backup: do not store on disk
parent
139f6b3353
commit
82760bc05d
@ -14,30 +14,23 @@ let
|
||||
"/var/lib/mattermost/data/2023*"
|
||||
];
|
||||
makeBackup = pkgs.writeScript "make-backup" ''
|
||||
#!${pkgs.bash}/bin/bash
|
||||
#!${pkgs.bash}/bin/bash -p
|
||||
|
||||
set -e
|
||||
umask 0077
|
||||
|
||||
FILENAME=backup-`date +%F`.tar.bz2.gpg
|
||||
|
||||
DBDUMPDIR=`mktemp -d`
|
||||
pushd $DBDUMPDIR
|
||||
trap "rm -rf $DBDUMPDIR" EXIT
|
||||
cd $DBDUMPDIR
|
||||
|
||||
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
||||
${pkgs.sudo}/bin/sudo -u mattermost ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
||||
${pkgs.sudo}/bin/sudo -u rt ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
||||
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
||||
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
||||
|
||||
exec 6< /etc/nixos/secret/backup-passphrase
|
||||
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
|
||||
${pkgs.bzip2}/bin/bzip2 | \
|
||||
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase > /home/backupdl/$FILENAME
|
||||
|
||||
popd
|
||||
rm -rf $DBDUMPDIR
|
||||
|
||||
chown backupdl.users /home/backupdl/$FILENAME
|
||||
|
||||
echo Backup done
|
||||
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
||||
'';
|
||||
cfg = config.services.mlabs-backup;
|
||||
in
|
||||
@ -51,20 +44,20 @@ in
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.mlabs-backup = {
|
||||
description = "M-Labs backup";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
Group = "root";
|
||||
ExecStart = "${makeBackup}";
|
||||
};
|
||||
users.extraGroups.backupdl = { };
|
||||
users.extraUsers.backupdl = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["backupdl" "nextcloud"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbH+l0FIBTPdUKOS9H5OOT5ro/nljKLsiCTzTzublCScdPPmCNy27ORbLgNHX5Ughlug5wr2rAIU9AexV+L71V5MeVHUWDfKgRsNIpUTtY6wpJkAP7r1ipk2kTWc/sxhrxyPea62cohmy1dOeLlwXO6U8FnsiZfYKmgjZ8wuTo6ixDB8krXsAZ8VY/bj5WFcXqeW8GF1Qjpel7HgpCpj3HIUyC63uwIyUoYe+cgnhjzNLbRYdU9Yx2iqcUCwEUX2cMdz5VX+xbLkL8CWcuiMFg6TFo+CUPFtuA/kVzHcZ4Pa3BiilL3rf7oXlIXGN12JVsN+caX7j2weVqm2b5u5eVsyDxiLx1KA37ukq92CYAAdOuKE+saMPsLuOn+Qd9B6D5oYnYgsWg460uEGgwczwOTXLAZTT5wrwRaKIE+ezKqtRP+Tz7l2IEixulyj1MUR+XpSwECZXiFJx5DGofwzxcd2kWnNOPBReDkHv0At5ZLNIrLuxFMz2L6UXbqvHwEu8= backupdl@minipc"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.timers.mlabs-backup = {
|
||||
description = "M-Labs backup";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "tuesday,friday *-*-* 08:00:00";
|
||||
security.wrappers.mlabs-backup = {
|
||||
source = makeBackup;
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "backupdl";
|
||||
permissions = "g+x";
|
||||
};
|
||||
};
|
||||
}
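Review bot: The script is now installed as a setuid-root wrapper executable by group `backupdl` (`security.wrappers.mlabs-backup` with `setuid = true`), yet it still calls `mktemp` and `rm` by bare name in the `DBDUMPDIR=` and `trap` lines, so both are resolved through the invoking user's `PATH` while running with root privileges. `bash -p` keeps `BASH_ENV` and imported shell functions from being honoured, but it does not reset `PATH`; unless the wrapper sanitises the environment (not visible on this page), I would pin it at the top of the script with `export PATH=${pkgs.coreutils}/bin`, or call those two through store paths as the other commands already do. Separately, `set -e` without `set -o pipefail` lets a failing `tar` or `bzip2` be masked by the exit status of `gpg`, which matters more now that the archive is streamed to the caller and a truncated backup would look like a successful one.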
|
||||
|
@ -527,13 +527,6 @@ in
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
users.extraUsers.backupdl = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["nextcloud"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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 backupdl@minipc"
|
||||
];
|
||||
};
|
||||
users.extraUsers.occheung = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
|