Backup database to S3

mastodon.nix

@@ -53,12 +53,37 @@ let
     for p in procs:
         p.wait()
   '';
+
+  s3cmd = pkgs.writeShellScript "s3cmd" ''
+    ${pkgs.s3cmd}/bin/s3cmd \
+      --access_key='${secrets.backup.accessKey}' \
+      --secret_key='${secrets.backup.secretKey}' \
+      --host='${secrets.backup.host}' \
+      --host-bucket='${secrets.backup.hostBucket}' \
+      $@
+  '';
+  bucket = secrets.backup.bucket;
 in {
   services.postgresqlBackup = {
     enable = true;
     databases = [ "mastodon" ];
+    compression = "gzip";
   };
 
+  systemd.services.postgresqlBackup-mastodon.serviceConfig.ExecStartPost =
+    pkgs.writeShellScript "backup-to-s3" ''
+      cd /var/backup/postgresql
+
+      ${pkgs.gnupg}/bin/gpg --batch --passphrase '${secrets.backup.password}' \
+                            --symmetric mastodon.sql.gz
+
+      ${s3cmd} rm ${bucket}/mastodon.prev.sql.gz.gpg
+      ${s3cmd} mv ${bucket}/mastodon.sql.gz.gpg ${bucket}/mastodon.prev.sql.gz.gpg
+      ${s3cmd} put mastodon.sql.gz.gpg ${bucket}/
+
+      rm mastodon.sql.gz.gpg
+    '';
+
   # Until merge of https://github.com/NixOS/nixpkgs/pull/202408
   systemd.services.mastodon-sidekiq.serviceConfig.ExecStart =
     lib.mkForce "${sidekiq-manager}";

secrets.nix.example

@@ -3,6 +3,15 @@
     ""
   ];
 
+  backup = {
+    password = "";
+    accessKey = "";
+    secretKey = "";
+    host = "";
+    hostBucket = "";
+    bucket = "";
+  };
+
   smtpPassword = "";
 
   vapidPublicKey = "";