From 9068dfa00c8dd18e078efbc27748596545bb8d5f Mon Sep 17 00:00:00 2001
From: teutat3s <teutates@mailbox.org>
Date: Sun, 25 Aug 2024 03:29:25 +0200
Subject: [PATCH] obs-portal: add backups

Restic backups to garage S3 bucket
---
 modules/obs-portal/default.nix                |  25 ++++++++++++++++++
 secrets/restic-repo-garage-obs-portal-env.age | Bin 0 -> 2533 bytes
 secrets/restic-repo-garage-obs-portal.age     | Bin 0 -> 2434 bytes
 secrets/secrets.nix                           |   2 ++
 4 files changed, 27 insertions(+)
 create mode 100644 secrets/restic-repo-garage-obs-portal-env.age
 create mode 100644 secrets/restic-repo-garage-obs-portal.age

diff --git a/modules/obs-portal/default.nix b/modules/obs-portal/default.nix
index e2733bf..8a15c0c 100644
--- a/modules/obs-portal/default.nix
+++ b/modules/obs-portal/default.nix
@@ -147,4 +147,29 @@ in
       };
     };
   };
+
+  services.restic.backups.obs-portal-garage = {
+    paths = [
+      "/var/lib/obs-portal/data"
+      "/tmp/obs-portal-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 00:30:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-garage-obs-portal".path;
+    environmentFile = config.age.secrets."restic-repo-garage-obs-portal-env".path;
+    repository = "s3:https://buckets.pub.solar/obs-portal-backups";
+    backupPrepareCommand = ''
+      ${pkgs.docker}/bin/docker exec -ti --user postgres obs-portal-db pg_dump obs > /tmp/obs-portal-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/obs-portal-backup.sql
+    '';
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }
diff --git a/secrets/restic-repo-garage-obs-portal-env.age b/secrets/restic-repo-garage-obs-portal-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..ce4f1abdb01c8e971e613082243625d569519ea9
GIT binary patch
literal 2533
zcmZ9NN$Bhb9mfS<FRAx>5&sBYoW7ULWLI1=ne3CyWY0t>W}i$l*>?~@^j!p{^dcxK
z2*MMDDk8X^To4Z~Ra~mYrB^MLB2o~X9(w4z|KJ0^@8%`Z{iq0<x$4rgcu+P8IIMyD
zAG&MX^Zh8?py-;sOLx*`Ozw7r5$(YK6woAC?*!Rbm<VdUyg>}s^4qe(ujneo3c(%$
z#SKG6j<Rj;TWY5-u}?J<G@xqPs%l}Abq-phhG-3^K2Ey<cFK5nD7-c$h>+N&8&vR$
zggGN@Mv0_st0{(%bgy^VlKaN_1Xwt^H1vpOQ7rpi!AF<FWw%z_OKDPwI-Z%Rnba&z
za5;OE*0kPTj2e8I09!06U?V4IHm@XB3^+R!ELU$CFx@xt>T+>To}=hF?(}irtnlM?
