Add initial authentik backup script

This introduces a new pattern of supplying the PostgreSQL password through a pgpass file, and works out how to properly run a bash script with a shebang from a systemd service file.
Eli Ribble 2025-07-23 21:39:18 +00:00
parent a31e1dfe88
commit 47056f3df8
5 changed files with 141 additions and 1 deletions


@ -0,0 +1,53 @@
{ config, lib, myutils, pkgs, ... }:
let
backupScript = pkgs.stdenv.mkDerivation {
name = "backup-authentik-db-script";
src = ../../scripts/backup-authentik-db.sh; # Path to the script file
phases = "installPhase";
installPhase = ''
mkdir -p $out/bin
cp $src $out/bin/backup-authentik-db.sh
chmod +x $out/bin/backup-authentik-db.sh
'';
};
in
{
config = lib.mkIf config.myModules.authentik.enable {
sops.secrets.authentik-backup-pgpass = {
mode = "0400";
};
systemd.services.backup-authentik-db = {
description = "Backup authentik database";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.bash pkgs.postgresql ];
requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
script = "${backupScript}/bin/backup-authentik-db.sh";
serviceConfig = {
# Needs root so it can stop other services
User = "root";
Group = "root";
Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
EnvironmentFile = "/var/run/secrets/authentik-env";
Type = "oneshot";
Restart = "on-failure";
};
wantedBy = [ "timers.target" ];
};
systemd.tmpfiles.rules = [
"d /var/backups/authentik-db 0755 root root"
];
systemd.timers.backup-authentik-db = {
description = "Daily backup of authentik database";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 03:00:00"; # Run daily at 3:00 AM (adjust as needed)
Persistent = true; # If the system was off when it should have run, run it on startup
};
};
environment.systemPackages = [ pkgs.postgresql ];
};
}
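Review bot: The backup directory is created world-readable (`"d /var/backups/authentik-db 0755 root root"` in the tmpfiles rule) and nothing in the unit lowers the umask, so the pg_dump output — which for an identity provider like authentik will hold credential hashes and tokens — is readable by every local user; change it to `"d /var/backups/authentik-db 0700 root root"`. Separately, `wantedBy = [ "timers.target" ]` on the service itself (not only on the timer) starts the backup, including the stop/start of the authentik containers, on every boot; drop that line from `systemd.services.backup-authentik-db` and keep it only on the timer. It would also help to comment that `EnvironmentFile = "/var/run/secrets/authentik-env"` is a hard-coded path rather than a `config.sops.secrets.<name>.path` reference, so renaming that secret breaks the unit silently.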


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
{ {
options.myModules.authentik.enable = mkEnableOption "custom authentik configuration"; options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";


@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./authentik.nix ./authentik.nix
./authentik-backup.nix
./base.nix ./base.nix
./caddy.nix ./caddy.nix
./cloud-init.nix ./cloud-init.nix


@ -0,0 +1,43 @@
#!/usr/bin/env bash
set -euo pipefail
set -o xtrace
service_redis="podman-authentik-redis"
service_server="podman-authentik-server"
service_worker="podman-authentik-worker"
backup_dir="/var/backups/authentik-db"
backup_file="$backup_dir/authentik-db-$(date +%Y-%m-%d_%H-%M-%S).dump"
# Stop the services
echo "Stopping $service_redis..."
systemctl stop "$service_redis"
echo "Stopping $service_server..."
systemctl stop "$service_server"
#echo "Stopping $service_worker..."
#systemctl stop "$service_worker"
# Ensure backup directory exists
echo "Creating backup directory"
mkdir -p "$backup_dir"
# Perform the database backup (requires appropriate pg_dump credentials)
echo "Backing up database..."
pg_dump -U "$AUTHENTIK_POSTGRESQL__USER" -d "$AUTHENTIK_POSTGRESQL__NAME" -h "$AUTHENTIK_POSTGRESQL__HOST" -p "$AUTHENTIK_POSTGRESQL__PORT" -f "$backup_file"
# Check if the backup was successful
if [ -s "$backup_file" ]; then
echo "Backup successful: $backup_file"
else
echo "Backup failed!"
exit 1 # Indicate an error
fi
# Restart the service
echo "Restarting $service_redis..."
systemctl start "$service_redis"
echo "Restarting $service_server..."
systemctl start "$service_server"
echo "Restarting $service_worker..."
systemctl start "$service_worker"
echo "Backup complete."
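Review bot: If pg_dump fails (or the `-s` check hits `exit 1`) the script aborts under `set -euo pipefail` before the `systemctl start` lines, so the redis and server containers stay stopped — and with the unit's `Restart=on-failure` every retry stops them again. Register the restart as an EXIT trap right after the variable block so authentik comes back up on every exit path, and add `umask 077` before pg_dump so the dump file is not created world-readable under the default 0022 umask. Note also that the unit `requires` the worker while the script stops only redis and server (the worker stop is commented out); either stop all three or add a comment stating why the worker may keep running against the database mid-dump.

```shell
set -o xtrace
umask 077   # the dump holds credential data; never create it world-readable

# … unchanged: service_* and backup_* variables …

# Bring authentik back up on every exit path; without this, `set -e`
# leaves redis and server stopped when pg_dump fails.
restart_services() {
    systemctl start "$service_redis" "$service_server" "$service_worker"
}
trap restart_services EXIT

# … unchanged: systemctl stop calls, mkdir, pg_dump, size check …
```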

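--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,43 @@
+authentik-backup-pgpass: ENC[AES256_GCM,data:tYHAgbrXM6xy41I5jfiPM4Pkt3lqN2RdBLf1CaltTNT8Cw8p1Rh+xoihhLdm3DHbwzy/NWcTD5hXXV1iAyqcvTd1Cr2gNMsh5tD096z2kpS8p2ZfZnOCzgNZkIu8C6pq826qqf3ZrMyqX7A/qwkoa1GtALXi5sUgL7qZAGqPeCKwdVYV7Q==,iv:94bHTSrmOqoi3SkZnhS7TNwQR29cSm4FdADO6DTGZo8=,tag:WS2vGTUxqJMOov0lvc/STw==,type:str]
+sops:
+age:
+- recipient: age1x704pjnueguchkl54ly8w4w26ltys5900v7xnl7w3zlgasus09jszz45t8
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaGkvNGltaWlZc1dSQm45
+SmxFdTl2YmNjbkt6OHI4aUJmWVVQTnV6VnhBCko1U3VLR3VNSVRHTlluTjRHVmh5
+ai9JeTdNNStIYWdEQ0VrOXdDZGVPdWsKLS0tIDV4SGhGR3g5TVRic2huNUkyMEo4
+Q3NpNDRzSG9RU0g3bkQzUUtKanoxSzAKQDQk8nl8G+KlpBu2heK19Coukb1WSqLS
+X2FIYO7m0985ehN+DivNCa82Am0kQTTApF8X4mDM7j+nTTP+t3vUSg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNUplanpOeWlUMFRxR05w
+OHQ1ci9OVUJwUUpqZFlvL2hLU25DeWZyUDJzCis0ZUkvY1NFOVl0RnoweW5naWt2
+UWFjQ3BjMnhsV21HLzNnN1FPdTFFMzAKLS0tIElMeU9qWTBBTVEwaFAydEVST05S
+ODBhc0VxWW9lVENoa2ZINWlwNURjRUkK/C8vmJIdgpOgqlRX6twsPWZtlJtywFJp
+ifqcxJC66TxRd55VGXjFgE/T9Wy6NIOSssAmKhtTeLOPsr5/prLtWA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1kgwk20cc6t68kqj5nhem6swvx6k4e7zjx2xdwy382360h8tdyqrq0nn3gf
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUE5NExVemNnZzRXMkJE
+RTF3VXRKdzRrSU1FbmFQT1A1cVRhekl4V3hrClBKcTJiYllEZzNXbFdWSEtvRVIz
+c0dyWDBtMTJuRzJVdE1BeERDUU5PcW8KLS0tIDVDcDlueTA0RjVJbnNyRkw0dEg2
+N2lFWTNBRkIrZ3YrRVV6aFVheTNvZlEKDwmh2VM0qxzT/Z6FvDhiVCxWu7wRDSF1
+wr3Zjj5+QTusS1N+h22HdNMD+dKBKE9rR9fKwioPFz8PQY0V0lpImg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZ05MNmlqWWoyTkpyTFpG
+SEVNOXRsMm5LcTNlM2dUN1laVVp5NkRGM3dBCmM2bTZOOGNSbkJPVVBsL3czVHN4
+dkFsZ3ZQcU8rTzJZdnk4TkJFa0JkdjQKLS0tIGZ2MGJOQUlnSWpUZGhLbGtoNElG
+T1VIdC9iVkp1alhYVjRlTEZ3MVJBVHMKDMsbeJ4B4I9tQFX60cMX3ZxrxZ0hLdhE
+OwcN9uWc16i2TdsukUEcQxmK81SCwTm31TFRjt6aiDkeduFT/MeVRg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-07-24T15:54:07Z"
+mac: ENC[AES256_GCM,data:Vc7+KdIH7BEogU8bj2J0qyz7bOw/Z9ONakdFMTlSe//aDRssaQogu2DbRHy+MBSUT8s2Cl79U6qpxv6GSuxCjj8ztV5DnBy7vF6CBL+LstvCnzVkCVHcZbwEzNLmLTfkDe+Dr/pVdMy25zuicNnLUJMVl4tWkOC0oHbyyA6ZdG8=,iv:2KKGq5G6TzacbKENLRcI4P9UCiBridkb6WBy7A+tSGA=,tag:3NzryYPznp8INHbTnNly/A==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2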