1.7 KiB
Per-service backup record — template
Copy this file to roles/<service>/BACKUP.md when building a stateful service
role (ADR-022). It is the per-service backup record: what state the service holds,
how it is captured consistently, and how it is restored. The structured parts are
rendered from the role's backup__* data (the single source of truth that also
drives /check-backup) — keep the data authoritative and regenerate this file rather
than hand-editing the tables. The prose "Restore notes" tail is hand-written.
A stateless service (holds no persistent data) does not get a BACKUP.md; it sets
backup__state: false with a reason in its role defaults instead.
Delete this preamble in the copy and start from the heading below.
Backup —
State captured
Rendered from backup__*:
| What | Source | How captured |
|---|---|---|
| data dir(s) | <backup__paths[*]> |
file-level, pulled read-only |
| database | <backup__dumps[*].cmd> → <backup__dumps[*].dest> |
logical dump (default; ADR-022 Decision 7) |
- Quiesce:
<backup__quiesce>—truemeans the service is stopped → backed up → restarted (escape hatch for data that cannot be dumped live; ADR-022 Decision 7 B). - RPO: ~24 h (nightly; ADR-022 Decision 2).
Restore procedure
- Re-provision the host (Terraform) and redeploy this role (Ansible) — Model A.
restic restorethe latest snapshot for<backup__service>into<backup__paths>.- Replay each
<backup__dumps[*].dest>into its database. - Confirm with this role's
VERIFY.mdchecks (ADR-008/017).
Restore notes
Prose the data can't capture — ordering gotchas, "restore the DB before the data dir", known-tricky migrations.