Diffstat (limited to 'hosts/vidhar/pgbackrest')
-rw-r--r--hosts/vidhar/pgbackrest/ca/.gitignore1
-rw-r--r--hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt11
-rw-r--r--hosts/vidhar/pgbackrest/ca/surtr.crt13
-rw-r--r--hosts/vidhar/pgbackrest/ca/surtr.key26
-rw-r--r--hosts/vidhar/pgbackrest/ca/vidhar.crt13
-rw-r--r--hosts/vidhar/pgbackrest/ca/vidhar.key26
-rw-r--r--hosts/vidhar/pgbackrest/default.nix22
-rw-r--r--hosts/vidhar/pgbackrest/tls.crt12
-rw-r--r--hosts/vidhar/pgbackrest/tls.key26
9 files changed, 108 insertions, 42 deletions
diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
new file mode 100644
index 00000000..aa000280
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -0,0 +1 @@
srv01.uniworx.de.key \ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
new file mode 100644
index 00000000..30fde613
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----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=
11-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.crt b/hosts/vidhar/pgbackrest/ca/surtr.crt
new file mode 100644
index 00000000..68c87a00
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.crt
@@ -0,0 +1,13 @@
1-----BEGIN CERTIFICATE-----
2MIICAzCCAYOgAwIBAgIPQAAAAGQYSfwSfBJj7b7QMAUGAytlcTAfMR0wGwYDVQQD
3DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUxMDdaFw0zMzAzMjAx
4MTU2MDdaMBoxGDAWBgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhANLe
59LEKiZEOIuxMwDxB2nDda7MlNHY81fDsyBOJ9FCNo4HaMIHXMB8GA1UdIwQYMBaA
6FO+/yfEkwcLr+vNPIsyCW86UwJ3aMB0GA1UdDgQWBBSxBMEOYYuWhuLSHVsMv8JA
7GNAKqDAOBgNVHQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
8BgEFBQcDAQYIKwYBBQUHAwIwWAYDVR0RBFEwT4IdcGdiYWNrcmVzdC5zdXJ0ci55
9Z2dkcmFzaWwubGmCGnBnYmFja3Jlc3Quc3VydHIueWdnZHJhc2lsghJzdXJ0ci55
10Z2dkcmFzaWwubGkwBQYDK2VxA3MAy8wcBmyFeMUMuE7Bkm+3wNWwXcHXyqMMLFi7
11yyB3KrzyyIXPmv6wD/ntUpv/FlRj6DbDSqd+G7MA81T1eea2KDBEkGKp/AKtBCYh
12vfU2W46HqlPhlOZqwoxysnqoDyBFnwG0GIoV4sosUjmx7ufpMCMA
13-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.key b/hosts/vidhar/pgbackrest/ca/surtr.key
new file mode 100644
index 00000000..fba5af94
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:njpzC4SmemRUBYWPCli0JHwoH/LDbepxcfomTc3yfneO29CD37bb5BLtcoQHOFbHBC4V3NggO733KLMAzkn7cot5zRcYDbJTd9qdoIiuvC/IDd0yrdk1ZahsyXFzm2e1xcHgnC7XJ9Dphd6Bsv2Zx1K5f8KXHY8=,iv:z8W9oXsv+m4dtEnc7Xa57jZfRCbmfR1nFOrCkuDIftE=,tag:d7VFFsIId2M3tEjor3a4NA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdEhqTXg3dG9WMUFNUXM2\nQ3dWbng0cGNFazVRY21qTWUzajZDRHVuWGtrCjlZaXlMUGJvZ25mMXNvZVlMamFm\nSkE2TjU5UjNKL0k4b0dXeTZ4TFpneEEKLS0tIC9VTndTNHZkaFZIT2lSdzFQWXJu\nU2MvS3BxSXF1K2VUbmh6UytWbXl5YkEKZRdPZDT4SSbXnujmDYtjDGymfm+0hrG+\nrSoaEIXxtfTDh73NSvtIdcGYvxK9Ub/XhsKc+ZUv70a/ISVx+4nBTQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2023-03-20T11:54:11Z",
15 "mac": "ENC[AES256_GCM,data:a0Fxd5DGdf/U+xVKEAWWTcfRjOGraNGJW5SqKQC3Pwp9n7dYZT4SYYt1nGV2GhJta45B/QClexFcNRHOyLZqoeTtEUSxk39UejLsP4DeNAheUuZjyMgj0dRbPyfptEIJVuw5RwJz9zCmxtbfke9limmswya1YShd7uXTg3qXLTk=,iv:+rKP0mS+t3Xyqi5MimNlAqgRuBx/VC4jepP02Hq8vwg=,tag:goIwbvskjgK1tQ4R7BMnRg==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-03-20T11:54:10Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAX+wqYxyHaTy1LFShNNUtFgppJObtd1mVVFafpNT3qAAw\nt9XzxiOzsI0tLkHImCtXAqtbLgyxXXIfASG7K4aYmzBfwmI4pi14Z+hu/eKLuQhl\n0l4B+upjcYU3wdRFCjpEn5WADsHn8nZ50E9+iECNOodLs67o6iWaEpfCJvyUf1Qp\nzOKrhdJL87UJgO31w2OdkUj4s9NwYU9cYLMl68aXOQMduJgVKgPmyx4PnQHRJ60m\n=ULUa\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.crt b/hosts/vidhar/pgbackrest/ca/vidhar.crt
new file mode 100644
index 00000000..ae19aeb9
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.crt
@@ -0,0 +1,13 @@
1-----BEGIN CERTIFICATE-----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13-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.key b/hosts/vidhar/pgbackrest/ca/vidhar.key
new file mode 100644
index 00000000..f63f523f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.key
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:q2IvDnv0pJSsE77Rf4Jg9+OCYZEEOsteZy9nn1/WqEiyx3z3LMLE3+F9Rka7PUNachG6ZrDo21Et8DHsvqrr7tbCIH0ha/3cRTwXfzdgvJ/PmkMXTmG01Juc9JKqjf42oo23AErMXVji/4D293Bc6SZjtkQCj/w=,iv:5H5Wi1hv7u1O2YhPsB9wxrFvi2Zy+U1Z06sAk4MwNnA=,tag:HspX+dYLJ15xJRHBobv1PA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQUNZQ2R0M3NlTjQ3d1ZG\nVWh0QXBtU3MzZDIrOTI4NUgrdkFTdmRuZ0JnCks1WWo4eFNuV1VKOUprUzcxYUdG\nTlFsQm8weWk1SzRUY3d6bElLVStJNncKLS0tIFdsVENmYlFnYVVlMllySC9zcS9E\nbnc5MjV5eGF1TVppbXRMVExNNHM1RDAKUEkoOo8Xedtg5F4PReXhTHWmaEtJm/q/\n5v8otv3CMtZsSaCzdNuYxF5Wr6qfYG6rjigX92M2vJ4E2hcyluAqtQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2023-03-20T11:55:15Z",
15 "mac": "ENC[AES256_GCM,data:hrjyc62poTD8CviGxhPrmOng/AtBV4wNTGOPibrUj3zfphW9S2dEctdfeQr8VWvF4scYk9Nodw9ijyrSR33NjL8Qes5aOnLHnMZgZ32ecaSCyt7pBTmvAiqwdCy1zY7M/jWSREOjkfsjzvf0hInKmX4qQ8E/PGiUFR6f0DCJUqY=,iv:bewcBberJWtc6ghwL037BLsbbQPJnBosqw+zrWDbChY=,tag:btwOB0+OTAo4qdNXapvHXA==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-03-20T11:55:15Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAa9uU7TZpS6E1pQaFJI22TNHOeXZRgo+mUvT/aiCep2sw\nRRYY6xD95AgVIGCiq+V+8tVfDZavzi0AragttwL/gUKVky2x76XQPdmd+EjWU45E\n0l4BfaIQTddySkWGUDiLorMzfJ7cfelY6EUZZwm8CM+rIOK9ygc6lggybU3QVPCL\n/ZP4+vpuVt/KRNLgbEESmA0iSZ1BtMqnlhPA1bg9MnAeuK3/z/jRQN2S56IPIxmX\n=tDR1\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index 49644e51..ebee2cd0 100644
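--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -18,7 +18,7 @@ in {
 pg1-host-type = "tls";
 pg1-host = "pgbackrest.surtr.yggdrasil";
 pg1-host-ca-file = toString ./ca/ca.crt;
-pg1-host-cert-file = toString ./tls.crt;
+pg1-host-cert-file = toString ./ca/vidhar.crt;
 pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
 inherit (surtrRepoCfg) pg1-path;
 
@@ -37,6 +37,20 @@ in {
 repo2-retention-archive = 7;
 };
 
+"srv01.uniworx.de" = {
+pg1-host-type = "tls";
+pg1-host = "srv01.uniworx.de";
+pg1-host-ca-file = toString ./ca/ca.crt;
+pg1-host-cert-file = toString ./ca/srv01.uniworx.de.crt;
+pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+pg1-path = "/var/lib/postgresql/15";
+
+repo2-path = "/var/lib/pgbackrest";
+repo2-retention-full-type = "time";
+repo2-retention-full = 14;
+repo2-retention-archive = 7;
+};
+
 "global" = {
 compress-type = "zst";
 compress-level = 9;
@@ -46,9 +60,9 @@ in {
 };
 
 "global:server" = {
-tls-server-address = "2a03:4000:52:ada:1:1::";
+tls-server-address = "2a03:4000:52:ada:4:1::";
 tls-server-ca-file = toString ./ca/ca.crt;
-tls-server-cert-file = toString ./tls.crt;
+tls-server-cert-file = toString ./ca/vidhar.crt;
 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
 tls-server-auth = ["surtr.yggdrasil=surtr"];
 };
@@ -92,7 +106,7 @@ in {
 
 sops.secrets."pgbackrest.key" = {
 format = "binary";
-sopsFile = ./tls.key;
+sopsFile = ./ca/vidhar.key;
 owner = "pgbackrest";
 group = "pgbackrest";
 mode = "0400";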
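Review bot: In the new `srv01.uniworx.de` stanza, `pg1-host-cert-file` points at `./ca/srv01.uniworx.de.crt` while `pg1-host-key-file` is still the `pgbackrest.key` secret, which this same commit re-sources from `./ca/vidhar.key`. If that certificate was issued for srv01's own key (the new `.gitignore` entry for `srv01.uniworx.de.key` suggests so), the client certificate and private key will not match and the mutual-TLS connection to srv01 should fail. The surtr stanza presents `./ca/vidhar.crt` with the same key, so `pg1-host-cert-file = toString ./ca/vidhar.crt;` looks like the intended value here. Separately, `tls-server-auth` still lists only `surtr.yggdrasil=surtr`, so if srv01 is meant to connect to this TLS server it will need its own, narrowly scoped entry. The enclosing attribute set starts and ends outside these hunks.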
diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
deleted file mode 100644
index e807d423..00000000
--- a/hosts/vidhar/pgbackrest/tls.crt
+++ /dev/null
@@ -1,12 +0,0 @@
1-----BEGIN CERTIFICATE-----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12-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
deleted file mode 100644
index 9218b7b0..00000000
--- a/hosts/vidhar/pgbackrest/tls.key
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcmNKbVA3VnB1eHZVcm9u\nWTFMRTlGdDRWM01TYUNmK3lUU3hIYmx4Q0VzCk81RFVWYWx1ZFYwVW5sRW93WWRU\nVVJmSWpmcnM5QjlFczloMjBBRE80OFEKLS0tIEVDdEN4Q2E2bDNuMDQ4Q2s3WnF3\nVW84b0JKZ0xGdzVZd2NQOGgrMEpOczAKoorQ99mTL66IEp2Ckl+lYirbKd6NPh6Z\nJ7Ygv2BIKhHsgEhx4sWrakapEUeze88hDd+9oaofZvENx5xPgCzBCA==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2022-11-21T14:21:06Z",
15 "mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T11:02:25Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAraO/4uAAKwQ6+Cs83SuApQ4xbR5QcTp2zlVWzoxoD1Aw\n+67QzvTMmAr9tayCv/HjYJvnjT7vQfIHaRFr/ewXh37B05jfPUFe17hdlT8lUi7Q\n0l4B+WTgJH+d0pUaCo3RedCEFR+pbemaDFIosA6z//cpbM4nNc6sI32BUBw7eQC1\neVjR6n2iNiYNPsk6vgrKnF1/TBGnNAjap/eJi0Ro5J0ng/BFu4SFeEAvMocrDkJ9\n=isPu\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3"
25 }
26} \ No newline at end of file