backup postresql db's with rustic

modules/rustic-postgresql.nix

@@ -0,0 +1,71 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib;
+{
+  options.backups.postgresql = mkOption {
+    description = mdDoc ''
+      Periodic backups of postgresql database to create with Rustic.
+    '';
+    type = types.attrsOf (types.submodule ({ config, name, ... }: {
+      options = {
+        dbName = mkOption {
+          type = types.str;
+          default = name;
+        };
+        proxyAddress = mkOption {
+          type = with types; nullOr str;
+          default = "http://192.168.0.6:8888";
+        };
+      };
+    }));
+    default = { };
+  };
+  config = mkIf (config.backups.postgresql != { }) {
+    sops.secrets.rclone-postgresql-backups.sopsFile = inputs.self.secretsDir + /rustic.yaml;
+    sops.secrets.rustic-postgresql-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml;
+    sops.secrets.rclone-postgresql-backups.owner = "postgres";
+    sops.secrets.rustic-postgresql-pass.owner = "postgres";
+
+    services.rustic.backups =
+      mapAttrs'
+        (name: backup: nameValuePair "postgresql-${name}" ({
+          backup = true;
+          prune = true;
+          initialize = true;
+          user = "postgres";
+          extraEnvironment.https_proxy = mkIf (backup.proxyAddress != null) backup.proxyAddress;
+          rcloneConfigFile = config.sops.secrets.rclone-postgresql-backups.path;
+          rcloneOptions = { fast-list = true; };
+          pruneOpts = [ "--repack-cacheable-only=false" ];
+          timerConfig = {
+            OnCalendar = "daily";
+            Persistent = true;
+          };
+          # Backup postgresql db and pass it to rustic through stdin
+          backupCommandPrefix = "${config.services.postgresql.package}/bin/pg_dump ${backup.dbName} | ${pkgs.zstd}/bin/zstd --rsyncable --stdout - |";
+          extraBackupArgs = [ "-" ];
+          # Rustic profile yaml
+          settings = {
+            repository = {
+              repository = "rclone:postgresql-backups:postgresql-backups/${backup.dbName}";
+              password-file = config.sops.secrets.rustic-postgresql-pass.path;
+            };
+            backup = {
+              host = config.device;
+              label = backup.dbName;
+              ignore-devid = true;
+              group-by = "label";
+              stdin-filename = "${backup.dbName}.dump.zst";
+            };
+            forget = {
+              filter-label = [ backup.dbName ];
+              group-by = "label";
+              prune = true;
+              keep-daily = 4;
+              keep-weekly = 2;
+              keep-monthly = 1;
+            };
+          };
+        })
+      ) config.backups.postgresql;
+  };
+}

profiles/servers/atticd.nix

@@ -47,5 +47,7 @@
     ensureDatabases = [ "atticd" ];
   };
 
+  backups.postgresql.atticd = {};
+
   persist.state.directories = [ "/var/lib/atticd" ];
 }

profiles/servers/gitea.nix

@@ -28,6 +28,8 @@ in {
     { directory = "/srv/gitea"; user = gitea-user; group = gitea-group; }
   ];
 
+  backups.postgresql.gitea = {};
+
   # TODO: backups! gitea.dump setting
   services.gitea = {
     enable = true;

profiles/servers/outline.nix

@@ -52,6 +52,8 @@
     utilsSecretFile = config.sops.secrets.outline-utils.path;
   };
 
+  backups.postgresql.outline = {};
+
   persist.state.directories = [
     "/var/lib/redis-outline"
   ];