authorGregor Kleen <gkleen@yggdrasil.li>2022-11-21 18:58:56 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-11-21 18:58:56 +0100
commitba86ae504d8ea9796e43c1b061aa070761cd1323 (patch)
tree4a675b01270402b20f6e442f9d87ce4dc3bb600b /hosts/vidhar/pgbackrest/default.nix
parent3705bb3ef68b56892ec840c23683d5728136b5fa (diff)
pgbackrest
Diffstat (limited to 'hosts/vidhar/pgbackrest/default.nix')
-rw-r--r--hosts/vidhar/pgbackrest/default.nix101
1 files changed, 101 insertions, 0 deletions
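diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
new file mode 100644
index 00000000..49644e51
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
+{ config, flake, ... }:
+
+let
+ surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
+in {
+ config = {
+ services.pgbackrest = {
+ enable = true;
+ tlsServer = {
+ enable = true;
+
+ user = "pgbackrest";
+ group = "pgbackrest";
+ };
+
+ settings = {
+ "surtr" = {
+ pg1-host-type = "tls";
+ pg1-host = "pgbackrest.surtr.yggdrasil";
+ pg1-host-ca-file = toString ./ca/ca.crt;
+ pg1-host-cert-file = toString ./tls.crt;
+ pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ inherit (surtrRepoCfg) pg1-path;
+
+ # repo1-host-type = "tls";
+ # repo1-host = "pgbackrest.surtr.yggdrasil";
+ # repo1-host-ca-file = toString ./ca/ca.crt;
+ # repo1-host-cert-file = toString ./tls.crt;
+ # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ # repo1-retention-full-type = "time";
+ # repo1-retention-full = 7;
+ # repo1-retention-archive = 2;
+
+ repo2-path = "/var/lib/pgbackrest";
+ repo2-retention-full-type = "time";
+ repo2-retention-full = 14;
+ repo2-retention-archive = 7;
+ };
+
+ "global" = {
+ compress-type = "zst";
+ compress-level = 9;
+
+ archive-async = true;
+ spool-path = "/var/spool/pgbackrest";
+ };
+
+ "global:server" = {
+ tls-server-address = "2a03:4000:52:ada:1:1::";
+ tls-server-ca-file = toString ./ca/ca.crt;
+ tls-server-cert-file = toString ./tls.crt;
+ tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
+ tls-server-auth = ["surtr.yggdrasil=surtr"];
+ };
+
+ "global:archive-push" = {
+ process-max = 6;
+ };
+ "global:archive-get" = {
+ process-max = 6;
+ };
+ };
+
+ backups."surtr-daily" = {
+ stanza = "surtr";
+ repo = "2";
+ user = "pgbackrest";
+ group = "pgbackrest";
+ timerConfig.OnCalendar = "daily Europe/Berlin";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+ "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+ ];
+
+ users = {
+ users.pgbackrest = {
+ name = "pgbackrest";
+ group = "pgbackrest";
+ isSystemUser = true;
+ home = "/var/lib/pgbackrest";
+ };
+ groups.pgbackrest = {};
+ };
+
+ systemd.services."pgbackrest-tls-server".serviceConfig = {
+ StateDirectory = [ "pgbackrest" ];
+ StateDirectoryMode = "0750";
+ };
+
+ sops.secrets."pgbackrest.key" = {
+ format = "binary";
+ sopsFile = ./tls.key;
+ owner = "pgbackrest";
+ group = "pgbackrest";
+ mode = "0400";
+ };
+ };
+}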
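Review bot: The `repo2-*` settings for stanza `surtr` configure a local repository under `/var/lib/pgbackrest` without `repo2-cipher-type`, so full and archive backups are stored unencrypted and the 0750 directory mode from the tmpfiles rule is the only protection for a complete copy of the database. Consider adding `repo2-cipher-type = "aes-256-cbc";` and supplying the passphrase from a sops secret the way `pgbackrest.key` is handled; it should not be a literal in `settings`, which presumably gets rendered into a world-readable store path (the module is not visible here). pgBackRest expects the cipher to be chosen before the stanza is created, so this is cheapest to decide now. Separately, the same `tls.crt`/`pgbackrest.key` pair is used as the client identity (`pg1-host-*`) and the server identity (`tls-server-*`); a short comment stating that the reuse is intentional would help the next reader.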