From ba86ae504d8ea9796e43c1b061aa070761cd1323 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 21 Nov 2022 18:58:56 +0100
Subject: pgbackrest

---
 hosts/vidhar/pgbackrest/ca/ca.crt   |  12 +++++
 hosts/vidhar/pgbackrest/ca/ca.key   |  21 ++++++++
 hosts/vidhar/pgbackrest/default.nix | 101 ++++++++++++++++++++++++++++++++++++
 hosts/vidhar/pgbackrest/tls.crt     |  12 +++++
 hosts/vidhar/pgbackrest/tls.key     |  26 ++++++++++
 5 files changed, 172 insertions(+)
 create mode 100644 hosts/vidhar/pgbackrest/ca/ca.crt
 create mode 100644 hosts/vidhar/pgbackrest/ca/ca.key
 create mode 100644 hosts/vidhar/pgbackrest/default.nix
 create mode 100644 hosts/vidhar/pgbackrest/tls.crt
 create mode 100644 hosts/vidhar/pgbackrest/tls.key

(limited to 'hosts/vidhar/pgbackrest')

diff --git a/hosts/vidhar/pgbackrest/ca/ca.crt b/hosts/vidhar/pgbackrest/ca/ca.crt
new file mode 100644
index 00000000..6be81a1d
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAS6gAwIBAgIUXY4sW3OoefBUAZqzZIvlv284d64wBQYDK2VxMB8xHTAb
+BgNVBAMMFHBnYmFja3Jlc3QueWdnZHJhc2lsMB4XDTIyMTEyMTE0MTUzMloXDTMy
+MTEyMTE0MjAzMlowHzEdMBsGA1UEAwwUcGdiYWNrcmVzdC55Z2dkcmFzaWwwQzAF
+BgMrZXEDOgDeYXclDR4mFv4plX6mKS1j5VxF1bFgoQbAuqb/c7KMZe/RxNiiyp82
+ZCAfIaNMIFV3lMMc/j7VkICjYzBhMB8GA1UdIwQYMBaAFO+/yfEkwcLr+vNPIsyC
+W86UwJ3aMB0GA1UdDgQWBBTvv8nxJMHC6/rzTyLMglvOlMCd2jAOBgNVHQ8BAf8E
+BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCJifNBFrOgzYYnZtvR6jig
+OJp3JQRDCpIeFegO2Hnt8CN/y0dLsGI9OS9LsKq7/2NlHGUfqBpoPACQJcI+DDgd
+EZcU+ibTfJmYOu8E3ZbMnbuB22MS7+WPcqAy4Jq/P0C8Ifz83VubogwgcPlLLRiC
+FgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/ca.key b/hosts/vidhar/pgbackrest/ca/ca.key
new file mode 100644
index 00000000..4c92fb3f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/ca.key
@@ -0,0 +1,21 @@
+{
+	"data": "ENC[AES256_GCM,data:wSkqm/wM9f4HixP3obg6kA1d4cpNOMAnEsfNO5O47LKGZOpAmONTSqfVrLPoL3ZiLacYIuAYWk5hR/n0MkRinrHAmI/HHh/66G4LoIX2HZU2QmdsTJh4sVRbby8S/rfEVAlmJ10JYL2nZvyEt4JANmGC1WARXtR7eIGEU7Cv0SmAdXv9VsDYDxorupU4//gid7CpFj4cjS/5c2Y8,iv:Ix1Zg68ewK5QPqsWj+7Lxeete5AHPJHKWx+M4Z1M4Uk=,tag:aS2kAsTbmF1iYxwdvH528Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-11-21T14:20:32Z",
+		"mac": "ENC[AES256_GCM,data:9iFROHIjheIRb2dTR2VAyZLsM+z6RiPMQPV3qwgGvJfeSGEFWsv9Jg7lBhWAJvWKfEZVptClnGAMbUh2bGTkLbT1JOy10xJsVGk5FrUpPuYT3stJeynNKxfloeoF9WKSIdSLx3blO0bZzqyjmCxR2rJk8FtslWqJUEJsHtYhnyY=,iv:XJT56EroPUlWnWlPIp/vsJIzO3FxZAsZbf0knxXHvuw=,tag:k8zThN9xS6pHq+waAy/HQQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-11-21T14:20:31Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA0laIXY2D02+/42Fkyxp/H/4DRxpxKGdqoRfFv5LwhAQw\n3M7DZeg0b8rWgC9BL17w54PY1EekyMzW/IxyRTyV0ffYXmn1IJ9VuqMXMteP+i/A\n0lwBdJIPACe5A0IfAMwcguzAB9kwuIkMykvaE9OjtcR/HFF8VU86GoPM0Gc/kUNS\nPbABAy6OuxFZEvziiT56EJ+gbb7u1JlwIrX7zjVAKWeKxQQyFd2gLDIczlD6uw==\n=gmbw\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
new file mode 100644
index 00000000..49644e51
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -0,0 +1,101 @@
+{ config, flake, ... }:
+
+let
+  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;
+in {
+  config = {
+    services.pgbackrest = {
+      enable = true;
+      tlsServer = {
+        enable = true;
+
+        user = "pgbackrest";
+        group = "pgbackrest";
+      };
+
+      settings = {
+        "surtr" = {
+          pg1-host-type = "tls";
+          pg1-host = "pgbackrest.surtr.yggdrasil";
+          pg1-host-ca-file = toString ./ca/ca.crt;
+          pg1-host-cert-file = toString ./tls.crt;
+          pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+          inherit (surtrRepoCfg) pg1-path;
+
+          # repo1-host-type = "tls";
+          # repo1-host = "pgbackrest.surtr.yggdrasil";
