From aa02038dfa3005a910e8c1b0885843786c8aa58c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 1 Oct 2023 18:52:42 +0200
Subject: vidhar(pgbackrest): srv02.uniworx.de
---
hosts/vidhar/pgbackrest/ca/.gitignore | 3 ++-
hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt | 11 +++++++++
hosts/vidhar/pgbackrest/default.nix | 30 ++++++++++++++++++++++++-
3 files changed, 42 insertions(+), 2 deletions(-)
create mode 100644 hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
index aa000280..11adcd4d 100644
--- a/hosts/vidhar/pgbackrest/ca/.gitignore
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
@@ -1 +1,2 @@
-srv01.uniworx.de.key
\ No newline at end of file
+srv01.uniworx.de.key
+srv02.uniworx.de.key
diff --git a/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
new file mode 100644
index 00000000..e083c867
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv02.uniworx.de.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCASigAwIBAgIPQAAAAGUZo5s1jqHzUfQfMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzEwMDExNjQ2MDJaFw0zMzEwMDEx
+NjUxMDJaMBsxGTAXBgNVBAMMEHNydjAyLnVuaXdvcnguZGUwKjAFBgMrZXADIQDv
+TvJV+mY48X0v2H/Vf36C9pql6Ob4dC+4IFPeiKKVBqN/MH0wHwYDVR0jBBgwFoAU
+77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFPkCU142blj3GWjKotoQuew7
+R2+fMA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDfi8qRpcJ8B/9gGpEC8bfz93QgHDX1
+25wiTcRI4VDO9XStL2Md9IRsbYtzqR2Rs9Vl2KFDLHG3QwD3bE7jeobJoLqtBcXC
+JhzOxbsoUn7YG7RR6yW13sOGsj+ccnguN+hnwX5CDCjsOOT5TXgKQ5C7GwA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index 899b0e0f..0f86ebe9 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -4,6 +4,12 @@ let surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr; in { config = { + assertions = [ + (let + inherit (config.services.pgbackrest.package) version; + in { assertion = version == "2.45"; message = "Presumably incompatible pgBackRest version: ${version}"; }) + ]; + services.pgbackrest = { enable = true; package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest; @@ -54,6 +60,20 @@ in { repo2-retention-archive = 7; }; + "srv02.uniworx.de" = { + pg1-host-type = "tls"; + pg1-host = "srv02.uniworx.de"; + pg1-host-ca-file = toString ./ca/ca.crt; + pg1-host-cert-file = toString ./ca/vidhar.crt; + pg1-host-key-file = config.sops.secrets."pgbackrest.key".path; + pg1-path = "/var/lib/postgresql/15"; + + repo2-path = "/var/lib/pgbackrest"; + repo2-retention-full-type = "time"; + repo2-retention-full = 14; + repo2-retention-archive = 7; + }; + "global" = { compress-type = "zst"; compress-level = 9; @@ -67,7 +87,7 @@ in { tls-server-ca-file = toString ./ca/ca.crt; tls-server-cert-file = toString ./ca/vidhar.crt; tls-server-key-file = config.sops.secrets."pgbackrest.key".path; - tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de"]; + tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" "srv02.uniworx.de=srv02.uniworx.de"]; }; "global:archive-push" = { @@ -93,6 +113,14 @@ in { group = "pgbackrest"; timerConfig.OnCalendar = "daily Europe/Berlin"; }; + + backups."srv02.uniworx.de-daily" = { + stanza = "srv02.uniworx.de"; + repo = "2"; + user = "pgbackrest"; + group = "pgbackrest"; + timerConfig.OnCalendar = "daily Europe/Berlin"; + }; }; systemd.tmpfiles.rules = [ -- cgit v1.2.3
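Review bot: The assertion added at the top of `config` pins pgBackRest to exactly `2.45` but does not say what that version has to agree with, so a later nixpkgs-stable bump will fail evaluation with only "Presumably incompatible" to go on. If the intent is that this repository host must run the same release as the database hosts it talks to (an inference, the diff does not state it), a comment above the assertion would record that, for example `# must equal the pgBackRest version deployed on surtr, srv01 and srv02; upgrade all sides together`.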
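Review bot: The `tls-server-auth` list is where a client certificate's CN is bound to the stanza it may touch, and the new `"srv02.uniworx.de=srv02.uniworx.de"` entry is added with no record of how that grant is withdrawn. The certificate committed alongside it appears (reading the PEM; confirm with `openssl x509 -noout -text`) to be valid until 2033 and usable for both server and client authentication, and no revocation list is configured in the visible settings, so removing the entry looks like the only way to cut a host off. A comment on the option would make that explicit, for example `# CN=stanza; a host keeps access until its entry is removed here, the certificates are long-lived`. The block that holds the `tls-server-*` options starts and ends outside the hunk.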
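Review bot: The new `backups."srv02.uniworx.de-daily"` job uses the same `OnCalendar = "daily Europe/Berlin"` as the job shown just above it, so both backups start at the same instant, with `compress-level = 9` set globally and presumably the same repo2 target. Staggering them would keep the two runs from competing for CPU and disk, for example `timerConfig.OnCalendar = "*-*-* 01:00:00 Europe/Berlin";` here, or a `timerConfig.RandomizedDelaySec` on both jobs if the module passes timer options through (not visible in this diff).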