Backup pipeline number two is live. ✅
A couple of weeks back I posted about restic snapshots from the Pi to the VPS. That covers most things, but not the Postgres database behind my portfolio. So I built a separate encrypted pipeline for it.
🔐 The flow:
🔹 A least-privilege postgres-backup-user role runs pg_dump
🔹 Output is piped through age for encryption (plaintext never lands on disk)
🔹 rclone uploads the encrypted dump to a private Backblaze B2 bucket
🔹 Lifecycle rules handle retention: 30 days for dailies, 180 for weeklies
🔹 Discord webhooks fire on failure
📦 B2 is cheap and S3-compatible, so swapping providers later is straightforward. The age encryption means the bucket holding my data is opaque even to Backblaze. The least-privilege role limits the blast radius if those credentials ever leak.
Same testing discipline as the restic job. Broke it on purpose, watched the alerting work, let it run unattended for a few days.
Two pipelines down. Both verified. The Pi and the VPS now both have proper recovery stories.
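The flow above, sketched as a script. This is an added example, not the author's actual job: the database name, rclone remote and bucket, recipients-file path, the `DISCORD_WEBHOOK_URL` variable, the `daily/` and `weekly/` prefixes and the Sunday rule are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: nightly pg_dump -> age -> rclone, never writing plaintext to disk.
# Assumed names (not from the post): database "portfolio", rclone remote "b2:",
# bucket "pg-backups", recipients file path, DISCORD_WEBHOOK_URL env var.
set -eu

DB_NAME="${DB_NAME:-portfolio}"
DB_ROLE="${DB_ROLE:-postgres-backup-user}"
AGE_RECIPIENTS="${AGE_RECIPIENTS:-/etc/pg-backup/recipients.txt}"
REMOTE="${REMOTE:-b2:pg-backups}"

# Assumption: Sunday dumps go under weekly/ so a per-prefix lifecycle rule can
# keep them 180 days; everything else goes under daily/ (30 days).
object_key() {  # $1 = ISO day of week (1-7), $2 = timestamp
    if [ "$1" -eq 7 ]; then prefix=weekly; else prefix=daily; fi
    printf '%s/%s-%s.dump.age\n' "$prefix" "$DB_NAME" "$2"
}

# Build the Discord webhook JSON body, escaping backslashes and quotes.
alert_payload() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"content":"%s"}\n' "$escaped"
}

notify_failure() {
    curl -fsS -H 'Content-Type: application/json' \
        -d "$(alert_payload "$1")" "$DISCORD_WEBHOOK_URL" >/dev/null
}

run_backup() {
    set -o pipefail   # bash: a failing pg_dump or age fails the whole pipeline
    key=$(object_key "$(date -u +%u)" "$(date -u +%Y%m%dT%H%M%SZ)")
    # Only the public recipients live on this host; the age identity that can
    # decrypt stays elsewhere, so neither this box nor B2 can read the dump.
    if ! pg_dump --username="$DB_ROLE" --format=custom --no-password "$DB_NAME" \
            | age --recipients-file "$AGE_RECIPIENTS" \
            | rclone rcat "$REMOTE/$key"; then
        rclone deletefile "$REMOTE/$key" 2>/dev/null || true  # drop truncated object, best effort
        notify_failure "pg backup FAILED for $DB_NAME ($key) on $(hostname)"
        return 1
    fi
}

# Run only when invoked as "pg-backup.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then run_backup; fi
```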