8 files changed, 183 insertions, 2 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index fc04d3f5..5c23dea2 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index 3d9d4d83..045e49f8 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
-  2022101601 ; serial
+  2022112101 ; serial
  300        ; refresh
  300        ; retry
  300        ; expire
@@ -16,8 +16,11 @@ sif		IN	AAAA	2a03:4000:52:ada:1:2::
 grafana.vidhar          IN      CNAME   vidhar.yggdrasil.
 prometheus.vidhar       IN      CNAME   vidhar.yggdrasil.
+pgbackrest.vidhar       IN      CNAME   vidhar.yggdrasil.
 nfsroot.vidhar          IN      CNAME   vidhar.lan.yggdrasil.
+pgbackrest.surtr        IN      CNAME   surtr.yggdrasil.
 vidhar.lan      IN      A       10.141.0.1
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 473f8a20..da3a9048 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -87,6 +87,7 @@ table inet filter {
  counter samba-rx {}
  counter http-rx {}
  counter tftp-rx {}
+  counter pgbackrest-rx {}
  counter established-rx {}
@@ -114,6 +115,7 @@ table inet filter {
  counter samba-tx {}
  counter http-tx {}
  counter tftp-tx {}
+  counter pgbackrest-tx {}
  counter tx {}
@@ -189,6 +191,8 @@ table inet filter {
    iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
+    iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
    ct state {established, related} counter name established-rx accept
@@ -235,6 +239,8 @@ table inet filter {
    udp sport 69 counter name tftp-tx accept
    udp dport 69 counter name tftp-tx accept
+    tcp sport 8432 counter name pgbackrest-tx accept
    counter name tx
  }
diff --git a/hosts/vidhar/pgbackrest/ca/ca.crt b/hosts/vidhar/pgbackrest/ca/ca.crt
new file mode 100644
index 00000000..6be81a1d
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAS6gAwIBAgIUXY4sW3OoefBUAZqzZIvlv284d64wBQYDK2VxMB8xHTAb
+BgNVBAMMFHBnYmFja3Jlc3QueWdnZHJhc2lsMB4XDTIyMTEyMTE0MTUzMloXDTMy
+MTEyMTE0MjAzMlowHzEdMBsGA1UEAwwUcGdiYWNrcmVzdC55Z2dkcmFzaWwwQzAF
+BgMrZXEDOgDeYXclDR4mFv4plX6mKS1j5VxF1bFgoQbAuqb/c7KMZe/RxNiiyp82
+ZCAfIaNMIFV3lMMc/j7VkICjYzBhMB8GA1UdIwQYMBaAFO+/yfEkwcLr+vNPIsyC
+W86UwJ3aMB0GA1UdDgQWBBTvv8nxJMHC6/rzTyLMglvOlMCd2jAOBgNVHQ8BAf8E
+BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCJifNBFrOgzYYnZtvR6jig
+OJp3JQRDCpIeFegO2Hnt8CN/y0dLsGI9OS9LsKq7/2NlHGUfqBpoPACQJcI+DDgd
+EZcU+ibTfJmYOu8E3ZbMnbuB22MS7+WPcqAy4Jq/P0C8Ifz83VubogwgcPlLLRiC
+FgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/ca.key b/hosts/vidhar/pgbackrest/ca/ca.key
new file mode 100644
index 00000000..4c92fb3f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/ca.key
@@ -0,0 +1,21 @@
+{
+        "data": "ENC[AES256_GCM,data:wSkqm/wM9f4HixP3obg6kA1d4cpNOMAnEsfNO5O47LKGZOpAmONTSqfVrLPoL3ZiLacYIuAYWk5hR/n0MkRinrHAmI/HHh/66G4LoIX2HZU2QmdsTJh4sVRbby8S/rfEVAlmJ10JYL2nZvyEt4JANmGC1WARXtR7eIGEU7Cv0SmAdXv9VsDYDxorupU4//gid7CpFj4cjS/5c2Y8,iv:Ix1Zg68ewK5QPqsWj+7Lxeete5AHPJHKWx+M4Z1M4Uk=,tag:aS2kAsTbmF1iYxwdvH528Q==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-11-21T14:20:32Z",
+                "mac": "ENC[AES256_GCM,data:9iFROHIjheIRb2dTR2VAyZLsM+z6RiPMQPV3qwgGvJfeSGEFWsv9Jg7lBhWAJvWKfEZVptClnGAMbUh2bGTkLbT1JOy10xJsVGk5FrUpPuYT3stJeynNKxfloeoF9WKSIdSLx3blO0bZzqyjmCxR2rJk8FtslWqJUEJsHtYhnyY=,iv:XJT56EroPUlWnWlPIp/vsJIzO3FxZAsZbf0knxXHvuw=,tag:k8zThN9xS6pHq+waAy/HQQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-11-21T14:20:31Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA0laIXY2D02+/42Fkyxp/H/4DRxpxKGdqoRfFv5LwhAQw\n3M7DZeg0b8rWgC9BL17w54PY1EekyMzW/IxyRTyV0ffYXmn1IJ9VuqMXMteP+i/A\n0lwBdJIPACe5A0IfAMwcguzAB9kwuIkMykvaE9OjtcR/HFF8VU86GoPM0Gc/kUNS\nPbABAy6OuxFZEvziiT56EJ+gbb7u1JlwIrX7zjVAKWeKxQQyFd2gLDIczlD6uw==\n=gmbw\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
