2019-05-15 16:17:30 +00:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
|
|
inherit (lib.attrsets) hasAttr;
|
2023-11-18 12:09:20 +00:00
|
|
|
inherit (lib.meta) getExe';
|
2019-05-15 16:17:30 +00:00
|
|
|
inherit (lib.modules) mkDefault mkIf;
|
|
|
|
|
inherit (lib.options) mkEnableOption mkOption;
|
2021-12-05 12:52:06 +00:00
|
|
|
inherit (lib.types) nonEmptyStr nullOr;
|
2019-05-15 16:17:30 +00:00
|
|
|
|
|
|
|
|
options.services.tsmBackup = {
|
2024-04-13 12:54:15 +00:00
|
|
|
enable = mkEnableOption ''
|
2019-05-15 16:17:30 +00:00
|
|
|
automatic backups with the
|
2023-08-15 09:12:07 +00:00
|
|
|
IBM Storage Protect (Tivoli Storage Manager, TSM) client.
|
2019-05-15 16:17:30 +00:00
|
|
|
This also enables
|
|
|
|
|
{option}`programs.tsmClient.enable`
|
2024-04-13 12:54:15 +00:00
|
|
|
'';
|
2019-05-15 16:17:30 +00:00
|
|
|
command = mkOption {
|
2021-12-05 12:52:06 +00:00
|
|
|
type = nonEmptyStr;
|
2019-05-15 16:17:30 +00:00
|
|
|
default = "backup";
|
|
|
|
|
example = "incr";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2019-05-15 16:17:30 +00:00
|
|
|
The actual command passed to the
|
|
|
|
|
`dsmc` executable to start the backup.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
servername = mkOption {
|
2021-12-05 12:52:06 +00:00
|
|
|
type = nonEmptyStr;
|
2019-05-15 16:17:30 +00:00
|
|
|
example = "mainTsmServer";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2019-05-15 16:17:30 +00:00
|
|
|
Create a systemd system service
|
|
|
|
|
`tsm-backup.service` that starts
|
|
|
|
|
a backup based on the given servername's stanza.
|
|
|
|
|
Note that this server's
|
|
|
|
|
{option}`passwdDir` will default to
|
|
|
|
|
{file}`/var/lib/tsm-backup/password`
|
|
|
|
|
(but may be overridden);
|
|
|
|
|
also, the service will use
|
|
|
|
|
{file}`/var/lib/tsm-backup` as
|
|
|
|
|
`HOME` when calling
|
|
|
|
|
`dsmc`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
autoTime = mkOption {
|
2021-12-05 12:52:06 +00:00
|
|
|
type = nullOr nonEmptyStr;
|
2019-05-15 16:17:30 +00:00
|
|
|
default = null;
|
|
|
|
|
example = "12:00";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2019-05-15 16:17:30 +00:00
|
|
|
The backup service will be invoked
|
|
|
|
|
automatically at the given date/time,
|
|
|
|
|
which must be in the format described in
|
|
|
|
|
{manpage}`systemd.time(5)`.
|
|
|
|
|
The default `null`
|
|
|
|
|
disables automatic backups.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
cfg = config.services.tsmBackup;
|
|
|
|
|
cfgPrg = config.programs.tsmClient;
|
|
|
|
|
|
|
|
|
|
assertions = [
|
|
|
|
|
{
|
|
|
|
|
assertion = hasAttr cfg.servername cfgPrg.servers;
|
|
|
|
|
message = "TSM service servername not found in list of servers";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfgPrg.servers.${cfg.servername}.genPasswd;
|
|
|
|
|
message = "TSM service requires automatic password generation";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
inherit options;
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
inherit assertions;
|
|
|
|
|
programs.tsmClient.enable = true;
|
nixos/tsm-client: use `freeformType` for server config
`tsm-client` uses a global configuration
file that must contain coordinates for each
server that it is supposed to contact.
This configuration consists of text
lines with key-value pairs.
