths
|
||||
))
|
||||
];
|
||||
|
||||
script = ''
|
||||
# TODO(tlater): In an append-only setup, we should be
|
||||
# careful with this; an attacker could delete backups by
|
||||
# simply appending ad infinitum:
|
||||
# https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
|
||||
restic forget --keep-last 3 --prune
|
||||
restic check
|
||||
'';
|
||||
ExecStartPre =
|
||||
map (service: "+${mkShutdownScript service}") backup.pauseServices
|
||||
++ singleton (
|
||||
writeScript "backup-${name}-repo-init" [ ] ''
|
||||
restic snapshots || restic init
|
||||
''
|
||||
)
|
||||
++ optional (backup.preparation.text != null) (
|
||||
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
|
||||
);
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Group = "backup";
|
||||
|
||||
CacheDirectory = "restic-prune";
|
||||
CacheDirectoryMode = "0700";
|
||||
};
|
||||
# TODO(tlater): Add repo pruning/checking
|
||||
ExecStopPost =
|
||||
map (service: "+${mkRestartScript service}") backup.pauseServices
|
||||
++ optional (backup.cleanup.text != null) (
|
||||
writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
|
||||
);
|
||||
};
|
||||
}
|
||||
// lib.mapAttrs' (
|
||||
name: backup:
|
||||
lib.nameValuePair "backup-${name}" {
|
||||
# Don't want to restart mid-backup
|
||||
restartIfChanged = false;
|
||||
) config.services.backups;
|
||||
|
||||
environment = resticEnv // {
|
||||
RESTIC_CACHE_DIR = "%C/backup-${name}";
|
||||
};
|
||||
|
||||
path = with pkgs; [
|
||||
coreutils
|
||||
openssh
|
||||
rclone
|
||||
restic
|
||||
];
|
||||
|
||||
# TODO(tlater): If I ever add more than one repo, service
|
||||
# shutdown/restarting will potentially break if multiple
|
||||
# backups for the same service overlap. A more clever
|
||||
# sentinel file with reference counts would probably solve
|
||||
# this.
|
||||
serviceConfig = {
|
||||
User = backup.user;
|
||||
Group = "backup";
|
||||
RuntimeDirectory = "backup-${name}";
|
||||
CacheDirectory = "backup-${name}";
|
||||
CacheDirectoryMode = "0700";
|
||||
PrivateTmp = true;
|
||||
|
||||
ExecStart = [
|
||||
(lib.concatStringsSep " " (
|
||||
[
|
||||
"${pkgs.restic}/bin/restic"
|
||||
"backup"
|
||||
"--tag"
|
||||
name
|
||||
]
|
||||
++ backup.paths
|
||||
))
|
||||
];
|
||||
|
||||
ExecStartPre =
|
||||
map (service: "+${mkShutdownScript service}") backup.pauseServices
|
||||
++ singleton (
|
||||
writeScript "backup-${name}-repo-init" [ ] ''
|
||||
restic snapshots || restic init
|
||||
''
|
||||
)
|
||||
++ optional (backup.preparation.text != null) (
|
||||
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
|
||||
);
|
||||
|
||||
# TODO(tlater): Add repo pruning/checking
|
||||
ExecStopPost =
|
||||
map (service: "+${mkRestartScript service}") backup.pauseServices
|
||||
++ optional (backup.cleanup.text != null) (
|
||||
writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
|
||||
);
|
||||
};
|
||||
}
|
||||
) config.services.backups;
|
||||
|
||||
systemd.timers =
|
||||
{
|
||||
restic-prune = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
|
||||
# Don't make this persistent, in case the server was offline
|
||||
# for a while. This job cannot run at the same time as any
|
||||
# of the backup jobs.
|
||||
systemd.timers = {
|
||||
restic-prune = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
|
||||
# Don't make this persistent, in case the server was offline
|
||||
# for a while. This job cannot run at the same time as any
|
||||
# of the backup jobs.
|
||||
};
|
||||
}
|
||||
// lib.mapAttrs' (
|
||||
name: _:
|
||||
lib.nameValuePair "backup-${name}" {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "Wednesday 02:30:00 UTC";
|
||||
RandomizedDelaySec = "1h";
|
||||
FixedRandomDelay = true;
|
||||
Persistent = true;
|
||||
};
|
||||
}
|
||||
// lib.mapAttrs' (
|
||||
name: _:
|
||||
lib.nameValuePair "backup-${name}" {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "Wednesday 02:30:00 UTC";
|
||||
RandomizedDelaySec = "1h";
|
||||
FixedRandomDelay = true;
|
||||
Persistent = true;
|
||||
};
|
||||
}
|
||||
) config.services.backups;
|
||||
) config.services.backups;
|
||||
|
||||
users = {
|
||||
# This user is only used to own the ssh key, because apparently
|
||||
|
|
|
@ -30,11 +30,12 @@
|
|||
|
||||
{
|
||||
labels.type = "nginx";
|
||||
filenames =
|
||||
[ "/var/log/nginx/*.log" ]
|
||||
++ lib.mapAttrsToList (
|
||||
vHost: _: "/var/log/nginx/${vHost}/access.log"
|
||||
) config.services.nginx.virtualHosts;
|
||||
filenames = [
|
||||
"/var/log/nginx/*.log"
|
||||
]
|
||||
++ lib.mapAttrsToList (
|
||||
vHost: _: "/var/log/nginx/${vHost}/access.log"
|
||||
) config.services.nginx.virtualHosts;
|
||||
}
|
||||
];
|
||||
|
||||
|
|
|
@ -154,8 +154,7 @@ in
|
|||
lib.recursiveUpdate {
|
||||
inherit (scrape) job_name;
|
||||
static_configs =
|
||||
scrape.static_configs
|
||||
++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
|
||||
scrape.static_configs ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
|
||||
} scrape.extraSettings
|
||||
) config.services.victoriametrics.scrapeConfigs;
|
||||
};
|
||||
|
|