add backups + fix appservice-irc media proxy

profiles/backups.nix

@@ -0,0 +1,152 @@
+{ pkgs, config, lib, name, ... }:
+
+let
+  cfg = config.backups;
+  secrets = config.age.secrets;
+  postgresql = config.services.postgresql.package;
+  additionalPackages = [
+    pkgs.coreutils
+    postgresql
+    pkgs.sudo
+    pkgs.sqlite
+  ];
+  remotes = {
+    memoragon = {
+      host = "memoragon.infra.federez.net";
+      user = "borgmatic";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdqX4I1JyvhC6dySHLnW1IioYk1ZqltFlbDCygozrWx";
+      path = "./${name}";
+    };
+    harpagon = {
+      host = "harpagon.infra.federez.net";
+      user = "borgmatic";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1qDEAEJZ0qDRUq4yeHar5LKFTtsvHJIt2a54TBB/Lz";
+      path = "./${name}";
+    };
+  };
+in
+{
+  options.backups = lib.mkOption {
+    type = lib.types.submodule {
+      options = {
+        enable = lib.mkEnableOption "Sauvegardes";
+        directories = lib.mkOption {
+          type = lib.types.listOf lib.types.path;
+          default = [ ];
+          description = ''
+            Répertoires à sauvegarder.
+          '';
+        };
+        # FIXME add user ?
+        postgresqlDatabases = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+          description = ''
+            Nom des bases de données PostgreSQL à sauvegarder.
+          '';
+        };
+        sqliteDatabases = lib.mkOption {
+          type = lib.types.attrsOf lib.types.path;
+          default = { };
+          description = ''
+            Chemins des bases de données SQLite à sauvegarder.
+          '';
+        };
+      };
+    };
+    description = ''
+      Configuration des sauvegardes.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.borgmatic-passphrase = {
+      file = ../secrets/borgmatic-passphrase.age;
+    };
+
+    systemd.services.borgmatic = {
+      path = additionalPackages;
+      serviceConfig = {
+        LoadCredential = "pass:${secrets.borgmatic-passphrase.path}";
+        ExecStartPre = ''
+          ${lib.getExe' pkgs.borgmatic "borgmatic"} init --encryption repokey
+        '';
+        # TODO Remove once all hosts are usign NixOS 25.05+
+        NoNewPrivileges = false;
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";
+      };
+    };
+
+    environment.systemPackages =
+      let
+        # KillMode=process is required to allow the background SSH session
+        # to persist when FUSE mounting a remote repository
+        binPath = lib.makeBinPath additionalPackages;
+        borgmaticWithCreds = pkgs.writeScriptBin "borgmatic-with-creds" ''
+          #!${pkgs.runtimeShell}
+          systemd-run --quiet --wait --collect --pipe --pty \
+            --service-type=exec \
+            --uid=root --gid=root \
+            --property=KillMode=none \
+            --property=LoadCredential=pass:${secrets.borgmatic-passphrase.path} \
+            --property=Environment=${binPath} \
+            -- \
+            ${lib.getExe' pkgs.borgmatic "borgmatic"} "$@"
+        '';
+      in
+      [ borgmaticWithCreds ];
+
+    services.openssh.knownHosts = lib.mapAttrs
+      (_: remote: {
+        hostNames = [ remote.host ];
+        publicKey = remote.publicKey;
+      })
+      remotes;
+
+    services.borgmatic = let
+      version = pkgs.borgmatic.version;
+      hasCredSupport = builtins.compareVersions version "1.9.10" >= 0;
+      encryption = if hasCredSupport then
+          { encryption_passphrase = "{credential systemd pass}"; }
+        else
+          { encryption_passcommand = "cat \${CREDENTIALS_DIRECTORY}/pass"; };
+      pgCommand = exe: "${lib.getExe' pkgs.sudo "sudo"} -u postgres ${lib.getExe' postgresql exe}";
+    in {
+      enable = true;
+      # $CREDENTIALS_DIRECTORY does not exist when the config check is run
+      enableConfigCheck = hasCredSupport;
+      settings = {
+        source_directories = cfg.directories;
+        repositories = lib.mapAttrsToList
+          (name: remote: {
+            label = name;
+            path = "ssh://${remote.user}@${remote.host}/${remote.path}";
+          })
+          remotes;
+        # Required for databases hooks
+        read_special = true;
+        # FIXME pertinent de réutiliser celle-là ?
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+        keep_daily = 26;
+        keep_weekly = 20;
+        keep_monthly = 12;
+        # add checks
+        postgresql_databases = map
+          (name: {
+            inherit name;
+            username = "postgres";
+            pg_dump_command = if name == "all" then
+                pgCommand "pg_dumpall"
+              else
+                pgCommand "pg_dump";
+            pg_restore_command = pgCommand "pg_restore";
+            psql_command = pgCommand "psql";
+          })
+          cfg.postgresqlDatabases;
+        sqlite_databases = lib.mapAttrsToList
+          (name: path: { inherit name path; })
+          cfg.sqliteDatabases;
+      } // encryption;
+    };
+  };
+}

profiles/discourse.nix

@@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 let
+  cfg = config.services.discourse;
   discourse-shared-edits = pkgs.discourse.mkDiscoursePlugin {
     name = "discourse-shared-edits";
     src = pkgs.fetchFromGitHub {
@@ -24,6 +25,11 @@ in
     };
   };
 
+  backups = {
+    directories = [ "/var/lib/discourse" ];
+    postgresqlDatabases = [ cfg.database.name ];
+  };
+
   services.postgresql.package = pkgs.postgresql_13;
 
   services.discourse = {

profiles/gitlab.nix

@@ -17,6 +17,11 @@ in
       gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
     };
 