zhp#nwfnv6zF02BK;lWVL^X3>NV%eWSPCh!D>lh`%6<e!^{3NVIu0TTunq3AbcPoj+
z5YJ$CW?Ztdf&x6%F<Fh5Gr4!n!-7|7UCA3VoMoh6Le(SIV6Ykyf}=76-*Oew`tBLs
zw-Yv%HYeKvf&}%xrE#bj!enIna+fp;<sar_6lctiv@9FRHQINRVeYSj5@Z;a7H&L?
zZqIk20UV-|JJo*K7#KsLkk-thS&&`A#n+`TbOYDA#YG37K_oa%uyW>U{Gxf&X>&yA
z@C*Y~je~o_5GyKgt{L047bMtf3ZcepRo3O>c^!&u!Gtc{mV_zw!Kxima7)H@z3H5z
z3LsK#Z-z^np>t|-dxMqhzHg%wG4V^{RARxAI}TQh$gm7zktG&^C}j?Gd`sh|T|q#@
zx3oaBQkLeqEP7eH9wnIXbS+XQpYi;5e<q1Tc%?Ce-qqn@YL-z9C2Z-jaKu*xz@^+i
zIB*aeRDExB==CIX87g~_Q)mXOd6-ljw)Dt)VyUS??T%wppeHve)OzxVx&kD*5Xe05
z-jF{k4kp)BF-h>bg)@=f*Pcdbj1%P70C72MmBNF2ZHcqdiNxV>C`kt>1Vj`Q+x3Dy
zLGvkFui9M0nJ$E_7!)*@kbHIY)0R2E#m5=D(;*75Pe(A+;t(kWT3PkhHS9ob*3B!v
zzFE9d^L1i$mA75<SrlEeIvt^~=+LPX2OFx`8n}J5Q0OtZ`LiIU#2<45K^MrHQD*Jp
zrb(o2N3}cpfQ=iNP4YN_NOXwpu!9L0(q;f_jCvO(y@ZT0mhXF)hFKYjk(4~e8<;Xr
zw*Y|CzGDq<k%}^*rnM>gVYEMT0nzCRup8ovQCYEZiGV4wVVaSWl;$n1D`d8l1>EmA
zSsoy=-JPN^LZih$dlaWF$9B<iq5(z*J<;|FuP12<5@D6dYeurK8@}vF@Y)IG6sFOU
z<E|xn8bt0a;O1H~on(D7E|Uc<fS|hw4-U%U&z2?XhEe3)6p7o)s|>C(@N*00*wC|;
zG#ayz4K}=n^z?i>4E=SDLp{(sT1<_0*PJz>H1)b{@(b+ls+``R;R1uuPNhH{8kl-<
zE>Vv6n>ycAd(vJ<SUjT@uo*Gc6jg@XU<a==k!|bYrUt?A5jx2kK8vG(uIvQ7^rIko
zkXDEURF}@-sB=bq(FtIQ>W##Rv|dwk)pKaiuX&zM_I{}h3QZ+h)er<Pt?Mk$nn7-h
z{$RJHJLz?>JG=1(I34K#H`DW;syDg9MMkPm2(IxNbv3g3c5+<rgo5Exixj#tX!zrv
zQBDrp_`8N@u@*3b6zQEU+2K>$bJtWJVCm$$W1LRPY^L$8-qyO#<!m6l(Z^Lf+^;q$
zb~oIFyj4Fn!Y%@@qFBPRErrQ5qKZAFk7ElRh%Nvd3)NGdv$$J90InAW3wzDDlBtxQ
zTiZw7(acz<(QASEv&5sms_d-DgXFicmbwPh8|#J%+>v#93L&%0tiYLkg=a|8Rt82_
zifS}{F+ho)<ON{Su(g6OlG9p8_m;|h<xsiPh?%egGq>wdg{BRkBgVyib7$V%&=ad4
z+T_lT(;4kBA2q`BxtBqFPMEN#5|!ZhGJf)7+l1qlM?0nfbpGBHcyF5a!5p(1KibXq
zU@C+>se^9z{D=<cnPI`bl{`*Mc?*N7yJT&dl!&#eNtj1SbwVjPc>^}g8npO}v$agM
z^A8C@YzZJFEYRc1ln_AOSkg+ICz**eg%}6PYKNc?Y-38SoN9^3X<MtE4eAaQ7%^=#
z8kMhm|6uZFcCJHosiP7MhSoWr?Q3{6eQ{W~z*P7iI6xZ9ZSy3!Bt(NIv@?0-JhU*$
zUN%0~%DietD)TsP1zVe3y(=UK2QgzmPD>D9B(1gj65XV+AyAuf<NGU~xMaI(r^65+
zbwn{5V*w9?8`-la3pqp`^P`zD$#BBh0k0?wVG5HUf&2IG-(B6U=!7b$T*Y*E+ss12
zC49vg8HAg(d4dTy=!Bf#lu`yjzkaB?;BWr$8vlTN$MY}!@ISx%!OQ%U<4@DR`tH*Y
z`BxtOeR%p`@BP%@_*a_e9=-FE_de$R)BDL+o_ONfSNA{t$WtG+KMxgueC@;Ji=Te<
zjPa-C`FH>C_YeO3@b&k6@73+MKmLU$t+#*a$8Y=DXTJWzD=)`S{o@y(Lq7NyVSVod
z;*UQ2%nR@P?~}j%;)~l~z2t%4@L&CR{?vnC-uu?q?!Er(`^)b<_w!FYYQOna`Qcx`
I|K)f6A2a1%9{>OV

