diff --git a/1password/secrets.json b/1password/secrets.json index d53de47..9b7083c 100644 --- a/1password/secrets.json +++ b/1password/secrets.json @@ -82,6 +82,7 @@ }, { "name": "cloudflare-r2-token", + "namespace": "postgres-system", "itemPath": "vaults/Private/items/cloudflare" } ] diff --git a/flake.lock b/flake.lock index 687bd22..8c51ea0 100644 --- a/flake.lock +++ b/flake.lock @@ -18,6 +18,42 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "krew2nix": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716272275, + "narHash": "sha256-JWDyPhAJp263EVVsGrKwrJU+xdDReHsDmSe7A190/Cg=", + "owner": "eigengrau", + "repo": "krew2nix", + "rev": "0c1fecaab044dba1249c5d09366891ec467b4ad2", + "type": "github" + }, + "original": { + "owner": "eigengrau", + "repo": "krew2nix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1756819007, @@ -37,6 +73,7 @@ "root": { "inputs": { "flake-utils": "flake-utils", + "krew2nix": "krew2nix", "nixpkgs": "nixpkgs" } }, diff --git a/flake.nix b/flake.nix index 2662b03..2036822 100644 --- a/flake.nix +++ b/flake.nix @@ -4,9 +4,14 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; flake-utils.url = "github:numtide/flake-utils"; + + krew2nix = { + url = "github:eigengrau/krew2nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: + outputs = { nixpkgs, flake-utils, krew2nix, ... }: flake-utils.lib.eachDefaultSystem (system: let lib = nixpkgs.lib; 
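Review bot: The new `krew2nix` input in flake.nix pins `nixpkgs` to the root input but not `flake-utils`, and the flake.lock hunk shows the result: a second, older copy (`flake-utils_2`, lastModified 1659877975) is now locked alongside the root's `flake-utils`. Adding `inputs.flake-utils.follows = "flake-utils";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";` line would collapse the duplicate and keep one pinned revision to audit. The `outputs` function whose signature this hunk changes continues past the hunk.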
@@ -19,12 +24,16 @@ ]; }; }; + + kubectl = krew2nix.packages.${system}.kubectl; in { # Define the devShell for the current system devShell = pkgs.mkShell { buildInputs = with pkgs; [ kubernetes-helm - kubectl + (kubectl.withKrewPlugins (plugins: with plugins; [ + cnpg + ])) nil terraform tflint diff --git a/postgres/index.ts b/postgres/index.ts index 33776f8..0f149f4 100644 --- a/postgres/index.ts +++ b/postgres/index.ts @@ -35,7 +35,7 @@ export class PostgresCluster extends Construct { namespace: options.namespace, }); - const destinationPath = "s3://rihla-backups/"; + const destinationPath = "s3://homelab-backups/"; const endpointURL = options.backupR2EndpointURL; const barmanConfiguration = { @@ -321,7 +321,7 @@ export class PostgresCluster extends Construct { }, spec: { instances: 3, - maxSyncReplicas: 0, + maxSyncReplicas: 1, primaryUpdateStrategy: "unsupervised", certificates: { serverCASecret: certNames.server, @@ -346,12 +346,47 @@ export class PostgresCluster extends Construct { ], enableSuperuserAccess: false, bootstrap: { - initdb: { + recovery: { + source: "clusterBackup", database: "postgres", + owner: options.primaryUser, secret: { name: options.initSecretName, }, - postInitSQL: [`CREATE USER ${options.primaryUser} SUPERUSER;`], + }, + }, + externalClusters: [ + { + name: "clusterBackup", + plugin: { + name: "barman-cloud.cloudnative-pg.io", + parameters: { + barmanObjectName: "r2-postgres-backup-store", + serverName: "postgres-cluster", + }, + }, + }, + ], + managed: { + services: { + disabledDefaultServices: ["ro", "r"], + additional: [ + { + selectorType: "rw", + serviceTemplate: { + metadata: { + name: "postgres-cluster", + annotations: { + "external-dns.alpha.kubernetes.io/hostname": + "postgres.dogar.dev", + }, + }, + spec: { + type: "LoadBalancer", + }, + }, + }, + ], }, }, storage: {
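Review bot: The `managed.services.additional` entry added in the last postgres/index.ts hunk exposes the read-write endpoint as a `type: "LoadBalancer"` Service with an external-dns hostname, but the `serviceTemplate.spec` sets no `loadBalancerSourceRanges`, so reachability is bounded only by the LoadBalancer provider and whatever `pg_hba` rules the cluster enforces. Given the `certificates` block visible in the previous hunk, it would be worth restricting source ranges on the template and pinning client authentication (client certificates or scram) via `spec.postgresql.pg_hba`, with a comment above `additional:` stating that the exposure is intentional. Separately, `externalClusters[0].plugin.parameters.serverName` is `"postgres-cluster"`, the same name given to the new Service; if the Cluster's `metadata.name` (outside the hunk) is also `postgres-cluster` with the same `r2-postgres-backup-store` object store, the restored cluster would, as far as I recall from the CNPG recovery docs, write its own backups into the path it recovers from, so that should be confirmed. `bootstrap.recovery` is honoured only when the Cluster is first created, so a comment such as `// recovery bootstrap: applied only at initial creation; later reconciles ignore it` would help the next maintainer. The enclosing object literal starts and ends outside the hunk.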