WIP: backup mysql

flake.lock

@@ -1,26 +1,5 @@
 {
   "nodes": {
-    "dibbler": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1693682284,
-        "narHash": "sha256-FvVCkHH80YyUiqQlnGNr49rZRBniihF6YRpytguEkFQ=",
-        "ref": "refs/heads/master",
-        "rev": "8a6a0c12ba37e239684d2de1be12fd73903cfb2c",
-        "revCount": 193,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -43,7 +22,7 @@
     },
     "fix-python": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
         "nixpkgs": [
           "grzegorz",
           "nixpkgs"
@@ -67,24 +46,6 @@
       "inputs": {
         "systems": "systems"
       },
-      "locked": {
-        "lastModified": 1692799911,
-        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_2"
-      },
       "locked": {
         "lastModified": 1689068808,
         "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
@@ -268,7 +229,6 @@
     },
     "root": {
       "inputs": {
-        "dibbler": "dibbler",
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
@@ -316,21 +276,6 @@
         "repo": "default",
         "type": "github"
       }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -17,9 +17,6 @@
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
-    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git";
-    dibbler.inputs.nixpkgs.follows = "nixpkgs";
-
     matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -127,13 +124,6 @@
         ];
       };
       buskerud = stableNixosConfig "buskerud" { };
-      skrott = stableNixosConfig "skrott" {
-        system = "aarch64-linux";
-        modules = [
-          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
-          inputs.dibbler.nixosModules.default
-        ];
-      };
     };
 
     nixosModules = {
@@ -157,7 +147,6 @@
 
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-        skrot = self.nixosConfigurations.skrott.config.system.build.sdImage;
       } //
       (nixlib.pipe null [
         (_: pkgs.callPackage ./packages/mediawiki-extensions { })

hosts/bicep/services/mysql.nix

@@ -1,4 +1,7 @@
 { pkgs, lib, config, values, ... }:
+let
+  backupDir = "/var/lib/mysql/backups";
+in
 {
   sops.secrets."mysql/password" = {
     owner = "mysql";
@@ -36,11 +39,6 @@
     }];
   };
 
-  services.mysqlBackup = {
-    enable = true;
-    location = "/var/lib/mysql/backups";
-  };
-
   networking.firewall.allowedTCPPorts = [ 3306 ];
 
   systemd.services.mysql.serviceConfig = {
@@ -50,4 +48,51 @@
       values.ipv6-space
     ];
   };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-mysql" = {
+    description = "Backup MySQL data";
+    requires = [ "mysql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.mysql.package
+    ];
+
+    script = let
+      rotations = 10;
+      sshTarget1 = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
+      sshTarget2 = "root@isvegg.pvv.ntnu.no:/mnt/backup2/bicep/mysql";
+    in ''
+      set -eo pipefail
+
+      mysqldump | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${sshTarget1}'
+      rsync -avz --delete "${backupDir}" '${sshTarget2}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "mysql";
+      Group = "mysql";
+      UMask = "0077";
+      ReadWritePaths = [ backupDir ];
+    };
+
+    startAt = "*-*-* 02:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
+    user = "mysql";
+    group = "mysql";
+    mode = "700";
+  };
 }

hosts/bicep/services/postgres.nix

@@ -1,6 +1,7 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
+  backupDir = "/var/lib/postgresql/backups";
 in
 {
   services.postgresql = {
@@ -89,9 +90,50 @@ in
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];
 
-  services.postgresqlBackup = {
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
-    enable = true;
+  #       another unit, it was easier to just make one ourselves
-    location = "/var/lib/postgres/backups";
+  systemd.services."backup-postgresql" = {
-    backupAll = true;
+    description = "Backup PostgreSQL data";
+    requires = [ "postgresql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.postgresql.package
+    ];
+
+    script = let
+      rotations = 10;
+      sshTarget1 = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
+      sshTarget2 = "root@isvegg.pvv.ntnu.no:/mnt/backup2/bicep/postgresql";
+    in ''
+      set -eo pipefail
+
+      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${sshTarget1}'
+      rsync -avz --delete "${backupDir}" '${sshTarget2}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      Group = "postgres";
+      UMask = "0077";
+      ReadWritePaths = [ backupDir ];
+    };
+
+    startAt = "*-*-* 01:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
+    user = "postgres";
+    group = "postgres";
+    mode = "700";
   };
 }

hosts/skrott/configuration.nix

@@ -1,10 +0,0 @@
-{ lib, values, ... }: {
-  system.stateVersion = "22.05";
-
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "eth0";
-    address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  networking.hostName = lib.mkForce "skrot";
-}

values.nix

@@ -63,10 +63,6 @@ in rec {
       ipv4 = pvv-ipv4 231;
       ipv6 = pvv-ipv6 231;
     };
-    skrott = {
-      ipv4 = pvv-ipv4 235;
-      ipv6 = pvv-ipv6 235;
-    };
   };
 
   defaultNetworkConfig = {