Add initial authentik backup script

This includes a new paradigm for using a pgpass file, which is great, as well as sorting out how to properly do a bash script shebang in a service file.
2025-07-23 21:39:18 +00:00 · 2025-07-23 21:39:18 +00:00 · 47056f3df8
commit 47056f3df8
parent a31e1dfe88
5 changed files with 141 additions and 1 deletions
--- a/modules/system/authentik-backup.nix
+++ b/modules/system/authentik-backup.nix
@ -0,0 +1,53 @@
+{ config, lib, myutils, pkgs, ... }:
+
+let
+	backupScript = pkgs.stdenv.mkDerivation {
+		name = "backup-authentik-db-script";
+		src = ../../scripts/backup-authentik-db.sh; # Path to the script file
+		phases = "installPhase";
+		installPhase = ''
+			mkdir -p $out/bin
+			cp $src $out/bin/backup-authentik-db.sh
+			chmod +x $out/bin/backup-authentik-db.sh
+		'';
+	};
+in
+{
+	config = lib.mkIf config.myModules.authentik.enable {
+		sops.secrets.authentik-backup-pgpass = {
+			mode = "0400";
+		};
+		systemd.services.backup-authentik-db = {
+			description = "Backup authentik database";
+			after = [ "network-online.target" ];
+			wants = [ "network-online.target" ];
+			path = [ pkgs.bash pkgs.postgresql ];
+			requires = [ "podman-authentik-worker.service" ];	# Ensure authentik is running first
+			script = "${backupScript}/bin/backup-authentik-db.sh";
+			serviceConfig = {
+				# Needs root so it can stop other services
+				User = "root";
+				Group = "root";
+				Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
+				EnvironmentFile = "/var/run/secrets/authentik-env";
+				Type = "oneshot";
+				Restart = "on-failure";
+			};
+			wantedBy = [ "timers.target" ];
+		};
+
+		systemd.tmpfiles.rules = [
+			"d /var/backups/authentik-db 0755 root root"
+		];
+		systemd.timers.backup-authentik-db = {
+			description = "Daily backup of authentik database";
+			wantedBy = [ "timers.target" ];
+			timerConfig = {
+				OnCalendar = "*-*-* 03:00:00"; # Run daily at 3:00 AM (adjust as needed)
+				Persistent = true; # If the system was off when it should have run, run it on startup
+			};
+		};
+
+		environment.systemPackages = [ pkgs.postgresql ];
+	};
+}
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 {
 	options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -1,6 +1,7 @@
 {
 	imports = [
 		./authentik.nix
+		./authentik-backup.nix
 		./base.nix
 		./caddy.nix
 		./cloud-init.nix
--- a/scripts/backup-authentik-db.sh
+++ b/scripts/backup-authentik-db.sh
@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -o xtrace
+
+service_redis="podman-authentik-redis"
+service_server="podman-authentik-server"
+service_worker="podman-authentik-worker"
+backup_dir="/var/backups/authentik-db"
+backup_file="$backup_dir/authentik-db-$(date +%Y-%m-%d_%H-%M-%S).dump"
+
+# Stop the services
+echo "Stopping $service_redis..."
+systemctl stop "$service_redis"
+echo "Stopping $service_server..."
+systemctl stop "$service_server"
+#echo "Stopping $service_worker..."
+#systemctl stop "$service_worker"
+
+# Ensure backup directory exists
+echo "Creating backup directory"
+mkdir -p "$backup_dir"
+
+# Perform the database backup (requires appropriate pg_dump credentials)
+echo "Backing up database..."
+pg_dump -U "$AUTHENTIK_POSTGRESQL__USER" -d "$AUTHENTIK_POSTGRESQL__NAME" -h "$AUTHENTIK_POSTGRESQL__HOST" -p "$AUTHENTIK_POSTGRESQL__PORT" -f "$backup_file"
+
+# Check if the backup was successful
+if [ -s "$backup_file" ]; then
+  echo "Backup successful: $backup_file"
+else
+  echo "Backup failed!"
+  exit 1 # Indicate an error
+fi
+
+# Restart the service
+echo "Restarting $service_redis..."
+systemctl start "$service_redis"
+echo "Restarting $service_server..."
+systemctl start "$service_server"
+echo "Restarting $service_worker..."
+systemctl start "$service_worker"
+
+echo "Backup complete."
