From f131537a629d8443261e4dd4defa54323a424c05 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Mar 2023 13:27:21 +0100
Subject: vidhar/pgbackrest: srv01.uniworx.de
---
 hosts/vidhar/network/ruleset.nft | 2 +-
 hosts/vidhar/pgbackrest/ca/.gitignore | 1 +
 hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt | 11 +++++++++++
 hosts/vidhar/pgbackrest/ca/surtr.crt | 13 +++++++++++++
 hosts/vidhar/pgbackrest/ca/surtr.key | 26 +++++++++++++++++++++++++
 hosts/vidhar/pgbackrest/ca/vidhar.crt | 13 +++++++++++++
 hosts/vidhar/pgbackrest/ca/vidhar.key | 26 +++++++++++++++++++++++++
 hosts/vidhar/pgbackrest/default.nix | 22 +++++++++++++++++----
 hosts/vidhar/pgbackrest/tls.crt | 12 ------------
 hosts/vidhar/pgbackrest/tls.key | 26 -------------------------
 10 files changed, 109 insertions(+), 43 deletions(-)
 create mode 100644 hosts/vidhar/pgbackrest/ca/.gitignore
 create mode 100644 hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
 create mode 100644 hosts/vidhar/pgbackrest/ca/surtr.crt
 create mode 100644 hosts/vidhar/pgbackrest/ca/surtr.key
 create mode 100644 hosts/vidhar/pgbackrest/ca/vidhar.crt
 create mode 100644 hosts/vidhar/pgbackrest/ca/vidhar.key
 delete mode 100644 hosts/vidhar/pgbackrest/tls.crt
 delete mode 100644 hosts/vidhar/pgbackrest/tls.key
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 30db0ac3..404f2f13 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -191,7 +191,7 @@ table inet filter {
 iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
- iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
+ tcp dport 8432 counter name pgbackrest-rx accept
 ct state { established, related } counter name established-rx accept
diff --git a/hosts/vidhar/pgbackrest/ca/.gitignore b/hosts/vidhar/pgbackrest/ca/.gitignore
new file mode 100644
index 00000000..aa000280
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/.gitignore
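Review bot: Dropping `iifname yggdrasil` from the port-8432 rule admits TCP connections to the pgbackrest TLS server from every interface, and `default.nix` in this same commit moves `tls-server-address` to a globally routable `2a03:4000:...` address, so the only gate left on that port is the client-certificate check against `ca.crt` plus the `tls-server-auth` list. If the motivation is that srv01.uniworx.de is reachable only over the public interface, scoping the rule to that one peer keeps the exposure where it was: `ip6 saddr <srv01 address> tcp dport 8432 counter name pgbackrest-rx accept` alongside the original yggdrasil rule, instead of opening the port to the whole internet. The hunk header announces seven lines per side but only five are visible here, so a (probably blank) context line was lost in extraction; the enclosing chain begins and ends outside the hunk.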
@@ -0,0 +1 @@
+srv01.uniworx.de.key
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
new file mode 100644
index 00000000..30fde613
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/srv01.uniworx.de.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCASigAwIBAgIPQAAAAGQYUD0qjVeBUIVWMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMjE3NDhaFw0zMzAzMjAx
+MjIyNDhaMBsxGTAXBgNVBAMMEHNydjAxLnVuaXdvcnguZGUwKjAFBgMrZXADIQBt
+dyvv3iMd0ozSKFFO0OoQgj/eqxgzxLak1iMhwgWQdqN/MH0wHwYDVR0jBBgwFoAU
+77/J8STBwuv6808izIJbzpTAndowHQYDVR0OBBYEFHr4X6cwefOOMFrU6d0bOrKs
+n0p/MA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAFBgMrZXEDcwDtwm/OO+yMHvmvxQVt9f+slS+Zioqc
+AbPeeg5HMnrS3ZSoin+++8DJgY0q1A7DGwjq9KQAZ+jXYYD42B4zKoKqvvW5Kgq5
+fk0r67VBa7RCBPhrSmRWSRK01UTE9jIaAEQt2bQN+MyGgL/fyFnVB+pRNgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.crt b/hosts/vidhar/pgbackrest/ca/surtr.crt
new file mode 100644
index 00000000..68c87a00
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAzCCAYOgAwIBAgIPQAAAAGQYSfwSfBJj7b7QMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUxMDdaFw0zMzAzMjAx
+MTU2MDdaMBoxGDAWBgNVBAMMD3N1cnRyLnlnZ2RyYXNpbDAqMAUGAytlcAMhANLe
+9LEKiZEOIuxMwDxB2nDda7MlNHY81fDsyBOJ9FCNo4HaMIHXMB8GA1UdIwQYMBaA
+FO+/yfEkwcLr+vNPIsyCW86UwJ3aMB0GA1UdDgQWBBSxBMEOYYuWhuLSHVsMv8JA
+GNAKqDAOBgNVHQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwWAYDVR0RBFEwT4IdcGdiYWNrcmVzdC5zdXJ0ci55
+Z2dkcmFzaWwubGmCGnBnYmFja3Jlc3Quc3VydHIueWdnZHJhc2lsghJzdXJ0ci55
+Z2dkcmFzaWwubGkwBQYDK2VxA3MAy8wcBmyFeMUMuE7Bkm+3wNWwXcHXyqMMLFi7
+yyB3KrzyyIXPmv6wD/ntUpv/FlRj6DbDSqd+G7MA81T1eea2KDBEkGKp/AKtBCYh
+vfU2W46HqlPhlOZqwoxysnqoDyBFnwG0GIoV4sosUjmx7ufpMCMA
+-----END CERTIFICATE-----
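Review bot: The new ignore entry implies a plaintext `srv01.uniworx.de.key` sits in the working tree under `ca/`, whereas the sibling private keys `surtr.key` and `vidhar.key` added by this commit are sops-encrypted before being committed. A `.gitignore` line is the only thing keeping that key out of history — `git add -f`, a rename, or a tool that does not honour `.gitignore` would commit it — and it is equally unprotected in any backup or copy of the checkout. Encrypting it with sops like its siblings, or keeping it only on srv01 where the matching certificate is used, closes that gap; either way a comment in `.gitignore` such as `# srv01 private key is never committed; it lives on srv01 only` would record the intent.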
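Review bot: Unlike `surtr.crt` and `vidhar.crt`, this certificate appears to carry no subjectAltName: its extensions block is 125 bytes, which is exactly authorityKeyIdentifier, subjectKeyIdentifier, keyUsage, basicConstraints and extendedKeyUsage, so the name `srv01.uniworx.de` exists only in the subject CN. As far as I know pgBackRest still falls back to CN matching when no SAN is present, but RFC 6125 deprecates that fallback and the other two certificates from the same CA do include `DNS:` SANs. Reissuing with a SAN of `DNS:srv01.uniworx.de` keeps the three certificates consistent and avoids a silent break if host verification ever becomes SAN-only.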
diff --git a/hosts/vidhar/pgbackrest/ca/surtr.key b/hosts/vidhar/pgbackrest/ca/surtr.key
new file mode 100644
index 00000000..fba5af94
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/surtr.key
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:njpzC4SmemRUBYWPCli0JHwoH/LDbepxcfomTc3yfneO29CD37bb5BLtcoQHOFbHBC4V3NggO733KLMAzkn7cot5zRcYDbJTd9qdoIiuvC/IDd0yrdk1ZahsyXFzm2e1xcHgnC7XJ9Dphd6Bsv2Zx1K5f8KXHY8=,iv:z8W9oXsv+m4dtEnc7Xa57jZfRCbmfR1nFOrCkuDIftE=,tag:d7VFFsIId2M3tEjor3a4NA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdEhqTXg3dG9WMUFNUXM2\nQ3dWbng0cGNFazVRY21qTWUzajZDRHVuWGtrCjlZaXlMUGJvZ25mMXNvZVlMamFm\nSkE2TjU5UjNKL0k4b0dXeTZ4TFpneEEKLS0tIC9VTndTNHZkaFZIT2lSdzFQWXJu\nU2MvS3BxSXF1K2VUbmh6UytWbXl5YkEKZRdPZDT4SSbXnujmDYtjDGymfm+0hrG+\nrSoaEIXxtfTDh73NSvtIdcGYvxK9Ub/XhsKc+ZUv70a/ISVx+4nBTQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-03-20T11:54:11Z",
+ "mac": "ENC[AES256_GCM,data:a0Fxd5DGdf/U+xVKEAWWTcfRjOGraNGJW5SqKQC3Pwp9n7dYZT4SYYt1nGV2GhJta45B/QClexFcNRHOyLZqoeTtEUSxk39UejLsP4DeNAheUuZjyMgj0dRbPyfptEIJVuw5RwJz9zCmxtbfke9limmswya1YShd7uXTg3qXLTk=,iv:+rKP0mS+t3Xyqi5MimNlAqgRuBx/VC4jepP02Hq8vwg=,tag:goIwbvskjgK1tQ4R7BMnRg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2023-03-20T11:54:10Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAX+wqYxyHaTy1LFShNNUtFgppJObtd1mVVFafpNT3qAAw\nt9XzxiOzsI0tLkHImCtXAqtbLgyxXXIfASG7K4aYmzBfwmI4pi14Z+hu/eKLuQhl\n0l4B+upjcYU3wdRFCjpEn5WADsHn8nZ50E9+iECNOodLs67o6iWaEpfCJvyUf1Qp\nzOKrhdJL87UJgO31w2OdkUj4s9NwYU9cYLMl68aXOQMduJgVKgPmyx4PnQHRJ60m\n=ULUa\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.crt b/hosts/vidhar/pgbackrest/ca/vidhar.crt
new file mode 100644
index 00000000..ae19aeb9
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAWegAwIBAgIPQAAAAGQYScgWpuQT5StRMAUGAytlcTAfMR0wGwYDVQQD
+DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMzAzMjAxMTUwMTVaFw0zMzAzMjAx
+MTU1MTVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDT
+mn6hoycEGEO5XFZAB36MZR9om3+LRLtLmXl+zdW3AqOBvTCBujAfBgNVHSMEGDAW
+gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUn8LxcubPh60X8yX64X4G
+tg9voegwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdEQQ0MDKCE3ZpZGhhci55Z2dkcmFzaWwu
+bGmCG3BnYmFja3Jlc3QudmlkaGFyLnlnZ2RyYXNpbDAFBgMrZXEDcwDRRSlz+0Ab
+bXNIhZizqXZZoEcrMObeCVj7OpYX8UtGhx0pqA2PGMRFoaeFnzIT0rfQqjzFlbiX
+5oDSW5RQbu2mhR8wpwQVWaQRMEcHoAJXLE23GvQJyHSM7fV3DpkPD3W8Zm+Rwzra
+NY9tiz2XqpXYCgA=
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/ca/vidhar.key b/hosts/vidhar/pgbackrest/ca/vidhar.key
new file mode 100644
index 00000000..f63f523f
--- /dev/null
+++ b/hosts/vidhar/pgbackrest/ca/vidhar.key
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:q2IvDnv0pJSsE77Rf4Jg9+OCYZEEOsteZy9nn1/WqEiyx3z3LMLE3+F9Rka7PUNachG6ZrDo21Et8DHsvqrr7tbCIH0ha/3cRTwXfzdgvJ/PmkMXTmG01Juc9JKqjf42oo23AErMXVji/4D293Bc6SZjtkQCj/w=,iv:5H5Wi1hv7u1O2YhPsB9wxrFvi2Zy+U1Z06sAk4MwNnA=,tag:HspX+dYLJ15xJRHBobv1PA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQUNZQ2R0M3NlTjQ3d1ZG\nVWh0QXBtU3MzZDIrOTI4NUgrdkFTdmRuZ0JnCks1WWo4eFNuV1VKOUprUzcxYUdG\nTlFsQm8weWk1SzRUY3d6bElLVStJNncKLS0tIFdsVENmYlFnYVVlMllySC9zcS9E\nbnc5MjV5eGF1TVppbXRMVExNNHM1RDAKUEkoOo8Xedtg5F4PReXhTHWmaEtJm/q/\n5v8otv3CMtZsSaCzdNuYxF5Wr6qfYG6rjigX92M2vJ4E2hcyluAqtQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-03-20T11:55:15Z",
+ "mac": "ENC[AES256_GCM,data:hrjyc62poTD8CviGxhPrmOng/AtBV4wNTGOPibrUj3zfphW9S2dEctdfeQr8VWvF4scYk9Nodw9ijyrSR33NjL8Qes5aOnLHnMZgZ32ecaSCyt7pBTmvAiqwdCy1zY7M/jWSREOjkfsjzvf0hInKmX4qQ8E/PGiUFR6f0DCJUqY=,iv:bewcBberJWtc6ghwL037BLsbbQPJnBosqw+zrWDbChY=,tag:btwOB0+OTAo4qdNXapvHXA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2023-03-20T11:55:15Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAa9uU7TZpS6E1pQaFJI22TNHOeXZRgo+mUvT/aiCep2sw\nRRYY6xD95AgVIGCiq+V+8tVfDZavzi0AragttwL/gUKVky2x76XQPdmd+EjWU45E\n0l4BfaIQTddySkWGUDiLorMzfJ7cfelY6EUZZwm8CM+rIOK9ygc6lggybU3QVPCL\n/ZP4+vpuVt/KRNLgbEESmA0iSZ1BtMqnlhPA1bg9MnAeuK3/z/jRQN2S56IPIxmX\n=tDR1\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/pgbackrest/default.nix b/hosts/vidhar/pgbackrest/default.nix
index 49644e51..ebee2cd0 100644
--- a/hosts/vidhar/pgbackrest/default.nix
+++ b/hosts/vidhar/pgbackrest/default.nix
@@ -18,7 +18,7 @@ in {
 pg1-host-type = "tls";
 pg1-host = "pgbackrest.surtr.yggdrasil";
 pg1-host-ca-file = toString ./ca/ca.crt;
- pg1-host-cert-file = toString ./tls.crt;
+ pg1-host-cert-file = toString ./ca/vidhar.crt;
 pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
 inherit (surtrRepoCfg) pg1-path;
@@ -37,6 +37,20 @@ in {
 repo2-retention-archive = 7;
 };
+ "srv01.uniworx.de" = {
+ pg1-host-type = "tls";
+ pg1-host = "srv01.uniworx.de";
+ pg1-host-ca-file = toString ./ca/ca.crt;
+ pg1-host-cert-file = toString ./ca/srv01.uniworx.de.crt;
+ pg1-host-key-file = config.sops.secrets."pgbackrest.key".path;
+ pg1-path = "/var/lib/postgresql/15";
+
+ repo2-path = "/var/lib/pgbackrest";
+ repo2-retention-full-type = "time";
+ repo2-retention-full = 14;
+ repo2-retention-archive = 7;
+ };
+
 "global" = {
 compress-type = "zst";
 compress-level = 9;
@@ -46,9 +60,9 @@ in {
 };
 "global:server" = {
- tls-server-address = "2a03:4000:52:ada:1:1::";
+ tls-server-address = "2a03:4000:52:ada:4:1::";
 tls-server-ca-file = toString ./ca/ca.crt;
- tls-server-cert-file = toString ./tls.crt;
+ tls-server-cert-file = toString ./ca/vidhar.crt;
 tls-server-key-file = config.sops.secrets."pgbackrest.key".path;
 tls-server-auth = ["surtr.yggdrasil=surtr"];
 };
@@ -92,7 +106,7 @@ in {
 sops.secrets."pgbackrest.key" = {
 format = "binary";
- sopsFile = ./tls.key;
+ sopsFile = ./ca/vidhar.key;
 owner = "pgbackrest";
 group = "pgbackrest";
 mode = "0400";
diff --git a/hosts/vidhar/pgbackrest/tls.crt b/hosts/vidhar/pgbackrest/tls.crt
deleted file mode 100644
index e807d423..00000000
--- a/hosts/vidhar/pgbackrest/tls.crt
+++ /dev/null
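Review bot: In the new `"srv01.uniworx.de"` stanza, `pg1-host-cert-file` points at `./ca/srv01.uniworx.de.crt` while `pg1-host-key-file` stays `config.sops.secrets."pgbackrest.key".path`, which the last hunk of this file binds to `./ca/vidhar.key`; the surtr stanza and the `global:server` block pair that same key with `./ca/vidhar.crt`. `pg1-host-cert-file` is the client certificate vidhar presents when it connects to `pg1-host`, so unless `srv01.uniworx.de.crt` was issued for vidhar's key — the gitignored `srv01.uniworx.de.key` suggests it was not — the handshake to srv01 fails with a certificate/key mismatch, and even if it did match, vidhar would be identifying itself as srv01. The consistent line is `pg1-host-cert-file = toString ./ca/vidhar.crt;`, with `srv01.uniworx.de.crt` belonging in srv01's own `tls-server-cert-file`.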
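Review bot: `tls-server-auth` in the `"global:server"` block still names only `surtr.yggdrasil=surtr`, while the same hunk rebinds the server to `2a03:4000:52:ada:4:1::` and the ruleset change in this commit drops the interface restriction on port 8432, so this list is now the authorization boundary for every client that reaches the server over the public address. That is adequate as long as only surtr pushes to this repository; if srv01.uniworx.de is expected to `archive-push` to vidhar as well, it needs its own entry, e.g. `tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de"];`, with the certificate CN on the left. A short comment on why the address moved from `:1:1::` to `:4:1::` would also help, since the commit message does not say.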
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB0jCCAVKgAwIBAgIPQAAAAGN7p+4PBkv3Tn05MAUGAytlcTAfMR0wGwYDVQQD
-DBRwZ2JhY2tyZXN0LnlnZ2RyYXNpbDAeFw0yMjExMjExNjI2MDVaFw0zMjExMjEx
-NjMxMDVaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQDy
-Wj+rp1Nvyj5TiIdmVV7HW0LUnX2aIQSd8eh5B54BaaOBqDCBpTAfBgNVHSMEGDAW
-gBTvv8nxJMHC6/rzTyLMglvOlMCd2jAdBgNVHQ4EFgQUXU/P0Nq4GmxaL3V8Mq39
-YqggieEwDgYDVR0PAQH/BAQDAgXgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
-KwYBBQUHAwEGCCsGAQUFBwMCMCYGA1UdEQQfMB2CG3BnYmFja3Jlc3QudmlkaGFy
-LnlnZ2RyYXNpbDAFBgMrZXEDcwBa1HCz42U2W8lhL3iFQJp/ZoPGm7Iluibvvnh/
-h8ka4mhIcx8mtYp0L04Lte9JWEx+MgOOso6Tk4Bh7xPjJY1uUkwP9ZwsrsJPqIj1
-1nwtHtUiNr3L4IpJkEo3s/52S41KiaiZ0cXnFE2b8pwLTHIJAwA=
------END CERTIFICATE-----
diff --git a/hosts/vidhar/pgbackrest/tls.key b/hosts/vidhar/pgbackrest/tls.key
deleted file mode 100644
index 9218b7b0..00000000
--- a/hosts/vidhar/pgbackrest/tls.key
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "data": "ENC[AES256_GCM,data:LnaklO60F6ZXJh0mYwG0e9LTU5qmZWKq2/0YxXeH1QAnEcJIWnrTWwQegL3UJYMf3kOqKJmAcc2VX1nrxe+GRAUUwgVojxS+VFxeSjACNnpe0Zgfgj5ps3GJME3gpmfey+fgnbIFkI8w5UpRtvz7Evj6dJHMGTE=,iv:Q5rIm2GFjJT0ensa+5ILN/yNhjHyxFhZh5q6hh8hDW0=,tag:bCGcF2v+JnWexJb4C35dWA==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": [
- {
- "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcmNKbVA3VnB1eHZVcm9u\nWTFMRTlGdDRWM01TYUNmK3lUU3hIYmx4Q0VzCk81RFVWYWx1ZFYwVW5sRW93WWRU\nVVJmSWpmcnM5QjlFczloMjBBRE80OFEKLS0tIEVDdEN4Q2E2bDNuMDQ4Q2s3WnF3\nVW84b0JKZ0xGdzVZd2NQOGgrMEpOczAKoorQ99mTL66IEp2Ckl+lYirbKd6NPh6Z\nJ7Ygv2BIKhHsgEhx4sWrakapEUeze88hDd+9oaofZvENx5xPgCzBCA==\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ],
- "lastmodified": "2022-11-21T14:21:06Z",
- "mac": "ENC[AES256_GCM,data:OQnaCFEsi5Xka2L7KoC0UX0L+NtihG1hk7koxH51WiiL/JF1NrOs7PpgNbhVzqiAPWlBF1X/2ZhWyEZris9iVZ9RKa1lgF2VXjuwVHZNGA9G9Dr0ipriupOEdQABRA2MM0PlfdW7CdbzxmBcA4uwfL3m4b0uMB87A/cRG8mSm3U=,iv:2yuhHIjWRHipcOx+2hFUx2RJG/L/icGMH0QxR9w+MTM=,tag:pnwNVPzyqu4t6AklWd6HGA==,type:str]",
- "pgp": [
- {
- "created_at": "2023-01-30T11:02:25Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAraO/4uAAKwQ6+Cs83SuApQ4xbR5QcTp2zlVWzoxoD1Aw\n+67QzvTMmAr9tayCv/HjYJvnjT7vQfIHaRFr/ewXh37B05jfPUFe17hdlT8lUi7Q\n0l4B+WTgJH+d0pUaCo3RedCEFR+pbemaDFIosA6z//cpbM4nNc6sI32BUBw7eQC1\neVjR6n2iNiYNPsk6vgrKnF1/TBGnNAjap/eJi0Ro5J0ng/BFu4SFeEAvMocrDkJ9\n=isPu\n-----END PGP MESSAGE-----\n",
- "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
- }
- ],
- "unencrypted_suffix": "_unencrypted",
- "version": "3.7.3"
- }
-}
\ No newline at end of file
-- cgit v1.2.3