add kanidm

2026-05-02 12:52:47 -04:00
parent f42d031f4f
commit 6a6f5a1e9d
14 changed files with 288 additions and 53 deletions
--- a/systems/palatine-hill/backup.nix
+++ b/systems/palatine-hill/backup.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+{
+  # Restic backups to the local REST server (docker/restic.nix, port 8010, private repos).
+  # Each service gets its own repo: rest:http://localhost:8010/<username>/
+  # REST credentials are injected via sops templates as an EnvironmentFile.
+  # Add new jobs below following the same pattern.
+
+  sops = {
+    secrets."restic/kanidm_password" = { };
+    secrets."restic/kanidm_rest_password" = { };
+
+    # Compose a KEY=VALUE env file for the restic systemd service.
+    templates."restic-kanidm-env" = {
+      content = ''
+        RESTIC_REST_USERNAME=kanidm
+        RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
+      '';
+    };
+  };
+
+  services.restic.backups = {
+    kanidm = {
+      repository = "rest:http://localhost:8010/kanidm/";
+      passwordFile = config.sops.secrets."restic/kanidm_password".path;
+      environmentFile = config.sops.templates."restic-kanidm-env".path;
+
+      # Checkpoint the SQLite WAL before backup so the snapshot is consistent.
+      backupPrepareCommand = ''
+        ${pkgs.sqlite}/bin/sqlite3 /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
+      '';
+
+      paths = [ "/var/lib/kanidm" ];
+
+      timerConfig = {
+        OnCalendar = "04:00";
+        Persistent = true;
+      };
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
+    };
+  };
+}