feat: add azure postgres backups

still need to change the placeholder secrets

Author: langsjo

tikpannu-nixos-config/modules/backup/azure/default.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.tik-backup;
+in
+{
+  imports = [
+    ./postgresql.nix
+  ];
+
+  options.services.tik-backup = {
+    azure.enable = (lib.mkEnableOption "backing up of Azure data") // {
+      default = cfg.enable;
+      defaultText = lib.literalExpression ''
+        config.services.tik-backup.enable
+      '';
+    };
+  };
+
+  config.assertions = [
+    {
+      assertion = cfg.azure.enable -> cfg.enable;
+      message = ''
+        `services.tik-backup.azure.enable` cannot be enabled without `services.tik-backup.enable`
+      '';
+    }
+  ];
+}

tikpannu-nixos-config/modules/backup/azure/postgresql.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.tik-backup;
+  subdir = "azure-psql";
+  user = "azure-psql";
+
+  stagingScript = pkgs.writeShellApplication {
+    name = "stage-azure-psql-backup";
+    runtimeInputs = with pkgs; [
+      postgresql
+    ];
+    text = builtins.readFile ./stage-postgresql.sh;
+  };
+in
+{
+  options.services.tik-backup.azure = {
+    postgresql = {
+      enable = (lib.mkEnableOption "backing up postgresql databases") // {
+        default = cfg.azure.enable;
+        defaultText = lib.literalExpression ''
+          config.services.tik-backup.azure.enable
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.azure.postgresql.enable {
+    assertions = [
+      {
+        assertion = cfg.azure.postgresql.enable -> cfg.azure.enable;
+        message = ''
+          `services.tik-backup.azure.postgresql.enable` cannot be enabled without `services.tik-backup.azure.enable`
+        '';
+      }
+    ];
+
+    sops = {
+      secrets =
+        lib.genAttrs
+          [
+            "azure/pguser"
+            "azure/pghost"
+            "azure/pgpass"
+          ]
+          (name: {
+            sopsFile = ../../secrets/backup.yaml;
+          });
+      templates.azure-psql-envfile = {
+        owner = user;
+        content = ''
+          PGUSER=${config.sops.placeholder."azure/pguser"}
+          PGHOST=${config.sops.placeholder."azure/pghost"}
+          PGPASSWORD=${config.sops.placeholder."azure/pgpass"}
+        '';
+      };
+    };
+
+    services.tik-backup = {
+      stagingServices = [ "stage-azure-psql.service" ];
+      stagingSubdirs = [
+        {
+          inherit subdir user;
+        }
+      ];
+    };
+
+    systemd.services.stage-azure-psql = {
+      description = "Backup Azure postgresql databases";
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      restartIfChanged = false;
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = config.sops.templates.azure-psql-envfile.path;
+        ExecStart = ''${lib.getExe stagingScript} "${cfg.stagingDir}/${subdir}/"'';
+        User = user;
+        Group = user;
+      };
+    };
+
+    users = {
+      users.${user} = {
+        isSystemUser = true;
+        group = user;
+      };
+      groups.${user} = { };
+    };
+  };
+}