new file mode 100644
index 00000000..49644e51
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
+{ config, flake, ... }:
+let
+  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
+in {
+  config = {
+    services.pgbackrest = {
+      enable = true;
+      tlsServer = {
+        enable = true;
+        user = "pgbackrest";
+        group = "pgbackrest";
+      };
+      settings = {
+        "surtr" = {
+          pg1-host-type = "tls";
+          pg1-host = "pgbackrest.surtr.yggdrasil";
+          pg1-host-ca-file = toString ./ca/ca.crt;
+          pg1-host-cert-file = toString ./tls.crt;
+          pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+          inherit (surtrRepoCfg) pg1-path;
+          # repo1-host-type = "tls";
+          # repo1-host = "pgbackrest.surtr.yggdrasil";
+          # repo1-host-ca-file = toString ./ca/ca.crt;
+          # repo1-host-cert-file = toString ./tls.crt;
+          # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+          # repo1-retention-full-type = "time";
+          # repo1-retention-full = 7;
+          # repo1-retention-archive = 2;
+          repo2-path = "/var/lib/pgbackrest";
+          repo2-retention-full-type = "time";
+          repo2-retention-full = 14;
+          repo2-retention-archive = 7;
+        };
+        "global" = {
+          compress-type = "zst";
+          compress-level = 9;
+          archive-async = true;
+          spool-path = "/var/spool/pgbackrest";
+        };
+        "global:server" = {
+          tls-server-address = "2a03:4000:52:ada:1:1::";
+          tls-server-ca-file = toString ./ca/ca.crt;
+          tls-server-cert-file = toString ./tls.crt;
+          tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
+          tls-server-auth = ["surtr.yggdrasil=surtr"];
+        };
+        "global:archive-push" = {
+          process-max = 6;
+        };
+        "global:archive-get" = {
+          process-max = 6;
+        };
+      };
+      backups."surtr-daily" = {
+        stanza = "surtr";
+        repo = "2";
+        user = "pgbackrest";
+        group = "pgbackrest";
+        timerConfig.OnCalendar = "daily Europe/Berlin";
+      };
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+      "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+    ];
+    users = {
+      users.pgbackrest = {
+        name = "pgbackrest";
+        group = "pgbackrest";
+        isSystemUser = true;
+        home = "/var/lib/pgbackrest";
+      };
+      groups.pgbackrest = {};
+    };
+    systemd.services."pgbackrest-tls-server".serviceConfig = {
+      StateDirectory = [ "pgbackrest" ];
+      StateDirectoryMode = "0750";
+    };
+    sops.secrets."pgbackrest.key" = {
+      format = "binary";
+      sopsFile = ./tls.key;
+      owner = "pgbackrest";
+      group = "pgbackrest";
+      mode = "0400";
+    };
+  };
+}
diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
new file mode 100644
index 00000000..e807d423
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/tls.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
+NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
+Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
+gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
+YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
+LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
+h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
+1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
new file mode 100644
index 00000000..6ab308ac
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/tls.key
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-11-21T14:21:06Z",