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,43 @@
+authentik-backup-pgpass: ENC[AES256_GCM,data:tYHAgbrXM6xy41I5jfiPM4Pkt3lqN2RdBLf1CaltTNT8Cw8p1Rh+xoihhLdm3DHbwzy/NWcTD5hXXV1iAyqcvTd1Cr2gNMsh5tD096z2kpS8p2ZfZnOCzgNZkIu8C6pq826qqf3ZrMyqX7A/qwkoa1GtALXi5sUgL7qZAGqPeCKwdVYV7Q==,iv:94bHTSrmOqoi3SkZnhS7TNwQR29cSm4FdADO6DTGZo8=,tag:WS2vGTUxqJMOov0lvc/STw==,type:str]
+sops:
+    age:
+        - recipient: age1x704pjnueguchkl54ly8w4w26ltys5900v7xnl7w3zlgasus09jszz45t8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaGkvNGltaWlZc1dSQm45
+            SmxFdTl2YmNjbkt6OHI4aUJmWVVQTnV6VnhBCko1U3VLR3VNSVRHTlluTjRHVmh5
+            ai9JeTdNNStIYWdEQ0VrOXdDZGVPdWsKLS0tIDV4SGhGR3g5TVRic2huNUkyMEo4
+            Q3NpNDRzSG9RU0g3bkQzUUtKanoxSzAKQDQk8nl8G+KlpBu2heK19Coukb1WSqLS
+            X2FIYO7m0985ehN+DivNCa82Am0kQTTApF8X4mDM7j+nTTP+t3vUSg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNUplanpOeWlUMFRxR05w
+            OHQ1ci9OVUJwUUpqZFlvL2hLU25DeWZyUDJzCis0ZUkvY1NFOVl0RnoweW5naWt2
+            UWFjQ3BjMnhsV21HLzNnN1FPdTFFMzAKLS0tIElMeU9qWTBBTVEwaFAydEVST05S
+            ODBhc0VxWW9lVENoa2ZINWlwNURjRUkK/C8vmJIdgpOgqlRX6twsPWZtlJtywFJp
+            ifqcxJC66TxRd55VGXjFgE/T9Wy6NIOSssAmKhtTeLOPsr5/prLtWA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kgwk20cc6t68kqj5nhem6swvx6k4e7zjx2xdwy382360h8tdyqrq0nn3gf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUE5NExVemNnZzRXMkJE
+            RTF3VXRKdzRrSU1FbmFQT1A1cVRhekl4V3hrClBKcTJiYllEZzNXbFdWSEtvRVIz
+            c0dyWDBtMTJuRzJVdE1BeERDUU5PcW8KLS0tIDVDcDlueTA0RjVJbnNyRkw0dEg2
+            N2lFWTNBRkIrZ3YrRVV6aFVheTNvZlEKDwmh2VM0qxzT/Z6FvDhiVCxWu7wRDSF1
+            wr3Zjj5+QTusS1N+h22HdNMD+dKBKE9rR9fKwioPFz8PQY0V0lpImg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZ05MNmlqWWoyTkpyTFpG
+            SEVNOXRsMm5LcTNlM2dUN1laVVp5NkRGM3dBCmM2bTZOOGNSbkJPVVBsL3czVHN4
+            dkFsZ3ZQcU8rTzJZdnk4TkJFa0JkdjQKLS0tIGZ2MGJOQUlnSWpUZGhLbGtoNElG
+            T1VIdC9iVkp1alhYVjRlTEZ3MVJBVHMKDMsbeJ4B4I9tQFX60cMX3ZxrxZ0hLdhE
+            OwcN9uWc16i2TdsukUEcQxmK81SCwTm31TFRjt6aiDkeduFT/MeVRg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-24T15:54:07Z"
+    mac: ENC[AES256_GCM,data:Vc7+KdIH7BEogU8bj2J0qyz7bOw/Z9ONakdFMTlSe//aDRssaQogu2DbRHy+MBSUT8s2Cl79U6qpxv6GSuxCjj8ztV5DnBy7vF6CBL+LstvCnzVkCVHcZbwEzNLmLTfkDe+Dr/pVdMy25zuicNnLUJMVl4tWkOC0oHbyyA6ZdG8=,iv:2KKGq5G6TzacbKENLRcI4P9UCiBridkb6WBy7A+tSGA=,tag:3NzryYPznp8INHbTnNly/A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2