-rw-r--r--.sops.yaml39
-rw-r--r--hosts/surtr/postgresql/default.nix8
-rw-r--r--hosts/surtr/postgresql/pgbackrest.crt13
-rw-r--r--hosts/surtr/postgresql/pgbackrest.key26
-rw-r--r--hosts/vidhar/network/ruleset.nft2
-rw-r--r--hosts/vidhar/pgbackrest/ca/.gitignore1
-rw-r--r--hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt11
-rw-r--r--hosts/vidhar/pgbackrest/ca/surtr.crt13
-rw-r--r--hosts/vidhar/pgbackrest/ca/surtr.key26
-rw-r--r--hosts/vidhar/pgbackrest/ca/vidhar.crt13
-rw-r--r--hosts/vidhar/pgbackrest/ca/vidhar.key26
-rw-r--r--hosts/vidhar/pgbackrest/default.nix22
-rw-r--r--hosts/vidhar/pgbackrest/tls.crt12
-rw-r--r--hosts/vidhar/pgbackrest/tls.key26
14 files changed, 113 insertions, 125 deletions
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 268904a1..00000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
1keys:
2 - &admin_gkleen 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
3 - &machine_surtr age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq
4 - &machine_sif age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d # F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
5 - &machine_vidhar age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l # A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362
6
7creation_rules:
8 - path_regex: ^hosts/surtr/vpn/surtr\.priv$
9 key_groups:
10 - age: [ *machine_surtr ]
11 pgp: [ *admin_gkleen ]
12 - path_regex: ^hosts/surtr/vpn/sif\.priv$
13 key_groups:
14 - age: [ *machine_sif ]
15 pgp: [ *admin_gkleen ]
16 - path_regex: ^hosts/surtr/email/ca/[^/]+.*$
17 key_groups:
18 - pgp: [ *admin_gkleen ]
19 - path_regex: ^hosts/surtr/vpn/[^/]+.*$
20 - path_regex: ^(.*/)?surtr(-private)?(/.+|\..+)?$
21 key_groups:
22 - age: [ *machine_surtr ]
23 pgp: [ *admin_gkleen ]
24 - path_regex: ^hosts/vidhar/borg/jotnar/ymir$
25 key_groups:
26 - pgp: [ *admin_gkleen ]
27 - path_regex: ^hosts/vidhar/borg/jotnar/[^/]+.*$
28 - path_regex: ^hosts/vidhar/(prometheus|pgbackrest)/ca/[^/]+.*$
29 key_groups:
30 - pgp: [ *admin_gkleen ]
31 - path_regex: ^(.*/)?vidhar(-private)?(/.+|\..+)?$
32 key_groups:
33 - age: [ *machine_vidhar ]
34 pgp: [ *admin_gkleen ]
35 - path_regex: ^(.*/)?sif(-private)?(/.+|\..+)?$
36 key_groups:
37 - age: [ *machine_sif ]
38 pgp: [ *admin_gkleen ]
39
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index f0edfbac..54693b50 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -20,9 +20,9 @@ in {
20 repo1-retention-archive = 2; 20 repo1-retention-archive = 2;
21 21
22 repo2-host-type = "tls"; 22 repo2-host-type = "tls";
23 repo2-host = "pgbackrest.vidhar.yggdrasil"; 23 repo2-host = "vidhar.yggdrasil.li";
24 repo2-host-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt; 24 repo2-host-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
25 repo2-host-cert-file = toString ./pgbackrest.crt; 25 repo2-host-cert-file = toString ../../vidhar/pgbackrest/ca/surtr.crt;
26 repo2-host-key-file = config.sops.secrets."pgbackrest.key".path; 26 repo2-host-key-file = config.sops.secrets."pgbackrest.key".path;
27 repo2-retention-full-type = "time"; 27 repo2-retention-full-type = "time";
28 repo2-retention-full = 14; 28 repo2-retention-full = 14;
@@ -40,7 +40,7 @@ in {
40 "global:server" = { 40 "global:server" = {
41 tls-server-address = "2a03:4000:52:ada:1::"; 41 tls-server-address = "2a03:4000:52:ada:1::";
42 tls-server-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt; 42 tls-server-ca-file = toString ../../vidhar/pgbackrest/ca/ca.crt;
43 tls-server-cert-file = toString ./pgbackrest.crt; 43 tls-server-cert-file = toString ../../vidhar/pgbackrest/ca/surtr.crt;
44 tls-server-key-file = config.sops.secrets."pgbackrest.key".path; 44 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
45 tls-server-auth = ["vidhar.yggdrasil=surtr"]; 45 tls-server-auth = ["vidhar.yggdrasil=surtr"];
46 }; 46 };
@@ -64,7 +64,7 @@ in {
64 64
65 sops.secrets."pgbackrest.key" = { 65 sops.secrets."pgbackrest.key" = {
66 format = "binary"; 66 format = "binary";
67 sopsFile = ./pgbackrest.key; 67 sopsFile = ../../vidhar/pgbackrest/ca/surtr.key;
68 owner = "postgres"; 68 owner = "postgres";
69 group = "postgres"; 69 group = "postgres";
70 mode = "0400"; 70 mode = "0400";
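Review bot: `repo2-host` on line 23 now names vidhar by its public DNS name `vidhar.yggdrasil.li` instead of the yggdrasil overlay name, so the backup transport leaves the overlay and its only access control is the mutual TLS configured here (private CA on line 24, surtr's client cert and key on lines 25–26) plus vidhar's `tls-server-auth` mapping. That is defensible, but the reason is not visible in this file and deserves a comment above line 23, e.g. `# repo2 is reached over the public address; mTLS against ../../vidhar/pgbackrest/ca/ca.crt is the only access control`. The client will verify `vidhar.yggdrasil.li` against vidhar's certificate; the added `vidhar.crt` appears to carry a subjectAltName with both `vidhar.yggdrasil.li` and `pgbackrest.vidhar.yggdrasil` (decoding L223–L224), which would satisfy it — confirm before deploying. The `tls-server-auth` entry `vidhar.yggdrasil=surtr` on line 45 likewise depends on that certificate's CN being exactly `vidhar.yggdrasil`, which the DER appears to show. The enclosing attribute set starts and ends outside the hunks.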
diff --git a/hosts/surtr/postgresql/pgbackrest.crt b/hosts/surtr/postgresql/pgbackrest.crt
deleted file mode 100644
index b4dc4d97..00000000
--- a/hosts/surtr/postgresql/pgbackrest.crt
+++ /dev/null
@@ -1,13 +0,0 @@
1-----BEGIN CERTIFICATE-----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13-----END CERTIFICATE-----
diff --git a/hosts/surtr/postgresql/pgbackrest.key b/hosts/surtr/postgresql/pgbackrest.key
deleted file mode 100644
index c7057e6b..00000000
--- a/hosts/surtr/postgresql/pgbackrest.key
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:Bg4fIAqIGLF1P1P583vQnHhjzrD8fdnS5tA/7SuSdBRJjVaRzB0bieEv+2i9WxgaStG9TTUSmClCVUsbR5gy7MoV6Br4AL17Y++R6wPpJbQJvtMMDJB2xg+THU/Ex61dendcWqPYh73Wn4U9uBE/wC1eVrShXRM=,iv:YG/foZwVcrzi6hdk7Vk0sYZ92LMbmiKg1SbAgPaeUNM=,tag:lAcoxUfQXB4vvc6XnIcA/g==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM08wK2tWTGZqSXlkZkNC\nZmZGRVZONm8rU0tpUXVrQnZRSVlUd2JuOUU0Cno4MlVyYk5ILzB4TEtyMTdRUzJl\nUTdnOEcvMFkwZlZ1QmpEREJVNFhNYTgKLS0tIFg1QnlxeXZBYkpXVEppTUFEcnNC\nVEFnUnEwWjI2aFYvZ2EvRW5LR1NVQncK3K1sspt2zHemubUglQBkTRLvXUQyndiv\nQtaU/f5m3f70UoydE7jK1WfEbpUujjaTv5qZeQhA85OtsjRs20SRdA==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2022-11-21T14:30:27Z",
15 "mac": "ENC[AES256_GCM,data:Dsfc1XrGl4abSnDqRl/IwC11bVy+kHz1RaI0V/nkkaJ3fM/qTXPVc5mMoWCiPn1nz5BTABQRSnrf79qHc0wpZ1WUpn07yOf7JejJ/T/bUC7D8BuoVdWRh1og+NzWCEIwaGXg0Eo04yli+GXisdM3YVM9g3BrxYrSInjnNZFyB+Q=,iv:T5QprwIhB8ZWwmmfWVtxkXqbMB1onW+wX7GPIFMn+z0=,tag:zMi77nMepajhg2Djgz8rBA==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T11:02:32Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA8rLHh5XmLvkM8spHa/iIxYYSecBwXitGydVcegMQQEgw\nKKxjDQ+6ffkdVqRt/9L9rg+LVcU5q0a8cxr6uRrTOVwdLyukczh1cj0qX+fjfLXc\n0lwBmw3j8IKtFLQYYiK8z+IAaujhlg8vRQyCaMfMWO0ZXA8NkhZlYhEBcwbvV/M2\nCVCcoUXeo+kimv+8eYg0jrmegCr2FI9f/FQSU1QnEg4sQiVe2i50Im8MC/8TTQ==\n=1j/D\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 30db0ac3..404f2f13 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -191,7 +191,7 @@ table inet filter {
191 191
192 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept 192 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
193 193
194 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept 194 tcp dport 8432 counter name pgbackrest-rx accept
195 195
196 ct state { established, related } counter name established-rx accept 196 ct state { established, related } counter name established-rx accept
197 197
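Review bot: Line 194 now accepts TCP 8432 from every interface instead of only `yggdrasil`, and the new rule carries no source restriction at all. pgbackrest's TLS server on this port requires a client certificate from the private CA, so this is not an anonymous service, but a filter-level bound to the known peers keeps the TLS stack itself out of reach of the rest of the internet; e.g. `ip6 saddr { <surtr-addr>, <srv01-addr> } tcp dport 8432 counter name pgbackrest-rx accept`, with the two peer addresses kept in a named set next to the other host definitions. If widening was deliberate because srv01.uniworx.de has no stable address, a comment on the rule saying so would stop the next reader from re-adding the interface match. The chain this rule belongs to starts outside the hunk.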
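diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
new file mode 100644
index 00000000..aa000280
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -0,0 +1 @@
+srv01.uniworx.de.key
\ No newline at end of file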
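Review bot: The ignore entry keeps `srv01.uniworx.de.key` as a plaintext file in the working tree, whereas every other pgbackrest private key in this commit (`surtr.key`, `vidhar.key`) is committed sops-encrypted with an explicit recipient list. A plaintext key sitting at an ignored path is one `git add -f` or a renamed file away from being committed, and there is no record of who holds it. If srv01 is not managed from this repository, consider storing the key sops-encrypted to the admin key anyway so it is recoverable, or at least document the exception in the file: `# private key for the externally managed srv01 host; generated and kept out of this repository`. The file also lacks a trailing newline.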
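diff --git a/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
new file mode 100644
index 00000000..30fde613
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCASigAwIBAgIPQAAAAGQYUD0qjVeBUIVWMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMjE3NDhaFw0zMzAzMjAx
+MjIyNDhaMBsxGTAXBgNVBAMMEHNydjAxLnVuaXdvcnguZGUwKjAFBgMrZXADIQBt
+dyvv3iMd0ozSKFFO0OoQgj/eqxgzxLak1iMhwgWQdqN/MH0wHwYDVR0jBBgwFoAU
+77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFHr4X6cwefOOMFrU6d0bOrKs
+n0p/MA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDtwm/OO+yMHvmvxQVt9f+slS+Zioqc
+AbPeeg5HMnrS3ZSoin+++8DJgY0q1A7DGwjq9KQAZ+jXYYD42B4zKoKqvvW5Kgq5
+fk0r67VBa7RCBPhrSmRWSRK01UTE9jIaAEQt2bQN+MyGgL/fyFnVB+pRNgA=
+-----END CERTIFICATE-----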
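Review bot: Decoding the DER, this certificate appears to carry only a subject CN of `srv01.uniworx.de` and no subjectAltName extension, while `vidhar.crt` added in the same commit does include a SAN (L223–L224) listing its reachable names. If pgbackrest's server-name check follows modern OpenSSL behaviour and only consults the SAN, vidhar's connection to `pg1-host = "srv01.uniworx.de"` would fail verification even though the CA chain is valid, so the certificate should be reissued with `subjectAltName = DNS:srv01.uniworx.de` to match the others. The validity also appears to run from 2023-03-20 to 2033-03-20, a ten-year leaf lifetime that matches `vidhar.crt`; if that is the CA's policy, a short `README` or comment in the `ca/` directory stating it and the rotation expectation would help the next operator.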
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.crt b/hosts/vidhar/pgbackrest/ca/surtr.crt
new file mode 100644
index 00000000..68c87a00
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.crt
@@ -0,0 +1,13 @@
1-----BEGIN CERTIFICATE-----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13-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.key b/hosts/vidhar/pgbackrest/ca/surtr.key
new file mode 100644
index 00000000..fba5af94
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:njpzC4SmemRUBYWPCli0JHwoH/LDbepxcfomTc3yfneO29CD37bb5BLtcoQHOFbHBC4V3NggO733KLMAzkn7cot5zRcYDbJTd9qdoIiuvC/IDd0yrdk1ZahsyXFzm2e1xcHgnC7XJ9Dphd6Bsv2Zx1K5f8KXHY8=,iv:z8W9oXsv+m4dtEnc7Xa57jZfRCbmfR1nFOrCkuDIftE=,tag:d7VFFsIId2M3tEjor3a4NA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdEhqTXg3dG9WMUFNUXM2\nQ3dWbng0cGNFazVRY21qTWUzajZDRHVuWGtrCjlZaXlMUGJvZ25mMXNvZVlMamFm\nSkE2TjU5UjNKL0k4b0dXeTZ4TFpneEEKLS0tIC9VTndTNHZkaFZIT2lSdzFQWXJu\nU2MvS3BxSXF1K2VUbmh6UytWbXl5YkEKZRdPZDT4SSbXnujmDYtjDGymfm+0hrG+\nrSoaEIXxtfTDh73NSvtIdcGYvxK9Ub/XhsKc+ZUv70a/ISVx+4nBTQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2023-03-20T11:54:11Z",
15 "mac": "ENC[AES256_GCM,data:a0Fxd5DGdf/U+xVKEAWWTcfRjOGraNGJW5SqKQC3Pwp9n7dYZT4SYYt1nGV2GhJta45B/QClexFcNRHOyLZqoeTtEUSxk39UejLsP4DeNAheUuZjyMgj0dRbPyfptEIJVuw5RwJz9zCmxtbfke9limmswya1YShd7uXTg3qXLTk=,iv:+rKP0mS+t3Xyqi5MimNlAqgRuBx/VC4jepP02Hq8vwg=,tag:goIwbvskjgK1tQ4R7BMnRg==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-03-20T11:54:10Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAX+wqYxyHaTy1LFShNNUtFgppJObtd1mVVFafpNT3qAAw\nt9XzxiOzsI0tLkHImCtXAqtbLgyxXXIfASG7K4aYmzBfwmI4pi14Z+hu/eKLuQhl\n0l4B+upjcYU3wdRFCjpEn5WADsHn8nZ50E9+iECNOodLs67o6iWaEpfCJvyUf1Qp\nzOKrhdJL87UJgO31w2OdkUj4s9NwYU9cYLMl68aXOQMduJgVKgPmyx4PnQHRJ60m\n=ULUa\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
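Review bot: The recipient set is correct for a per-host key: line 10 encrypts to `age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq`, which is `&machine_surtr` in the removed `.sops.yaml` (L29), plus the admin PGP fingerprint, and `vidhar.key` is in turn scoped to vidhar's machine key only (L244), so neither host can decrypt the other's TLS identity. What is not visible is the creation rule that produced this: the old `.sops.yaml` rule for `hosts/vidhar/(prometheus|pgbackrest)/ca/` (old lines 28–30) encrypted to PGP only, and this commit as rendered deletes `.sops.yaml` without showing its replacement. Confirm the new rules match `surtr.key` and `vidhar.key` to their host's age key by file name; otherwise a later `sops updatekeys` would silently re-encrypt both under whatever generic rule covers the directory.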
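diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.crt b/hosts/vidhar/pgbackrest/ca/vidhar.crt
new file mode 100644
index 00000000..ae19aeb9
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAWegAwIBAgIPQAAAAGQYScgWpuQT5StRMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUwMTVaFw0zMzAzMjAx
+MTU1MTVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDT
+mn6hoycEGEO5XFZAB36MZR9om3+LRLtLmXl+zdW3AqOBvTCBujAfBgNVHSMEGDAW
+gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUn8LxcubPh60X8yX64X4G
+tg9voegwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdEQQ0MDKCE3ZpZGhhci55Z2dkcmFzaWwu
+bGmCG3BnYmFja3Jlc3QudmlkaGFyLnlnZ2RyYXNpbDAFBgMrZXEDcwDRRSlz+0Ab
+bXNIhZizqXZZoEcrMObeCVj7OpYX8UtGhx0pqA2PGMRFoaeFnzIT0rfQqjzFlbiX
+5oDSW5RQbu2mhR8wpwQVWaQRMEcHoAJXLE23GvQJyHSM7fV3DpkPD3W8Zm+Rwzra
+NY9tiz2XqpXYCgA=
+-----END CERTIFICATE-----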
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.key b/hosts/vidhar/pgbackrest/ca/vidhar.key
new file mode 100644
index 00000000..f63f523f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:q2IvDnv0pJSsE77Rf4Jg9+OCYZEEOsteZy9nn1/WqEiyx3z3LMLE3+F9Rka7PUNachG6ZrDo21Et8DHsvqrr7tbCIH0ha/3cRTwXfzdgvJ/PmkMXTmG01Juc9JKqjf42oo23AErMXVji/4D293Bc6SZjtkQCj/w=,iv:5H5Wi1hv7u1O2YhPsB9wxrFvi2Zy+U1Z06sAk4MwNnA=,tag:HspX+dYLJ15xJRHBobv1PA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQUNZQ2R0M3NlTjQ3d1ZG\nVWh0QXBtU3MzZDIrOTI4NUgrdkFTdmRuZ0JnCks1WWo4eFNuV1VKOUprUzcxYUdG\nTlFsQm8weWk1SzRUY3d6bElLVStJNncKLS0tIFdsVENmYlFnYVVlMllySC9zcS9E\nbnc5MjV5eGF1TVppbXRMVExNNHM1RDAKUEkoOo8Xedtg5F4PReXhTHWmaEtJm/q/\n5v8otv3CMtZsSaCzdNuYxF5Wr6qfYG6rjigX92M2vJ4E2hcyluAqtQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2023-03-20T11:55:15Z",
15 "mac": "ENC[AES256_GCM,data:hrjyc62poTD8CviGxhPrmOng/AtBV4wNTGOPibrUj3zfphW9S2dEctdfeQr8VWvF4scYk9Nodw9ijyrSR33NjL8Qes5aOnLHnMZgZ32ecaSCyt7pBTmvAiqwdCy1zY7M/jWSREOjkfsjzvf0hInKmX4qQ8E/PGiUFR6f0DCJUqY=,iv:bewcBberJWtc6ghwL037BLsbbQPJnBosqw+zrWDbChY=,tag:btwOB0+OTAo4qdNXapvHXA==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-03-20T11:55:15Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAa9uU7TZpS6E1pQaFJI22TNHOeXZRgo+mUvT/aiCep2sw\nRRYY6xD95AgVIGCiq+V+8tVfDZavzi0AragttwL/gUKVky2x76XQPdmd+EjWU45E\n0l4BfaIQTddySkWGUDiLorMzfJ7cfelY6EUZZwm8CM+rIOK9ygc6lggybU3QVPCL\n/ZP4+vpuVt/KRNLgbEESmA0iSZ1BtMqnlhPA1bg9MnAeuK3/z/jRQN2S56IPIxmX\n=tDR1\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index 49644e51..ebee2cd0 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -18,7 +18,7 @@ in {
18 pg1-host-type = "tls"; 18 pg1-host-type = "tls";
19 pg1-host = "pgbackrest.surtr.yggdrasil"; 19 pg1-host = "pgbackrest.surtr.yggdrasil";
20 pg1-host-ca-file = toString ./ca/ca.crt; 20 pg1-host-ca-file = toString ./ca/ca.crt;
21 pg1-host-cert-file = toString ./tls.crt; 21 pg1-host-cert-file = toString ./ca/vidhar.crt;
22 pg1-host-key-file = config.sops.secrets."pgbackrest.key".path; 22 pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
23 inherit (surtrRepoCfg) pg1-path; 23 inherit (surtrRepoCfg) pg1-path;
24 24
@@ -37,6 +37,20 @@ in {
37 repo2-retention-archive = 7; 37 repo2-retention-archive = 7;
38 }; 38 };
39 39
40 "srv01.uniworx.de" = {
41 pg1-host-type = "tls";
42 pg1-host = "srv01.uniworx.de";
43 pg1-host-ca-file = toString ./ca/ca.crt;
44 pg1-host-cert-file = toString ./ca/srv01.uniworx.de.crt;
45 pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
46 pg1-path = "/var/lib/postgresql/15";
47
48 repo2-path = "/var/lib/pgbackrest";
49 repo2-retention-full-type = "time";
50 repo2-retention-full = 14;
51 repo2-retention-archive = 7;
52 };
53
40 "global" = { 54 "global" = {
41 compress-type = "zst"; 55 compress-type = "zst";
42 compress-level = 9; 56 compress-level = 9;
@@ -46,9 +60,9 @@ in {
46 }; 60 };
47 61
48 "global:server" = { 62 "global:server" = {
49 tls-server-address = "2a03:4000:52:ada:1:1::"; 63 tls-server-address = "2a03:4000:52:ada:4:1::";
50 tls-server-ca-file = toString ./ca/ca.crt; 64 tls-server-ca-file = toString ./ca/ca.crt;
51 tls-server-cert-file = toString ./tls.crt; 65 tls-server-cert-file = toString ./ca/vidhar.crt;
52 tls-server-key-file = config.sops.secrets."pgbackrest.key".path; 66 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
53 tls-server-auth = ["surtr.yggdrasil=surtr"]; 67 tls-server-auth = ["surtr.yggdrasil=surtr"];
54 }; 68 };
@@ -92,7 +106,7 @@ in {
92 106
93 sops.secrets."pgbackrest.key" = { 107 sops.secrets."pgbackrest.key" = {
94 format = "binary"; 108 format = "binary";
95 sopsFile = ./tls.key; 109 sopsFile = ./ca/vidhar.key;
96 owner = "pgbackrest"; 110 owner = "pgbackrest";
97 group = "pgbackrest"; 111 group = "pgbackrest";
98 mode = "0400"; 112 mode = "0400";
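Review bot: Line 44 (new side) of the added `srv01.uniworx.de` stanza presents `./ca/srv01.uniworx.de.crt` as the client certificate while line 45 pairs it with `config.sops.secrets."pgbackrest.key"`, which line 109 resolves to `./ca/vidhar.key`; the surtr stanza on line 21 pairs that same key with `./ca/vidhar.crt`. The two certificates appear to carry different public keys (L163–L164 vs L219–L220), so unless srv01.uniworx.de.crt was issued for vidhar's key the handshake to srv01 will fail on a certificate/key mismatch; the likely fix is `pg1-host-cert-file = toString ./ca/vidhar.crt;`, leaving `srv01.uniworx.de.crt` as the server certificate to be installed on srv01 together with its git-ignored key. The hard-coded `pg1-path = "/var/lib/postgresql/15"` and `repo2-path` also differ in style from the surtr stanza's `inherit (surtrRepoCfg) pg1-path`; a one-line comment above line 40 such as `# srv01 is not managed from this flake, so its paths are fixed here` would explain both. The enclosing attribute set starts and ends outside the hunks.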
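diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
deleted file mode 100644
index e807d423..00000000
--- a/hosts/vidhar/pgbackrest/tls.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
-DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
-NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
-Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
-gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
-YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
-LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
-h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
-1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
------END CERTIFICATE-----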
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
deleted file mode 100644
index 9218b7b0..00000000
--- a/hosts/vidhar/pgbackrest/tls.key
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcmNKbVA3VnB1eHZVcm9u\nWTFMRTlGdDRWM01TYUNmK3lUU3hIYmx4Q0VzCk81RFVWYWx1ZFYwVW5sRW93WWRU\nVVJmSWpmcnM5QjlFczloMjBBRE80OFEKLS0tIEVDdEN4Q2E2bDNuMDQ4Q2s3WnF3\nVW84b0JKZ0xGdzVZd2NQOGgrMEpOczAKoorQ99mTL66IEp2Ckl+lYirbKd6NPh6Z\nJ7Ygv2BIKhHsgEhx4sWrakapEUeze88hDd+9oaofZvENx5xPgCzBCA==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2022-11-21T14:21:06Z",
15 "mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T11:02:25Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAraO/4uAAKwQ6+Cs83SuApQ4xbR5QcTp2zlVWzoxoD1Aw\n+67QzvTMmAr9tayCv/HjYJvnjT7vQfIHaRFr/ewXh37B05jfPUFe17hdlT8lUi7Q\n0l4B+WTgJH+d0pUaCo3RedCEFR+pbemaDFIosA6z//cpbM4nNc6sI32BUBw7eQC1\neVjR6n2iNiYNPsk6vgrKnF1/TBGnNAjap/eJi0Ro5J0ng/BFu4SFeEAvMocrDkJ9\n=isPu\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file