init mindy

.sops.yaml

@@ -1,6 +1,7 @@
 keys:
   - &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
   - &host_michael age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j
+  - &host_mindy ageXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   - &host_jason age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2
   - &host_chidi age1tlymdmaukhwupzrhszspp26lgd8s64rw4vu9lwc7gsgrjm78095s9fe9l3
 creation_rules:
@@ -9,5 +10,6 @@ creation_rules:
       - age:
         - *host_tahani
         - *host_michael
+        - *host_mindy
         - *host_jason
         - *host_chidi

flake.nix

@@ -40,7 +40,7 @@
 				constants = import ./lib/constants.nix;
 				user = constants.user;
 				darwinHosts = ["chidi" "jason"];
-				nixosHosts = ["michael" "tahani"];
+				nixosHosts = ["michael" "mindy" "tahani"];
 				overlays = import ./overlays {inherit inputs;};
 			in {
 				systems = [

hosts/mindy/default.nix

@@ -0,0 +1,145 @@
+{
+	config,
+	modulesPath,
+	hostname,
+	inputs,
+	pkgs,
+	user,
+	constants,
+	...
+}: {
+	imports = [
+		(modulesPath + "/installer/scan/not-detected.nix")
+		(modulesPath + "/profiles/qemu-guest.nix")
+		./disk-config.nix
+		./hardware-configuration.nix
+		../../profiles/core.nix
+		../../profiles/fail2ban.nix
+		../../profiles/nixos.nix
+		../../profiles/postgresql.nix
+		../../profiles/tailscale.nix
+		inputs.disko.nixosModules.disko
+		inputs.sops-nix.nixosModules.sops
+	];
+
+	sops.secrets.mindy-pgbackrest = {
+		sopsFile = ../../secrets/mindy-pgbackrest;
+		format = "binary";
+	};
+
+	environment.systemPackages = [pkgs.pgbackrest];
+
+	environment.etc."pgbackrest/pgbackrest.conf".text = ''
+		[global]
+		repo1-type=s3
+		repo1-s3-endpoint=s3.eu-central-003.backblazeb2.com
+		repo1-s3-bucket=mindy-pgbackrest
+		repo1-s3-region=eu-central-003
+		repo1-path=/backups
+		repo1-retention-full=7
+		repo1-retention-diff=7
+		repo1-cipher-type=aes-256-cbc
+		compress-type=zst
+		compress-level=3
+		process-max=2
+		log-level-console=info
+		log-level-file=detail
+		log-path=/var/log/pgbackrest
+		spool-path=/var/spool/pgbackrest
+
+		[main]
+		pg1-path=/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}
+		pg1-user=postgres
+	'';
+
+	systemd.services.pgbackrest-backup = {
+		description = "pgBackRest Full Backup";
+		after = ["postgresql.service"];
+		requires = ["postgresql.service"];
+		path = [pkgs.pgbackrest];
+		serviceConfig = {
+			Type = "oneshot";
+			User = "postgres";
+			EnvironmentFile = "/run/secrets/mindy-pgbackrest";
+		};
+		script = ''
+			pgbackrest --stanza=main backup --type=full
+		'';
+	};
+
+	systemd.timers.pgbackrest-backup = {
+		wantedBy = ["timers.target"];
+		timerConfig = {
+			OnCalendar = "daily";
+			Persistent = true;
+			RandomizedDelaySec = "1h";
+		};
+	};
+
+	systemd.services.pgbackrest-backup-diff = {
+		description = "pgBackRest Differential Backup";
+		after = ["postgresql.service"];
+		requires = ["postgresql.service"];
+		path = [pkgs.pgbackrest];
+		serviceConfig = {
+			Type = "oneshot";
+			User = "postgres";
+			EnvironmentFile = "/run/secrets/mindy-pgbackrest";
+		};
+		script = ''
+			pgbackrest --stanza=main backup --type=diff
+		'';
+	};
+
+	systemd.timers.pgbackrest-backup-diff = {
+		wantedBy = ["timers.target"];
+		timerConfig = {
+			OnCalendar = "hourly";
+			Persistent = true;
+			RandomizedDelaySec = "5m";
+		};
+	};
+
+	systemd.tmpfiles.rules = [
+		"d /var/lib/pgbackrest 0750 postgres postgres -"
+		"d /var/log/pgbackrest 0750 postgres postgres -"
+		"d /var/spool/pgbackrest 0750 postgres postgres -"
+	];
+
+	home-manager.users.${user} = {
+		pkgs,
+		lib,
+		...
+	}: {
+		_module.args = {inherit user constants inputs;};
+		imports = [
+			inputs.nixvim.homeModules.nixvim
+			../../profiles/bash.nix
+			../../profiles/bat.nix
+			../../profiles/direnv.nix
+			../../profiles/eza.nix
+			../../profiles/fish.nix
+			../../profiles/fzf.nix
+			../../profiles/git.nix
+			../../profiles/home.nix
+			../../profiles/jjui.nix
+			../../profiles/jujutsu.nix
+			../../profiles/lazygit.nix
+			../../profiles/neovim
+			../../profiles/ripgrep.nix
+			../../profiles/ssh.nix
+			../../profiles/starship.nix
+			../../profiles/zoxide.nix
+		];
+	};
+
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "yes";
+			PasswordAuthentication = false;
+		};
+	};
+
+	networking.hostName = hostname;
+}

