common/postfix: init

2024-09-01 02:54:39 +02:00
4 changed files with 11 additions and 122 deletions
--- a/base/default.nix
+++ b/base/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 {
  imports = [
@@ -19,8 +19,6 @@
    ./services/thermald.nix
  ];
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
@@ -47,11 +45,6 @@
  programs.zsh.enable = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
--- a/base/services/openssh.nix
+++ b/base/services/openssh.nix
@@ -2,7 +2,6 @@
 {
  services.openssh = {
    enable = true;
    startWhenNeeded = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
      Match Group wheel
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -1,7 +1,4 @@
 { pkgs, lib, config, values, ... }:
 let
  backupDir = "/var/lib/mysql/backups";
 in
 {
  sops.secrets."mysql/password" = {
    owner = "mysql";
@@ -39,6 +36,11 @@ in
    }];
  };
  services.mysqlBackup = {
    enable = true;
    location = "/var/lib/mysql/backups";
  };
  networking.firewall.allowedTCPPorts = [ 3306 ];
  systemd.services.mysql.serviceConfig = {
@@ -48,58 +50,4 @@ in
      values.ipv6-space
    ];
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-mysql" = {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = [
      pkgs.coreutils
      pkgs.rsync
      pkgs.gzip
      config.services.mysql.package
    ];
    script = let
      rotations = 10;
      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
      rsyncTarget = "/data/backup/mysql";
    in ''
      set -eo pipefail
      mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
      done
      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      ReadWritePaths = [
        backupDir
        "/data/backup/mysql" # NOTE: should not be part of this option once rsyncTarget is remote
      ];
    };
    startAt = "*-*-* 02:15:00";
  };
  systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
    user = "mysql";
    group = "mysql";
    mode = "700";
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,7 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 let
  backupDir = "/var/lib/postgresql/backups";
 in
 {
  services.postgresql = {
    enable = true;
@@ -93,57 +90,9 @@ in
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
-  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  services.postgresqlBackup = {
-  #       another unit, it was easier to just make one ourselves
+    enable = true;
-  systemd.services."backup-postgresql" = {
+    location = "/var/lib/postgres/backups";
-    description = "Backup PostgreSQL data";
+    backupAll = true;
    requires = [ "postgresql.service" ];
    path = [
      pkgs.coreutils
      pkgs.rsync
      pkgs.gzip
      config.services.postgresql.package
    ];
    script = let
      rotations = 10;
      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
      rsyncTarget = "/data/backup/postgresql";
    in ''
      set -eo pipefail
      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
      done
      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      ReadWritePaths = [
        backupDir
        "/data/backup/postgresql" # NOTE: should not be part of this option once rsyncTarget is remote
      ];
    };
    startAt = "*-*-* 01:15:00";
  };
  systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
    user = "postgres";
    group = "postgres";
    mode = "700";
  };
 }