tsuki/postgres: misc:

- add postgresql backup service
- harden systemd unit
- increase max_connections
This commit is contained in:
Oystein Kristoffer Tveit 2023-07-12 01:58:28 +02:00
parent 82ea6e9f5a
commit 20de3c260f
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 38 additions and 3 deletions


@ -1,5 +1,6 @@
{ config, pkgs, lib, secrets, ... }: { { config, pkgs, lib, secrets, ... }: let
cfg = config.services.postgresql;
in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = true;
@ -11,7 +12,9 @@
''; '';
port = secrets.ports.postgres; port = secrets.ports.postgres;
dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}"; dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
# settings = {}; settings = {
max_connections = 150;
};
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@ -20,5 +23,37 @@
backupAll = true; backupAll = true;
}; };
systemd.services.postgresqlBackup = {
requires = [ "postgresql.service" "data2-backup.mount" ];
};
systemd.services.postgresql = {
requires = [ "data2-postgres.mount" ];
serviceConfig = {
Restart = "always";
RestartSec = 3;
ReadWritePaths = [ cfg.dataDir ];
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
# PrivateMounts = true;
RestrictSUIDSGID = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
ProtectHome = true;
# PrivateNetwork = true;
PrivateUsers = true;
PrivateTmp = true;
UMask = "0077";
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
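Review bot: `requires` alone does not order units, so in the new `systemd.services.postgresql` and `systemd.services.postgresqlBackup` blocks postgres can start before `data2-postgres.mount` is active and the backup can run before `data2-backup.mount` is mounted, which on a cold boot risks initdb populating the empty mountpoint on the root filesystem or dumps landing there; add `after = [ "data2-postgres.mount" ];` (and the matching `after` for the backup unit), or `unitConfig.RequiresMountsFor = [ cfg.dataDir ];`, unless the NixOS postgresql module already declares RequiresMountsFor for dataDir. The sandbox also leaves out a few directives that are normally safe for a non-root database service and worth adding next to the existing ones, shown below; `MemoryDenyWriteExecute` is deliberately omitted because PostgreSQL's JIT needs writable+executable mappings, and the `SystemCallFilter` should be verified under load. The commented-out `RestrictAddressFamilies` line is valid systemd syntax as written, but the idiomatic Nix form is one family per element, and with `enableTCPIP = true` all three families are required (AF_UNIX presumably also carries the notify socket the NixOS module uses). `PrivateUsers = true` gives the service zero capabilities in the host namespace, which presumably works with the module's preStart/initdb path since this is deployed, but it deserves a comment such as `# PrivateUsers: no host capabilities; preStart (initdb) must run fully as the postgres user`.
```nix
  systemd.services.postgresql = {
    requires = [ "data2-postgres.mount" ];
    after = [ "data2-postgres.mount" ];
    serviceConfig = {
      # … unchanged: Restart, ReadWritePaths, Protect*/Private*, UMask, SystemCallArchitectures …
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      ProtectControlGroups = true;
      # @system-service covers the ipc/shm calls postgres workers use; confirm under load
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    };
  };
```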