From 2ed1c83858f458662d2bcdf2ed57cbf4161b2689 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 27 Jan 2026 20:39:12 +0900
Subject: [PATCH] bicep/{postgres,mysql}: add rsync pull targets for backups
---
 hosts/bicep/services/mysql.nix | 16 ++++++++++++++++
 hosts/bicep/services/postgres.nix | 18 +++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/hosts/bicep/services/mysql.nix b/hosts/bicep/services/mysql.nix
index a3d1c38..c8d8a3e 100644
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -44,6 +44,22 @@ in
 location = "/var/lib/mysql/backups";
 };
+ services.rsync-pull-targets = lib.mkIf cfg.enable {
+ enable = true;
+ locations.${config.services.mysqlBackup.location} = {
+ user = "root";
+ rrsyncArgs.ro = true;
+ authorizedKeysAttrs = [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgj55/7Cnj4cYMJ5sIkl+OwcGeBe039kXJTOf2wvo9j mysql rsync backup";
+ };
+ };
+
 networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
 systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
diff --git a/hosts/bicep/services/postgres.nix b/hosts/bicep/services/postgres.nix
index ad4be68..e2bad28 100644
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -121,7 +121,23 @@
 services.postgresqlBackup = {
 enable = true;
- location = "/var/lib/postgres/backups";
+ location = "/var/lib/postgres-backups";
 backupAll = true;
 };
+
+ services.rsync-pull-targets = {
+ enable = true;
+ locations.${config.services.postgresqlBackup.location} = {
+ user = "root";
+ rrsyncArgs.ro = true;
+ authorizedKeysAttrs = [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvO7QX7QmwSiGLXEsaxPIOpAqnJP3M+qqQRe5dzf8gJ postgresql rsync backup";
+ };
+ };
 }
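Review bot: Both new pull targets log in as `user = "root";` (here in mysql.nix and again in the postgres.nix hunk), so the backup puller's key is a root credential on bicep, confined only by `rrsyncArgs.ro` and what is presumably a forced rrsync command. If the dump directories can be made readable by a dedicated account, or by the account that writes the dumps, point `user` at that instead so a flaw in the wrapper or a leaked key does not start from root. The key is also accepted from any source address; assuming the module writes `authorizedKeysAttrs` verbatim into the key's options field, adding `"from=\"<backup-host-address>\""` would pin it to the pulling host. As a style point, `restrict` already disables agent, port and X11 forwarding and PTY allocation in OpenSSH, so the four `no-*` entries are redundant, and a one-line comment saying they are kept for explicitness would help.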
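Review bot: The `location` change from `/var/lib/postgres/backups` to `/var/lib/postgres-backups` is not mentioned in the commit message, and nothing visible here migrates or removes the old directory, so dumps already written there stay on disk outside the new pull target. With `backupAll = true` those dumps presumably come from pg_dumpall and include role definitions, so they should be moved or deleted deliberately rather than left behind. A comment above the option such as `# moved out of the postgres state directory so the rsync pull target exposes only dumps` would record the reason, if that is the reason. The enclosing attribute set begins outside the hunk.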