From 68bfb287e1e24f7baa70e30718cd225ef45e40c2 Mon Sep 17 00:00:00 2001 From: Linnea Date: Thu, 30 Oct 2025 19:49:29 -0700 Subject: [PATCH 1/5] try to add db service --- .env.sample | 1 + compose.yml | 32 +++++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/.env.sample b/.env.sample index 0fd8b31..0fe97a1 100644 --- a/.env.sample +++ b/.env.sample @@ -28,4 +28,5 @@ LETS_ENCRYPT_ENV=production SECRET_SECRET_KEY_VERSION=v1 SECRET_JWT_KEY_VERSION=v1 +SECRET_DB_PASSWORD_VERSION=v1 diff --git a/compose.yml b/compose.yml index 0fb9937..8e75c21 100644 --- a/compose.yml +++ b/compose.yml @@ -6,15 +6,21 @@ services: image: baserow/baserow:1.35.3 networks: - proxy + - internal environment: - BASEROW_PUBLIC_URL=https://${DOMAIN} - SECRET_KEY_FILE=/run/secrets/secret_key - BASEROW_JWT_SIGNING_KEY_FILE=/run/secrets/jwt_key - BASEROW_CADDY_ADDRESSES=:80 - BASEROW_BUILDER_DOMAINS=${WILDCARD_DOMAIN} + - DATABASE_HOST=db + - DATABASE_NAME=postgres + - DATABASE_USER=postgres + - DATABASE_PASSWORD_FILE=/run/secrets/db_password secrets: - secret_key - jwt_key + - db_password deploy: restart_policy: condition: on-failure @@ -37,16 +43,37 @@ services: timeout: 10s retries: 10 start_period: 1m - volumes: - baserow_data:/baserow/data + db: + image: postgres:15 + volumes: + - postgres_data:/var/lib/postgresql/data + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD_FILE=/run/secrets/db_password + - POSTGRES_DB=postgres + networks: + internal: + deploy: + restart_policy: + condition: on-failure + secrets: + - db_password + healthcheck: + test: ["CMD-SHELL", "pg_isready", "-U", "postgres"] + interval: 10s + timeout: 5s + retries: 5 volumes: baserow_data: + postgres_data: networks: proxy: external: true + internal: secrets: secret_key: 
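Review bot: The app is pointed at the database as the bootstrap superuser, `DATABASE_USER=postgres` with `DATABASE_NAME=postgres`, so any flaw in the application layer carries full cluster rights instead of rights over one database. A dedicated non-superuser role that owns a dedicated database (for example `DATABASE_USER=baserow` and `DATABASE_NAME=baserow`, created by an init script on the db side) would narrow that. The official postgres image makes whatever `POSTGRES_USER` names a superuser, so renaming alone does not reduce privilege. It is also worth confirming that this Baserow image honours the `_FILE` form for `DATABASE_PASSWORD`, since the hunk relies on it. The `app` service definition starts and continues outside this hunk.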
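Review bot: The healthcheck `test: ["CMD-SHELL", "pg_isready", "-U", "postgres"]` mixes the two forms: `CMD-SHELL` expects one command string, and the extra list items most likely end up as positional parameters of the shell rather than arguments of `pg_isready`, so the probe would run without `-U postgres`. Either `test: ["CMD", "pg_isready", "-U", "postgres"]` or `test: ["CMD-SHELL", "pg_isready -U postgres"]` says what is meant. Separately, the new `internal` network is declared without `internal: true`; the db service needs no outbound access, so adding it would keep the database off any external route, while the app would still reach the proxy through its own `proxy` network. `image: postgres:15` also floats across minor releases while the app image is pinned to an exact version.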
@@ -55,3 +82,6 @@ secrets: jwt_key: external: true name: ${STACK_NAME}_jwt_key_${SECRET_JWT_KEY_VERSION} + db_password: + external: true + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} -- 2.49.0 From d17155f799947e035aa24470de48e0baedb1d194 Mon Sep 17 00:00:00 2001 From: Linnea Date: Thu, 30 Oct 2025 20:13:24 -0700 Subject: [PATCH 2/5] update secret version --- .env.sample | 4 ++-- compose.yml | 26 ++++++++++++++------------ 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/.env.sample b/.env.sample index 0fe97a1..e09b851 100644 --- a/.env.sample +++ b/.env.sample @@ -26,7 +26,7 @@ LETS_ENCRYPT_ENV=production # SECRET_EMAIL_SMTP_PASSWORD_VERSION=v1 # -SECRET_SECRET_KEY_VERSION=v1 -SECRET_JWT_KEY_VERSION=v1 +# SECRET_SECRET_KEY_VERSION=v1 +# SECRET_JWT_KEY_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1 diff --git a/compose.yml b/compose.yml index 8e75c21..3f1f194 100644 --- a/compose.yml +++ b/compose.yml @@ -4,22 +4,24 @@ version: "3.8" services: app: image: baserow/baserow:1.35.3 + depends_on: + - db networks: - proxy - internal environment: - BASEROW_PUBLIC_URL=https://${DOMAIN} - - SECRET_KEY_FILE=/run/secrets/secret_key - - BASEROW_JWT_SIGNING_KEY_FILE=/run/secrets/jwt_key - - BASEROW_CADDY_ADDRESSES=:80 - - BASEROW_BUILDER_DOMAINS=${WILDCARD_DOMAIN} + # - SECRET_KEY_FILE=/run/secrets/secret_key + # - BASEROW_JWT_SIGNING_KEY_FILE=/run/secrets/jwt_key + # - BASEROW_CADDY_ADDRESSES=:80 + # - BASEROW_BUILDER_DOMAINS=${WILDCARD_DOMAIN} - DATABASE_HOST=db - DATABASE_NAME=postgres - DATABASE_USER=postgres - DATABASE_PASSWORD_FILE=/run/secrets/db_password secrets: - - secret_key - - jwt_key + # - secret_key + # - jwt_key - db_password deploy: restart_policy: 
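Review bot: The added `depends_on: - db` probably has no effect in this deployment: the `deploy:` keys and external secrets suggest the file is consumed by `docker stack deploy`, and swarm mode ignores `depends_on`, so start-up ordering actually rests on the app's `restart_policy: condition: on-failure`. A short comment such as `# ignored by swarm; app restarts until db is reachable` would stop the next reader from relying on it. The same hunk, and the `@@ -76,12 +78,12 @@` hunk after it, comment out `SECRET_KEY_FILE`, `BASEROW_JWT_SIGNING_KEY_FILE` and their secret definitions under a subject that only mentions a secret version. Patch 3/5 restores them, so squashing 2/5 to 4/5 would avoid leaving a revision of the recipe that deploys without its managed keys. The `app` service continues past the end of this hunk.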
@@ -76,12 +78,12 @@ networks: internal: secrets: - secret_key: - external: true - name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} - jwt_key: - external: true - name: ${STACK_NAME}_jwt_key_${SECRET_JWT_KEY_VERSION} + # secret_key: + # external: true + # name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + # jwt_key: + # external: true + # name: ${STACK_NAME}_jwt_key_${SECRET_JWT_KEY_VERSION} db_password: external: true name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} -- 2.49.0 From 25ed229656720b0949e58631f9998da597005c65 Mon Sep 17 00:00:00 2001 From: Linnea Date: Thu, 30 Oct 2025 20:14:57 -0700 Subject: [PATCH 3/5] uncomment --- compose.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/compose.yml b/compose.yml index 3f1f194..dccb0ab 100644 --- a/compose.yml +++ b/compose.yml @@ -11,17 +11,17 @@ services: - internal environment: - BASEROW_PUBLIC_URL=https://${DOMAIN} - # - SECRET_KEY_FILE=/run/secrets/secret_key - # - BASEROW_JWT_SIGNING_KEY_FILE=/run/secrets/jwt_key - # - BASEROW_CADDY_ADDRESSES=:80 - # - BASEROW_BUILDER_DOMAINS=${WILDCARD_DOMAIN} + - SECRET_KEY_FILE=/run/secrets/secret_key + - BASEROW_JWT_SIGNING_KEY_FILE=/run/secrets/jwt_key + - BASEROW_CADDY_ADDRESSES=:80 + - BASEROW_BUILDER_DOMAINS=${WILDCARD_DOMAIN} - DATABASE_HOST=db - DATABASE_NAME=postgres - DATABASE_USER=postgres - DATABASE_PASSWORD_FILE=/run/secrets/db_password secrets: - # - secret_key - # - jwt_key + - secret_key + - jwt_key - db_password deploy: restart_policy: 
@@ -78,12 +78,12 @@ networks: internal: secrets: - # secret_key: - # external: true - # name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} - # jwt_key: - # external: true - # name: ${STACK_NAME}_jwt_key_${SECRET_JWT_KEY_VERSION} + secret_key: + external: true + name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + jwt_key: + external: true + name: ${STACK_NAME}_jwt_key_${SECRET_JWT_KEY_VERSION} db_password: external: true name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} -- 2.49.0 From 26cd26d509d348a0395cfdc6cffc1822d4f94365 Mon Sep 17 00:00:00 2001 From: Linnea Date: Thu, 30 Oct 2025 20:15:49 -0700 Subject: [PATCH 4/5] uncomment --- .env.sample | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.env.sample b/.env.sample index e09b851..0fe97a1 100644 --- a/.env.sample +++ b/.env.sample @@ -26,7 +26,7 @@ LETS_ENCRYPT_ENV=production # SECRET_EMAIL_SMTP_PASSWORD_VERSION=v1 # -# SECRET_SECRET_KEY_VERSION=v1 -# SECRET_JWT_KEY_VERSION=v1 +SECRET_SECRET_KEY_VERSION=v1 +SECRET_JWT_KEY_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1 -- 2.49.0 From a866918e92bc7e0505c6bd47a48d7dd6bf78fcfe Mon Sep 17 00:00:00 2001 From: Linnea Date: Mon, 3 Nov 2025 19:26:40 -0800 Subject: [PATCH 5/5] add backup labels --- abra.sh | 1 + compose.yml | 19 ++++++++++++++++--- pg_backup.sh | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 abra.sh create mode 100644 pg_backup.sh diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..edfd512 --- /dev/null +++ b/abra.sh @@ -0,0 +1 @@ +export PG_BACKUP_VERSION=v1 \ No newline at end of file diff --git a/compose.yml b/compose.yml index dccb0ab..641329b 100644 --- a/compose.yml +++ b/compose.yml 
@@ -60,13 +60,21 @@ services: deploy: restart_policy: condition: on-failure + labels: + backupbot.backup.pre-hook: "/pg_backup.sh backup" + backupbot.backup.volumes.postgres.path: "backup.sql" + backupbot.restore.post-hook: '/pg_backup.sh restore' + configs: + - source: pg_backup + target: /pg_backup.sh + mode: 0555 secrets: - db_password healthcheck: test: ["CMD-SHELL", "pg_isready", "-U", "postgres"] - interval: 10s - timeout: 5s - retries: 5 + interval: 30s + timeout: 10s + retries: 10 volumes: baserow_data: @@ -87,3 +95,8 @@ secrets: db_password: external: true name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + +configs: + pg_backup: + name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} + file: pg_backup.sh diff --git a/pg_backup.sh b/pg_backup.sh new file mode 100644 index 0000000..e83074d --- /dev/null +++ b/pg_backup.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +BACKUP_FILE='/var/lib/postgresql/data/backup.sql' + +function backup { + export PGPASSWORD=$(cat /run/secrets/db_password) + pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE +} + +function restore { + cd /var/lib/postgresql/data/ + restore_config(){ + # Restore allowed connections + cat pg_hba.conf.bak > pg_hba.conf + su postgres -c 'pg_ctl reload' + } + # Don't allow any other connections than local + cp pg_hba.conf pg_hba.conf.bak + echo "local all all trust" > pg_hba.conf + su postgres -c 'pg_ctl reload' + trap restore_config EXIT INT TERM + + # Recreate Database + psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" + createdb -U ${POSTGRES_USER} ${POSTGRES_DB} + psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE + + trap - EXIT INT TERM + restore_config +} + +$@ -- 2.49.0
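Review bot: The label `backupbot.backup.volumes.postgres.path` names a volume `postgres`, but the volume this service mounts is `postgres_data` (patch 1/5). If backup-bot matches that label segment against the volume name, the path filter never applies and the backup would presumably fall back to copying the live data directory rather than only `backup.sql`. `backupbot.backup.volumes.postgres_data.path: "backup.sql"` would line the two up; worth confirming against the backup-bot documentation. The `db` service and its `deploy:` block start outside this hunk.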
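Review bot: `restore` drops the database before checking that `$BACKUP_FILE` exists, and the final `psql ... -1 -f $BACKUP_FILE` runs without `-v ON_ERROR_STOP=1`, so a missing or damaged dump leaves an empty database; in the damaged case the script still exits 0, because psql carries on after SQL errors and the single transaction rolls back. Checking the file first and stopping on the first error closes both gaps. The trailing `$@` runs whatever arguments the script receives as a command; a `case` on `$1` limits it to the two intended entry points. While the restore runs, `pg_hba.conf` is reduced to `local all all trust`; the trap puts it back on EXIT/INT/TERM, but a kill that cannot be trapped leaves that file in place, so restoring from `pg_hba.conf.bak` should be documented as the recovery step.

```shell
function restore {
    # Refuse to touch the live database when there is nothing to restore from
    if [ ! -s "$BACKUP_FILE" ]; then
        echo "missing or empty $BACKUP_FILE" >&2
        exit 1
    fi
    # … unchanged: pg_hba.conf swap, reload, trap, DROP DATABASE and createdb …
    psql -v ON_ERROR_STOP=1 -U "${POSTGRES_USER}" -d "${POSTGRES_DB}" -1 -f "$BACKUP_FILE"
    # … unchanged: trap reset and restore_config …
}

# Only the two documented entry points are callable
case "${1:-}" in
    backup|restore) "$1" ;;
    *) echo "usage: $0 backup|restore" >&2; exit 2 ;;
esac
```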