diff options
Diffstat (limited to 'hosts/vidhar/pgbackrest')
| -rw-r--r-- | hosts/vidhar/pgbackrest/ca/.gitignore | 3 | ||||
| -rw-r--r-- | hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt | 11 | ||||
| -rw-r--r-- | hosts/vidhar/pgbackrest/default.nix | 30 | 
3 files changed, 42 insertions, 2 deletions
| diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore index aa000280..11adcd4d 100644 --- a/hosts/vidhar/pgbackrest/ca/.gitignore +++ b/hosts/vidhar/pgbackrest/ca/.gitignore | |||
| @@ -1 +1,2 @@ | |||
| 1 | srv01.uniworx.de.key \ No newline at end of file | 1 | srv01.uniworx.de.key | 
| 2 | srv02.uniworx.de.key | ||
| diff --git a/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt new file mode 100644 index 00000000..e083c867 --- /dev/null +++ b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | -----BEGIN CERTIFICATE----- | ||
| 2 | MIIBqDCCASigAwIBAgIPQAAAAGUZo5s1jqHzUfQfMAUGAytlcTAfMR0wGwYDVQQD | ||
| 3 | DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzEwMDExNjQ2MDJaFw0zMzEwMDEx | ||
| 4 | NjUxMDJaMBsxGTAXBgNVBAMMEHNydjAyLnVuaXdvcnguZGUwKjAFBgMrZXADIQDv | ||
| 5 | TvJV+mY48X0v2H/Vf36C9pql6Ob4dC+4IFPeiKKVBqN/MH0wHwYDVR0jBBgwFoAU | ||
| 6 | 77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFPkCU142blj3GWjKotoQuew7 | ||
| 7 | R2+fMA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG | ||
| 8 | AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDfi8qRpcJ8B/9gGpEC8bfz93QgHDX1 | ||
| 9 | 25wiTcRI4VDO9XStL2Md9IRsbYtzqR2Rs9Vl2KFDLHG3QwD3bE7jeobJoLqtBcXC | ||
| 10 | JhzOxbsoUn7YG7RR6yW13sOGsj+ccnguN+hnwX5CDCjsOOT5TXgKQ5C7GwA= | ||
| 11 | -----END CERTIFICATE----- | ||
| diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix index 899b0e0f..0f86ebe9 100644 --- a/hosts/vidhar/pgbackrest/default.nix +++ b/hosts/vidhar/pgbackrest/default.nix | |||
| @@ -4,6 +4,12 @@ let | |||
| 4 | surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr; | 4 | surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr; | 
| 5 | in { | 5 | in { | 
| 6 | config = { | 6 | config = { | 
| 7 | assertions = [ | ||
| 8 | (let | ||
| 9 | inherit (config.services.pgbackrest.package) version; | ||
| 10 | in { assertion = version == "2.45"; message = "Presumably incompatible pgBackRest version: ${version}"; }) | ||
| 11 | ]; | ||
| 12 | |||
| 7 | services.pgbackrest = { | 13 | services.pgbackrest = { | 
| 8 | enable = true; | 14 | enable = true; | 
| 9 | package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest; | 15 | package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest; | 
| @@ -54,6 +60,20 @@ in { | |||
| 54 | repo2-retention-archive = 7; | 60 | repo2-retention-archive = 7; | 
| 55 | }; | 61 | }; | 
| 56 | 62 | ||
| 63 | "srv02.uniworx.de" = { | ||
| 64 | pg1-host-type = "tls"; | ||
| 65 | pg1-host = "srv02.uniworx.de"; | ||
| 66 | pg1-host-ca-file = toString ./ca/ca.crt; | ||
| 67 | pg1-host-cert-file = toString ./ca/vidhar.crt; | ||
| 68 | pg1-host-key-file = config.sops.secrets."pgbackrest.key".path; | ||
| 69 | pg1-path = "/var/lib/postgresql/15"; | ||
| 70 | |||
| 71 | repo2-path = "/var/lib/pgbackrest"; | ||
| 72 | repo2-retention-full-type = "time"; | ||
| 73 | repo2-retention-full = 14; | ||
| 74 | repo2-retention-archive = 7; | ||
| 75 | }; | ||
| 76 | |||
| 57 | "global" = { | 77 | "global" = { | 
| 58 | compress-type = "zst"; | 78 | compress-type = "zst"; | 
| 59 | compress-level = 9; | 79 | compress-level = 9; | 
| @@ -67,7 +87,7 @@ in { | |||
| 67 | tls-server-ca-file = toString ./ca/ca.crt; | 87 | tls-server-ca-file = toString ./ca/ca.crt; | 
| 68 | tls-server-cert-file = toString ./ca/vidhar.crt; | 88 | tls-server-cert-file = toString ./ca/vidhar.crt; | 
| 69 | tls-server-key-file = config.sops.secrets."pgbackrest.key".path; | 89 | tls-server-key-file = config.sops.secrets."pgbackrest.key".path; | 
| 70 | tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de"]; | 90 | tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" "srv02.uniworx.de=srv02.uniworx.de"]; | 
| 71 | }; | 91 | }; | 
| 72 | 92 | ||
| 73 | "global:archive-push" = { | 93 | "global:archive-push" = { | 
| @@ -93,6 +113,14 @@ in { | |||
| 93 | group = "pgbackrest"; | 113 | group = "pgbackrest"; | 
| 94 | timerConfig.OnCalendar = "daily Europe/Berlin"; | 114 | timerConfig.OnCalendar = "daily Europe/Berlin"; | 
| 95 | }; | 115 | }; | 
| 116 | |||
| 117 | backups."srv02.uniworx.de-daily" = { | ||
| 118 | stanza = "srv02.uniworx.de"; | ||
| 119 | repo = "2"; | ||
| 120 | user = "pgbackrest"; | ||
| 121 | group = "pgbackrest"; | ||
| 122 | timerConfig.OnCalendar = "daily Europe/Berlin"; | ||
| 123 | }; | ||
| 96 | }; | 124 | }; | 
| 97 | 125 | ||
| 98 | systemd.tmpfiles.rules = [ | 126 | systemd.tmpfiles.rules = [ | 
