refactor: use mkHetznerMachine for db-01

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-19 17:49:16 +02:00 · 2025-09-19 17:49:16 +02:00 · 89857b9978
commit 89857b9978
parent 3aa3570617
6 changed files with 39 additions and 103 deletions
--- a/hosts/servers/db-01.nix
+++ b/hosts/servers/db-01.nix
@ -0,0 +1,83 @@
+{ config, pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database dbuser origin-address auth-method
+      local all all trust
+      host all all 100.64.0.0/24 trust # trust tailnet
+    '';
+    ensureDatabases = [
+      "authelia"
+      "forgejo"
+      "lldap"
+    ];
+    ensureUsers = [
+      {
+        name = "authelia";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "forgejo";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "lldap";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    startAt = "*-*-* 02:00:00";
+    databases = [
+      "authelia"
+      "forgejo"
+      "lldap"
+    ];
+  };
+
+  services.restic.backups = {
+    postgresql = {
+      initialize = true;
+
+      repositoryFile = config.sops.secrets.restic-repository.path;
+      passwordFile = config.sops.secrets.restic-password.path;
+      environmentFile = config.sops.secrets.restic-environment.path;
+
+      timerConfig = {
+        OnCalendar = "03:00";
+        Persistent = true;
+      };
+
+      paths = [
+        "/var/backup/postgresql"
+      ];
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-weekly 12"
+      ];
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ./db-01.yaml;
+    secrets = {
+      restic-environment = {
+        owner = "root";
+      };
+      restic-password = {
+        owner = "root";
+      };
+      restic-repository = {
+        owner = "root";
+      };
+    };
+  };
+
+  system.stateVersion = "25.05";
+}