Diffstat (limited to 'hosts/vidhar/pgbackrest/default.nix')
| -rw-r--r-- | hosts/vidhar/pgbackrest/default.nix | 101 |
1 files changed, 101 insertions, 0 deletions
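--- /dev/null
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
+{ config, flake, ... }:
+
+let
+surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
+in {
+config = {
+services.pgbackrest = {
+enable = true;
+tlsServer = {
+enable = true;
+
+user = "pgbackrest";
+group = "pgbackrest";
+};
+
+settings = {
+"surtr" = {
+pg1-host-type = "tls";
+pg1-host = "pgbackrest.surtr.yggdrasil";
+pg1-host-ca-file = toString ./ca/ca.crt;
+pg1-host-cert-file = toString ./tls.crt;
+pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+inherit (surtrRepoCfg) pg1-path;
+
+# repo1-host-type = "tls";
+# repo1-host = "pgbackrest.surtr.yggdrasil";
+# repo1-host-ca-file = toString ./ca/ca.crt;
+# repo1-host-cert-file = toString ./tls.crt;
+# repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+# repo1-retention-full-type = "time";
+# repo1-retention-full = 7;
+# repo1-retention-archive = 2;
+
+repo2-path = "/var/lib/pgbackrest";
+repo2-retention-full-type = "time";
+repo2-retention-full = 14;
+repo2-retention-archive = 7;
+};
+
+"global" = {
+compress-type = "zst";
+compress-level = 9;
+
+archive-async = true;
+spool-path = "/var/spool/pgbackrest";
+};
+
+"global:server" = {
+tls-server-address = "2a03:4000:52:ada:1:1::";
+tls-server-ca-file = toString ./ca/ca.crt;
+tls-server-cert-file = toString ./tls.crt;
+tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
+tls-server-auth = ["surtr.yggdrasil=surtr"];
+};
+
+"global:archive-push" = {
+process-max = 6;
+};
+"global:archive-get" = {
+process-max = 6;
+};
+};
+
+backups."surtr-daily" = {
+stanza = "surtr";
+repo = "2";
+user = "pgbackrest";
+group = "pgbackrest";
+timerConfig.OnCalendar = "daily Europe/Berlin";
+};
+};
+
+systemd.tmpfiles.rules = [
+"d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+"d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+];
+
+users = {
+users.pgbackrest = {
+name = "pgbackrest";
+group = "pgbackrest";
+isSystemUser = true;
+home = "/var/lib/pgbackrest";
+};
+groups.pgbackrest = {};
+};
+
+systemd.services."pgbackrest-tls-server".serviceConfig = {
+StateDirectory = [ "pgbackrest" ];
+StateDirectoryMode = "0750";
+};
+
+sops.secrets."pgbackrest.key" = {
+format = "binary";
+sopsFile = ./tls.key;
+owner = "pgbackrest";
+group = "pgbackrest";
+mode = "0400";
+};
+};
+}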
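Review bot: The commented-out `repo1-*` block inside `settings."surtr"` (new-file lines 25–32) is eight lines of dead configuration with no indication of why a remote TLS repository was disabled, and it will drift silently as the live `repo2-*` settings change. Either delete it or replace it with a one-line comment such as `# repo1 (remote repo on surtr) intentionally not configured; only the local repo2 is backed up`. Separately, `/var/lib/pgbackrest` is created both by the `systemd.tmpfiles.rules` entry and by `StateDirectory = [ "pgbackrest" ]` on the tls-server unit with the same 0750 mode; if the backup service derived from `backups."surtr-daily"` does not get its own `StateDirectory` the tmpfiles rule may be what actually guarantees the directory, so a short comment on the tmpfiles rule stating which consumer it exists for would make the apparent duplication deliberate rather than accidental.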