literal 0
HcmV?d00001

diff --git a/secrets/restic-repo-garage-obs-portal.age b/secrets/restic-repo-garage-obs-portal.age
new file mode 100644
index 0000000000000000000000000000000000000000..7f81fd012d3df984c949ca2eab27944008cee8a8
GIT binary patch
literal 2434
zcmZXWxym#N6^6}(iUkFe56monYu`YH+PAKK?FNJD+V{P?y2Qi_5KN3TF*P-vOwdqF
zCNvnGL<|KTknuAZ(3vZE&N;lxNy_{~KBUWQ+Ujxm-nf*|0|7q#@NHeI4|#?X1j4-4
zg5EsKH(T0uqGn&3dwP9-zsaMn3vI(`eFza{L*3(08u4i~6$fC7i6<}^Ld{opYltN?
zmV5@&Zg?PI#29$x`w<oAmZ^wertQ~MFrROr4vt=ucyYmi_G9C(=fhOECg{Ma?6a83
z@Nnkr#!jCs0JlTwZuo3f4Z=1mL!`$=TBL}@s<|lZK<fy@HSU+<mVQB7*5s`qd}S<w
zs!TmlvSn;({Js&3nn)w?gbUB(mImKDDd3|buhNGwklyoF97DBuw7DzKtx{QW2QF#2
z2s=!L+*aUze{>~ILbgPjaoi9}p3s{-9IV|kM_kNT>QEdVmi!?L<ieP^Ck$L+JwJ3+
z6mfZxmK)U2Rut%s&ncVy?1Jo>H59x^GdJ8i`CLi+nguw4s0otk*O(50L2|s{BHbN_
zwiNJzwGN>gL29WwU2<NO@J&Q)h5k@wq7Bf1lmeK&tD&mxcB6r94EWuQ%?+r`I$gyU
zq{A+_`MQ>P0xwDr{oHxM4Smzcqswui9(~2K8K$EyR+52V?j_()l|eHB5$sq-3k$u-
zPg)FTgm8BekuznaoI=SaaCF2nFc+FleYWIyIffi2ScM)yHY^jhqy{xBQPr>{L)>4X
zyKp{yV!^J&y}E_Wjjo(t)3|&$TX$^df#vcQw6|8J07SMP&e?gG0?mpm3tPLa4yQdM
z4^;@Nh`R%HZLDu|2gIdGL~^cUd1bqo!qag*Nd&r-(~&;j)?A=Fi|SSn30~VOUCbLX
zU781{(WM{4pbh2WV2Ll&wwBl^AHB8_@rsdv_^zMyVxMSdtypdm*u}bKGSPP#A`K2d
z_=;*n1^PPDDs%Lm+b`H2we+JuRa1P7B0%%Znedkv#G|e2w$by_m_8{Qe(jRue(h(f
ztGF5Ulj#3++)9E6vw)Xg1>4qMIon^4-r25qj7+I~9o?*xp(O6kyez?syv93K9xID3
z+8u@lp+9elQQ{Q<P6@;<HkrZNmWG`XLYap){;RHT8P;4_-gl3Js5zati3{zale9i`
z&ThdPN}n(M4rr0FXH5oqSvJg!VZ=T<(xU&qa9_^dq-k-U#}S{(QM{cm-=Qj_fQC7H
zwUHbKiUG7|);ngfHkYBHsJKK90h5>^4j;5);kn&)T3J;>ncTXAW1+TJoaUyRY|a_d
z(I5!WBho|`Sgx9kHzix+N2|(f>&}Qw9g@Om<#Hyudsi&^eF}-;1rz3z0w>t+?CNN5
z0B@KJSwc;g@gtiKL&}=iv4E{-;3f~^XTiiHfkesRBSk&DSa7|rO|s{j#SRkozyY_E
z##Dl~Hd3RTFBNg_9v3y^1@Ju-M8qowTkCVBR&NGj<G$*N8(PJB8xLW&fK&_UOQ!nb
zR_Z7wEeu4T`&yLtxZJ^@--YvlHn-mPg}2U^Rf$5Og|~*DNrh-fMW1{cNU;2tod;Vw
zpznezRc0H}4(LXYR5DI^pO7NA9m|%_%o-3j|L(Hb=Inh_JRIRz7T6i@>Y>iK3O0`f
z_TGVEfZkb@j4lZZ8n1zG-e-F8oMl+L@A*U%BW5(s2KI1TILiP5LK#;Fcd3Q3bEIUW
zw(&vXDg^|6xrET*c4jJ9Mf%MCH;<?K@nJ#<^6lZC_IvcRxH<0a2s-aKbdwrmw+P1%
zo}rZX%5JZNw;)X&DK2@a0+7Ike&1t{znl=?$#W2g?OaDScEPW!uJ{&|nofUtK<^Iu
zU)DL#Q2ow2D3DvHxfH08zT8tVP+XkYFg&H7CqDIdeXJ+b<`=3#fm~`XTkW`sw-P68
zpgNC<B2kHhetn=kG{GQS47FX8L-0k<e9@s-$+On-jZ*3@wYisn6{mQ$?md`1taNQG
z4RsB>Y_@{p!EJnvVG5Wosl;1cww-xXK|3G%<X!01sj|FyU#3ikp=zl%KkA(?(`qFo
zG4{=1&a-1=tsLPgqDT=HuKCF@b3pdQ3)N1%cBD45Bcxve4dj~al0669x*IvZD0HC>
z_pB<(j9vMwv`}Mi(UfJRU!if~`tsSg2PJi`N>ZKIjH_>i^E7+l`hs>vqnM*wdCqIW
z<?xZV1eOHpaU&TnvT>hY6^75zgNT&dB;Uu83153Dv9>Xq6#bR|0K`JHbKd5Cm-E&^
zHIFf>$Pe&#jeB4Ae6AEim_QxHNu)>|j<W<-*pQOIC<EIz-J{l3Ji%h4xbJ-Gm``DL
zZ#ELZqS-1V@ZrOUx9;v$(oGUqVU3mPHjxgF3aNm&^hEQ{6!f(w+^lQ3%ntDPkH7uX
zumA0rKl<qFzxnPz{_^?vKl|%vzxoOJ$sc|$Dj$FP?~knSeDue!eGccJeq;L0x3=GZ
a^ZwgUKKa-0e({5C{;~J7fByMTzy1$CMI~hb

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ab52663..4c25e1e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -54,6 +54,8 @@ in
 
   "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
   "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "restic-repo-garage-obs-portal.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "restic-repo-garage-obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
 
   "drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
   "drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;