In the NixOS module, these servers may be declared
with an attribute set, where the attribute name
defines an alias for the server, and the value
is again an attribute set with the settings for
the respective server.
This is organized as an option of type `attrsOf submodule...`.
Before this commit:
Important settings have their own option within
the submodule. For everything else, there is
the "catch-all" option `extraConfig` that may
be used to declare any key-value pairs.
There is also `text` that can be used to
add arbitrary text to each server's
section in the global config file.
After this commit:
`extraConfig` and `text` are gone,
the attribute names and values of each server's attribute
set are translated directly into key-value pairs,
with the following notable rules:
* Lists are translated into multiple lines
with the same key, as such is permitted by
the software for certain keys.
* `null` may be used to override/shadow a value that
is defined elsewhere and hides the corresponding key.
Those "important settings" that have previously been
defined as dedicated options are still defined as such,
but they have been renamed to match their
corresponding key names in the configuration file.
There is a notable exception:
"Our" boolean option `genPasswd` influences the "real"
option `passwordaccess', but the latter one is
uncomfortable to use and might lead
to undesirable outcome if used the wrong way.
So it seems advisable to keep the boolean option
and the warning in its description.
To this end, the value of `getPasswd` itself is
later filtered out when the config file is generated.
The tsm-backup service module and the vm test are adapted.
Migration code will be added in a separate
commit to permit easy reversal later, when the
migration code is no longer deemed necessary.
2023-08-23 14:00:32 +00:00
|
|
|
programs.tsmClient.servers.${cfg.servername}.passworddir =
|
2019-05-15 16:17:30 +00:00
|
|
|
mkDefault "/var/lib/tsm-backup/password";
|
|
|
|
|
systemd.services.tsm-backup = {
|
2023-08-15 09:12:07 +00:00
|
|
|
description = "IBM Storage Protect (Tivoli Storage Manager) Backup";
|
2019-05-15 16:17:30 +00:00
|
|
|
# DSM_LOG needs a trailing slash to have it treated as a directory.
|
|
|
|
|
# `/var/log` would be littered with TSM log files otherwise.
|
|
|
|
|
environment.DSM_LOG = "/var/log/tsm-backup/";
|
|
|
|
|
# TSM needs a HOME dir to store certificates.
|
|
|
|
|
environment.HOME = "/var/lib/tsm-backup";
|
2021-10-24 08:56:40 +00:00
|
|
|
serviceConfig = {
|
|
|
|
|
# for exit status description see
|
2024-03-22 16:25:25 +00:00
|
|
|
# https://www.ibm.com/docs/en/storage-protect/8.1.22?topic=clients-client-return-codes
|
2021-10-24 08:56:40 +00:00
|
|
|
SuccessExitStatus = "4 8";
|
|
|
|
|
# The `-se` option must come after the command.
|
|
|
|
|
# The `-optfile` option suppresses a `dsm.opt`-not-found warning.
|
|
|
|
|
ExecStart =
|
2023-11-18 12:09:20 +00:00
|
|
|
"${getExe' cfgPrg.wrappedPackage "dsmc"} ${cfg.command} -se='${cfg.servername}' -optfile=/dev/null";
|
2021-10-24 08:56:40 +00:00
|
|
|
LogsDirectory = "tsm-backup";
|
|
|
|
|
StateDirectory = "tsm-backup";
|
|
|
|
|
StateDirectoryMode = "0750";
|
|
|
|
|
# systemd sandboxing
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
#PrivateTmp = true; # would break backup of {/var,}/tmp
|
|
|
|
|
#PrivateUsers = true; # would block backup of /home/*
|
|
|
|
|
ProtectClock = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
ProtectHome = "read-only";
|
|
|
|
|
ProtectHostname = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectProc = "noaccess";
|
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
};
|
2019-05-15 16:17:30 +00:00
|
|
|
startAt = mkIf (cfg.autoTime!=null) cfg.autoTime;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
meta.maintainers = [ lib.maintainers.yarny ];
|
|
|
|
|
|
|
|
|
|
}
|