tsuki/postgres: misc:
- add postgresql backup service - harden systemd unit - increase max_connections
This commit is contained in:
parent
82ea6e9f5a
commit
20de3c260f
@ -1,5 +1,6 @@
|
||||
{ config, pkgs, lib, secrets, ... }: {
|
||||
|
||||
{ config, pkgs, lib, secrets, ... }: let
|
||||
cfg = config.services.postgresql;
|
||||
in {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
enableTCPIP = true;
|
||||
@ -11,7 +12,9 @@
|
||||
'';
|
||||
port = secrets.ports.postgres;
|
||||
dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
|
||||
# settings = {};
|
||||
settings = {
|
||||
max_connections = 150;
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
@ -20,5 +23,37 @@
|
||||
backupAll = true;
|
||||
};
|
||||
|
||||
systemd.services.postgresqlBackup = {
|
||||
requires = [ "postgresql.service" "data2-backup.mount" ];
|
||||
};
|
||||
|
||||
systemd.services.postgresql = {
|
||||
requires = [ "data2-postgres.mount" ];
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
RestartSec = 3;
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
# PrivateMounts = true;
|
||||
RestrictSUIDSGID = true;
|
||||
ProtectHostname = true;
|
||||
LockPersonality = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectProc = "invisible";
|
||||
ProtectHome = true;
|
||||
# PrivateNetwork = true;
|
||||
PrivateUsers = true;
|
||||
PrivateTmp = true;
|
||||
UMask = "0077";
|
||||
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
||||
SystemCallArchitectures = "native";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ config.services.postgresql.package ];
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user