tikpannu-nixos-config/modules/backup/azure/stage-postgresql.sh

@@ -0,0 +1,61 @@
+# $1 = target directory to stage to
+set -euo pipefail
+
+die() {
+  echo "${1:?}" >&2
+  exit "${2:-1}"
+}
+
+targetdir="$1"
+if [[ -z "$targetdir" || ! -d "$targetdir" || ! -w "$targetdir" ]]; then
+  die "fatal: target directory should be passed as the first argument"
+fi
+
+
+: "${PGHOST:?}"
+: "${PGUSER:?}"
+: "${PGPASSWORD:?}"
+
+db_list=$(
+  psql -d postgres --no-align --tuples-only -c \
+  "SELECT datname FROM pg_database
+  WHERE datistemplate = false
+  AND datname NOT IN ('postgres', 'azure_maintenance', 'azure_sys');"
+) || {
+  die "fatal: failed to list databases with psql"
+}
+
+if [[ -z "$db_list" ]]; then
+  die "fatal: no databases found"
+fi
+
+# read newline separated string into array indices
+mapfile -t databases_arr <<< "$db_list"
+
+echo "Found postgresql databases:"
+printf "%s\n" "${databases_arr[@]}"
+
+all_succeeded=true
+[[ -d "$targetdir" ]] || die "fatal: target directory '$targetdir' does not exist"
+
+for db in "${databases_arr[@]}"; do
+  [[ -n "$db" ]] || continue
+
+  outTarget="$targetdir/$db.dump"
+  echo "Staging $db to $outTarget"
+  if ! pg_dump -d "$db" --format=directory --compress=none -f "$outTarget"; then
+    echo "ERROR: failed to stage $db" >&2
+    all_succeeded=false
+  else
+    echo "Staged $db"
+  fi
+done
+
+# Allow backup group to read and delete all
+chmod -R g+rwX "$targetdir"/*
+
+if [[ "$all_succeeded" != true ]]; then
+  die "Not all databases were staged, failing..."
+fi
+
+echo "Done"

tikpannu-nixos-config/modules/backup/configuration.nix

@@ -1,6 +1,7 @@
 {
   services.tik-backup = {
     enable = true;
+    azure.enable = true;
     storageboxServer = "u563055.your-storagebox.de";
     storageboxMountPath = "/mnt/backup";
     stagingDir = "/var/lib/backup";

tikpannu-nixos-config/modules/backup/default.nix

@@ -4,6 +4,7 @@ let
 in
 {
   imports = [
+    ./azure
     ./configuration.nix
     ./storagebox.nix
     ./secrets.nix

tikpannu-nixos-config/modules/secrets/backup.yaml

@@ -1,6 +1,10 @@
 storagebox-credentials: ENC[AES256_GCM,data:1O1uDtmpty4Dc/rf65y8RalGLeBjZTK3JDG6bwSiyBSeJXuNH9Cf0ABF343A9j1/djNk1bS1eWWXrA8=,iv:9R4KChsmqPdzE4eEwbLlsmp+N91ez/2thv5qQUWQjdU=,tag:G903ZbTtY4fzPXP8SbC+eg==,type:str]
 restic-password: ENC[AES256_GCM,data:lEP6UAPyESSrt5sXsxMomj2BKbmGoFMYBBKzaCImFvgZT5YKdWjEYFFoqZt+X8Aldd1JCCA5fNy3Jt+1LjNzxw==,iv:EjlNSLSH4wAs0Pxan2EywjIS9Ef+/JJ1T16mQvIPbHQ=,tag:VEwmngYfgRB9qaBUA6OB7g==,type:str]
 gatus-token: ENC[AES256_GCM,data:j+ZoY6ekV2R/WfdqEklsuK48ieXhCTWTnDsKBolxSpI=,iv:X1TQuPOpezUurS0XoaY4XXbIhzv2dRcFGvxCUS4I/fg=,tag:m1x98Z6JFkFCQny8K3Sugg==,type:str]
+azure:
+  pguser: ENC[AES256_GCM,data:LwgJWacmgaNlv78=,iv:+iBqlUAONePoTtXwGKogN9Q1mgT6Mg5PFeGOxMCcJ64=,tag:yGBYh/weKtdHp/emDB4E9w==,type:str]
+  pghost: ENC[AES256_GCM,data:2+s5U+mv3MJj4Rw=,iv:sT0ivRVGY7DtNSAHcpHT7BQd9n6fCefA04n71biNWmM=,tag:ex2bn6xInOa0GaJKQK4p4A==,type:str]
+  pgpass: ENC[AES256_GCM,data:L+Uuu5eGaxn3jN0=,iv:d2Zm7jFcd/GZvUfcHFGmmZuz9QjAniFCDogIzilm5P4=,tag:VQaySczOt1XiiWy7Y050xw==,type:str]
 sops:
   age:
     - recipient: age1lp4pv3x95n2z4dh024f0ev05gnwrwf7n67z0c75cxa2vtus704msxgv700
@@ -31,7 +35,7 @@ sops:
         ErFcJu5H3iDzyafp5QPEwiT1WU070LvVofxkcmIbyDI5ARAv7jiut7O9B1LjZ2Un
         dJU=
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-03-26T13:17:52Z"
-  mac: ENC[AES256_GCM,data:2clPaNZBmLpEXUx0sJz9OAstZndGYuXNN2h3hd9adsjAthj6LeHjrBMNS2Syx4NQAH7dX1kdplY8ZJNJALCasf6HKEkD9HcUGNawZwNE+fK4vMNv5MW47B7vXEVcDYnRSPI9BjgUzY15//9tMit7nw89FAuuxmgOE6H6b1DdaYU=,iv:Xkbz8gEtC9ivJABtwMG4+rfPJ2tR5dDoStrMo+6PpRg=,tag:CJ7MaVfEDZ9Hlx0667e9mQ==,type:str]
+  lastmodified: "2026-03-31T17:00:20Z"
+  mac: ENC[AES256_GCM,data:mRovsL4LM6dBVncpEi86/2qjtzQOQGEy/VLi1fFL/ZvsgzIoIFxmwfBMgUuIEFbqEfl7UWOwaj9HgBob/njBujdqclBpOo4gekY/7qwNDWS4yLRQzqj9j0MBW/P6WOXTlpl1PpzVqBMEq1t0yLC/YPlX9L+IFjRWVlIXoMEpFC0=,iv:eKmTaU6RljaCP5Wgrfd7zP5ub1AoWSezAxhGhGovay8=,tag:Hpg1xPp7OjX/wThWhyv9lA==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.11.0

