vidhar/pgbackrest: srv01.uniworx.de

13 files changed, 113 insertions, 86 deletions

diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index f0edfbac..54693b50 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -20,9 +20,9 @@ in {
           repo1-retention-archive = 2;
 
           repo2-host-type = "tls";
-          repo2-host = "pgbackrest.vidhar.yggdrasil";
+          repo2-host = "vidhar.yggdrasil.li";
           repo2-host-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
-          repo2-host-cert-file = toString ./pgbackrest.crt;
+          repo2-host-cert-file = toString ../../vidhar/pgbackrest/ca/surtr.crt;
           repo2-host-key-file = config.sops.secrets."pgbackrest.key".path;
           repo2-retention-full-type = "time";
           repo2-retention-full = 14;
@@ -40,7 +40,7 @@ in {
         "global:server" = {
           tls-server-address = "2a03:4000:52:ada:1::";
           tls-server-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
-          tls-server-cert-file = toString ./pgbackrest.crt;
+          tls-server-cert-file = toString ../../vidhar/pgbackrest/ca/surtr.crt;
           tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
           tls-server-auth = ["vidhar.yggdrasil=surtr"];
         };
@@ -64,7 +64,7 @@ in {
 
     sops.secrets."pgbackrest.key" = {
       format = "binary";
-      sopsFile = ./pgbackrest.key;
+      sopsFile = ../../vidhar/pgbackrest/ca/surtr.key;
       owner = "postgres";
       group = "postgres";
       mode = "0400";
diff --git a/hosts/surtr/postgresql/pgbackrest.crt b/hosts/surtr/postgresql/pgbackrest.crt
deleted file mode 100644
index b4dc4d97..00000000
--- a/hosts/surtr/postgresql/pgbackrest.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB7zCCAW+gAwIBAgIPQAAAAGN7p/Q5SZ7JU43JMAUGAytlcTAfMR0wGwYDVQQD
-DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MTFaFw0zMjExMjEx
-NjMxMTFaMBoxGDAWBgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhABIl
-okEGkov33jgsrF0QA4CKQILbIWkZ2tn+UUhXxxyDo4HGMIHDMB8GA1UdIwQYMBaA
-FO+/yfEkwcLr+vNPIsyCW86UwJ3aMB0GA1UdDgQWBBQnVeShLYsqF35OmmzLJEV5
-dfenhjAOBgNVHQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
-BgEFBQcDAgYIKwYBBQUHAwEwRAYDVR0RBD0wO4IdcGdiYWNrcmVzdC5zdXJ0ci55
-Z2dkcmFzaWwubGmCGnBnYmFja3Jlc3Quc3VydHIueWdnZHJhc2lsMAUGAytlcQNz
-AJqqMDWN1Ym5XANRKWcCh09j0Rej3V64XZlOOP7qFF9Gh4QJXeCvDMjX4LOeRUmi
