dotfiles/platforms/nixos/modules/nmasur/presets/services/litestream.nix

# This is my setup for backing up SQlite databases and other systems to S3 or
# S3-equivalent services (like Backblaze B2).

{ config, lib, ... }:

let
  cfg = config.nmasur.presets.services.litestream;
in
{

  options.nmasur.presets.services.litestream = {
    enable = lib.mkEnableOption "Litestream SQLite backups";
    s3 = {
      endpoint = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        description = "S3 endpoint for Litestream backups";
        # default = null;
      };
      bucket = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        description = "S3 bucket for Litestream backups";
        # default = null;
      };
      accessKeyId = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        description = "S3 access key ID for Litestream backups";
        # default = null;
      };
      accessKeySecret = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        description = "S3 secret key path for Litestream backups";
        default = ../../../../../../private/backup.age;
      };
    };
  };

  config = lib.mkIf (cfg.enable) {

    users.groups.backup = { };

    secrets.litestream-backup = {
      source = cfg.s3.accessKeySecret;
      dest = "${config.secretsDirectory}/backup";
      group = "backup";
      permissions = "0440";
    };

    users.users.litestream.extraGroups = [ "backup" ];

    services.litestream = {
      enable = true;
      environmentFile = config.secrets.litestream-backup.dest;
      settings = { };
    };

    # Broken on 2024-08-23
    # https://github.com/NixOS/nixpkgs/commit/0875d0ce1c778f344cd2377a5337a45385d6ffa0
    insecurePackages = [ "litestream-0.3.13" ];

    # Wait for secret to exist
    systemd.services.litestream = {
      after = [ "backup-secret.service" ];
      requires = [ "backup-secret.service" ];
      environment.AWS_ACCESS_KEY_ID = cfg.s3.accessKeyId;
    };

  };
}
backups and fish functions 2025-01-31 15:40:41 -05:00			`# This is my setup for backing up SQlite databases and other systems to S3 or`
			`# S3-equivalent services (like Backblaze B2).`

			`{ config, lib, ... }:`

			`let`
			`cfg = config.nmasur.presets.services.litestream;`
			`in`
			`{`

			`options.nmasur.presets.services.litestream = {`
			`enable = lib.mkEnableOption "Litestream SQLite backups";`
			`s3 = {`
			`endpoint = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`description = "S3 endpoint for Litestream backups";`
			`# default = null;`
			`};`
			`bucket = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`description = "S3 bucket for Litestream backups";`
			`# default = null;`
			`};`
			`accessKeyId = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`description = "S3 access key ID for Litestream backups";`
			`# default = null;`
			`};`
			`accessKeySecret = lib.mkOption {`
			`type = lib.types.nullOr lib.types.path;`
			`description = "S3 secret key path for Litestream backups";`
			`default = ../../../../../../private/backup.age;`
			`};`
			`};`
			`};`

			`config = lib.mkIf (cfg.enable) {`

			`users.groups.backup = { };`

			`secrets.litestream-backup = {`
			`source = cfg.s3.accessKeySecret;`
			`dest = "${config.secretsDirectory}/backup";`
			`group = "backup";`
			`permissions = "0440";`
			`};`

			`users.users.litestream.extraGroups = [ "backup" ];`

			`services.litestream = {`
			`enable = true;`
			`environmentFile = config.secrets.litestream-backup.dest;`
			`settings = { };`
			`};`

			`# Broken on 2024-08-23`
			`# https://github.com/NixOS/nixpkgs/commit/0875d0ce1c778f344cd2377a5337a45385d6ffa0`
			`insecurePackages = [ "litestream-0.3.13" ];`

			`# Wait for secret to exist`
			`systemd.services.litestream = {`
			`after = [ "backup-secret.service" ];`
			`requires = [ "backup-secret.service" ];`
			`environment.AWS_ACCESS_KEY_ID = cfg.s3.accessKeyId;`
			`};`

			`};`
			`}`