flake.nix

@@ -25,6 +25,7 @@
             inputs.kpp.nixosModules.default
             course-management.nixosModules.default
             ./hosts/quitte/configuration.nix
+            ./modules/bacula.nix
             ./modules/options.nix
             ./modules/base.nix
             ./modules/sops.nix

modules/bacula.nix

@@ -0,0 +1,39 @@
+{ config, ... }:
+{
+  sops.secrets = {
+    "bacula/password".owner = "bacula";
+    "bacula/keypair".owner = "bacula";
+    "bacula/masterkey".owner = "bacula";
+  };
+  services.bacula-fd = {
+    enable = true;
+    name = "ifsr-quitte";
+    extraClientConfig = ''
+      WorkingDirectory = /var/lib/bacula
+      Pid Directory = /run/bacula
+      Maximum Concurrent Jobs = 20
+      FDAddress = 141.30.30.169
+      PKI Signatures = Yes
+      PKI Encryption = Yes
+      PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
+      PKI Master Key = ${config.sops.secrets."bacula/masterkey".path}
+    '';
+    extraMessagesConfig = ''
+      Name = Standard
+      directory = abel-dir = all, !skipped, !restored
+    '';
+    director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
+  };
+  environment.etc."bacula/bconsole.conf".text = ''
+    Director {
+      Name = abel-dir
+      DIRport = 9101
+      address = 10.144.0.11
+      Password = @${config.sops.secrests."bacula/password".path}
+    }
+    Console {
+      Name = ifsr-quitte-console
+      Password = @${config.sops.secrests."bacula/password".path}
+    }
+  '';
+}

modules/course-management.nix

@@ -5,7 +5,8 @@ in
 {
   sops.secrets =
     let inherit (config.services.course-management) user;
-    in {
+    in
+    {
       "course-management/secret-key".owner = user;
       "course-management/adminpass".owner = user;
     };
@@ -33,7 +34,7 @@ in
   };
 
   services.postgresql = {
-    enable = true;
+    enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
     ensureUsers = [{
       name = "course-management";
       ensurePermissions = {