From 017483b17da59c4e18bf9bfc2b28768cc4947916 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 28 May 2025 23:39:50 +0200
Subject: [PATCH] Backup authentik
---
 machines/atlas/configuration.nix | 5 +++++
 nixos/backups-ng.nix | 37 +++++++++++++++++++-------------
 2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/machines/atlas/configuration.nix b/machines/atlas/configuration.nix
index 708939d..373d393 100644
--- a/machines/atlas/configuration.nix
+++ b/machines/atlas/configuration.nix
@@ -23,6 +23,11 @@
 deploymentName = "database";
 deploymentNamespace = "nextcloud";
 };
+
+ authentik = {
+ paths = ["/mnt/longhorn/persistent/volumes/authentik-db" "/mnt/longhorn/persistent/volumes/authentik-redis"];
+ scaleDeployments = false;
+ };
 };
 deployment = {
diff --git a/nixos/backups-ng.nix b/nixos/backups-ng.nix
index 6d160e3..3a7c76b 100644
--- a/nixos/backups-ng.nix
+++ b/nixos/backups-ng.nix
@@ -9,6 +9,10 @@
 paths = lib.mkOption {
 type = with lib.types; listOf str;
 };
+ scaleDeployments = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ };
 deploymentName = lib.mkOption {
 type = lib.types.str;
 };
@@ -32,21 +36,7 @@ in {
 # TODO: should have some timeout and alerting?
 config = {
 services.borgbackup.jobs =
- lib.mapAttrs (name: c: {
- inherit (c) paths;
- repo = "ssh://w553a7cb@w553a7cb.repo.borgbase.com/./repo";
- startAt = "*-*-* 00:00:00";
- # TODO: low benefit, but we could set borgbase's host keys here as they are published online.
- environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
- postHook = "${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=${toString c.replicaCount}";
- archiveBaseName = name;
-
- prune.keep = {
- within = "7d";
- weekly = 4;
- monthly = 6;
- };
-
+ lib.mapAttrs (name: c: let
 preHook = ''
 ${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=0
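Review bot: The new `authentik` job sets `scaleDeployments = false`, so `/mnt/longhorn/persistent/volumes/authentik-db` and `/mnt/longhorn/persistent/volumes/authentik-redis` are read while the pods are still writing to them, and nothing else in the hunk quiesces them. The volume names suggest live database and redis data directories (inferred from the names only), in which case the archive is at best crash-consistent and a restore may need recovery, whereas the nextcloud job above gets consistency by scaling to zero. If stopping authentik is not acceptable, either add a pre-hook that writes a dump into a backed-up path, or record the trade-off next to the flag: `# authentik is not scaled down: db/redis volumes are copied live, so the archive is only crash-consistent`. The enclosing attribute set starts before the hunk.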
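Review bot: The new `scaleDeployments` option in backups-ng.nix is declared without a `description`, so a reader of a job definition cannot tell what turning it off gives up. Suggest `description = "Scale the Kubernetes deployment to zero replicas before the backup and restore its replica count afterwards.";`, which is what the later hunk gates on it via `lib.mkIf c.scaleDeployments` (inferred from the second file section). It would also be worth saying in that description that `deploymentName`, `deploymentNamespace` and `replicaCount` are only consulted when the flag is true, since they remain declared without defaults. The enclosing `options` set starts and ends outside the hunk.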
@@ -55,6 +45,23 @@ in {
 sleep 2
 done
 '';
+ postHook = "${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=${toString c.replicaCount}";
+ in {
+ inherit (c) paths;
+ repo = "ssh://w553a7cb@w553a7cb.repo.borgbase.com/./repo";
+ startAt = "*-*-* 00:00:00";
+ # TODO: low benefit, but we could set borgbase's host keys here as they are published online.
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
+ postHook = lib.mkIf c.scaleDeployments postHook;
+ archiveBaseName = name;
+
+ prune.keep = {
+ within = "7d";
+ weekly = 4;
+ monthly = 6;
+ };
+
+ preHook = lib.mkIf c.scaleDeployments preHook;
 encryption = {
 passCommand = "cat ${config.sops.secrets."borg/borgPassphrase".path}";