author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-10-01 18:52:42 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-10-01 18:52:42 +0200 |
commit | aa02038dfa3005a910e8c1b0885843786c8aa58c (patch) | |
tree | 43806d160c34fa425a58e76fc3ad347c64165a45 | |
parent | 703f9a96a3ac014366c8151d306e9a3bc03b9df4 (diff) | |
vidhar(pgbackrest): srv02.uniworx.de
-rw-r--r-- | hosts/vidhar/pgbackrest/ca/.gitignore | 3 | ||||
-rw-r--r-- | hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt | 11 | ||||
-rw-r--r-- | hosts/vidhar/pgbackrest/default.nix | 30 |
3 files changed, 42 insertions, 2 deletions
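--- a/hosts/vidhar/pgbackrest/ca/.gitignore
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -1 +1,2 @@
-srv01.uniworx.de.key
\ No newline at end of file
+srv01.uniworx.de.key
+srv02.uniworx.de.key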
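--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCASigAwIBAgIPQAAAAGUZo5s1jqHzUfQfMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzEwMDExNjQ2MDJaFw0zMzEwMDEx
+NjUxMDJaMBsxGTAXBgNVBAMMEHNydjAyLnVuaXdvcnguZGUwKjAFBgMrZXADIQDv
+TvJV+mY48X0v2H/Vf36C9pql6Ob4dC+4IFPeiKKVBqN/MH0wHwYDVR0jBBgwFoAU
+77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFPkCU142blj3GWjKotoQuew7
+R2+fMA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDfi8qRpcJ8B/9gGpEC8bfz93QgHDX1
+25wiTcRI4VDO9XStL2Md9IRsbYtzqR2Rs9Vl2KFDLHG3QwD3bE7jeobJoLqtBcXC
+JhzOxbsoUn7YG7RR6yW13sOGsj+ccnguN+hnwX5CDCjsOOT5TXgKQ5C7GwA=
+-----END CERTIFICATE-----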
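--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -4,6 +4,12 @@ let
 surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
 in {
 config = {
+assertions = [
+(let
+inherit (config.services.pgbackrest.package) version;
+in { assertion = version == "2.45"; message = "Presumably incompatible pgBackRest version: ${version}"; })
+];
+
 services.pgbackrest = {
 enable = true;
 package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest;
@@ -54,6 +60,20 @@ in {
 repo2-retention-archive = 7;
 };
 
+"srv02.uniworx.de" = {
+pg1-host-type = "tls";
+pg1-host = "srv02.uniworx.de";
+pg1-host-ca-file = toString ./ca/ca.crt;
+pg1-host-cert-file = toString ./ca/vidhar.crt;
+pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+pg1-path = "/var/lib/postgresql/15";
+
+repo2-path = "/var/lib/pgbackrest";
+repo2-retention-full-type = "time";
+repo2-retention-full = 14;
+repo2-retention-archive = 7;
+};
+
 "global" = {
 compress-type = "zst";
 compress-level = 9;
@@ -67,7 +87,7 @@ in {
 tls-server-ca-file = toString ./ca/ca.crt;
 tls-server-cert-file = toString ./ca/vidhar.crt;
 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
-tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de"];
+tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" "srv02.uniworx.de=srv02.uniworx.de"];
 };
 
 "global:archive-push" = {
@@ -93,6 +113,14 @@ in {
 group = "pgbackrest";
 timerConfig.OnCalendar = "daily Europe/Berlin";
 };
+
+backups."srv02.uniworx.de-daily" = {
+stanza = "srv02.uniworx.de";
+repo = "2";
+user = "pgbackrest";
+group = "pgbackrest";
+timerConfig.OnCalendar = "daily Europe/Berlin";
+};
 };
 
 systemd.tmpfiles.rules = [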
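Review bot: The host name `srv02.uniworx.de` is now typed by hand in three places that must agree: the stanza key, the `tls-server-auth` entry in `"global"`, and the `stanza` of the new backup job. The `tls-server-auth` list is what ties each client certificate name to the stanza it may use, so a slip there either locks the host out or authorizes it for another host's stanza. Deriving the entries from one list in the `let` block would keep them in step, e.g. `remoteHosts = [ "srv01.uniworx.de" "srv02.uniworx.de" ];` and `tls-server-auth = [ "surtr.yggdrasil=surtr" ] ++ map (h: "${h}=${h}") remoteHosts;`. The new `assertions` entry also gives no reason for the exact `2.45` pin; if the remote hosts run that release, a comment such as `# remote hosts run pgBackRest 2.45; bump together with them` would say so. The `let` block and the srv01 stanza lie outside the visible hunks, so whether srv01 follows the same pattern is assumed.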