feat: add fueltide backup

2026-04-24 22:22:26 +02:00 · 2026-04-24 22:22:26 +02:00 · bef415b591
commit bef415b591
parent 6d25a6074b
4 changed files with 255 additions and 60 deletions
--- a/hosts/web-arm/modules/fueltide-backup/default.nix
+++ b/hosts/web-arm/modules/fueltide-backup/default.nix
@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+let
+  project = "majxbigjafpzayzboxsf";
+  poolerHost = "aws-1-eu-west-1.pooler.supabase.com";
+  outDir = "/var/backup/fueltide-supabase";
+  # retain local dumps for this many days; borg handles offsite retention
+  retainDays = 1;
+  # match the upstream Supabase Postgres major version
+  pg = pkgs.postgresql_17;
+in {
+  sops.secrets.fueltide-supabase-db-password = { };
+
+  systemd.tmpfiles.rules = [ "d ${outDir} 0700 root root -" ];
+
+  systemd.services.fueltide-backup = {
+    description = "Dump upstream Supabase database for ${project}";
+    path = [ pg pkgs.coreutils pkgs.findutils ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      LoadCredential = "db-password:${config.sops.secrets.fueltide-supabase-db-password.path}";
+    };
+    script = ''
+      set -euo pipefail
+
+      export PGPASSWORD
+      PGPASSWORD=$(cat "$CREDENTIALS_DIRECTORY/db-password")
+      export PGHOST="${poolerHost}"
+      export PGPORT=5432
+      export PGUSER="postgres.${project}"
+      export PGDATABASE=postgres
+
+      TS=$(date -u +%Y%m%dT%H%M%SZ)
+      OUT="${outDir}/$TS"
+      mkdir -p "$OUT"
+      chmod 700 "$OUT"
+
+      # cluster roles (Supabase-managed roles already exist on a fresh project;
+      # restore errors for those are expected and benign)
+      pg_dumpall --roles-only --no-role-passwords > "$OUT/roles.sql"
+
+      # schema: tables, functions, triggers, RLS policies, views, extensions
+      pg_dump --schema-only --no-owner --no-privileges > "$OUT/schema.sql"
+
+      # data: all rows (includes auth.users, storage.objects metadata, etc.)
+      pg_dump --data-only --no-owner > "$OUT/data.sql"
+
+      ( cd "$OUT" && sha256sum *.sql > sha256.txt )
+
+      find "${outDir}" -mindepth 1 -maxdepth 1 -type d \
+        -mtime +${toString retainDays} -exec rm -rf {} +
+    '';
+  };
+
+  systemd.timers.fueltide-backup = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:30:00";
+      Persistent = true;
+      RandomizedDelaySec = "10m";
+    };
+  };
+}