authorGregor Kleen <gkleen@yggdrasil.li>2022-11-21 18:58:56 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-11-21 18:58:56 +0100
commitba86ae504d8ea9796e43c1b061aa070761cd1323 (patch)
tree4a675b01270402b20f6e442f9d87ce4dc3bb600b /hosts/surtr
parent3705bb3ef68b56892ec840c23683d5728136b5fa (diff)
pgbackrest
Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/postgresql/default.nix (renamed from hosts/surtr/postgresql.nix)69
-rw-r--r--hosts/surtr/postgresql/pgbackrest.crt13
-rw-r--r--hosts/surtr/postgresql/pgbackrest.key26
-rw-r--r--hosts/surtr/ruleset.nft8
5 files changed, 114 insertions, 4 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 9ac087c3..f6200cf3 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
2{ 2{
3 imports = with flake.nixosModules.systemProfiles; [ 3 imports = with flake.nixosModules.systemProfiles; [
4 tmpfs-root qemu-guest openssh rebuild-machines zfs 4 tmpfs-root qemu-guest openssh rebuild-machines zfs
5 ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql.nix 5 ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
6 ./prometheus ./email ./vpn ./borg.nix ./etebase 6 ./prometheus ./email ./vpn ./borg.nix ./etebase
7 ]; 7 ];
8 8
diff --git a/hosts/surtr/postgresql.nix b/hosts/surtr/postgresql/default.nix
index c10c5084..9cf494ae 100644
--- a/hosts/surtr/postgresql.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -1,4 +1,4 @@
1{ pkgs, sources, config, ... }: 1{ pkgs, sources, config, flake, ... }:
2let 2let
3 versioning = sources.psql-versioning.src; 3 versioning = sources.psql-versioning.src;
4in { 4in {
@@ -8,6 +8,73 @@ in {
8 package = pkgs.postgresql_14; 8 package = pkgs.postgresql_14;
9 }; 9 };
10 10
11 services.pgbackrest = {
12 enable = true;
13 settings = {
14 "surtr" = {
15 pg1-path = config.services.postgresql.dataDir;
16
17 repo1-path = "/var/lib/pgbackrest";
18 repo1-retention-full-type = "time";
19 repo1-retention-full = 7;
20 repo1-retention-archive = 2;
21
22 repo2-host-type = "tls";
23 repo2-host = "pgbackrest.vidhar.yggdrasil";
24 repo2-host-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
25 repo2-host-cert-file = toString ./pgbackrest.crt;
26 repo2-host-key-file = config.sops.secrets."pgbackrest.key".path;
27 repo2-retention-full-type = "time";
28 repo2-retention-full = 14;
29 repo2-retention-archive = 7;
30 };
31
32 "global" = {
33 compress-type = "zst";
34 compress-level = 9;
35
36 archive-async = true;
37 spool-path = "/var/spool/pgbackrest";
38 };
39
40 "global:server" = {
41 tls-server-address = "2a03:4000:52:ada:1::";
42 tls-server-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
43 tls-server-cert-file = toString ./pgbackrest.crt;
44 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
45 tls-server-auth = ["vidhar.yggdrasil=surtr"];
46 };
47
48 "global:archive-push" = {
49 process-max = 2;
50 };
51 "global:archive-get" = {
52 process-max = 2;
53 };
54 };
55
56 tlsServer.enable = true;
57
58 backups."surtr-daily" = {
59 stanza = "surtr";
60 repo = "1";
61 timerConfig.OnCalendar = "daily";
62 };
63 };
64
65 sops.secrets."pgbackrest.key" = {
66 format = "binary";
67 sopsFile = ./pgbackrest.key;
68 owner = "postgres";
69 group = "postgres";
70 mode = "0400";
71 };
72
73 systemd.tmpfiles.rules = [
74 "d /var/lib/pgbackrest 0750 postgres postgres - -"
75 "d /var/spool/pgbackrest 0750 postgres postgres - -"
76 ];
77
11 systemd.services.migrate-postgresql = { 78 systemd.services.migrate-postgresql = {
12 after = [ "postgresql.service" ]; 79 after = [ "postgresql.service" ];
13 bindsTo = [ "postgresql.service" ]; 80 bindsTo = [ "postgresql.service" ];
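Review bot: The certificate and CA settings (`repo2-host-ca-file`, `repo2-host-cert-file`, `tls-server-ca-file`, `tls-server-cert-file`) are built with `toString ../../vidhar/pgbackrest/ca/ca.crt` and `toString ./pgbackrest.crt`, which yield the path as a context-free string; under a flake evaluation that presumably resolves into the flake's `-source` store path, which is not part of the system closure, so the files may be absent on the host unless the source tree happens to be there — `"${./pgbackrest.crt}"` (and likewise for `ca.crt`) copies the file into the store and records the dependency. The key is delivered by sops with owner `postgres` and mode `0400`, so it is worth confirming that the server started by `tlsServer.enable` runs as `postgres`, otherwise it cannot read `repo2-host-key-file`/`tls-server-key-file`; that cannot be seen from this hunk. A header comment above `services.pgbackrest` would help a later reader, e.g. `# repo1: local copy under /var/lib/pgbackrest (daily timer); repo2: pushed to vidhar over mutual TLS; tls-server-auth only lets the client cert CN vidhar.yggdrasil reach this host's "surtr" stanza`.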
diff --git a/hosts/surtr/postgresql/pgbackrest.crt b/hosts/surtr/postgresql/pgbackrest.crt
new file mode 100644
index 00000000..b4dc4d97
--- /dev/null
+++ b/hosts/surtr/postgresql/pgbackrest.crt
@@ -0,0 +1,13 @@
1-----BEGIN CERTIFICATE-----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13-----END CERTIFICATE-----
diff --git a/hosts/surtr/postgresql/pgbackrest.key b/hosts/surtr/postgresql/pgbackrest.key
new file mode 100644
index 00000000..bc2af12d
--- /dev/null
+++ b/hosts/surtr/postgresql/pgbackrest.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:Bg4fIAqIGLF1P1P583vQnHhjzrD8fdnS5tA/7SuSdBRJjVaRzB0bieEv+2i9WxgaStG9TTUSmClCVUsbR5gy7MoV6Br4AL17Y++R6wPpJbQJvtMMDJB2xg+THU/Ex61dendcWqPYh73Wn4U9uBE/wC1eVrShXRM=,iv:YG/foZwVcrzi6hdk7Vk0sYZ92LMbmiKg1SbAgPaeUNM=,tag:lAcoxUfQXB4vvc6XnIcA/g==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-11-21T14:30:27Z",
10 "mac": "ENC[AES256_GCM,data:Dsfc1XrGl4abSnDqRl/IwC11bVy+kHz1RaI0V/nkkaJ3fM/qTXPVc5mMoWCiPn1nz5BTABQRSnrf79qHc0wpZ1WUpn07yOf7JejJ/T/bUC7D8BuoVdWRh1og+NzWCEIwaGXg0Eo04yli+GXisdM3YVM9g3BrxYrSInjnNZFyB+Q=,iv:T5QprwIhB8ZWwmmfWVtxkXqbMB1onW+wX7GPIFMn+z0=,tag:zMi77nMepajhg2Djgz8rBA==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-11-21T14:30:27Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAi3pfg9DA+1v5r5sEijbkdwmOopWh05IuhRJxuy1btyAw\nuo0iV7VpngK8tFcBHnmhx3QsxIJo/gU+xrOwczW3RoSGrWo9tV2FantQPRp6f1aS\n0lwBEJSxmTApD/YDu3M6WhxN49/ZVEXG+KQ/mOdoBo0ITGKa6No0btMolzJ0bCJU\n+/avVdlDdZzfXo9XP0iJUoqh+1yMn+XdnD5deGac8a/QGvXZkxsYQ8KpK9sONA==\n=QyKr\n-----END PGP MESSAGE-----\n",
15 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
16 },
17 {
18 "created_at": "2022-11-21T14:30:27Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAYU2U/anEJ8JSiG7NBppmsFeogXN3ynOEdq2tHXf+mUww\nIS7kW1pqcGMjnf7RQNuL91Wek5GEk4T498IFadiYDImAfIdS5jeX2w7UvxWLX5OZ\n0lwBlnxOwkYRWZzAhB6jHthmk2zEc+0JKuFolXhrwXqsFwFGoLTO9fctJrV7ry0u\naM9DqXru+/cEUZJDSq5GYDQaxTjyaFMVwLVdfxrtFwc8YMlqU8vVoWTqLaUVYA==\n=Tg80\n-----END PGP MESSAGE-----\n",
20 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 51fcd498..4993b6b7 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -82,6 +82,7 @@ table inet filter {
82 counter submissions-rx {} 82 counter submissions-rx {}
83 counter imaps-rx {} 83 counter imaps-rx {}
84 counter managesieve-rx {} 84 counter managesieve-rx {}
85 counter pgbackrest-rx {}
85 86
86 counter established-rx {} 87 counter established-rx {}
87 88
@@ -109,6 +110,7 @@ table inet filter {
109 counter submissions-tx {} 110 counter submissions-tx {}
110 counter imaps-tx {} 111 counter imaps-tx {}
111 counter managesieve-tx {} 112 counter managesieve-tx {}
113 counter pgbackrest-tx {}
112 114
113 counter tx {} 115 counter tx {}
114 116
@@ -149,7 +151,7 @@ table inet filter {
149 151
150 152
151 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop 153 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
152 154
153 155
154 iifname lo counter name rx-lo accept 156 iifname lo counter name rx-lo accept
155 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 157 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -178,6 +180,7 @@ table inet filter {
178 tcp dport 465 counter name submissions-rx accept 180 tcp dport 465 counter name submissions-rx accept
179 tcp dport 993 counter name imaps-rx accept 181 tcp dport 993 counter name imaps-rx accept
180 tcp dport 4190 counter name managesieve-rx accept 182 tcp dport 4190 counter name managesieve-rx accept
183 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
181 184
182 ct state {established, related} counter name established-rx accept 185 ct state {established, related} counter name established-rx accept
183 186
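Review bot: The new input rule at line 183, `iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept`, admits any peer on the yggdrasil interface to the pgbackrest TLS listener, leaving mutual TLS plus `tls-server-auth` as the only gate; since the server config authorizes only `vidhar.yggdrasil`, narrowing the rule to that peer (`iifname yggdrasil ip6 saddr <VIDHAR_YGGDRASIL_ADDR> tcp dport 8432 counter name pgbackrest-rx accept`) would keep unauthenticated handshakes off the daemon. Only the listening side is covered in this file section; the outbound connection surtr itself opens to repo2-host on 8432 (archive-push to vidhar) depends on what the output chain already permits, which lies outside the hunks — worth confirming it is not dropped. A short comment above the rule naming the peer and the authentication model, `# pgbackrest TLS server; peer authenticated by client cert, see hosts/surtr/postgresql/default.nix`, would make the intent clear.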
@@ -222,7 +225,8 @@ table inet filter {
222 tcp sport 465 counter name submissions-tx accept 225 tcp sport 465 counter name submissions-tx accept
223 tcp sport 993 counter name imaps-tx accept 226 tcp sport 993 counter name imaps-tx accept
224 tcp sport 4190 counter name managesieve-tx accept 227 tcp sport 4190 counter name managesieve-tx accept
225 228 tcp sport 8432 counter name pgbackrest-tx accept
229
226 230
227 counter name tx 231 counter name tx
228 } 232 }