{ config, lib, ... }:
{
config = {
# Nightly PostgreSQL dump; switched on exactly when the PostgreSQL service is.
services.postgresqlBackup = {
  enable = config.services.postgresql.enable;
  backupAll = true;
  compression = "zstd";
  compressionLevel = 9;
  # NOTE(review): the nixpkgs option documentation describes pgdumpOptions as
  # unused when backupAll is enabled; confirm against the nixpkgs revision in
  # use whether these flags reach the dump command at all.
  pgdumpOptions = "--create --clean";
  startAt = "*-*-* 04:00:00";
};

# restic jobs that ship the dump directory to two repositories. Both jobs are
# only defined when PostgreSQL is enabled.
services.restic.backups =
  let
    whenPostgres = lib.mkIf config.services.postgresql.enable;

    # Settings shared by every repository.
    dumpJob = {
      initialize = true;
      # Repository password comes from a sops-managed file, never from the
      # Nix store. The "restic/password" secret itself is expected to be
      # declared elsewhere (TODO confirm).
      passwordFile = config.sops.secrets."restic/password".path;
      # Presumably the directory postgresqlBackup writes its dumps to; verify
      # against services.postgresqlBackup.location.
      paths = [ "/var/backup/postgresql/" ];
      # Retention: 7 daily, 4 weekly and 12 monthly snapshots, grouped by host.
      # NOTE(review): pruning from the backed-up host means its repository
      # credentials can also delete snapshots. Confirm that is acceptable for
      # the offsite copy, or prune from a separate trusted machine.
      pruneOpts = [
        "--group-by host"
        "--keep-daily 7"
        "--keep-weekly 4"
        "--keep-monthly 12"
      ];
      # Scheduled 30 minutes after the dump starts, plus up to 5 minutes of
      # jitter. NOTE(review): nothing visible here orders this job after the
      # dump unit, so a dump still running at 04:30 could be captured
      # half-written; confirm dump duration or add explicit unit ordering.
      timerConfig = {
        OnCalendar = "*-*-* 04:30:00";
        RandomizedDelaySec = "5m";
      };
    };
  in
  {
    # Repository location is itself a secret, read from a sops-managed file.
    server8 = whenPostgres (dumpJob // {
      repositoryFile = config.sops.secrets."restic/repository/server8".path;
    });

    # Per-host directory on the SFTP target. "offsite" is presumably an SSH
    # host alias resolved through root's SSH client config (TODO confirm).
    # NOTE(review): confirm the host key for that alias is pinned so the
    # transfer target is authenticated.
    offsite = whenPostgres (dumpJob // {
      repository = "sftp://offsite/${config.networking.hostName}";
    });
  };
# SSH material for the offsite restic repository, decrypted by sops-nix from
# ./backup.yaml into root's ~/.ssh directory.
sops.secrets =
  let
    # A secret readable only by root (mode 400), written to the given path.
    rootOnly = path: {
      inherit path;
      mode = "400";
      owner = "root";
      sopsFile = ./backup.yaml;
    };
  in
  {
    "restic/offsite/private" = rootOnly "/root/.ssh/id_offsite-backup";
    "restic/offsite/public" = rootOnly "/root/.ssh/id_offsite-backup.pub";
    # NOTE(review): this is root's SSH client config path, so its contents
    # presumably apply to every ssh/sftp invocation made as root, not only to
    # restic. Confirm that is intended.
    "restic/offsite/ssh-config" = rootOnly "/root/.ssh/config";
  };
# Activation-time script: creates /home/root/.ssh and symlinks the offsite
# key pair and SSH config from /root/.ssh into it.
#
# `{,/home}/root/.ssh/X` is shell brace expansion for
# `/root/.ssh/X /home/root/.ssh/X`, so each `ln -fs` makes the /home/root
# entry a symlink pointing at the file under /root/.ssh, replacing any
# existing entry.
#
# `mkdir -m700 -p` applies mode 700 only to the final directory, and only when
# it creates it; an already existing /home/root/.ssh keeps its current mode.
#
# NOTE(review): going by the attribute name, /home/root is presumably a
# VirtioFS-backed location; confirm who else can read or write that path,
# since the links expose where the private key lives.
system.activationScripts.linkResticSSHConfigIntoVirtioFS = ''
  echo "Linking restic ssh config..."
  mkdir -m700 -p /home/root/.ssh/
  ln -fs {,/home}/root/.ssh/id_offsite-backup
  ln -fs {,/home}/root/.ssh/id_offsite-backup.pub
  ln -fs {,/home}/root/.ssh/config
'';
# Adds up to 5 minutes of random delay to the postgresqlBackup timer. The
# override is only defined while the postgresqlBackup service is enabled.
systemd.timers = lib.mkIf config.services.postgresqlBackup.enable {
  postgresqlBackup = {
    timerConfig = {
      RandomizedDelaySec = "5m";
    };
  };
};
};
}