config/hosts/florp/configuration.nix

@@ -1,4 +1,4 @@
-{ lib, ... }: {
+{ lib, config, ... }: {
   imports = [
     ../../common
     ../../profiles/headless.nix
@@ -13,7 +13,9 @@
   };
   kyouma.nginx.defaultForbidden = "florp.social";
 
-  kyouma.restic = {
+  kyouma.restic = let
+    pgBackup = "/var/cache/postgresql.sql";
+  in {
     enable = true;
     remoteUser = "zh3485s1";
     timerConfig = {
@@ -22,9 +24,21 @@
     };
     paths = [
       "/var/lib/akkoma"
-      "/var/lib/postgresql"
       "/var/lib/secrets"
+      pgBackup
     ];
+
+    backupPrepareCommand = ''
+      umask 0077
+      rm -f -- ${pgBackup}
+      ${lib.getExe' config.services.postgresql.package "pg_dumpall"} \
+        -U ${config.services.postgresql.superUser} \
+        -f ${pgBackup}
+    '';
+
+    backupCleanupCommand = ''
+      rm -f -- ${pgBackup}
+    '';
   };
   systemd.network.networks."98-eth-default" = {
     address = [

modules/restic/default.nix

@@ -48,6 +48,19 @@ in {
         Persistent = true;
       };
     };
+
+    # FIXME: Can these be just inherited?
+    backupPrepareCommand = mkOption {
+      description = "preparation script";
+      type = with types; nullOr str;
+      default = null;
+    };
+
+    backupCleanupCommand = mkOption {
+      description = "cleanup script";
+      type = with types; nullOr str;
+      default = null;
+    };
   };
   config = lib.mkIf cfg.enable {
     sops.secrets."restic/${cfg.remoteUser}/password" = {