path: root/hosts/vidhar/pgbackrest/default.nix
blob: 1e0828ce4a231a6bcd62c41a27a80ec83a16c857 (plain)
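{ config, flake, flakeInputs, ... }:

# pgBackRest on vidhar.
#
# vidhar is the backup *repository* host for three PostgreSQL stanzas
# (`surtr`, `srv01.uniworx.de`, `srv02.uniworx.de`).  It plays two roles:
#   * client: the scheduled `backups.*` jobs connect to each PostgreSQL host
#     over mutually authenticated TLS (pg1-host-type = "tls") and write the
#     result into the local repository repo2;
#   * server: `tlsServer` / "global:server" exposes a pgBackRest TLS server so
#     the PostgreSQL hosts can reach the repository (WAL archive push/get).
# All TLS identities are issued by the private CA in ./ca; vidhar presents the
# same certificate/key in both roles.

let
  # Take surtr's own pg1-path so the two hosts cannot drift apart.
  # NOTE(review): this evaluates another host's NixOS configuration; a broken
  # surtr config also breaks vidhar's evaluation.
  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;

  # Dedicated nixpkgs for pgBackRest + libdscp; the assertion below pins the
  # version so an unnoticed input bump cannot change the on-disk repo format.
  nixpkgs-pgbackrest = import (flakeInputs.nixpkgs-pgbackrest.outPath + "/pkgs/top-level") {
    overlays = [ flake.overlays.libdscp ];
    localSystem = config.nixpkgs.system;
  };

  # Private-CA material.  Certificates are public and may live in the
  # (world-readable) Nix store; the private key is only ever referenced via
  # its sops-decrypted runtime path, never copied into the store.
  caFile = toString ./ca/ca.crt;
  certFile = toString ./ca/vidhar.crt;
  keyFile = config.sops.secrets."pgbackrest.key".path;

  # Client side of the mTLS connection vidhar opens to each PostgreSQL host.
  # Shared by every stanza so a change to the identity is made in one place.
  tlsClient = {
    pg1-host-type = "tls";
    pg1-host-ca-file = caFile;
    pg1-host-cert-file = certFile;
    pg1-host-key-file = keyFile;
  };

  # Local repository (repo2) and its retention.  With retention type "time"
  # the numbers are days, not backup counts.
  # NOTE(review): no repo2-cipher-type is set, so backups rest unencrypted on
  # vidhar's filesystem; only ownership/mode of /var/lib/pgbackrest (below)
  # protects their contents.  Enabling repository encryption would need a
  # passphrase secret that this module does not currently manage.
  localRepo = {
    repo2-path = "/var/lib/pgbackrest";
    repo2-retention-full-type = "time";
    repo2-retention-full = 14;
    repo2-retention-archive = 7;
  };

  # One scheduled backup of `stanza` into repo2, run as the pgbackrest user.
  mkDailyBackup = stanza: {
    inherit stanza;
    repo = "2";
    user = "pgbackrest";
    group = "pgbackrest";
    timerConfig.OnCalendar = "daily Europe/Berlin";
  };

  stanzas = [ "surtr" "srv01.uniworx.de" "srv02.uniworx.de" ];
in {
  config = {
    assertions = [
      (let
        inherit (config.services.pgbackrest.package) version;
      in { assertion = version == "2.45"; message = "Presumably incompatible pgBackRest version: ${version}"; })
    ];

    services.pgbackrest = {
      enable = true;
      package = nixpkgs-pgbackrest.pgbackrest;
      dscpPackage = nixpkgs-pgbackrest.libdscp;

      # The TLS server runs unprivileged; it only needs the repo directory,
      # the spool/lock directories and the key (all owned by pgbackrest).
      tlsServer = {
        enable = true;

        user = "pgbackrest";
        group = "pgbackrest";
      };

      settings = {
        "surtr" = tlsClient // localRepo // {
          pg1-host = "pgbackrest.surtr.yggdrasil";
          inherit (surtrRepoCfg) pg1-path;

          # Stale alternative: a remote repo1 on surtr.  Left for reference;
          # note it names ./tls.crt, which no longer matches the ./ca/vidhar.crt
          # identity used everywhere else, so it cannot be re-enabled as-is.
          # repo1-host-type = "tls";
          # repo1-host = "pgbackrest.surtr.yggdrasil";
          # repo1-host-ca-file = toString ./ca/ca.crt;
          # repo1-host-cert-file = toString ./tls.crt;
          # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
          # repo1-retention-full-type = "time";
          # repo1-retention-full = 7;
          # repo1-retention-archive = 2;
        };

        "srv01.uniworx.de" = tlsClient // localRepo // {
          # pg1-host = "2a03:4000:5e:e55::";
          pg1-host = "srv01.uniworx.de";
          pg1-path = "/var/lib/postgresql/15";
        };

        "srv02.uniworx.de" = tlsClient // localRepo // {
          pg1-host = "srv02.uniworx.de";
          pg1-path = "/var/lib/postgresql/15";
        };

        "global" = {
          compress-type = "zst";
          compress-level = 9;

          archive-async = true;
          spool-path = "/var/spool/pgbackrest";
        };

        "global:server" = {
          # NOTE(review): this is a globally routable address and nothing in
          # this module restricts or opens the listening port; access control
          # rests on the mTLS CA check plus tls-server-auth.  Confirm the
          # host firewall rules elsewhere.
          tls-server-address = "2a03:4000:52:ada:4:1::";
          tls-server-ca-file = caFile;
          tls-server-cert-file = certFile;
          tls-server-key-file = keyFile;
          # Per-client least privilege: each client certificate CN is mapped
          # to exactly the one stanza it may operate on.
          tls-server-auth = ["surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" "srv02.uniworx.de=srv02.uniworx.de"];
        };

        "global:archive-push" = {
          process-max = 6;
        };
        "global:archive-get" = {
          process-max = 6;
        };
      };

      # One "<stanza>-daily" job per stanza, all into repo2.
      backups = builtins.listToAttrs (map (s: {
        name = "${s}-daily";
        value = mkDailyBackup s;
      }) stanzas);
    };

    systemd.tmpfiles.rules = [
      # Backup repository.  Owner-only write: the same path is also declared
      # as StateDirectory (0750) on the TLS server unit below, and the two
      # modes previously disagreed (0770 here).  Only the pgbackrest user
      # writes here; group members (postgres) get read access at most.  If a
      # local PostgreSQL ever archives directly into this repository it would
      # need group write back — there is no local stanza in this module.
      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
      # Async archive spool; group-writable so a group member can spool WAL.
      "d /var/spool/pgbackrest 0770 pgbackrest pgbackrest - -"
      # presumably pgBackRest's default lock-path — TODO confirm.  Pre-creating
      # it at boot avoids a user-controlled path being created under /tmp later.
      "d /tmp/pgbackrest 0770 pgbackrest pgbackrest - -"
    ];

    users = {
      users.pgbackrest = {
        name = "pgbackrest";
        group = "pgbackrest";
        isSystemUser = true;
        home = "/var/lib/pgbackrest";
      };
      # postgres is added so a local server could use the spool/lock dirs;
      # NOTE(review): no local stanza is configured here — verify this
      # membership is still needed before keeping it.
      groups.pgbackrest = {
        members = [ "postgres" ];
      };
    };

    # Keep in sync with the tmpfiles mode for /var/lib/pgbackrest above.
    systemd.services."pgbackrest-tls-server".serviceConfig = {
      StateDirectory = [ "pgbackrest" ];
      StateDirectoryMode = "0750";
    };

    # Private key: decrypted by sops at activation, readable only by the
    # pgbackrest user.  It is referenced by path in the settings above.
    sops.secrets."pgbackrest.key" = {
      format = "binary";
      sopsFile = ./ca/vidhar.key;
      owner = "pgbackrest";
      group = "pgbackrest";
      mode = "0400";
    };
  };
}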