{ config, flake, ... }:

let
  # pgBackRest settings of the surtr host itself, pulled from its own NixOS
  # configuration so that the pg1-path used here cannot drift from what
  # surtr actually runs.
  surtrRepoCfg =
    flake.nixosConfigurations."surtr".config.services.pgbackrest.settings.surtr;

  # Certificate material shared by every TLS role this host plays (client
  # towards the database hosts, server towards surtr).  CA and host
  # certificate are public and live in the repository; the private key is
  # only ever read from the sops-managed file declared further down.
  caFile = toString ./ca/ca.crt;
  hostCert = toString ./ca/vidhar.crt;
  keyFile = config.sops.secrets."pgbackrest.key".path;

  # Local on-disk repository that both stanzas back up into, with the same
  # time-based retention for each.
  localRepo = {
    repo2-path = "/var/lib/pgbackrest";
    repo2-retention-full-type = "time";
    repo2-retention-full = 14;
    repo2-retention-archive = 7;
  };

  # Unprivileged service account under which pgBackRest and its TLS server
  # run; also used as owner of the repository, spool dir and private key.
  svcAccount = "pgbackrest";
in {
  config = {
    services.pgbackrest = {
      enable = true;

      tlsServer = {
        enable = true;
        user = svcAccount;
        group = svcAccount;
      };

      settings = {
        # Stanza for the surtr database host, reached over TLS as a client.
        "surtr" = {
          pg1-host-type = "tls";
          pg1-host = "pgbackrest.surtr.yggdrasil";
          pg1-host-ca-file = caFile;
          pg1-host-cert-file = hostCert;
          pg1-host-key-file = keyFile;
          inherit (surtrRepoCfg) pg1-path;

          # A second, remote repository on surtr is currently disabled.  The
          # commented values below are kept for reference only; note that
          # they still point at ./tls.crt rather than ./ca/vidhar.crt.
          # repo1-host-type = "tls";
          # repo1-host = "pgbackrest.surtr.yggdrasil";
          # repo1-host-ca-file = toString ./ca/ca.crt;
          # repo1-host-cert-file = toString ./tls.crt;
          # repo1-host-key-file = config.sops.secrets."pgbackrest.key".path;
          # repo1-retention-full-type = "time";
          # repo1-retention-full = 7;
          # repo1-retention-archive = 2;
        } // localRepo;

        # Stanza for the external srv01 database host, also reached over TLS.
        "srv01.uniworx.de" = {
          pg1-host-type = "tls";
          pg1-host = "srv01.uniworx.de";
          pg1-host-ca-file = caFile;
          # NOTE(review): this client certificate is presented together with
          # the same private key as vidhar.crt above — confirm that
          # srv01.uniworx.de.crt was issued for that key, otherwise the TLS
          # handshake towards srv01 cannot succeed.
          pg1-host-cert-file = toString ./ca/srv01.uniworx.de.crt;
          pg1-host-key-file = keyFile;
          pg1-path = "/var/lib/postgresql/15";
        } // localRepo;

        "global" = {
          # zstd at level 9: smaller backups at a higher CPU cost per run.
          compress-type = "zst";
          compress-level = 9;

          # WAL segments are queued locally and shipped asynchronously.
          archive-async = true;
          spool-path = "/var/spool/pgbackrest";
        };

        "global:server" = {
          # The TLS server listens on a single fixed address; only clients
          # whose certificate chains to the CA below are accepted, and
          # tls-server-auth maps the client certificate CN to the stanzas it
          # is allowed to touch (here: surtr may only access its own stanza).
          tls-server-address = "2a03:4000:52:ada:4:1::";
          tls-server-ca-file = caFile;
          tls-server-cert-file = hostCert;
          tls-server-key-file = keyFile;
          tls-server-auth = [ "surtr.yggdrasil=surtr" ];
        };

        "global:archive-push" = {
          process-max = 6;
        };
        "global:archive-get" = {
          process-max = 6;
        };
      };

      # Scheduled backup of the surtr stanza into the local repository.
      backups."surtr-daily" = {
        stanza = "surtr";
        repo = "2";
        user = svcAccount;
        group = svcAccount;
        timerConfig.OnCalendar = "daily Europe/Berlin";
      };
    };

    # Repository and spool directories are private to the service account
    # (no world/other access to backup contents or queued WAL).
    systemd.tmpfiles.rules = [
      "d /var/lib/pgbackrest 0750 ${svcAccount} ${svcAccount} - -"
      "d /var/spool/pgbackrest 0750 ${svcAccount} ${svcAccount} - -"
    ];

    users = {
      users.${svcAccount} = {
        name = svcAccount;
        group = svcAccount;
        isSystemUser = true;
        home = "/var/lib/pgbackrest";
      };
      groups.${svcAccount} = { };
    };

    # The TLS server unit additionally declares the repository as its state
    # directory, which mirrors the tmpfiles rule above with the same mode.
    systemd.services."pgbackrest-tls-server".serviceConfig = {
      StateDirectory = [ svcAccount ];
      StateDirectoryMode = "0750";
    };

    # Private key: decrypted by sops at activation, readable only by the
    # service account.
    sops.secrets."pgbackrest.key" = {
      format = "binary";
      sopsFile = ./ca/vidhar.key;
      owner = svcAccount;
      group = svcAccount;
      mode = "0400";
    };
  };
}