# NixOS module: this host (vidhar) acts as a pgBackRest repository host.
# It pulls backups from three PostgreSQL hosts over mutually-authenticated
# TLS (client cert issued by ./ca, private key delivered via sops) and also
# exposes a pgBackRest TLS server so those hosts can push/fetch WAL.
{ config, flake, flakeInputs, ... }:
let
  # Stanza settings of the surtr host, reused here so pg1-path stays in sync
  # with the database host's own configuration.
  surtrRepoCfg =
    flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;

  # Separate nixpkgs evaluation pinned for pgBackRest (plus the libdscp
  # overlay), independent of the system-wide nixpkgs.
  nixpkgs-pgbackrest =
    import (flakeInputs.nixpkgs-pgbackrest.outPath + "/pkgs/top-level") {
      overlays = [ flake.overlays.libdscp ];
      localSystem = config.nixpkgs.system;
    };

  pgbackrestVersion = config.services.pgbackrest.package.version;

  # Service identity used for the TLS server, the backup timers and all
  # state/spool directories.
  user = "pgbackrest";
  group = "pgbackrest";

  # TLS material shared by the client stanzas and the server. Certificates
  # are public and may live in the Nix store; the private key never does —
  # it is only ever referenced through the sops-managed secret path.
  caFile = toString ./ca/ca.crt;
  certFile = toString ./ca/vidhar.crt;
  keyFile = config.sops.secrets."pgbackrest.key".path;

  repoPath = "/var/lib/pgbackrest";

  # Client-side TLS settings common to every remote PostgreSQL host.
  tlsClient = {
    pg1-host-type = "tls";
    pg1-host-ca-file = caFile;
    pg1-host-cert-file = certFile;
    pg1-host-key-file = keyFile;
  };

  # Local on-disk repository (repo2) with identical retention for all stanzas:
  # full backups kept for 14 days, WAL kept for the last 7 full backups.
  localRepo = {
    repo2-path = repoPath;
    repo2-retention-full-type = "time";
    repo2-retention-full = 14;
    repo2-retention-archive = 7;
  };

  # A stanza for one remote PostgreSQL host reachable over TLS.
  remoteStanza = host: pgPath:
    tlsClient // localRepo // {
      pg1-host = host;
      pg1-path = pgPath;
    };

  # One daily full/incremental backup job per stanza, targeting repo2.
  dailyBackup = stanza: {
    inherit stanza user group;
    repo = "2";
    timerConfig.OnCalendar = "daily Europe/Berlin";
  };

  stanzaNames = [ "surtr" "srv01.uniworx.de" "srv02.uniworx.de" ];
in
{
  config = {
    assertions = [
      {
        # The settings below were written against this exact release; refuse
        # to evaluate with anything else rather than silently drifting.
        assertion = pgbackrestVersion == "2.45";
        message = "Presumably incompatible pgBackRest version: ${pgbackrestVersion}";
      }
    ];

    services.pgbackrest = {
      enable = true;
      package = nixpkgs-pgbackrest.pgbackrest;
      dscpPackage = nixpkgs-pgbackrest.libdscp;

      tlsServer = {
        enable = true;
        inherit user group;
      };

      settings = {
        "surtr" = remoteStanza "pgbackrest.surtr.yggdrasil" surtrRepoCfg.pg1-path;
        # A remote repository on surtr (repo1) was previously considered but is
        # not enabled; the former settings were:
        # repo1-host-type = "tls";
        # repo1-host = "pgbackrest.surtr.yggdrasil";
        # repo1-host-ca-file = toString ./ca/ca.crt;
        # repo1-host-cert-file = toString ./tls.crt;
        # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
        # repo1-retention-full-type = "time";
        # repo1-retention-full = 7;
        # repo1-retention-archive = 2;

        # Formerly addressed by IP: pg1-host = "2a03:4000:5e:e55::";
        "srv01.uniworx.de" = remoteStanza "srv01.uniworx.de" "/var/lib/postgresql/15";
        "srv02.uniworx.de" = remoteStanza "srv02.uniworx.de" "/var/lib/postgresql/15";

        "global" = {
          compress-type = "zst";
          compress-level = 9;
          archive-async = true;
          spool-path = "/var/spool/pgbackrest";
        };

        # Server side of the mutual-TLS setup. Peers are authenticated by the
        # CN of their client certificate and mapped to exactly one stanza, so a
        # certificate for srv01 cannot touch srv02's backups.
        "global:server" = {
          tls-server-address = "2a03:4000:52:ada:4:1::";
          tls-server-ca-file = caFile;
          tls-server-cert-file = certFile;
          tls-server-key-file = keyFile;
          tls-server-auth = [
            "surtr.yggdrasil=surtr"
            "srv01.uniworx.de=srv01.uniworx.de"
            "srv02.uniworx.de=srv02.uniworx.de"
          ];
        };

        "global:archive-push" = { process-max = 6; };
        "global:archive-get" = { process-max = 6; };
      };

      backups = builtins.listToAttrs (map (stanza: {
        name = "${stanza}-daily";
        value = dailyBackup stanza;
      }) stanzaNames);
    };

    systemd = {
      tmpfiles.rules = [
        # NOTE(review): 0770 here vs. StateDirectoryMode = "0750" below for the
        # same directory — whichever runs last determines whether the group
        # (which includes postgres) gets write access; confirm which is intended.
        "d /var/lib/pgbackrest 0770 pgbackrest pgbackrest - -"
        "d /var/spool/pgbackrest 0770 pgbackrest pgbackrest - -"
        # NOTE(review): presumably pgBackRest's default lock directory; it sits
        # under a world-writable parent, so a dedicated lock-path under /run
        # would be the more conservative choice — verify against the 2.45 docs.
        "d /tmp/pgbackrest 0770 pgbackrest pgbackrest - -"
      ];

      services."pgbackrest-tls-server".serviceConfig = {
        StateDirectory = [ "pgbackrest" ];
        StateDirectoryMode = "0750";
      };
    };

    users = {
      users.pgbackrest = {
        name = user;
        inherit group;
        isSystemUser = true;
        home = repoPath;
      };
      # Local postgres is granted group access to the pgbackrest directories
      # created above.
      groups.pgbackrest.members = [ "postgres" ];
    };

    # Client/server private key; decrypted by sops at activation and readable
    # by the pgbackrest user only.
    sops.secrets."pgbackrest.key" = {
      format = "binary";
      sopsFile = ./ca/vidhar.key;
      owner = user;
      inherit group;
      mode = "0400";
    };
  };
}