authorVincent Ambo <mail@tazj.in>2020-08-01T16·56+0100
committertazjin <mail@tazj.in>2020-08-01T21·50+0000
commit09b3d200318c581375bea411b3753cf3d15dcf0a (patch)
tree7deeb306b43b54089187208fb5407c1b5fa030a7 /ops
parentf7a85c5060301bcbd2fb71881de8b65226cacd81 (diff)
feat(whitby): Include PostgreSQL dumps in Restic backups r/1531
Changes the restic backup service to run as root, rather than git, and
include the PostgreSQL dumps in its scope.

The on-machine credentials have already been placed in the right
location in /var/backup/restic

Fixes: 27
Change-Id: Iae76357442f07596a2297ce7b6d51aae392d2074
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1541
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
Diffstat (limited to 'ops')
-rw-r--r--ops/nixos/whitby/default.nix13
1 files changed, 6 insertions, 7 deletions
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index 7eb85e5e80..899dee0971 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -286,17 +286,16 @@ in lib.fix(self: {
     };
   };
 
-  # Regularly back up Gerrit to Google Cloud Storage.
-  systemd.services.restic-gerrit = {
-    description = "Gerrit backups to Google Cloud Storage";
-    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit";
-    serviceConfig.User = "git";
+  # Regularly back up whitby to Google Cloud Storage.
+  systemd.services.restic = {
+    description = "Backups to Google Cloud Storage";
+    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
 
     environment = {
       GOOGLE_PROJECT_ID = "tazjins-infrastructure";
-      GOOGLE_APPLICATION_CREDENTIALS = "/var/lib/git/restic/gcp-key.json";
+      GOOGLE_APPLICATION_CREDENTIALS = "/var/backup/restic/gcp-key.json";
       RESTIC_REPOSITORY = "gs:tvl-fyi-backups:/whitby";
-      RESTIC_PASSWORD_FILE = "/var/lib/git/restic/secret";
+      RESTIC_PASSWORD_FILE = "/var/backup/restic/secret";
       RESTIC_EXCLUDE_FILE = builtins.toFile "exclude-files" ''
         /var/lib/gerrit/tmp
       '';
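Review bot: Dropping `serviceConfig.User = "git"` makes `systemd.services.restic` run as unrestricted root, although the job only needs to read `/var/lib/gerrit`, `/var/backup/postgresql` and the two credential files under `/var/backup/restic`. Consider confining the unit with `serviceConfig.ProtectSystem = "strict";` and `serviceConfig.NoNewPrivileges = true;`; if restic should keep a local cache under that setting, it would also need a writable systemd cache directory with `RESTIC_CACHE_DIR` pointing at it. The commit message says the key and password files were placed by hand, so a comment such as `# /var/backup/restic is provisioned manually; keep it root-owned, dir 0700, files 0600` would record an expectation the config cannot enforce. The attribute set continues past the end of the hunk, so any `serviceConfig` lines further down are not visible here.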