options.nix
120 lines (104 loc) · 2.75 KB
{ lib, ... }:
with lib;
let
# Option set for a single backup job. It is used as the submodule body for each
# entry of `nixfiles.restic-backups.backups`.
backupOptions = {
  # Paths to include in the job, given as plain strings; empty by default.
  paths = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    description = lib.mdDoc ''
      List of paths to back up.
    '';
  };

  # Optional script run before the backup starts; null (the default) means none.
  # NOTE(review): the consuming module is not visible here, so the user this
  # runs as and how the string is embedded in the unit script are unknown.
  # Treat the value as trusted configuration, never as a place for
  # externally-supplied text.
  prepareCommand = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = lib.mdDoc ''
      A script to run before beginning the backup.
    '';
  };

  # Optional script run after the backup; null (the default) means none.
  # NOTE(review): same trust assumptions as prepareCommand. Confirm in the
  # consuming module whether this still runs when the backup itself fails.
  cleanupCommand = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = lib.mdDoc ''
      A script to run after taking the backup.
    '';
  };

  # Schedule for the job; defaults to Mondays at 04:00.
  # NOTE(review): presumably a systemd calendar expression. Confirm against
  # the consuming module.
  startAt = lib.mkOption {
    type = lib.types.str;
    default = "Mon, 04:00";
    description = lib.mdDoc ''
      When to run the backup.
    '';
  };
};
# Option set for one extra sudo rule granted to the backup user. It is used as
# the submodule body for each entry of `nixfiles.restic-backups.sudoRules`.
sudoRuleOptions = {
  # The command the rule covers. No default is declared, so every rule must
  # set it.
  # NOTE(review): a sudo rule is only as narrow as its command string. Prefer
  # an absolute path with fixed arguments over a bare name or a wildcard. How
  # the rule is rendered into sudoers (for example whether a password is
  # required) is decided by the consuming module and should be confirmed there.
  command = lib.mkOption {
    type = lib.types.str;
    description = lib.mdDoc ''
      The command for which the rule applies.
    '';
  };

  # Target user/group for the rule. The default "ALL:ALL" allows the command
  # to run as any user and any group, root included.
  # NOTE(review): for least privilege, set the narrowest user or group each
  # rule needs explicitly instead of relying on this default.
  runAs = lib.mkOption {
    type = lib.types.str;
    default = "ALL:ALL";
    description = lib.mdDoc ''
      The user / group under which the command is allowed to run.
      A user can be specified using just the username: `"foo"`. It is also
      possible to specify a user/group combination using `"foo:bar"` or to
      only allow running as a specific group with `":bar"`.
    '';
  };
};
in
{
  # Option declarations for the restic backup module. Only the interface is
  # declared here; the implementation that reads these values lives elsewhere.
  options.nixfiles.restic-backups = {
    # Master switch; off by default.
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc ''
        Enable the backup service.
      '';
    };

    # Named backup jobs; each value is a submodule built from backupOptions.
    backups = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule { options = backupOptions; });
      default = { };
      description = lib.mdDoc ''
        Attrset of backup job definitions.
      '';
    };

    # Path to a file holding the repository password and cloud credentials.
    # Pass an absolute path string to a file provisioned outside the Nix store
    # and readable only by the service user. The store is world-readable, and
    # interpolating a path literal (`"${./secrets.env}"`) would copy the
    # secrets into it.
    # No `default` is declared although the type admits null, so reading this
    # option without a definition is an evaluation error.
    # NOTE(review): presumably deliberate, to force an explicit choice.
    # Confirm, since checkRepositoryAt below defaults to null.
    # NOTE(review): the AWS CLI and SDKs read AWS_ACCESS_KEY_ID. Confirm that
    # AWS_ACCESS_KEY in the example is the name the consuming script expects.
    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      description = lib.mdDoc ''
        Environment file to pass secrets into the service. This is of the form:
        ```text
        # Repository password
        RESTIC_PASSWORD="..."
        # B2 credentials
        B2_ACCOUNT_ID="..."
        B2_ACCOUNT_KEY="..."
        # AWS SNS credentials
        AWS_ACCESS_KEY="..."
        AWS_SECRET_ACCESS_KEY="..."
        AWS_DEFAULT_REGION="..."
        ```
        If any of the backup jobs need secrets, those should be specified in
        this file as well.
      '';
    };

    # Extra sudo rules for the backup user; each entry is a submodule built
    # from sudoRuleOptions. Empty by default, so no additional privilege is
    # granted unless rules are listed.
    # NOTE(review): every entry widens what the backup account can do. Keep
    # the list minimal and review it together with each rule's `runAs`.
    sudoRules = lib.mkOption {
      type = lib.types.listOf (lib.types.submodule { options = sudoRuleOptions; });
      default = [ ];
      description = lib.mdDoc ''
        List of additional sudo rules to grant the backup user.
      '';
    };

    # Schedule for `restic check`; null (the default) means no scheduled check.
    # NOTE(review): per the description this validates repository metadata.
    # Whether the consuming unit also verifies pack data (restic's
    # `--read-data`) is not visible here, so a passing check alone should not
    # be read as proof that the data can be restored.
    checkRepositoryAt = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = lib.mdDoc ''
        If not null, when to run `restic check` to validate the repository
        metadata.
      '';
    };
  };
}