oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

tsuki/postgres: misc: 

- add postgresql backup service
- harden systemd unit
- increase max_connections
This commit is contained in:
Oystein Kristoffer Tveit 2023-07-12 01:58:28 +02:00
parent 82ea6e9f5a
commit 20de3c260f
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 38 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
hosts/tsuki/services/postgres.nix
View File

@ -1,5 +1,6 @@
{ config, pkgs, lib, secrets, ... }: {
{ config, pkgs, lib, secrets, ... }: let
cfg = config.services.postgresql;
in {
services.postgresql = {
enable = true;
enableTCPIP = true;
@ -11,7 +12,9 @@
'';
port = secrets.ports.postgres;
dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
# settings = {};
settings = {
max_connections = 150;
};
};
services.postgresqlBackup = {
@ -20,5 +23,37 @@
backupAll = true;
};
systemd.services.postgresqlBackup = {
requires = [ "postgresql.service" "data2-backup.mount" ];
};
systemd.services.postgresql = {
requires = [ "data2-postgres.mount" ];
serviceConfig = {
Restart = "always";
RestartSec = 3;
ReadWritePaths = [ cfg.dataDir ];
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
# PrivateMounts = true;
RestrictSUIDSGID = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
ProtectHome = true;
# PrivateNetwork = true;
PrivateUsers = true;
PrivateTmp = true;
UMask = "0077";
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
environment.systemPackages = [ config.services.postgresql.package ];
}