feat: sync postgres backups to backblaze

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>

.sops.yaml

@@ -31,6 +31,12 @@ creation_rules:
           - *mail-01
         pgp:
           - *lander
+  - path_regex: hosts/db-01/secrets.yam?l$
+    key_groups:
+      - age:
+          - *db-01
+        pgp:
+          - *lander
   - path_regex: hosts/hosting-01/secrets.yam?l$
     key_groups:
       - age:

hosts/db-01/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   imports = [
     ./disk-config.nix
@@ -53,5 +53,45 @@
     ];
   };
 
+  services.restic.backups = {
+    postgresql = {
+      initialize = true;
+
+      repositoryFile = config.sops.secrets.restic-repository.path;
+      passwordFile = config.sops.secrets.restic-password.path;
+      environmentFile = config.sops.secrets.restic-environment.path;
+
+      timerConfig = {
+        OnCalendar = "03:00";
+        Persistent = true;
+      };
+
+      paths = [
+        "/var/backup/postgresql"
+      ];
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-weekly 12"
+      ];
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      restic-environment = {
+        owner = "root";
+      };
+      restic-password = {
+        owner = "root";
+      };
+      restic-repository = {
+        owner = "root";
+      };
+    };
+  };
+
   system.stateVersion = "25.05";
 }

hosts/db-01/secrets.yaml

@@ -0,0 +1,30 @@
+restic-environment: ENC[AES256_GCM,data:c8Ksx+QSpiIDhTlCfjT8q6eXcvUxcZleDbux0qO/3WIXCa6BH+CjpT/0vScUZofZS0GTMfwfp2KOdqjgmYrWMaUS2nDbG5/PCMZNwp45KwC5qIQ2NH5RT6L9Eli+QNsDmEcQKptX,iv:s0pKkKtI544isCTVPKOO2vM0yJV8DlelIEHGL4t50+w=,tag:ekPvAIALsu8HuEBky8gUug==,type:str]
+restic-password: ENC[AES256_GCM,data:u1xmMLCTwTcTwNysIr1RpuAL+kL4zKd6ZA==,iv:VUw/nKj+7WDidPqVMshtlo3Fs0yo1/QmGWR+Zbil0s0=,tag:kmJYIl+WDwElvSvMbQ1xmg==,type:str]
+restic-repository: ENC[AES256_GCM,data:KQzrOhXuJ2vn7y3fyAqLbPgHqaCfnOlguUlhuFry11Ap3rKgyIy+QHa4z/akeigJsg==,iv:VFpi3GXU/jXlIBMCXDzZ7Jrc05/42Ur1K7lJXOAJJ1w=,tag:d4P0cOwFvoHa21UGakT1mQ==,type:str]
+sops:
+    age:
+        - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY0tVQk5tdUZJa2h6Q3Yy
+            QWxjaUVnZ3ZRZzhSbW42VVpVSHRZUXlSdmlrCk9iTllWeno5d3ZScjdxZGM3ZmlX
+            MnRWNWI3NHhWbmFUa3hvYVJ4WU5pa0kKLS0tIENHaG1YUTBRaE02Nkx6eDExcEhO
+            Qyt4M05FMnZubkN1Rk8ybFVCSjh5aEkKb40hoPGE7nHaL1CiYnoLo1QVZj91qSCk
+            XvfItL+ATREgjUDlc0zV0/Ps/XFL6wkyPASHIfkO+q1VSwSTMLNGlw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-19T14:03:15Z"
+    mac: ENC[AES256_GCM,data:tI8I3DwAwdfZEkzU1QldMEQjy7qUvyy6mCAifMxe7/63l2/zJ02T2AhRHbIbbcQdwj3oSshopucyTU65q7PZWEkrkxfIaZSHyMi3xkgQXIvVeD5KRLpw3G242ae2EFSL+3D+hrnaOBEUb4rtXrTlsBcIEsPSeVgK7ySNBfBnUj0=,iv:sCfLTRQlrSQLDkWsdQhefL9mOkqlkMCRQiHY747tt88=,tag:JLPUqOSYcjYfCETbWPgG0g==,type:str]
+    pgp:
+        - created_at: "2025-09-19T14:03:01Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DARdpY4woM6wSAQdAZBTYQrGKSh9Al/PomMw4FrqT+Z6FdqDP+SWHgMCMmE8w
+            d3kiCOBTs4IETttl+o0ZqZ0bR7QHI0NUOAlWdopI2m6dDGl7WDGxVMxbokpK+3ot
+            0l4BtsYlAvcJKrBRAY+/lgwYkxeaJwfXtqK7FdrpRv+criLyDn9T95TVz4Ss2zhe
+            rzkQS/NaX7CY7JhEwyPqENwHWKBw6x8GEKTdpPEL7Mi/OSKbjWUYn02mMkCtGQU3
+            =uMmY
+            -----END PGP MESSAGE-----
+          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2