From f08bd96b741a4611e837cfbc7a5655988d0b7186 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Thu, 29 Jan 2026 13:41:06 +0900
Subject: [PATCH] bicep/{postgres,mysql}: move backups to `/data`

---
 hosts/bicep/services/mysql/backup.nix      | 14 ++++++++++----
 hosts/bicep/services/postgresql/backup.nix | 13 ++++++++++---
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/hosts/bicep/services/mysql/backup.nix b/hosts/bicep/services/mysql/backup.nix
index 68fb18b..9824e66 100644
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.services.mysql;
-  backupDir = "/var/lib/mysql-backups";
+  backupDir = "/data/mysql-backups";
 in
 {
   # services.mysqlBackup = lib.mkIf cfg.enable {
@@ -9,6 +9,12 @@ in
   #   location = "/var/lib/mysql-backups";
   # };
 
+  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
+	  user = "mysql";
+	  group = "mysql";
+	  mode = "700";
+	};
+
   services.rsync-pull-targets = lib.mkIf cfg.enable {
     enable = true;
     locations.${backupDir} = {
@@ -42,8 +48,7 @@ in
     in ''
       set -eo pipefail
 
-      mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/mysql-dump.sql.gz"
-
+      mysqldump --all-databases | gzip -c -9 --rsyncable > "/var/lib/mysql-backups/mysql-dump.sql.gz"
     '';
 
     # NOTE: keep multiple backups and symlink latest one once we have more disk again
@@ -63,7 +68,8 @@ in
       IOSchedulingClass = "best-effort";
       IOSchedulingPriority = 7;
 
-      StateDirectory = [ (builtins.baseNameOf backupDir) ];
+      StateDirectory = [ "mysql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/mysql-backups" ];
 
       # TODO: hardening
     };
diff --git a/hosts/bicep/services/postgresql/backup.nix b/hosts/bicep/services/postgresql/backup.nix
index 86b172c..3b06652 100644
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.services.postgresql;
-  backupDir = "/var/lib/postgresql-backups";
+  backupDir = "/data/postgresql-backups";
 in
 {
   # services.postgresqlBackup = lib.mkIf cfg.enable {
@@ -10,6 +10,12 @@ in
   #   backupAll = true;
   # };
 
+  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
+	  user = "postgres";
+	  group = "postgres";
+	  mode = "700";
+	};
+
   services.rsync-pull-targets = lib.mkIf cfg.enable {
     enable = true;
     locations.${backupDir} = {
@@ -43,7 +49,7 @@ in
     in ''
       set -eo pipefail
 
-      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/postgresql-dump.sql.gz"
+      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "/var/lib//postgresql-backups/postgresql-dump.sql.gz"
     '';
 
     # pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
@@ -61,7 +67,8 @@ in
       IOSchedulingClass = "best-effort";
       IOSchedulingPriority = 7;
 
-      StateDirectory = [ (builtins.baseNameOf backupDir) ];
+      StateDirectory = [ "postgresql-backups" ];
+      BindPaths = [ "${backupDir}:/var/lib/postgresql-backups" ];
 
       # TODO: hardening
     };