-lB8iosdRN9MSANI4kfwYBnzgn3BNMrvMI4faEOuVnd6X2ulsJdNbJNQzB3hRVsNf
-b+QNBV+PpTUgR4k9e1XWX+wwAA==
------END CERTIFICATE-----
diff --git a/hosts/surtr/postgresql/pgbackrest.key b/hosts/surtr/postgresql/pgbackrest.key
deleted file mode 100644
index c7057e6b..00000000
--- a/hosts/surtr/postgresql/pgbackrest.key
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-        "data": "ENC[AES256_GCM,data:Bg4fIAqIGLF1P1P583vQnHhjzrD8fdnS5tA/7SuSdBRJjVaRzB0bieEv+2i9WxgaStG9TTUSmClCVUsbR5gy7MoV6Br4AL17Y++R6wPpJbQJvtMMDJB2xg+THU/Ex61dendcWqPYh73Wn4U9uBE/wC1eVrShXRM=,iv:YG/foZwVcrzi6hdk7Vk0sYZ92LMbmiKg1SbAgPaeUNM=,tag:lAcoxUfQXB4vvc6XnIcA/g==,type:str]",
-        "sops": {
-                "kms": null,
-                "gcp_kms": null,
-                "azure_kv": null,
-                "hc_vault": null,
-                "age": [
-                        {
-                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM08wK2tWTGZqSXlkZkNC\nZmZGRVZONm8rU0tpUXVrQnZRSVlUd2JuOUU0Cno4MlVyYk5ILzB4TEtyMTdRUzJl\nUTdnOEcvMFkwZlZ1QmpEREJVNFhNYTgKLS0tIFg1QnlxeXZBYkpXVEppTUFEcnNC\nVEFnUnEwWjI2aFYvZ2EvRW5LR1NVQncK3K1sspt2zHemubUglQBkTRLvXUQyndiv\nQtaU/f5m3f70UoydE7jK1WfEbpUujjaTv5qZeQhA85OtsjRs20SRdA==\n-----END AGE ENCRYPTED FILE-----\n"
-                        }
-                ],
-                "lastmodified": "2022-11-21T14:30:27Z",
-                "mac": "ENC[AES256_GCM,data:Dsfc1XrGl4abSnDqRl/IwC11bVy+kHz1RaI0V/nkkaJ3fM/qTXPVc5mMoWCiPn1nz5BTABQRSnrf79qHc0wpZ1WUpn07yOf7JejJ/T/bUC7D8BuoVdWRh1og+NzWCEIwaGXg0Eo04yli+GXisdM3YVM9g3BrxYrSInjnNZFyB+Q=,iv:T5QprwIhB8ZWwmmfWVtxkXqbMB1onW+wX7GPIFMn+z0=,tag:zMi77nMepajhg2Djgz8rBA==,type:str]",
-                "pgp": [
-                        {
-                                "created_at": "2023-01-30T11:02:32Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA8rLHh5XmLvkM8spHa/iIxYYSecBwXitGydVcegMQQEgw\nKKxjDQ+6ffkdVqRt/9L9rg+LVcU5q0a8cxr6uRrTOVwdLyukczh1cj0qX+fjfLXc\n0lwBmw3j8IKtFLQYYiK8z+IAaujhlg8vRQyCaMfMWO0ZXA8NkhZlYhEBcwbvV/M2\nCVCcoUXeo+kimv+8eYg0jrmegCr2FI9f/FQSU1QnEg4sQiVe2i50Im8MC/8TTQ==\n=1j/D\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
-                "unencrypted_suffix": "_unencrypted",
-                "version": "3.7.3"
-        }
-}
\ No newline at end of file
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 30db0ac3..404f2f13 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -191,7 +191,7 @@ table inet filter {
 
     iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 
-    iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
+    tcp dport 8432 counter name pgbackrest-rx accept
 
     ct state { established, related } counter name established-rx accept
 
diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
new file mode 100644
index 00000000..aa000280
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -0,0 +1 @@
+srv01.uniworx.de.key
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
new file mode 100644
index 00000000..30fde613
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCASigAwIBAgIPQAAAAGQYUD0qjVeBUIVWMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMjE3NDhaFw0zMzAzMjAx
+MjIyNDhaMBsxGTAXBgNVBAMMEHNydjAxLnVuaXdvcnguZGUwKjAFBgMrZXADIQBt
+dyvv3iMd0ozSKFFO0OoQgj/eqxgzxLak1iMhwgWQdqN/MH0wHwYDVR0jBBgwFoAU
+77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFHr4X6cwefOOMFrU6d0bOrKs
+n0p/MA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDtwm/OO+yMHvmvxQVt9f+slS+Zioqc
+AbPeeg5HMnrS3ZSoin+++8DJgY0q1A7DGwjq9KQAZ+jXYYD42B4zKoKqvvW5Kgq5
+fk0r67VBa7RCBPhrSmRWSRK01UTE9jIaAEQt2bQN+MyGgL/fyFnVB+pRNgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.crt b/hosts/vidhar/pgbackrest/ca/surtr.crt
new file mode 100644
index 00000000..68c87a00
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAzCCAYOgAwIBAgIPQAAAAGQYSfwSfBJj7b7QMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUxMDdaFw0zMzAzMjAx
+MTU2MDdaMBoxGDAWBgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhANLe
+9LEKiZEOIuxMwDxB2nDda7MlNHY81fDsyBOJ9FCNo4HaMIHXMB8GA1UdIwQYMBaA
+FO+/yfEkwcLr+vNPIsyCW86UwJ3aMB0GA1UdDgQWBBSxBMEOYYuWhuLSHVsMv8JA
+GNAKqDAOBgNVHQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwWAYDVR0RBFEwT4IdcGdiYWNrcmVzdC5zdXJ0ci55
+Z2dkcmFzaWwubGmCGnBnYmFja3Jlc3Quc3VydHIueWdnZHJhc2lsghJzdXJ0ci55
+Z2dkcmFzaWwubGkwBQYDK2VxA3MAy8wcBmyFeMUMuE7Bkm+3wNWwXcHXyqMMLFi7
+yyB3KrzyyIXPmv6wD/ntUpv/FlRj6DbDSqd+G7MA81T1eea2KDBEkGKp/AKtBCYh
+vfU2W46HqlPhlOZqwoxysnqoDyBFnwG0GIoV4sosUjmx7ufpMCMA
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.key b/hosts/vidhar/pgbackrest/ca/surtr.key
new file mode 100644
index 00000000..fba5af94
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.key
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:njpzC4SmemRUBYWPCli0JHwoH/LDbepxcfomTc3yfneO29CD37bb5BLtcoQHOFbHBC4V3NggO733KLMAzkn7cot5zRcYDbJTd9qdoIiuvC/IDd0yrdk1ZahsyXFzm2e1xcHgnC7XJ9Dphd6Bsv2Zx1K5f8KXHY8=,iv:z8W9oXsv+m4dtEnc7Xa57jZfRCbmfR1nFOrCkuDIftE=,tag:d7VFFsIId2M3tEjor3a4NA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdEhqTXg3dG9WMUFNUXM2\nQ3dWbng0cGNFazVRY21qTWUzajZDRHVuWGtrCjlZaXlMUGJvZ25mMXNvZVlMamFm\nSkE2TjU5UjNKL0k4b0dXeTZ4TFpneEEKLS0tIC9VTndTNHZkaFZIT2lSdzFQWXJu\nU2MvS3BxSXF1K2VUbmh6UytWbXl5YkEKZRdPZDT4SSbXnujmDYtjDGymfm+0hrG+\nrSoaEIXxtfTDh73NSvtIdcGYvxK9Ub/XhsKc+ZUv70a/ISVx+4nBTQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2023-03-20T11:54:11Z",