+                "mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-11-21T14:21:06Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdARaz8S4iFbM7+9cUv/WGQDsbnv51AKznQzs3W31w4Cy0w\nh3UzddwF0lH57GYBnVN6S8h5zEjbtz6tRHVsim6ltnVGmsT+t+fmEbASoPF0mvmc\n0lwB9JoMB9l32cFeCQ6Y1Hxryvu/FeL+iXe+7zouKpW67HQ235+Zx5481xxOg1fy\nwmDb+iZ9R+iNO5twraf1BOG+3y8yrJpZV7SZq4H958Kk35QnHlRiPqDfkx9NEg==\n=GAV2\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        },
+                        {
+                                "created_at": "2022-11-21T14:21:06Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAgjL9+LcR5m5vHngB9DWE2zfkjsQDsIKrEw2RLKrKdVMw\nQ5B131gL7QKEfAc0vd+HQDANo/pfB9ArI/lNkVvlBYfbO8paadJWvDt9fdmOtJ9J\n0lwBcT1xLhPxCrUVEY1Clsv4y3liNZ78iOBuqaOx0W1A7CQonM2B9ghTDq4bsEE0\n8CxD/mNCn/D8WOqu4dJg6wvIzkk6faSBCbxBjmzTcJ6oDj9RdnnnZ6M/uNWw7g==\n=jZqN\n-----END PGP MESSAGE-----\n",
+                                "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
+\ No newline at end of file

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index fc04d3f5..5c23dea2 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4		4
5	{	5	{
6	imports = with flake.nixosModules.systemProfiles; [	6	imports = with flake.nixosModules.systemProfiles; [
7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg	7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
8	tmpfs-root zfs	8	tmpfs-root zfs
9	initrd-all-crypto-modules default-locale openssh rebuild-machines	9	initrd-all-crypto-modules default-locale openssh rebuild-machines
10	build-server	10	build-server


diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index 3d9d4d83..045e49f8 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.	1	$ORIGIN yggdrasil.
2	$TTL 300	2	$TTL 300
3	@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (	3	@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
4	2022101601 ; serial	4	2022112101 ; serial
5	300 ; refresh	5	300 ; refresh
6	300 ; retry	6	300 ; retry
7	300 ; expire	7	300 ; expire
@@ -16,8 +16,11 @@ sif IN AAAA 2a03:4000:52:ada:1:2::
16		16
17	grafana.vidhar IN CNAME vidhar.yggdrasil.	17	grafana.vidhar IN CNAME vidhar.yggdrasil.
18	prometheus.vidhar IN CNAME vidhar.yggdrasil.	18	prometheus.vidhar IN CNAME vidhar.yggdrasil.
		19	pgbackrest.vidhar IN CNAME vidhar.yggdrasil.
19	nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil.	20	nfsroot.vidhar IN CNAME vidhar.lan.yggdrasil.
20		21
		22	pgbackrest.surtr IN CNAME surtr.yggdrasil.
		23
21		24
22	vidhar.lan IN A 10.141.0.1	25	vidhar.lan IN A 10.141.0.1
23		26


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 473f8a20..da3a9048 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -87,6 +87,7 @@ table inet filter {
87	counter samba-rx {}	87	counter samba-rx {}
88	counter http-rx {}	88	counter http-rx {}
89	counter tftp-rx {}	89	counter tftp-rx {}
		90	counter pgbackrest-rx {}
90		91
91	counter established-rx {}	92	counter established-rx {}
92		93
@@ -114,6 +115,7 @@ table inet filter {
114	counter samba-tx {}	115	counter samba-tx {}
115	counter http-tx {}	116	counter http-tx {}
116	counter tftp-tx {}	117	counter tftp-tx {}
		118	counter pgbackrest-tx {}
117		119
118	counter tx {}	120	counter tx {}
119		121
@@ -189,6 +191,8 @@ table inet filter {
189		191
190	iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept	192	iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
191		193
		194	iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
		195
192	ct state {established, related} counter name established-rx accept	196	ct state {established, related} counter name established-rx accept
193		197
194		198
@@ -235,6 +239,8 @@ table inet filter {
235	udp sport 69 counter name tftp-tx accept	239	udp sport 69 counter name tftp-tx accept
