47 lines
1.4 KiB
Nix
47 lines
1.4 KiB
Nix
|
{ config, pkgs, ... }:
|
||
|
|
{
|
||
|
|
# Restic backups to the local REST server (docker/restic.nix, port 8010, private repos).
|
||
|
|
# Each service gets its own repo: rest:http://localhost:8010/<username>/
|
||
|
|
# REST credentials are injected via sops templates as an EnvironmentFile.
|
||
|
|
# Add new jobs below following the same pattern.
|
||
|
|
|
||
|
|
sops = {
|
||
|
|
secrets."restic/kanidm_password" = { };
|
||
|
|
secrets."restic/kanidm_rest_password" = { };
|
||
|
|
|
||
|
|
# Compose a KEY=VALUE env file for the restic systemd service.
|
||
|
|
templates."restic-kanidm-env" = {
|
||
|
|
content = ''
|
||
|
|
RESTIC_REST_USERNAME=kanidm
|
||
|
|
RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
|
||
|
|
'';
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
services.restic.backups = {
|
||
|
|
kanidm = {
|
||
|
|
repository = "rest:http://localhost:8010/kanidm/";
|
||
|
|
passwordFile = config.sops.secrets."restic/kanidm_password".path;
|
||
|
|
environmentFile = config.sops.templates."restic-kanidm-env".path;
|
||
|
|
|
||
|
|
# Checkpoint the SQLite WAL before backup so the snapshot is consistent.
|
||
|
|
backupPrepareCommand = ''
|
||
|
|
${pkgs.sqlite}/bin/sqlite3 /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
|
||
|
|
'';
|
||
|
|
|
||
|
|
paths = [ "/var/lib/kanidm" ];
|
||
|
|
|
||
|
|
timerConfig = {
|
||
|
|
OnCalendar = "04:00";
|
||
|
|
Persistent = true;
|
||
|
|
};
|
||
|
|
|
||
|
|
pruneOpts = [
|
||
|
|
"--keep-daily 7"
|
||
|
|
"--keep-weekly 4"
|
||
|
|
"--keep-monthly 3"
|
||
|
|
];
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|