+                "mac": "ENC[AES256_GCM,data:a0Fxd5DGdf/U+xVKEAWWTcfRjOGraNGJW5SqKQC3Pwp9n7dYZT4SYYt1nGV2GhJta45B/QClexFcNRHOyLZqoeTtEUSxk39UejLsP4DeNAheUuZjyMgj0dRbPyfptEIJVuw5RwJz9zCmxtbfke9limmswya1YShd7uXTg3qXLTk=,iv:+rKP0mS+t3Xyqi5MimNlAqgRuBx/VC4jepP02Hq8vwg=,tag:goIwbvskjgK1tQ4R7BMnRg==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2023-03-20T11:54:10Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAX+wqYxyHaTy1LFShNNUtFgppJObtd1mVVFafpNT3qAAw\nt9XzxiOzsI0tLkHImCtXAqtbLgyxXXIfASG7K4aYmzBfwmI4pi14Z+hu/eKLuQhl\n0l4B+upjcYU3wdRFCjpEn5WADsHn8nZ50E9+iECNOodLs67o6iWaEpfCJvyUf1Qp\nzOKrhdJL87UJgO31w2OdkUj4s9NwYU9cYLMl68aXOQMduJgVKgPmyx4PnQHRJ60m\n=ULUa\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.crt b/hosts/vidhar/pgbackrest/ca/vidhar.crt
new file mode 100644
index 00000000..ae19aeb9
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAWegAwIBAgIPQAAAAGQYScgWpuQT5StRMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUwMTVaFw0zMzAzMjAx
+MTU1MTVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDT
+mn6hoycEGEO5XFZAB36MZR9om3+LRLtLmXl+zdW3AqOBvTCBujAfBgNVHSMEGDAW
+gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUn8LxcubPh60X8yX64X4G
+tg9voegwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdEQQ0MDKCE3ZpZGhhci55Z2dkcmFzaWwu
+bGmCG3BnYmFja3Jlc3QudmlkaGFyLnlnZ2RyYXNpbDAFBgMrZXEDcwDRRSlz+0Ab
+bXNIhZizqXZZoEcrMObeCVj7OpYX8UtGhx0pqA2PGMRFoaeFnzIT0rfQqjzFlbiX
+5oDSW5RQbu2mhR8wpwQVWaQRMEcHoAJXLE23GvQJyHSM7fV3DpkPD3W8Zm+Rwzra
+NY9tiz2XqpXYCgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.key b/hosts/vidhar/pgbackrest/ca/vidhar.key
new file mode 100644
index 00000000..f63f523f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.key
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:q2IvDnv0pJSsE77Rf4Jg9+OCYZEEOsteZy9nn1/WqEiyx3z3LMLE3+F9Rka7PUNachG6ZrDo21Et8DHsvqrr7tbCIH0ha/3cRTwXfzdgvJ/PmkMXTmG01Juc9JKqjf42oo23AErMXVji/4D293Bc6SZjtkQCj/w=,iv:5H5Wi1hv7u1O2YhPsB9wxrFvi2Zy+U1Z06sAk4MwNnA=,tag:HspX+dYLJ15xJRHBobv1PA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQUNZQ2R0M3NlTjQ3d1ZG\nVWh0QXBtU3MzZDIrOTI4NUgrdkFTdmRuZ0JnCks1WWo4eFNuV1VKOUprUzcxYUdG\nTlFsQm8weWk1SzRUY3d6bElLVStJNncKLS0tIFdsVENmYlFnYVVlMllySC9zcS9E\nbnc5MjV5eGF1TVppbXRMVExNNHM1RDAKUEkoOo8Xedtg5F4PReXhTHWmaEtJm/q/\n5v8otv3CMtZsSaCzdNuYxF5Wr6qfYG6rjigX92M2vJ4E2hcyluAqtQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2023-03-20T11:55:15Z",
+                "mac": "ENC[AES256_GCM,data:hrjyc62poTD8CviGxhPrmOng/AtBV4wNTGOPibrUj3zfphW9S2dEctdfeQr8VWvF4scYk9Nodw9ijyrSR33NjL8Qes5aOnLHnMZgZ32ecaSCyt7pBTmvAiqwdCy1zY7M/jWSREOjkfsjzvf0hInKmX4qQ8E/PGiUFR6f0DCJUqY=,iv:bewcBberJWtc6ghwL037BLsbbQPJnBosqw+zrWDbChY=,tag:btwOB0+OTAo4qdNXapvHXA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2023-03-20T11:55:15Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAa9uU7TZpS6E1pQaFJI22TNHOeXZRgo+mUvT/aiCep2sw\nRRYY6xD95AgVIGCiq+V+8tVfDZavzi0AragttwL/gUKVky2x76XQPdmd+EjWU45E\n0l4BfaIQTddySkWGUDiLorMzfJ7cfelY6EUZZwm8CM+rIOK9ygc6lggybU3QVPCL\n/ZP4+vpuVt/KRNLgbEESmA0iSZ1BtMqnlhPA1bg9MnAeuK3/z/jRQN2S56IPIxmX\n=tDR1\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index 49644e51..ebee2cd0 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -18,7 +18,7 @@ in {
           pg1-host-type = "tls";
           pg1-host = "pgbackrest.surtr.yggdrasil";
           pg1-host-ca-file = toString ./ca/ca.crt;
-          pg1-host-cert-file = toString ./tls.crt;
+          pg1-host-cert-file = toString ./ca/vidhar.crt;
           pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
           inherit (surtrRepoCfg) pg1-path;
 
