Add restic backup for all corp services

2026-01-12 00:48:54 +00:00 · 2026-01-12 00:48:54 +00:00 · b5defe1bf0
commit b5defe1bf0
parent d042a416c3
8 changed files with 304 additions and 55 deletions
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@ -45,6 +45,40 @@ with lib;
 				name = "authentik";
 			}];
 		};
+		services.restic.backups."authentik-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump authentik"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
+		};
+		services.restic.backups."authentik-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/opt/authentik/certs"
+				"/opt/authentik/media"
+				"/opt/authentik/templates"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
+		};
 		sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
 			format = "dotenv";
 			group = "authentik";
--- a/modules/system/cloudreve.nix
+++ b/modules/system/cloudreve.nix
@ -34,6 +34,39 @@ with lib;
 				#listen_addresses = lib.mkForce "10.88.0.1,localhost";
 			#};
 		};
+		services.restic.backups."cloudreve-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump cloudreve"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/cloudreve";
+		};
+		services.restic.backups."cloudreve-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/mnt/bigdisk/cloudreve"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/cloudreve";
+			
+		};
 		sops.secrets.cloudreve-env = with config.virtualisation.oci-containers; {
 			format = "dotenv";
 			group = "cloudreve";
@ -43,7 +76,7 @@ with lib;
 			sopsFile = ../../secrets/cloudreve.env;
 		};
 		systemd.tmpfiles.rules = [
-			"d /opt/cloudreve 0755 cloudreve cloudreve"
+			"d /mnt/bigdisk/cloudreve 0755 cloudreve cloudreve"
 		];
 		# The container here comes from a private repository. In order to get it you need to buy a pro license
 		# and download and configure the image via https://cloudreve.org/manage
--- a/modules/system/label-studio.nix
+++ b/modules/system/label-studio.nix
@ -15,6 +15,38 @@ with lib;
 				name = "label-studio";
 			}];
 		};
+		services.restic.backups."label-studio-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump label-studio"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";
+		};
+		services.restic.backups."label-studio-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/mnt/bigdisk/label-studio"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";
+		};
 		sops.secrets.label-studio-env = {
 			format = "dotenv";
 			group = "label-studio";
--- a/modules/system/librechat.nix
+++ b/modules/system/librechat.nix
@ -37,6 +37,59 @@ in
 				search_path = "\"$user\", public, vector";
 			};
 		};
+		services.restic.backups."mongodb" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u mongodb"
+				"${pkgs.mongodb}/bin/mongodump --archive=/mnt/bigdisk/temp/mongodb"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/mongodb";
+		};
+		services.restic.backups."rag_api-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump rag_api"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/rag_api";
+		};
+		services.restic.backups."librechat-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/opt/librechat"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/librechat";
+			
+		};
 		sops.secrets.librechat-env = {
 			format = "dotenv";
 			group = "librechat";
--- a/modules/system/synapse.nix
+++ b/modules/system/synapse.nix
@ -74,6 +74,39 @@ in {
 		#		name = "matrix-synapse";
 		#	}];
 		#};
+		services.restic.backups."synapse-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump matrix-synapse"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/matrix-synapse";
+		};
+		services.restic.backups."synapse-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/var/lib/matrix-synapse"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
+			
+		};
 		sops.secrets."matrix-synapse.yaml" = {
 			format = "yaml";
 			group = "matrix-synapse";
--- a/modules/system/twenty-crm.nix
+++ b/modules/system/twenty-crm.nix
@ -27,6 +27,38 @@ in {
 			requirePass = "letmein";
 			user = user;
 		};
+		services.restic.backups."twenty-crm-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump ${user}"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/twenty-crm";
+		};
+		services.restic.backups."twenty-crm-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/mnt/bigdisk/twenty-crm-data"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
+		};
 		sops.secrets.twenty-crm-env = {
 			format = "dotenv";
 			group = user;
@ -52,7 +84,7 @@ in {
 			ports = [ "127.0.0.1:${port}:3000" ];
 			volumes = [
 				"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
-				"twenty-crm-data:/app/packages/twenty-server/.local-storage"
+				"/mnt/bigdisk/twenty-crm-data:/app/packages/twenty-server/.local-storage"
 				"/home/eliribble/src/twentycrm/entrypoint.sh:/app/entrypoint.sh"
 			];
 		};
--- a/modules/system/vikunja.nix
+++ b/modules/system/vikunja.nix
@ -15,6 +15,38 @@ with lib;
 				name = "vikunja";
 			}];
 		};
+		services.restic.backups."vikunja-db" = {
+			# We can use this due to overridding restic with unstable
+			command = [
+				"${lib.getExe pkgs.sudo}"
+				"-u postgres"
+				"${pkgs.postgresql}/bin/pg_dump vikunja"
+			];
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag database"
+			];
+			passwordFile = "/var/run/secrets/restic-password";
+			pruneOpts = [
+				"--keep-daily 14"
+				"--keep-weekly 4"
+				"--keep-monthly 2"
+				"--group-by tags"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/vikunja";
+		};
+		services.restic.backups."vikunja-files" = {
+			environmentFile = "/var/run/secrets/restic-env";
+			extraBackupArgs = [
+				"--tag files"
+			];
+			initialize = true;
+			passwordFile = "/var/run/secrets/restic-password";
+			paths = [
+				"/var/lib/vikunja"
+			];
+			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/vikunja";
+		};
 		services.vikunja = {
 			enable = true;
 			frontendHostname = "todo.gleipnir.technology";