From bc89904efad4bfd1693f547f39a3ad2943d587de Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Thu, 3 Oct 2024 08:34:20 +0200
Subject: [PATCH] loki: Initial setup of barman

---
 machines/loki/barman.nix | 32 +++++++++
 machines/loki/configuration.nix | 5 ++
 machines/loki/secrets.yaml | 7 +-
 modules/barman/default.nix | 114 ++++++++++++++++++++++++++++++++
 4 files changed, 155 insertions(+), 3 deletions(-)
 create mode 100644 machines/loki/barman.nix
 create mode 100644 modules/barman/default.nix

diff --git a/machines/loki/barman.nix b/machines/loki/barman.nix
new file mode 100644
index 0000000..6f9b6a2
--- /dev/null
+++ b/machines/loki/barman.nix
@@ -0,0 +1,32 @@
+{ pkgs, config, ... }:
+{
+ services.barman = {
+ enable = true;
+ package = (
+ pkgs.barman.overrideAttrs (prevAttrs: {
+ propagatedBuildInputs = prevAttrs.propagatedBuildInputs ++ [ pkgs.python3Packages.distutils ];
+ })
+ );
+
+ settings = {
+ barman = {
+ # log_file = "/var/log/barman/barman.log";
+ configuration_files_directory = "/etc/barman.d";
+ create_slot = "auto";
+ };
+ };
+ servers = {
+ ha = {
+ description = "Home Assistant database";
+ conninfo = "host=10.0.0.254 user=postgres dbname=homeassistant passfile=${config.sops.secrets.barman-passwords.path}";
+ wal_streaming_conninfo = "host=10.0.0.254 user=postgres dbname=homeassistant passfile=${config.sops.secrets.barman-passwords.path}";
+ streaming_archiver = true;
+ backup_method = "postgres";
+ slot_name = "barman";
+ retention_policy = "RECOVERY WINDOW OF 4 WEEKS";
+ };
+ };
+
+ # passwordsFile = config.sops.secrets.barman-passwords.path;
+ };
+}
diff --git a/machines/loki/configuration.nix b/machines/loki/configuration.nix
index 853b636..5fe664c 100644
--- a/machines/loki/configuration.nix
+++ b/machines/loki/configuration.nix
@@ -8,6 +8,7 @@ nixos-hardware.nixosModules.common-pc-ssd # ./vm.nix + ./barman.nix ../../users/erwin ../../users/root
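Review bot: Both `conninfo` and `wal_streaming_conninfo` of the `ha` server connect as `user=postgres`, the database superuser, for a job that only needs base backups and WAL streaming; a dedicated role carrying the REPLICATION attribute (barman's documentation lists the grants a non-superuser backup role needs) keeps a compromise of the backup host from turning into full superuser access to the Home Assistant database. The host `10.0.0.254`, the role and the passfile path are repeated verbatim in both strings; binding them once, e.g. `let dbConn = "host=10.0.0.254 user=postgres dbname=homeassistant passfile=${config.sops.secrets.barman-passwords.path}"; in`, keeps the two from drifting apart. The commented-out `# passwordsFile = ...` line mirrors an option the module leaves commented out as well; either wire it up or drop both.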
@@ -543,6 +544,10 @@ owner = "systemd-network"; }; k3s-token = { }; + + barman-passwords = { + owner = "barman"; + }; }; # This value determines the NixOS release from which the default
diff --git a/machines/loki/secrets.yaml b/machines/loki/secrets.yaml
index b42b502..252d566 100644
--- a/machines/loki/secrets.yaml
+++ b/machines/loki/secrets.yaml
@@ -5,6 +5,7 @@ livebook-password: ENC[AES256_GCM,data:FaMIr0GxLTvAzrYt7blGbJuGDbr+lDiIMnvY2c/r,
 renovate_env: ENC[AES256_GCM,data:mzeS0FXsycD4hWMzRMgeEgTY+x2QtYtxmhcFCJcjwlD/q577kprHaU8otr1sOu9mwNud7K8kJGk=,iv:MMhr6CPsyvmP7+dKJUwt9cjnATm9JKZ/KbG4Dkj7hJ0=,tag:ubLmcW/CtT/uPiyswvr93w==,type:str]
 wireguard-horus-privkey: ENC[AES256_GCM,data:JVhdbvNqfdPWFCg24F56Hmu1Tf/EA6BOqa1uPuu8C/FrJhNaGi4S+KYOook=,iv:z8cq4C5vu/QqJ3UZdL1zEH22Ht3rKSbdHgAQbRSk8Kk=,tag:AVBvV8wJqw5jgDRiES89eQ==,type:str]
 k3s-token: ENC[AES256_GCM,data:agr9ihvrufHJ+zsWUTT7tT6oXwhQfp1VjlzvL/YrjhfsQsWdA2wqQOBG8Fgi6gDlqz+3DwWr3wdy/jclEEwrnA==,iv:zgYrN9CSraugO+LMIpJ2jDvxjCnQ9a3GHj6ffO/K0uY=,tag:6en6lNNvNMyOVf1Rfow6ew==,type:str]
+barman-passwords: ENC[AES256_GCM,data:M7HCuXsq8kSqoEfbn94/Hdl1tvb93i5oDYOr+QeuDVD33aF/xxuOwDVZM7wz7OcuozV7f6URtMGDy26KaHqekWhn2hFoRi5WHOxjE7M6oYLP6V4F+IGQBeMOHjjzqjQ9ti/BfhGpi3oHf0RK4RxLCmoNzAfWuP6zZnCyKgwyxBVu6lCHG2I08CJ8w2novts8,iv:EMLqvGIb1WK71Aw+LWr7JrQydA89CTTOavsFUZ6M3G8=,tag:PXu0JVzHjbH9wQfijf9V7A==,type:str]
 sops:
 kms: []
 gcp_kms: []
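Review bot: `owner = "barman"` on the new `barman-passwords` secret is a literal, while the barman module derives its runtime user from `cfg.settings.barman.barman_user`; if that setting is ever overridden the passfile stays owned by a user that no longer runs the service and the backup job would be unable to read it. Referencing the same value, `owner = config.services.barman.settings.barman.barman_user;`, should keep the two in step without introducing a cycle, since nothing in the barman module reads back from `sops.secrets`. The enclosing `sops.secrets` attribute set starts outside the hunk.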
@@ -38,8 +39,8 @@ sops:
 c0dlMkVlRG9LYU00M2M3UGJpUkxDOWsKiwc5oM63ezv1TVng0zQOqILOxuRMU+j7
 hHl6AWg0iorXJ1IWmGxLINDAK/RQVEFLK6gRjfN7qB+6wdmrKl8seQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-07T22:49:34Z"
- mac: ENC[AES256_GCM,data:e3HW2LmCFwxXt2QkKf7pGKrpBQLFETVzz6w4/EEtxSzcuFn7p/S0AYk/4/FPXO+Gke1ccklXINFb/Qk0KlaWeToNg3Pp19xt5b9apvJQsoXQOuzjxqHDRkwZjGIFsYUvVgt/YNXs3AsTJzeMq0RjaI96xbwCitKvZl+sJP1nUBY=,iv:vA8xjOljqXwHwG+aJuCORgcHcNGgNf4L9RRV+dZv4+w=,tag:1Ukh7LQ/yTurdANzygxvXQ==,type:str]
+ lastmodified: "2024-10-01T18:48:17Z"
+ mac: ENC[AES256_GCM,data:TjNyX17d3PaScsPidp1wTc4DVK2Jl5/QRmlfH3WN/Hs+lsPn9BvFHmuy50Fs9TLfDjTBQ4WdreWw3Tz2SSBw12WO9tt7vt2b8MudLr1EqHP2rGN6u6cxz9xKYSm0v8j+mJFuL3VJvGAKdSvHS0lxo3SooEhONGkrhDwPidhhcks=,iv:9DhtXHJo6JTGJY/nPCAt11x8ZZwv/1B37dSaqFVAOiE=,tag:xfnRBecHFKOY09VTMBh9dw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.0
diff --git a/modules/barman/default.nix b/modules/barman/default.nix
new file mode 100644
index 0000000..9ed0ece
--- /dev/null
+++ b/modules/barman/default.nix
@@ -0,0 +1,114 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.services.barman;
+ iniFormat = pkgs.formats.ini { };
+ defaultUser = "barman";
+ defaultHome = "/var/lib/barman";
+in
+{
+ options.services.barman = {
+ enable = lib.mkEnableOption "barman";
+ package = lib.mkPackageOption pkgs "barman" { };
+
+ settings = lib.mkOption {
+ description = "Global barman configuration that goes in the `[barman]` section of `barman.conf`";
+ type = lib.types.submodule { freeformType = iniFormat.type; };
+ example = {
+ barman_user = defaultUser;
+ barman_home = defaultHome;
+ log_file = "/var/log/barman/barman.log";
+ };
+ };
+
+ servers = lib.mkOption {
+ description = "Server configurations";
+ type = lib.types.submodule { freeformType = iniFormat.type; };
+ default = { };
+ };
+
+ # passwordsFile = lib.mkOption {
+ # description = "Path to the PostgreSQL password file. See [the documentation](https://www.postgresql.org/docs/current/libpq-pgpass.html) for the format.";
+ # type = lib.types.path;
+ # default = null;
+ # };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.barman.settings = {
+ barman = {
+ barman_user = lib.mkDefault defaultUser;
+ barman_home = lib.mkDefault defaultHome;
+ compression = lib.mkDefault "pigz";
+ backup_compression = lib.mkDefault "zstd";
+ };
+ };
+
+ users.users."${cfg.settings.barman.barman_user}" = {
+ isSystemUser = true;
+ home = cfg.settings.barman.barman_home;
+ createHome = true;
+ group = cfg.settings.barman.barman_user;
+ };
+
+ users.groups."${cfg.settings.barman.barman_user}" = { };
+
+ environment = {
+ etc =
+ {
+ "barman.conf" = {
+ user = cfg.settings.barman.barman_user;
+ source = iniFormat.generate "barman.conf" cfg.settings;
+ };
+ }
+ // (lib.mapAttrs' (name: serverConfig: {
+ name = "barman.d/${name}.conf";
+ value = {
+ user = cfg.settings.barman.barman_user;
+ source = iniFormat.generate "${name}.conf" { "${name}" = serverConfig; };
+ };
+ }) cfg.servers);
+
+ systemPackages = [ cfg.package ];
+ };
+ systemd = {
+ timers.barman = {
+ description = "Update timer for barman";
+ partOf = [ "barman.service" ];
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "*:*:0";
+ };
+ };
+
+ services.barman = {
+ description = "Run barman maintenance tasks";
+ path = with pkgs; [
+ cfg.package
+ bash
+ bzip2
+ gzip
+ lz4
+ pigz
+ postgresql
+ zstd
+ ];
+ # environment = {
+ # PGPASSFILE = lib.mkIf (cfg.passwordsFile != null) cfg.passwordsFile;
+ # };
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = cfg.settings.barman.barman_user;
+ ExecStart = "${cfg.package}/bin/barman cron";
+ WorkingDirectory = cfg.settings.barman.barman_home;
+ };
+ };
+ };
+
+ };
+}
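Review bot: `iniFormat.generate`, used for `barman.conf` and for every `barman.d/<name>.conf`, renders the files into the world-readable Nix store and `environment.etc` merely links to them; because `settings` and `servers` are freeform, anything a user puts in a server's `conninfo` other than a `passfile=` reference — a `password=` component in particular — becomes readable by every local account. The `user = cfg.settings.barman.barman_user;` on those `environment.etc` entries does not change that, since `user` only applies when the entry is copied rather than symlinked. The option descriptions should state the constraint, e.g. on `servers`: `Rendered into the world-readable Nix store; keep credentials out of conninfo and point passfile= at a secret instead.`. The commented-out `passwordsFile` option and the `PGPASSFILE` environment block are dead code in a brand-new file; finish them or drop them.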