hosts/mindy/disk-config.nix

@@ -0,0 +1,37 @@
+{
+	disko.devices = {
+		disk = {
+			main = {
+				type = "disk";
+				device = "/dev/sda";
+				content = {
+					type = "gpt";
+					partitions = {
+						boot = {
+							size = "1M";
+							type = "EF02";
+						};
+						ESP = {
+							size = "512M";
+							type = "EF00";
+							content = {
+								type = "filesystem";
+								format = "vfat";
+								mountpoint = "/boot";
+								mountOptions = ["umask=0077"];
+							};
+						};
+						root = {
+							size = "100%";
+							content = {
+								type = "filesystem";
+								format = "ext4";
+								mountpoint = "/";
+							};
+						};
+					};
+				};
+			};
+		};
+	};
+}

hosts/mindy/hardware-configuration.nix

@@ -0,0 +1,18 @@
+{
+	lib,
+	modulesPath,
+	...
+}: {
+	imports = [
+		(modulesPath + "/profiles/qemu-guest.nix")
+	];
+
+	boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+	boot.initrd.kernelModules = [];
+	boot.kernelModules = [];
+	boot.extraModulePackages = [];
+
+	nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+	networking.useDHCP = lib.mkDefault true;
+}

profiles/postgresql.nix

@@ -0,0 +1,27 @@
+{pkgs, ...}: {
+	services.postgresql = {
+		enable = true;
+		package = pkgs.postgresql_17;
+
+		settings = {
+			wal_level = "replica";
+			archive_mode = "on";
+			archive_command = "${pkgs.pgbackrest}/bin/pgbackrest --stanza=main archive-push %p";
+			max_wal_senders = 3;
+			max_connections = 100;
+			shared_buffers = "256MB";
+			log_connections = true;
+			log_disconnections = true;
+		};
+
+		authentication =
+			pkgs.lib.mkOverride 10 ''
+				local   all       all                         peer
+				host    all       all         127.0.0.1/32    scram-sha-256
+				host    all       all         ::1/128         scram-sha-256
+				host    all       all         100.64.0.0/10   scram-sha-256
+			'';
+	};
+
+	networking.firewall.interfaces."tailscale0".allowedTCPPorts = [5432];
+}

secrets/mindy-pgbackrest

@@ -0,0 +1,3 @@
+PGBACKREST_REPO1_S3_KEY=REPLACE_WITH_B2_APPLICATION_KEY_ID
+PGBACKREST_REPO1_S3_KEY_SECRET=REPLACE_WITH_B2_APPLICATION_KEY
+PGBACKREST_REPO1_CIPHER_PASS=REPLACE_WITH_ENCRYPTION_PASSPHRASE