From 20de3c260f4e3693466522d9bfe215be822d0eac Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 12 Jul 2023 01:58:28 +0200
Subject: [PATCH] tsuki/postgres: misc:
- add postgresql backup service
- harden systemd unit
- increase max_connections
---
 hosts/tsuki/services/postgres.nix | 41 ++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/hosts/tsuki/services/postgres.nix b/hosts/tsuki/services/postgres.nix
index 2e8e22a..aa20b29 100644
--- a/hosts/tsuki/services/postgres.nix
+++ b/hosts/tsuki/services/postgres.nix
@@ -1,5 +1,6 @@
-{ config, pkgs, lib, secrets, ... }: {
-
+{ config, pkgs, lib, secrets, ... }: let
+  cfg = config.services.postgresql;
+in {
   services.postgresql = {
     enable = true;
     enableTCPIP = true;
@@ -11,7 +12,9 @@
     '';
     port = secrets.ports.postgres;
     dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
-    # settings = {};
+    settings = {
+      max_connections = 150;
+    };
   };
 
   services.postgresqlBackup = {
@@ -20,5 +23,37 @@
     backupAll = true;
   };
 
+  systemd.services.postgresqlBackup = {
+    requires = [ "postgresql.service" "data2-backup.mount" ];
+  };
+
+  systemd.services.postgresql = {
+    requires = [ "data2-postgres.mount" ];
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = 3;
+      ReadWritePaths = [ cfg.dataDir ];
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      # PrivateMounts = true;
+      RestrictSUIDSGID = true;
+      ProtectHostname = true;
+      LockPersonality = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      ProtectProc = "invisible";
+      ProtectHome = true;
+      # PrivateNetwork = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      UMask = "0077";
+      # RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+    };
+  };
+
   environment.systemPackages = [ config.services.postgresql.package ];
 }
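Review bot: `requires = [ "data2-postgres.mount" ]` on systemd.services.postgresql pulls the mount in but does not order the service after it, because Requires= carries no ordering; on boot postgresql can start before the data drive is mounted, and since `ProtectSystem = "strict"` bind-mounts `cfg.dataDir` into the service namespace at that moment, it may see an empty or missing directory. Add `after = [ "data2-postgres.mount" ];` beside the requires, or express both at once with `unitConfig.RequiresMountsFor = [ cfg.dataDir ];`, which derives Requires= and After= for the mount units covering that path. The same applies to `systemd.services.postgresqlBackup`, which lists `"postgresql.service" "data2-backup.mount"` under requires only — unless the upstream postgresqlBackup module already orders it, add `after = [ "postgresql.service" "data2-backup.mount" ];`. Separately, `ReadWritePaths = [ cfg.dataDir ]` is only honoured when the path exists at unit start, so a first-time initdb on a fresh host may fail under ProtectSystem=strict; worth confirming by deploying once against a clean data drive. If the commented-out RestrictAddressFamilies is re-enabled, write it as `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` (one family per list element, matching how the other list options are written) and consider pairing it with `SystemCallFilter = [ "@system-service" ]`, checking the outcome with `systemd-analyze security postgresql.service`.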