backup static files to garage

newinfra/nix/modules/backup/backup.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+time="$(date --iso-8601=s --utc)"
+echo "Starting backup procedure with time=$time"
+
+dir=$(mktemp -d)
+echo "Setting workdir to $dir"
+cd "$dir"
+# Delete the temporary directory afterwards.
+# Yes, this variable should expand now.
+# shellcheck disable=SC2064
+trap "rm -rf $dir" EXIT
+
+echo "Logging into garage"
+export MC_CONFIG_DIR="$dir"
+mc alias set garage "$S3_ENDPOINT" "$S3_ACCESS_KEY" "$S3_SECRET_KEY" --api S3v4
+
+mc ls garage/backups
+
+files=$(jq -c '.files[]' "$CONFIG_FILE") 
+
+IFS=$'\n'
+for file_config in $files; do
+    filepath=$(echo "$file_config" | jq -r ".file")
+    app=$(echo "$file_config" | jq -r ".app")
+
+    echo "Backing up app $app FILE $filepath..."
+    tmppath="$dir/file"
+    xz < "$filepath" > "$tmppath"
+
+    echo "Uplading file"
+    mc put "$tmppath" "garage/$S3_BUCKET/$app/$time/$(basename "$filepath").xz"
+    echo "Uploaded file"
+done

newinfra/nix/modules/backup/default.nix

@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }: with lib;
+let
+  jobOptions = { ... }: {
+    options = {
+      app = mkOption {
+        type = types.string;
+        description = "The app name, used as the directory in the bucket";
+      };
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+      };
+      file = mkOption {
+        type = types.string;
+      };
+      #pg_dump = { };
+      #mongo_dump = { };
+    };
+  };
+in
+{
+  options.services.custom-backup = {
+    jobs = mkOption {
+      default = [ ];
+      type = types.listOf (types.submodule jobOptions);
+      description = "Backup jobs to execute";
+    };
+  };
+
+  config =
+    let
+      cfg = config.services.custom-backup;
+      backupConfig = {
+        files = builtins.map (job: { app = job.app; file = job.file; })
+          (builtins.filter (job: job.file != null) cfg.jobs);
+      };
+      backupScript = pkgs.writeShellApplication {
+        name = "backup";
+        runtimeInputs = with pkgs; [ jq minio-client getent xz ];
+        text = builtins.readFile ./backup.sh;
+      };
+    in
+    {
+      age.secrets.backup_s3_secret.file = ../../secrets/backup_s3_secret.age;
+
+      systemd.services.custom-backup = {
+        startAt = "daily";
+        serviceConfig = {
+          DynamicUser = true;
+          ExecStart = "${backupScript}/bin/backup";
+          Environment = [
+            "CONFIG_FILE=${pkgs.writeText "backup-config.json" (builtins.toJSON backupConfig)}"
+            "S3_BUCKET=backups"
+            "S3_ENDPOINT=http://localhost:3900"
+          ];
+          EnvironmentFile = (builtins.filter (file: file != null)
+            (builtins.map (job: job.environmentFile) cfg.jobs)) ++ [
+            config.age.secrets.backup_s3_secret.path
+          ];
+        };
+      };
+    };
+}
+

newinfra/nix/modules/garage/README.md

@@ -21,9 +21,15 @@
     - key `docker-registry` RW
 - `loki`
     - key `loki` RW
+- `backups`
+    - key `backups` RW
 
 ## keys
 
 - `caddy`: `GK25e33d4ba20d54231e513b80`
 - `docker-registry`: `GK48011ee5b5ccbaf4233c0e40`
 - `loki`: `GK84ffae2a0728abff0f96667b`
+- `backups`: `GK8cb8454a6f650326562bff2f`
+
+- `admin`: `GKaead6cf5340e54a4a19d9490`
+    - RW permissions on ~every bucket

newinfra/nix/modules/garage/default.nix

@@ -1,6 +1,10 @@
 { config, pkgs, name, ... }: {
   age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
 
+  environment.systemPackages = with pkgs; [
+    minio-client
+  ];
+
   networking.firewall.interfaces.wg0.allowedTCPPorts = [
     3901 # RPC
     3903 # admin for metrics