feat(tazjin/camden): Regularly back up Gerrit to GCS r/982

This configures a timer that will push hourly, incremental backups of
Gerrit's state (including repositories) to GCS.

The GCS bucket tvl-fyi-backups is an Archive-class bucket in the
tazjins-infrastructure project.

Change-Id: I3bb5b084d8dd929bc4c3e51ddfb524b78d9445cb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/397
Reviewed-by: glittershark <grfn@gws.fyi>

1 files changed, 27 insertions, 1 deletions

diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 9bdebac5f5..d74189c0cb 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -129,12 +129,14 @@ in lib.fix(self: {
       curl
       direnv
       emacs26-nox
-      gnupg
       git
+      gnupg
+      google-cloud-sdk
       htop
       jq
       pass
       pciutils
+      restic
       ripgrep
     ]);
 
@@ -460,5 +462,29 @@ in lib.fix(self: {
     };
   };
 
+  # Regularly back up Gerrit to Google Cloud Storage.
+  systemd.user.services.restic-gerrit = {
+    description = "Gerrit backups to Google Cloud Storage";
+    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit";
+    environment = {
+      RESTIC_REPOSITORY = "gs:tvl-fyi-backups:/camden";
+      RESTIC_PASSWORD_FILE = "%h/.config/restic/secret";
+      RESTIC_EXCLUDE_FILE = builtins.toFile "exclude-files" ''
+        /var/lib/gerrit/etc/secure.config
+        /var/lib/gerrit/etc/ssh_host_*_key
+        /var/lib/gerrit/etc/ssh_host_*_key
+        /var/lib/gerrit/etc/ssh_host_*_key
+        /var/lib/gerrit/etc/ssh_host_*_key
+        /var/lib/gerrit/etc/ssh_host_*_key
+        /var/lib/gerrit/tmp
+      '';
+    };
+  };
+
+  systemd.user.timers.restic-gerrit = {
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "hourly";
+  };
+
   system.stateVersion = "19.09";
 })