@@ -37,6 +37,20 @@ in {
           repo2-retention-archive = 7;
         };
 
+        "srv01.uniworx.de" = {
+          pg1-host-type = "tls";
+          pg1-host = "srv01.uniworx.de";
+          pg1-host-ca-file = toString ./ca/ca.crt;
+          pg1-host-cert-file = toString ./ca/srv01.uniworx.de.crt;
+          pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+          pg1-path = "/var/lib/postgresql/15";
+
+          repo2-path = "/var/lib/pgbackrest";
+          repo2-retention-full-type = "time";
+          repo2-retention-full = 14;
+          repo2-retention-archive = 7;
+        };
+
         "global" = {
           compress-type = "zst";
           compress-level = 9;
@@ -46,9 +60,9 @@ in {
         };
 
         "global:server" = {
-          tls-server-address = "2a03:4000:52:ada:1:1::";
+          tls-server-address = "2a03:4000:52:ada:4:1::";
           tls-server-ca-file = toString ./ca/ca.crt;
-          tls-server-cert-file = toString ./tls.crt;
+          tls-server-cert-file = toString ./ca/vidhar.crt;
           tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
           tls-server-auth = ["surtr.yggdrasil=surtr"];
         };
@@ -92,7 +106,7 @@ in {
 
     sops.secrets."pgbackrest.key" = {
       format = "binary";
-      sopsFile = ./tls.key;
+      sopsFile = ./ca/vidhar.key;
       owner = "pgbackrest";
       group = "pgbackrest";
       mode = "0400";
diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
deleted file mode 100644
index e807d423..00000000
--- a/hosts/vidhar/pgbackrest/tls.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
-DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
-NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
-Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
-gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
-YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
-LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
-h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
-1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
------END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
deleted file mode 100644
index 9218b7b0..00000000
--- a/hosts/vidhar/pgbackrest/tls.key
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-        "data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
-        "sops": {
-                "kms": null,
-                "gcp_kms": null,
-                "azure_kv": null,
-                "hc_vault": null,
-                "age": [
-                        {
-                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcmNKbVA3VnB1eHZVcm9u\nWTFMRTlGdDRWM01TYUNmK3lUU3hIYmx4Q0VzCk81RFVWYWx1ZFYwVW5sRW93WWRU\nVVJmSWpmcnM5QjlFczloMjBBRE80OFEKLS0tIEVDdEN4Q2E2bDNuMDQ4Q2s3WnF3\nVW84b0JKZ0xGdzVZd2NQOGgrMEpOczAKoorQ99mTL66IEp2Ckl+lYirbKd6NPh6Z\nJ7Ygv2BIKhHsgEhx4sWrakapEUeze88hDd+9oaofZvENx5xPgCzBCA==\n-----END AGE ENCRYPTED FILE-----\n"
-                        }
-                ],
-                "lastmodified": "2022-11-21T14:21:06Z",
-                "mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
-                "pgp": [
-                        {
-                                "created_at": "2023-01-30T11:02:25Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAraO/4uAAKwQ6+Cs83SuApQ4xbR5QcTp2zlVWzoxoD1Aw\n+67QzvTMmAr9tayCv/HjYJvnjT7vQfIHaRFr/ewXh37B05jfPUFe17hdlT8lUi7Q\n0l4B+WTgJH+d0pUaCo3RedCEFR+pbemaDFIosA6z//cpbM4nNc6sI32BUBw7eQC1\neVjR6n2iNiYNPsk6vgrKnF1/TBGnNAjap/eJi0Ro5J0ng/BFu4SFeEAvMocrDkJ9\n=isPu\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
-                "unencrypted_suffix": "_unencrypted",
-                "version": "3.7.3"
-        }
-}
\ No newline at end of file