From 2f8e30aa740c6499dc93153103eed67ed0ccb5fe Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Fri, 19 Sep 2025 16:13:25 +0200 Subject: [PATCH] feat: sync postgres backups to backblaze Signed-off-by: Lander Van den Bulcke --- .sops.yaml | 6 ++++++ hosts/db-01/default.nix | 42 +++++++++++++++++++++++++++++++++++++++- hosts/db-01/secrets.yaml | 30 ++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 hosts/db-01/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 173813c..52a0571 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -31,6 +31,12 @@ creation_rules: - *mail-01 pgp: - *lander + - path_regex: hosts/db-01/secrets.yam?l$ + key_groups: + - age: + - *db-01 + pgp: + - *lander - path_regex: hosts/hosting-01/secrets.yam?l$ key_groups: - age: diff --git a/hosts/db-01/default.nix b/hosts/db-01/default.nix index babd075..d76acc1 100644 --- a/hosts/db-01/default.nix +++ b/hosts/db-01/default.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { imports = [ ./disk-config.nix @@ -53,5 +53,45 @@ ]; }; + services.restic.backups = { + postgresql = { + initialize = true; + + repositoryFile = config.sops.secrets.restic-repository.path; + passwordFile = config.sops.secrets.restic-password.path; + environmentFile = config.sops.secrets.restic-environment.path; + + timerConfig = { + OnCalendar = "03:00"; + Persistent = true; + }; + + paths = [ + "/var/backup/postgresql" + ]; + + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-weekly 12" + ]; + }; + }; + + sops = { + defaultSopsFile = ./secrets.yaml; + secrets = { + restic-environment = { + owner = "root"; + }; + restic-password = { + owner = "root"; + }; + restic-repository = { + owner = "root"; + }; + }; + }; + system.stateVersion = "25.05"; } diff --git a/hosts/db-01/secrets.yaml b/hosts/db-01/secrets.yaml new file mode 100644 index 0000000..e37a434 --- /dev/null +++ b/hosts/db-01/secrets.yaml @@ -0,0 +1,30 @@ +restic-environment: ENC[AES256_GCM,data:c8Ksx+QSpiIDhTlCfjT8q6eXcvUxcZleDbux0qO/3WIXCa6BH+CjpT/0vScUZofZS0GTMfwfp2KOdqjgmYrWMaUS2nDbG5/PCMZNwp45KwC5qIQ2NH5RT6L9Eli+QNsDmEcQKptX,iv:s0pKkKtI544isCTVPKOO2vM0yJV8DlelIEHGL4t50+w=,tag:ekPvAIALsu8HuEBky8gUug==,type:str] +restic-password: ENC[AES256_GCM,data:u1xmMLCTwTcTwNysIr1RpuAL+kL4zKd6ZA==,iv:VUw/nKj+7WDidPqVMshtlo3Fs0yo1/QmGWR+Zbil0s0=,tag:kmJYIl+WDwElvSvMbQ1xmg==,type:str] +restic-repository: ENC[AES256_GCM,data:KQzrOhXuJ2vn7y3fyAqLbPgHqaCfnOlguUlhuFry11Ap3rKgyIy+QHa4z/akeigJsg==,iv:VFpi3GXU/jXlIBMCXDzZ7Jrc05/42Ur1K7lJXOAJJ1w=,tag:d4P0cOwFvoHa21UGakT1mQ==,type:str] +sops: + age: + - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY0tVQk5tdUZJa2h6Q3Yy + QWxjaUVnZ3ZRZzhSbW42VVpVSHRZUXlSdmlrCk9iTllWeno5d3ZScjdxZGM3ZmlX + MnRWNWI3NHhWbmFUa3hvYVJ4WU5pa0kKLS0tIENHaG1YUTBRaE02Nkx6eDExcEhO + Qyt4M05FMnZubkN1Rk8ybFVCSjh5aEkKb40hoPGE7nHaL1CiYnoLo1QVZj91qSCk + XvfItL+ATREgjUDlc0zV0/Ps/XFL6wkyPASHIfkO+q1VSwSTMLNGlw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-19T14:03:15Z" + mac: ENC[AES256_GCM,data:tI8I3DwAwdfZEkzU1QldMEQjy7qUvyy6mCAifMxe7/63l2/zJ02T2AhRHbIbbcQdwj3oSshopucyTU65q7PZWEkrkxfIaZSHyMi3xkgQXIvVeD5KRLpw3G242ae2EFSL+3D+hrnaOBEUb4rtXrTlsBcIEsPSeVgK7ySNBfBnUj0=,iv:sCfLTRQlrSQLDkWsdQhefL9mOkqlkMCRQiHY747tt88=,tag:JLPUqOSYcjYfCETbWPgG0g==,type:str] + pgp: + - created_at: "2025-09-19T14:03:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdAZBTYQrGKSh9Al/PomMw4FrqT+Z6FdqDP+SWHgMCMmE8w + d3kiCOBTs4IETttl+o0ZqZ0bR7QHI0NUOAlWdopI2m6dDGl7WDGxVMxbokpK+3ot + 0l4BtsYlAvcJKrBRAY+/lgwYkxeaJwfXtqK7FdrpRv+criLyDn9T95TVz4Ss2zhe + rzkQS/NaX7CY7JhEwyPqENwHWKBw6x8GEKTdpPEL7Mi/OSKbjWUYn02mMkCtGQU3 + =uMmY + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.10.2