236	udp dport 69 counter name tftp-tx accept	240	udp dport 69 counter name tftp-tx accept
237		241
		242	tcp sport 8432 counter name pgbackrest-tx accept
		243
238		244
239	counter name tx	245	counter name tx
240	}	246	}


diff --git a/hosts/vidhar/pgbackrest/ca/ca.crt b/hosts/vidhar/pgbackrest/ca/ca.crt new file mode 100644 index 00000000..6be81a1d --- /dev/null +++ b/hosts/vidhar/pgbackrest/ca/ca.crt
@@ -0,0 +1,12 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIBrjCCAS6gAwIBAgIUXY4sW3OoefBUAZqzZIvlv284d64wBQYDK2VxMB8xHTAb
		3	BgNVBAMMFHBnYmFja3Jlc3QueWdnZHJhc2lsMB4XDTIyMTEyMTE0MTUzMloXDTMy
		4	MTEyMTE0MjAzMlowHzEdMBsGA1UEAwwUcGdiYWNrcmVzdC55Z2dkcmFzaWwwQzAF
		5	BgMrZXEDOgDeYXclDR4mFv4plX6mKS1j5VxF1bFgoQbAuqb/c7KMZe/RxNiiyp82
		6	ZCAfIaNMIFV3lMMc/j7VkICjYzBhMB8GA1UdIwQYMBaAFO+/yfEkwcLr+vNPIsyC
		7	W86UwJ3aMB0GA1UdDgQWBBTvv8nxJMHC6/rzTyLMglvOlMCd2jAOBgNVHQ8BAf8E
		8	BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCJifNBFrOgzYYnZtvR6jig
		9	OJp3JQRDCpIeFegO2Hnt8CN/y0dLsGI9OS9LsKq7/2NlHGUfqBpoPACQJcI+DDgd
		10	EZcU+ibTfJmYOu8E3ZbMnbuB22MS7+WPcqAy4Jq/P0C8Ifz83VubogwgcPlLLRiC
		11	FgA=
		12	-----END CERTIFICATE-----


diff --git a/hosts/vidhar/pgbackrest/ca/ca.key b/hosts/vidhar/pgbackrest/ca/ca.key new file mode 100644 index 00000000..4c92fb3f --- /dev/null +++ b/hosts/vidhar/pgbackrest/ca/ca.key
@@ -0,0 +1,21 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:wSkqm/wM9f4HixP3obg6kA1d4cpNOMAnEsfNO5O47LKGZOpAmONTSqfVrLPoL3ZiLacYIuAYWk5hR/n0MkRinrHAmI/HHh/66G4LoIX2HZU2QmdsTJh4sVRbby8S/rfEVAlmJ10JYL2nZvyEt4JANmGC1WARXtR7eIGEU7Cv0SmAdXv9VsDYDxorupU4//gid7CpFj4cjS/5c2Y8,iv:Ix1Zg68ewK5QPqsWj+7Lxeete5AHPJHKWx+M4Z1M4Uk=,tag:aS2kAsTbmF1iYxwdvH528Q==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-11-21T14:20:32Z",
		10	"mac": "ENC[AES256_GCM,data:9iFROHIjheIRb2dTR2VAyZLsM+z6RiPMQPV3qwgGvJfeSGEFWsv9Jg7lBhWAJvWKfEZVptClnGAMbUh2bGTkLbT1JOy10xJsVGk5FrUpPuYT3stJeynNKxfloeoF9WKSIdSLx3blO0bZzqyjmCxR2rJk8FtslWqJUEJsHtYhnyY=,iv:XJT56EroPUlWnWlPIp/vsJIzO3FxZAsZbf0knxXHvuw=,tag:k8zThN9xS6pHq+waAy/HQQ==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-11-21T14:20:31Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA0laIXY2D02+/42Fkyxp/H/4DRxpxKGdqoRfFv5LwhAQw\n3M7DZeg0b8rWgC9BL17w54PY1EekyMzW/IxyRTyV0ffYXmn1IJ9VuqMXMteP+i/A\n0lwBdJIPACe5A0IfAMwcguzAB9kwuIkMykvaE9OjtcR/HFF8VU86GoPM0Gc/kUNS\nPbABAy6OuxFZEvziiT56EJ+gbb7u1JlwIrX7zjVAKWeKxQQyFd2gLDIczlD6uw==\n=gmbw\n-----END PGP MESSAGE-----\n",
		15	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		16	}
		17	],
		18	"unencrypted_suffix": "_unencrypted",
		19	"version": "3.7.3"
		20	}
		21	} \ No newline at end of file


diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix new file mode 100644 index 00000000..49644e51 --- /dev/null +++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
		1	{ config, flake, ... }:
		2
		3	let
		4	surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
		5	in {
		6	config = {
		7	services.pgbackrest = {
		8	enable = true;
		9	tlsServer = {
		10	enable = true;
		11
		12	user = "pgbackrest";
		13	group = "pgbackrest";
		14	};
		15
		16	settings = {
		17	"surtr" = {
		18	pg1-host-type = "tls";
		19	pg1-host = "pgbackrest.surtr.yggdrasil";
		20	pg1-host-ca-file = toString ./ca/ca.crt;
		21	pg1-host-cert-file = toString ./tls.crt;
		22	pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
		23	inherit (surtrRepoCfg) pg1-path;
		24
		25	# repo1-host-type = "tls";
		26	# repo1-host = "pgbackrest.surtr.yggdrasil";
		27	# repo1-host-ca-file = toString ./ca/ca.crt;
		28	# repo1-host-cert-file = toString ./tls.crt;
		29	# repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
		30	# repo1-retention-full-type = "time";
