feat(whitby): Configure Gerrit backups on whitby r/1268

Change-Id: I84245fb809725853a301f217cdb11eacc1984cae Reviewed-on: https://cl.tvl.fyi/c/depot/+/1103 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
author: Vincent Ambo <mail@tazj.in> 2020-07-12T13·46+0100
committer: tazjin <mail@tazj.in> 2020-07-12T14·11+0000
commit: 356dde149f9a15a4f801a582c5f029f3a9812937 (patch)
tree: a802bd4945a3f5a3a9e749de35f38c4c6b4cbfcd
parent: e035c46c6ea0e0f8542fc119dd71ef8bd1887f76 (diff)
1 files changed, 22 insertions, 0 deletions
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index 4441c7d8dacd..9015efac1ce2 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -220,6 +220,28 @@ in {
     };
   };
 
+  # Regularly back up Gerrit to Google Cloud Storage.
+  systemd.services.restic-gerrit = {
+    description = "Gerrit backups to Google Cloud Storage";
+    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit";
+    serviceConfig.User = "git";
+
+    environment = {
+      GOOGLE_PROJECT_ID = "tazjins-infrastructure";
+      GOOGLE_APPLICATION_CREDENTIALS = "/var/lib/git/restic/gcp-key.json";
+      RESTIC_REPOSITORY = "gs:tvl-fyi-backups:/whitby";
+      RESTIC_PASSWORD_FILE = "/var/lib/git/restic/secret";
+      RESTIC_EXCLUDE_FILE = builtins.toFile "exclude-files" ''
+        /var/lib/gerrit/tmp
+      '';
+    };
+  };
+
+  systemd.timers.restic-gerrit = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig.OnCalendar = "hourly";
+  };
+
   security.sudo.extraRules = [
     {
       groups = ["wheel"];
author	Vincent Ambo <mail@tazj.in>	2020-07-12T13·46+0100
committer	tazjin <mail@tazj.in>	2020-07-12T14·11+0000
commit	356dde149f9a15a4f801a582c5f029f3a9812937 (patch)
tree	a802bd4945a3f5a3a9e749de35f38c4c6b4cbfcd
parent	e035c46c6ea0e0f8542fc119dd71ef8bd1887f76 (diff)