From ba86ae504d8ea9796e43c1b061aa070761cd1323 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 21 Nov 2022 18:58:56 +0100
Subject: pgbackrest
---
 hosts/vidhar/pgbackrest/default.nix | 101 ++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 hosts/vidhar/pgbackrest/default.nix
(limited to 'hosts/vidhar/pgbackrest/default.nix')
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
new file mode 100644
index 00000000..49644e51
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
+{ config, flake, ... }:
+
+let
+ surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
+in {
+ config = {
+ services.pgbackrest = {
+ enable = true;
+ tlsServer = {
+ enable = true;
+
+ user = "pgbackrest";
+ group = "pgbackrest";
+ };
+
+ settings = {
+ "surtr" = {
+ pg1-host-type = "tls";
+ pg1-host = "pgbackrest.surtr.yggdrasil";
+ pg1-host-ca-file = toString ./ca/ca.crt;
+ pg1-host-cert-file = toString ./tls.crt;
+ pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ inherit (surtrRepoCfg) pg1-path;
+
+ # repo1-host-type = "tls";
+ # repo1-host = "pgbackrest.surtr.yggdrasil";
+ # repo1-host-ca-file = toString ./ca/ca.crt;
+ # repo1-host-cert-file = toString ./tls.crt;
+ # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ # repo1-retention-full-type = "time";
+ # repo1-retention-full = 7;
+ # repo1-retention-archive = 2;
+
+ repo2-path = "/var/lib/pgbackrest";
+ repo2-retention-full-type = "time";
+ repo2-retention-full = 14;
+ repo2-retention-archive = 7;
+ };
+
+ "global" = {
+ compress-type = "zst";
+ compress-level = 9;
+
+ archive-async = true;
+ spool-path = "/var/spool/pgbackrest";
+ };
+
+ "global:server" = {
+ tls-server-address = "2a03:4000:52:ada:1:1::";
+ tls-server-ca-file = toString ./ca/ca.crt;
+ tls-server-cert-file = toString ./tls.crt;
+ tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
+ tls-server-auth = ["surtr.yggdrasil=surtr"];
+ };
+
+ "global:archive-push" = {
+ process-max = 6;
+ };
+ "global:archive-get" = {
+ process-max = 6;
+ };
+ };
+
+ backups."surtr-daily" = {
+ stanza = "surtr";
+ repo = "2";
+ user = "pgbackrest";
+ group = "pgbackrest";
+ timerConfig.OnCalendar = "daily Europe/Berlin";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+ "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+ ];
+
+ users = {
+ users.pgbackrest = {
+ name = "pgbackrest";
+ group = "pgbackrest";
+ isSystemUser = true;
+ home = "/var/lib/pgbackrest";
+ };
+ groups.pgbackrest = {};
+ };
+
+ systemd.services."pgbackrest-tls-server".serviceConfig = {
+ StateDirectory = [ "pgbackrest" ];
+ StateDirectoryMode = "0750";
+ };
+
+ sops.secrets."pgbackrest.key" = {
+ format = "binary";
+ sopsFile = ./tls.key;
+ owner = "pgbackrest";
+ group = "pgbackrest";
+ mode = "0400";
+ };
+ };
+}
-- cgit v1.2.3
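Review bot: The local repository `repo2-path = "/var/lib/pgbackrest";` in the `surtr` stanza has no `repo2-cipher-type`, so vidhar holds a plaintext copy of surtr's database backups protected only by the 0750 directory and the `pgbackrest` user; if that disk is not otherwise encrypted, pgBackRest's repository encryption (`repo2-cipher-type = "aes-256-cbc";` with a `repo2-cipher-pass` kept out of the Nix store, e.g. via sops as already done for `pgbackrest.key`) would close that gap, at the cost of having to keep the passphrase reachable for restores. The eight commented-out `repo1-*` lines in the same stanza are dead configuration; either drop them or add a comment such as `# repo1 (TLS-hosted on surtr) disabled until ...` saying why they are kept. `/var/lib/pgbackrest` is also created twice, by the tmpfiles rule and by `StateDirectory = [ "pgbackrest" ];` on `pgbackrest-tls-server`, which is harmless but redundant — one of the two could go.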