		31	# repo1-retention-full = 7;
		32	# repo1-retention-archive = 2;
		33
		34	repo2-path = "/var/lib/pgbackrest";
		35	repo2-retention-full-type = "time";
		36	repo2-retention-full = 14;
		37	repo2-retention-archive = 7;
		38	};
		39
		40	"global" = {
		41	compress-type = "zst";
		42	compress-level = 9;
		43
		44	archive-async = true;
		45	spool-path = "/var/spool/pgbackrest";
		46	};
		47
		48	"global:server" = {
		49	tls-server-address = "2a03:4000:52:ada:1:1::";
		50	tls-server-ca-file = toString ./ca/ca.crt;
		51	tls-server-cert-file = toString ./tls.crt;
		52	tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
		53	tls-server-auth = ["surtr.yggdrasil=surtr"];
		54	};
		55
		56	"global:archive-push" = {
		57	process-max = 6;
		58	};
		59	"global:archive-get" = {
		60	process-max = 6;
		61	};
		62	};
		63
		64	backups."surtr-daily" = {
		65	stanza = "surtr";
		66	repo = "2";
		67	user = "pgbackrest";
		68	group = "pgbackrest";
		69	timerConfig.OnCalendar = "daily Europe/Berlin";
		70	};
		71	};
		72
		73	systemd.tmpfiles.rules = [
		74	"d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
		75	"d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
		76	];
		77
		78	users = {
		79	users.pgbackrest = {
		80	name = "pgbackrest";
		81	group = "pgbackrest";
		82	isSystemUser = true;
		83	home = "/var/lib/pgbackrest";
		84	};
		85	groups.pgbackrest = {};
		86	};
		87
		88	systemd.services."pgbackrest-tls-server".serviceConfig = {
		89	StateDirectory = [ "pgbackrest" ];
		90	StateDirectoryMode = "0750";
		91	};
		92
		93	sops.secrets."pgbackrest.key" = {
		94	format = "binary";
		95	sopsFile = ./tls.key;
		96	owner = "pgbackrest";
		97	group = "pgbackrest";
		98	mode = "0400";
		99	};
		100	};
		101	}


diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt new file mode 100644 index 00000000..e807d423 --- /dev/null +++ b/hosts/vidhar/pgbackrest/tls.crt
@@ -0,0 +1,12 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
		3	DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
		4	NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
		5	Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
		6	gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
		7	YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
		8	KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
		9	LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
		10	h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
		11	1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
		12	-----END CERTIFICATE-----


diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key new file mode 100644 index 00000000..6ab308ac --- /dev/null +++ b/hosts/vidhar/pgbackrest/tls.key
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-11-21T14:21:06Z",
		10	"mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-11-21T14:21:06Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdARaz8S4iFbM7+9cUv/WGQDsbnv51AKznQzs3W31w4Cy0w\nh3UzddwF0lH57GYBnVN6S8h5zEjbtz6tRHVsim6ltnVGmsT+t+fmEbASoPF0mvmc\n0lwB9JoMB9l32cFeCQ6Y1Hxryvu/FeL+iXe+7zouKpW67HQ235+Zx5481xxOg1fy\nwmDb+iZ9R+iNO5twraf1BOG+3y8yrJpZV7SZq4H958Kk35QnHlRiPqDfkx9NEg==\n=GAV2\n-----END PGP MESSAGE-----\n",
		15	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		16	},
		17	{
		18	"created_at": "2022-11-21T14:21:06Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAgjL9+LcR5m5vHngB9DWE2zfkjsQDsIKrEw2RLKrKdVMw\nQ5B131gL7QKEfAc0vd+HQDANo/pfB9ArI/lNkVvlBYfbO8paadJWvDt9fdmOtJ9J\n0lwBcT1xLhPxCrUVEY1Clsv4y3liNZ78iOBuqaOx0W1A7CQonM2B9ghTDq4bsEE0\n8CxD/mNCn/D8WOqu4dJg6wvIzkk6faSBCbxBjmzTcJ6oDj9RdnnnZ6M/uNWw7g==\n=jZqN\n-----END PGP MESSAGE-----\n",
		20	"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.3"
		25	}
		26	} \ No newline at end of file