{ config, flake, flakeInputs, ... }:
let
  # Pull the stanza settings straight from surtr's own NixOS configuration so
  # that pg1-path cannot drift from what the database host actually uses.
  surtrRepoCfg = flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;

  # One CA-signed identity is used both as TLS client (towards the PostgreSQL
  # hosts) and as TLS server (for incoming pgbackrest connections). Judging by
  # the file names this host is presumably "vidhar"; the private key itself is
  # never stored in the repo in clear — sops decrypts it at activation time.
  caFile = toString ./ca/ca.crt;
  certFile = toString ./ca/vidhar.crt;
  keyFile = config.sops.secrets."pgbackrest.key".path;

  # Client-side TLS settings shared by every remote PostgreSQL stanza.
  pgTlsClient = {
    pg1-host-type = "tls";
    pg1-host-ca-file = caFile;
    pg1-host-cert-file = certFile;
    pg1-host-key-file = keyFile;
  };

  # The on-disk repository (repo2) and its retention policy, identical for all
  # stanzas: keep two weeks of full backups and a week of WAL archive.
  localRepo = {
    repo2-path = "/var/lib/pgbackrest";
    repo2-retention-full-type = "time";
    repo2-retention-full = 14;
    repo2-retention-archive = 7;
  };

  # Builds the systemd-timer backup definition for a stanza: always into the
  # local repository, always once per day (Berlin time).
  dailyBackup = stanza: {
    inherit stanza;
    repo = "2";
    user = "pgbackrest";
    group = "pgbackrest";
    timerConfig.OnCalendar = "daily Europe/Berlin";
  };
in {
  config = {
    services.pgbackrest = {
      enable = true;
      # pgbackrest is taken from the stable nixpkgs input rather than the
      # default one, for the system's own platform.
      package = flakeInputs.nixpkgs-stable.legacyPackages.${config.nixpkgs.system}.pgbackrest;
      tlsServer = {
        enable = true;
        user = "pgbackrest";
        group = "pgbackrest";
      };
      settings = {
        "surtr" = pgTlsClient // localRepo // {
          pg1-host = "pgbackrest.surtr.yggdrasil";
          inherit (surtrRepoCfg) pg1-path;
          # A second, remote repository on surtr itself is currently disabled:
          # repo1-host-type = "tls";
          # repo1-host = "pgbackrest.surtr.yggdrasil";
          # repo1-host-ca-file = toString ./ca/ca.crt;
          # repo1-host-cert-file = toString ./tls.crt;
          # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
          # repo1-retention-full-type = "time";
          # repo1-retention-full = 7;
          # repo1-retention-archive = 2;
        };
        "srv01.uniworx.de" = pgTlsClient // localRepo // {
          # pg1-host = "2a03:4000:5e:e55::";
          pg1-host = "srv01.uniworx.de";
          pg1-path = "/var/lib/postgresql/15";
        };
        "global" = {
          compress-type = "zst";
          compress-level = 9;
          # WAL segments are queued in the spool directory and shipped by the
          # archive-push/archive-get workers configured below.
          archive-async = true;
          spool-path = "/var/spool/pgbackrest";
        };
        "global:server" = {
          # The TLS server listens on a single IPv6 address; peers must present
          # a certificate signed by our CA, and tls-server-auth pins each
          # client certificate to the one stanza it may touch.
          tls-server-address = "2a03:4000:52:ada:4:1::";
          tls-server-ca-file = caFile;
          tls-server-cert-file = certFile;
          tls-server-key-file = keyFile;
          tls-server-auth = [ "surtr.yggdrasil=surtr" "srv01.uniworx.de=srv01.uniworx.de" ];
        };
        "global:archive-push" = {
          process-max = 6;
        };
        "global:archive-get" = {
          process-max = 6;
        };
      };
      backups = {
        "surtr-daily" = dailyBackup "surtr";
        "srv01.uniworx.de-daily" = dailyBackup "srv01.uniworx.de";
      };
    };

    # Repository and spool directories are private to the pgbackrest user.
    systemd.tmpfiles.rules = [
      "d /var/lib/pgbackrest 0750 pgbackrest pgbackrest - -"
      "d /var/spool/pgbackrest 0750 pgbackrest pgbackrest - -"
    ];

    users = {
      users.pgbackrest = {
        name = "pgbackrest";
        group = "pgbackrest";
        isSystemUser = true;
        home = "/var/lib/pgbackrest";
      };
      groups.pgbackrest = { };
    };

    # Let systemd own the state directory for the TLS server unit with the
    # same restrictive mode as the tmpfiles rule above.
    systemd.services."pgbackrest-tls-server".serviceConfig = {
      StateDirectory = [ "pgbackrest" ];
      StateDirectoryMode = "0750";
    };

    # The TLS private key is decrypted by sops and readable only by the
    # pgbackrest user.
    sops.secrets."pgbackrest.key" = {
      format = "binary";
      sopsFile = ./ca/vidhar.key;
      owner = "pgbackrest";
      group = "pgbackrest";
      mode = "0400";
    };
  };
}