tikpannu-nixos-config/tests/backups.nix

@@ -11,8 +11,41 @@
       ./base-pannu-config.nix
     ];
 
-    services.tik-backup.enable = lib.mkForce true;
+    services.tik-backup = {
+      enable = lib.mkForce true;
+      azure.enable = lib.mkForce true;
+      azure.postgresql.enable = lib.mkForce true;
+    };
 
+    # Enable a local PostgreSQL server and create mock DBs for the test VM.
+    services.postgresql = {
+      enable = lib.mkForce true;
+      ensureDatabases = [
+        "mock1"
+        "mock2"
+        "mock3"
+      ];
+      ensureUsers = [
+        {
+          name = "azure-psql-backup";
+          ensureClauses = {
+            password = "verygoodpass";
+          };
+        }
+      ];
+    };
+
+    systemd.services.stage-azure-psql = {
+      requires = [ "postgresql.target" ];
+      after = [ "postgresql.target" ];
+      serviceConfig.EnvironmentFile = lib.mkForce (
+        pkgs.writeText "envfile" ''
+          PGHOST=127.0.0.1
+          PGUSER=azure-psql-backup
+          PGPASSWORD=verygoodpass
+        ''
+      );
+    };
     # Enable discourse for the backup logic, not to run it
     services.discourse.enable = lib.mkForce true;
     systemd.services.discourse.wantedBy = lib.mkForce [ ];
@@ -51,14 +84,19 @@
 
     pannu.succeed("systemctl start restic-backups-tik-backup.service")
     unit_succeeded("discourse-stage-backup.service")
+    unit_succeeded("stage-azure-psql.service")
+
+
+    # Backup user must be able to clean up this dir
+    pannu.succeed("sudo -u backup sh -c 'rm -rf /var/lib/backup/*'")
 
     _, stdout = pannu.execute("restic-tik-backup ls latest")
     print("Backed up files:")
     print(stdout)
 
     # At least min_files files must exist in the backup. This does not include
     # directories.
-    min_files = 1
+    min_files = 4
     stdout = pannu.succeed(f''''
       restic-tik-backup ls --json latest \\
       | jq --exit-status --slurp \\

tikpannu-nixos-config/tests/base-pannu-config.nix

@@ -48,7 +48,10 @@ in
     };
   };
 
-  services.tik-backup.enable = mkWeakForce false;
+  services.tik-backup = {
+    enable = mkWeakForce false;
+    azure.enable = mkWeakForce false;
+  };
   services.restic.backups.tik-backup = lib.mkIf config.services.tik-backup.enable {
     passwordFile = mkWeakForce resticPassFile.outPath;
   };