+          # repo1-host-ca-file = toString ./ca/ca.crt;
+          # repo1-host-cert-file = toString ./tls.crt;
+          # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+          # repo1-retention-full-type = "time";
+          # repo1-retention-full = 7;
+          # repo1-retention-archive = 2;
+
+          repo2-path = "/var/lib/pgbackrest";
+          repo2-retention-full-type = "time";
+          repo2-retention-full = 14;
+          repo2-retention-archive = 7;
+        };
+
+        "global" = {
+          compress-type = "zst";
+          compress-level = 9;
+
+          archive-async = true;
+          spool-path = "/var/spool/pgbackrest";
+        };
+
+        "global:server" = {
+          tls-server-address = "2a03:4000:52:ada:1:1::";
+          tls-server-ca-file = toString ./ca/ca.crt;
+          tls-server-cert-file = toString ./tls.crt;
+          tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
+          tls-server-auth = ["surtr.yggdrasil=surtr"];
+        };
+
+        "global:archive-push" = {
+          process-max = 6;
+        };
+        "global:archive-get" = {
+          process-max = 6;
+        };
+      };
+
+      backups."surtr-daily" = {
+        stanza = "surtr";
+        repo = "2";
+        user = "pgbackrest";
+        group = "pgbackrest";
+        timerConfig.OnCalendar = "daily Europe/Berlin";
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
+      "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
+    ];
+
+    users = {
+      users.pgbackrest = {
+        name = "pgbackrest";
+        group = "pgbackrest";
+        isSystemUser = true;
+        home = "/var/lib/pgbackrest";
+      };
+      groups.pgbackrest = {};
+    };
+
+    systemd.services."pgbackrest-tls-server".serviceConfig = {
+      StateDirectory = [ "pgbackrest" ];
+      StateDirectoryMode = "0750";
+    };
+
+    sops.secrets."pgbackrest.key" = {
+      format = "binary";
+      sopsFile = ./tls.key;
+      owner = "pgbackrest";
+      group = "pgbackrest";
+      mode = "0400";
+    };
+  };
+}
diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
new file mode 100644
index 00000000..e807d423
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/tls.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
+NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
+Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
+gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
+YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
+LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
+h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
+1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
new file mode 100644
index 00000000..6ab308ac
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/tls.key
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-11-21T14:21:06Z",
+		"mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-11-21T14:21:06Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdARaz8S4iFbM7+9cUv/WGQDsbnv51AKznQzs3W31w4Cy0w\nh3UzddwF0lH57GYBnVN6S8h5zEjbtz6tRHVsim6ltnVGmsT+t+fmEbASoPF0mvmc\n0lwB9JoMB9l32cFeCQ6Y1Hxryvu/FeL+iXe+7zouKpW67HQ235+Zx5481xxOg1fy\nwmDb+iZ9R+iNO5twraf1BOG+3y8yrJpZV7SZq4H958Kk35QnHlRiPqDfkx9NEg==\n=GAV2\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			},
+			{
+				"created_at": "2022-11-21T14:21:06Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAgjL9+LcR5m5vHngB9DWE2zfkjsQDsIKrEw2RLKrKdVMw\nQ5B131gL7QKEfAc0vd+HQDANo/pfB9ArI/lNkVvlBYfbO8paadJWvDt9fdmOtJ9J\n0lwBcT1xLhPxCrUVEY1Clsv4y3liNZ78iOBuqaOx0W1A7CQonM2B9ghTDq4bsEE0\n8CxD/mNCn/D8WOqu4dJg6wvIzkk6faSBCbxBjmzTcJ6oDj9RdnnnZ6M/uNWw7g==\n=jZqN\n-----END PGP MESSAGE-----\n",
+				"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
-- 
cgit v1.2.3