nix-dotfiles/hosts/tsuki/services/postgres.nix


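# PostgreSQL for host "tsuki": server tuning, periodic dumps of every database,
# and systemd sandboxing of the postgresql unit.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.postgresql;
in {
  services.postgresql = {
    enable = true;
    # Listen on TCP as well as the Unix socket; which interfaces it binds to
    # is left at the module default (not set in this file).
    enableTCPIP = true;

    # Replace the module's generated pg_hba.conf (priority 10 wins over the
    # module's own default) and use `lib` from the module arguments rather
    # than reaching through `pkgs.lib` for the same function.
    # NOTE(review): `trust` means any local process, and anything that can
    # reach 127.0.0.1/::1, can log in as any role -- including the `postgres`
    # superuser -- without a credential. That is only acceptable if no
    # untrusted users or services share this host; otherwise `peer` on the
    # `local` line and `scram-sha-256` on the `host` lines is the usual
    # replacement, with the tools that connect given a password.
    authentication = lib.mkOverride 10 ''
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
    '';

    settings = {
      # Source: https://pgtune.leopard.in.ua/
      # DB Version: 15
      # OS Type: linux
      # DB Type: mixed
      # Total Memory (RAM): 12 GB
      # CPUs num: 12
      # Connections num: 150
      # Data Storage: hdd
      # NOTE(review): `package` is not pinned in this file, so the server
      # version is whatever the NixOS release defaults to -- confirm it
      # matches the "DB Version: 15" the tuning below was generated for.
      max_connections = 150;
      shared_buffers = "3GB";
      effective_cache_size = "9GB";
      maintenance_work_mem = "768MB";
      checkpoint_completion_target = 0.9;
      wal_buffers = "16MB";
      default_statistics_target = 100;
      # random_page_cost 4 / effective_io_concurrency 2 are the HDD values.
      random_page_cost = 4;
      effective_io_concurrency = 2;
      work_mem = "2621kB";
      min_wal_size = "1GB";
      max_wal_size = "4GB";
      max_worker_processes = 12;
      max_parallel_workers_per_gather = 4;
      max_parallel_workers = 12;
      max_parallel_maintenance_workers = 4;
    };
  };

  # Dump every database into /data/backup/postgres.
  services.postgresqlBackup = {
    enable = true;
    location = "/data/backup/postgres";
    backupAll = true;
  };

  # Pull in postgresql.service whenever the backup unit runs, so a dump is
  # never attempted against a server that is not up.
  systemd.services.postgresqlBackup = {
    requires = [ "postgresql.service" ];
  };

  # Sandbox the server process. The knobs below mostly take filesystem, kernel
  # and privilege surface away from the unit; the data directory is the only
  # path that must stay writable under ProtectSystem=strict.
  systemd.services.postgresql = {
    serviceConfig = {
      Restart = "always";
      RestartSec = 3;
      # ProtectSystem=strict mounts the whole filesystem read-only; the data
      # directory is carved back out explicitly.
      ReadWritePaths = [ cfg.dataDir ];
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      # PrivateMounts = true;
      RestrictSUIDSGID = true;
      ProtectHostname = true;
      LockPersonality = true;
      ProtectKernelTunables = true;
      ProtectSystem = "strict";
      ProtectProc = "invisible";
      ProtectHome = true;
      # Deliberately off: a private network namespace has only its own
      # loopback, so host-side clients of the TCP listener above could not
      # reach the server.
      # PrivateNetwork = true;
      PrivateUsers = true;
      PrivateTmp = true;
      # New files from the server (including dumps it writes) are owner-only.
      UMask = "0077";
      # Left off by the author; if enabled, the families the server actually
      # uses are the Unix socket plus IPv4/IPv6 for the TCP listener.
      # RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
    };
  };

  # Put psql and friends from the same package as the running server on PATH
  # (same binding as the `cfg` alias above, for consistency).
  environment.systemPackages = [ cfg.package ];
}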