6 files changed, 62 insertions, 6 deletions

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 42a9e80d..b0797d8a 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 
 {
   imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix
     tmpfs-root zfs
     initrd-all-crypto-modules default-locale openssh rebuild-machines
     build-server
@@ -136,7 +136,7 @@ with lib;
       wantedBy = ["basic.target"];
       serviceConfig = {
         ExecStart = pkgs.writeShellScript "limit-pstate-start" ''
-          echo 60 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
+          echo 50 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
         '';
         RemainAfterExit = true;
         ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''
diff --git a/hosts/vidhar/immich.nix b/hosts/vidhar/immich.nix
new file mode 100644
index 00000000..a1f145a8
--- /dev/null
+++ b/hosts/vidhar/immich.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  config = {
+    services.immich = {
+      enable = true;
+      host = "2a03:4000:52:ada:4:1::";
+    };
+  };
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 9f519302..10fd4c51 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -1,4 +1,5 @@
 define icmp_protos = { ipv6-icmp, icmp, igmp }
+define bifrost_surtr = 2a03:4000:52:ada:4::/128
 
 table arp filter {
   limit lim_arp_local {
@@ -90,6 +91,7 @@ table inet filter {
   counter http-rx {}
   counter tftp-rx {}
   counter pgbackrest-rx {}
+  counter immich-rx {}
 
   counter established-rx {}
 
@@ -118,6 +120,7 @@ table inet filter {
   counter http-tx {}
   counter tftp-tx {}
   counter pgbackrest-tx {}
+  counter immich-tx {}
 
   counter tx {}
 
@@ -193,6 +196,8 @@ table inet filter {
 
     tcp dport 8432 counter name pgbackrest-rx accept
 
+    iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
+
     ct state { established, related } counter name established-rx accept
 
 
@@ -240,6 +245,8 @@ table inet filter {
 
     tcp sport 8432 counter name pgbackrest-tx accept
 
+    iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
+
 
     counter name tx
   }
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index ffb149f5..1e0828ce 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -130,8 +130,9 @@ in {
     };
 
     systemd.tmpfiles.rules = [
-      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
-      "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+      "d /var/lib/pgbackrest 0770 pgbackrest pgbackrest - -"
+      "d /var/spool/pgbackrest 0770 pgbackrest pgbackrest - -"
+      "d /tmp/pgbackrest 0770 pgbackrest pgbackrest - -"
     ];
 
     users = {
@@ -141,7 +142,9 @@ in {
         isSystemUser = true;
         home = "/var/lib/pgbackrest";
       };
-      groups.pgbackrest = {};
+      groups.pgbackrest = {
+        members = [ "postgres" ];
+      };
     };
 
     systemd.services."pgbackrest-tls-server".serviceConfig = {
diff --git a/hosts/vidhar/postgresql.nix b/hosts/vidhar/postgresql.nix
new file mode 100644
index 00000000..7e44e69f
--- /dev/null
+++ b/hosts/vidhar/postgresql.nix
@@ -0,0 +1,36 @@
+{ pkgs, config, flake, flakeInputs, ... }:
+
+let
+  nixpkgs-pgbackrest = import (flakeInputs.nixpkgs-pgbackrest.outPath + "/pkgs/top-level") {
+    overlays = [ flake.overlays.libdscp ];
+    localSystem = config.nixpkgs.system;
+  };
+in {
+  config = {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_15;
+    };
+
+    services.pgbackrest = {
+      settings."vidhar" = {
+        pg1-path = config.services.postgresql.dataDir;
+
+        repo1-path = "/var/lib/pgbackrest";
+        repo1-retention-full-type = "time";
+        repo1-retention-full = 14;
+        repo1-retention-archive = 7;
+      };
+
+      backups."vidhar-daily" = {
+        stanza = "vidhar";
+        repo = "1";
+        timerConfig.OnCalendar = "daily";
+      };
+    };
+
+    systemd.services.postgresql.serviceConfig = {
+      ReadWritePaths = [ "/var/spool/pgbackrest" "/var/lib/pgbackrest/archive/vidhar" ];
+    };
+  };
+}
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 518c3287..9d667fd6 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -34,7 +34,7 @@ with lib;
         };
 
       "/etc/zfs/zfs-list.cache" =
-        { device = "ssd-raid1/local/zfs-zfs--list.cache";
+        { device = "ssd-raid1/local/etc-zfs-zfs--list.cache";
           fsType = "zfs";
           neededForBoot = true;
         };