drone: add restic local backups

2025-09-30 22:14:37 -04:00 · 2025-09-30 22:14:37 -04:00 · 8d8bdc1ab7
commit 8d8bdc1ab7
parent 0cfc3a6101
4 changed files with 85 additions and 2 deletions
--- a/modules/nixos/homeserver/restic.nix
+++ b/modules/nixos/homeserver/restic.nix
@ -0,0 +1,75 @@
+{ config, pkgs, ... }:
+
+{
+  # for use as rclone backend
+  environment.systemPackages = [ pkgs.rclone ];
+
+  systemd.services.db-dump = {
+    wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ];
+    script = ''
+      if [ ! -d /var/backups/db-backup ]; then
+          mkdir -p -m 600 /var/backups/db-backup
+      fi
+
+      ${pkgs.sqlite}/bin/sqlite3 /var/lib/vaultwarden/db.sqlite3 ".backup /var/backups/db-backup/vaultwarden.sqlite3"
+      ${pkgs.sqlite}/bin/sqlite3 /var/lib/uptime-kuma/kuma.db ".backup /var/backups/db-backup/kuma.db"
+
+      ${pkgs.sudo}/bin/sudo -u authentik -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-authentik
+      ${pkgs.sudo}/bin/sudo -u onlyoffice -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-onlyoffice
+      ${pkgs.sudo}/bin/sudo -u zipline -- ${pkgs.postgresql}/bin/pg_dump > /var/backups/db-backup/dump-zipline
+      ${pkgs.sudo}/bin/sudo -u postgres -- ${pkgs.postgresql}/bin/pg_dumpall -g > /var/backups/db-backup/dump-globals      
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+
+  services.restic.backups = {
+    main = {
+      initialize = true;
+      repository = "/mnt/external/backup/restic";
+      passwordFile = config.sops.secrets."restic/password".path;
+      timerConfig = {
+        OnCalendar = "03:00";
+        Persistent = true;
+      };
+
+      paths = [
+        "/var/lib/private/authentik"
+        "/var/lib/private/uptime-kuma"
+        "/var/lib/nextcloud"
+        "/var/lib/vaultwarden"
+        "/var/backups/db-backup"
+      ];
+      # exclude databases since they are covered separately
+      exclude = [
+        "*.db"
+        "*.db-shm"
+        "*.db-wal"
+        "*.sqlite3"
+        "*.sqlite3-shm"
+        "*.sqlite3-wal"
+      ];
+
+      backupCleanupCommand = "rm -r /var/backups/db-backup/*";
+    };
+
+#    offsite = {
+#      initialize = true;
+#      repository = "rclone:protondrive:restic";
+#      passwordFile = config.sops.secrets."restic/password".path;
+#      timerConfig = {
+#        OnCalendar = "3:05";
+#        Persistent = true;
+#      };
+#      rcloneOptions = { protondrive-replace-existing-draft = true; };
+#      rcloneConfigFile = config.sops.secrets."restic/rclone/offsite".path;
+
+#      paths = config.services.restic.backups.main.paths;
+#      exclude = config.services.restic.backups.main.exclude;
+
+#      backupCleanupCommand = "rm -r /var/backups/db-backup/*";
+#    };
+  };
+}