authorGregor Kleen <gkleen@yggdrasil.li>2023-10-01 18:52:42 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2023-10-01 18:52:42 +0200
commitaa02038dfa3005a910e8c1b0885843786c8aa58c (patch)
tree43806d160c34fa425a58e76fc3ad347c64165a45
parent703f9a96a3ac014366c8151d306e9a3bc03b9df4 (diff)
vidhar(pgbackrest): srv02.uniworx.de
-rw-r--r--hosts/vidhar/pgbackrest/ca/.gitignore3
-rw-r--r--hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt11
-rw-r--r--hosts/vidhar/pgbackrest/default.nix30
3 files changed, 42 insertions, 2 deletions
diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
index aa000280..11adcd4d 100644
--- a/hosts/vidhar/pgbackrest/ca/.gitignore
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -1 +1,2 @@
1srv01.uniworx.de.key \ No newline at end of file 1srv01.uniworx.de.key
2srv02.uniworx.de.key
diff --git a/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
new file mode 100644
index 00000000..e083c867
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----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=
11-----END CERTIFICATE-----
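--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -4,6 +4,12 @@ let
  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
 in {
  config = {
+ assertions = [
+ (let
+ inherit (config.services.pgbackrest.package) version;
+ in { assertion = version == "2.45"; message = "Presumably incompatible pgBackRest version: ${version}"; })
+ ];
+
  services.pgbackrest = {
  enable = true;
  package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest;
@@ -54,6 +60,20 @@ in {
  repo2-retention-archive = 7;
  };
 
+ "srv02.uniworx.de" = {
+ pg1-host-type = "tls";
+ pg1-host = "srv02.uniworx.de";
+ pg1-host-ca-file = toString ./ca/ca.crt;
+ pg1-host-cert-file = toString ./ca/vidhar.crt;
+ pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ pg1-path = "/var/lib/postgresql/15";
+
+ repo2-path = "/var/lib/pgbackrest";
+ repo2-retention-full-type = "time";
+ repo2-retention-full = 14;
+ repo2-retention-archive = 7;
+ };
+
  "global" = {
  compress-type = "zst";
  compress-level = 9;
@@ -67,7 +87,7 @@ in {
  tls-server-ca-file = toString ./ca/ca.crt;
  tls-server-cert-file = toString ./ca/vidhar.crt;
  tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
- tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de"];
+ tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" "srv02.uniworx.de=srv02.uniworx.de"];
  };
 
  "global:archive-push" = {
@@ -93,6 +113,14 @@ in {
  group = "pgbackrest";
  timerConfig.OnCalendar = "daily Europe/Berlin";
  };
+
+ backups."srv02.uniworx.de-daily" = {
+ stanza = "srv02.uniworx.de";
+ repo = "2";
+ user = "pgbackrest";
+ group = "pgbackrest";
+ timerConfig.OnCalendar = "daily Europe/Berlin";
+ };
  };
 
  systemd.tmpfiles.rules = [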
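Review bot: The `tls-server-auth` list in the third hunk is edited by hand, separately from the new stanza and the new backup job, so the certificate-CN-to-stanza authorization for srv02.uniworx.de now has to be kept in step in three places. Each entry limits a client certificate to the stanza of the same name, which is the right scope; deriving the entries from one host list keeps it that way when a host is added or retired, e.g. `uniworxHosts = ["srv01.uniworx.de" "srv02.uniworx.de"];` in the `let` and `tls-server-auth = ["surtr.yggdrasil=surtr"] ++ map (h: "${h}=${h}") uniworxHosts;`. The srv02 stanza and timer look like copies of the srv01 ones (only the tails of those are visible here), so the same list could presumably generate them too. The `let` block and the `services.pgbackrest` attribute set both extend outside the hunks.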