From 5b1c04e4b885bf64190d9d6193554a228b68dd71 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 26 Aug 2024 18:37:11 +0200
Subject: [PATCH] bicep/postgres: use snakeoil certs

---
 hosts/bicep/services/postgres.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hosts/bicep/services/postgres.nix b/hosts/bicep/services/postgres.nix
index df92735..516af7d 100644
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,7 +1,4 @@
 { config, pkgs, ... }:
-let
-  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
-in
 {
   services.postgresql = {
     enable = true;
@@ -79,12 +76,16 @@ in
   systemd.services.postgresql.serviceConfig = {
     LoadCredential = [
-      "cert:${sslCert.directory}/cert.pem"
-      "key:${sslCert.directory}/key.pem"
+      "cert:/etc/certs/postgres.crt"
+      "key:/etc/certs/postgres.key"
     ];
   };
-  users.groups.acme.members = [ "postgres" ];
+  environment.snakeoil-certs."/etc/certs/postgres" = {
+    owner = "postgres";
+    group = "postgres";
+    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+  };

   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];
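Review bot: The switch from the ACME certificate for postgres.pvv.ntnu.no to a self-signed snakeoil certificate is undocumented in the new `environment.snakeoil-certs."/etc/certs/postgres"` block, and it changes what clients can verify: a client connecting with `sslmode=verify-ca` or `sslmode=verify-full` will reject the server until it explicitly trusts the generated certificate, whereas the ACME chain was publicly trusted. A one-line comment above the block, `# Self-signed; clients using sslmode=verify-ca/verify-full must trust /etc/certs/postgres.crt explicitly`, would record that intent and where the trust anchor lives. The `.crt`/`.key` suffixes used in `LoadCredential` presumably match what the snakeoil-certs module writes for that path prefix, but that mapping is not visible in this hunk. Note also that `subject` only sets a CN; if the module does not add a dNSName SAN, libpq hostname checks fall back to the legacy CN-matching path, which works but is worth stating in the same comment. The enclosing attribute set and the hunk's trailing context continue past the visible chunk.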