+  backups = {
+    directories = [ cfg.statePath ];
+    postgresqlDatabases = [ cfg.databaseName ];
+  };
+
   services.gitlab = {
     enable = true;
     databasePasswordFile = secrets.gitlab-db-password.path;

profiles/grafana.nix

@@ -51,6 +51,11 @@ in {
     };
   };
 
+  backups = {
+    directories = [ cfg.dataDir ];
+    sqliteDatabases.grafana = cfg.settings.database.path;
+  };
+
   services.grafana = {
     enable = true;
 

profiles/indico.nix

@@ -5,6 +5,10 @@
   ...
 }:
 
+
+let
+  cfg = config.services.indico;
+in
 {
   imports = [
     ../modules/indico.nix
@@ -26,6 +30,11 @@
     };
   };
 
+  backups = {
+    directories = [ cfg.stateDir ];
+    postgresqlDatabases = [ cfg.user ];
+  };
+
   services.indico = {
     enable = true;
     nginx.domain = "events.federez.net";

profiles/irc-bot.nix

@@ -4,6 +4,8 @@ let
   bindPort = cfg.settings.ircService.mediaProxy.bindPort;
   upstreamUrl  = "127.0.0.1:${toString bindPort}";
 in {
+  backups.directories = [ "/var/lib/matrix-appservice-irc" ];
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
@@ -26,7 +28,10 @@ in {
       homeserver.url = "https://matrix.federez.net";
       homeserver.domain = "federez.net";
 
-      ircService.mediaProxy.publicUrl = "https://matrix-irc.federez.net/media";
+      ircService.mediaProxy = {
+        publicUrl = "https://matrix-irc.federez.net/";
+        ttlSeconds = 3153600000; # 100 ans
+      };
 
       ircService.servers."irc.rezosup.org" = {
         name = "RezoSup";

profiles/matrix-server.nix

@@ -1,5 +1,6 @@
 { pkgs, lib, config, ... }:
 let
+  cfg = config.services.matrix-synapse;
   fqdn = "matrix.federez.net";
   baseUrl = "https://${fqdn}";
 in {
@@ -14,6 +15,11 @@ in {
       LC_CTYPE = "C";
   '';
 
+  backups = {
+    directories = [ cfg.dataDir ];
+    postgresqlDatabases = [ "matrix-synapse" ];
+  };
+
   # Surgical operations for various databases.
   environment.systemPackages = [ pkgs.matrix-synapse pkgs.sqlite ];
   services.nginx = {

profiles/monitoring/default.nix

@@ -1,5 +1,6 @@
-{ lib, config, infra, ... }: 
+{ lib, config, network, ... }:
 let
+  cfg = config.services.victoriametrics;
   mkScrapeConfig = name: path: port: targets: {
     job_name = name;
     metrics_path = path;
@@ -17,7 +18,7 @@ let
   nodePort = 9100;
   vmPort = 8428;
   nodesConfig = mkScrapeConfig "node" "/metrics" nodePort
-    (lib.attrsets.mapAttrsToList (n: _: n) infra.nodes);
+    (lib.attrsets.mapAttrsToList (n: _: n) network.infra.nodes);
   critical = { severity = "critical"; };
   warning = { severity = "warning"; };
   importRules = path: let
@@ -32,6 +33,8 @@ in {
     file = ../../secrets/alertbot-matrix-password.age;
   };
 
+  backups.directories = [ "/var/lib/${cfg.stateDir}" ];
+
   services.alertbot = {
     enable = true;
     listenPort = 8081;

profiles/sysadmin.nix

@@ -6,6 +6,8 @@
     ../pubkeys/jeltz.keys
   ];
 
+  backups.directories = [ "/root" ];
+
   nix.package = lib.mkDefault pkgs.lix;
 
   users.motd = (builtins.readFile ./federez.motd);
@@ -49,7 +51,6 @@
     "net.ipv4.tcp_fastopen" = 3;
   };
 
-
   environment.systemPackages = [
     pkgs.htop
     pkgs.kitty.terminfo

profiles/telegram-bot.nix

@@ -1,4 +1,8 @@
 { config, lib, ... }: {
+  backups.sqliteDatabases = {
+    mautrix-telegram = "/var/lib/mautrix-telegram/mautrix-telegram.db";
+  };
+
   systemd.services.mautrix-telegram.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/mautrix-telegram";
   age.secrets.mautrix-telegram.file = ../secrets/mautrix-telegram.age;
   services.mautrix-telegram = {
@@ -16,7 +20,7 @@
         domain = "federez.net";
       };
       bridge = {
-        bridge_notices.exceptions = [ "@klingon:federez.net" ];
+        bridge_notices.exceptions = [ "@alertbot:federez.net" ];
         relay_user_distinguishers = [ "🔴" "🟠" "🟡" "🟢" "🔵" "🟣" "🟤" "⚫" "⚪" "🟧" "🟨" "🟩" "🟦" "🟪" "🟫" "⬜" "🔶" "🔷" ];
         displayname_preference = [
           "username"

profiles/vaultwarden.nix

@@ -2,6 +2,13 @@
   age.secrets.vaultwarden-secrets.file = ../secrets/vaultwarden-secrets.age;
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  backups = {
+    directories = [ "/var/lib/bitwarden_rs" ];
+    sqliteDatabases = {
+      vaultwarden = "/var/lib/bitwarden_rs/db.sqlite3";
+    };
+  };
+
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;