Compare commits
No commits in common. "bb4662b3455ca6f6f862cc7266babd4d993d562b" and "3fa7f670271760dd4106277b938fe9e518adcabe" have entirely different histories.
bb4662b345
...
3fa7f67027
|
@ -1,4 +1,7 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -76,16 +79,12 @@
|
||||||
|
|
||||||
systemd.services.postgresql.serviceConfig = {
|
systemd.services.postgresql.serviceConfig = {
|
||||||
LoadCredential = [
|
LoadCredential = [
|
||||||
"cert:/etc/certs/postgres.crt"
|
"cert:${sslCert.directory}/cert.pem"
|
||||||
"key:/etc/certs/postgres.key"
|
"key:${sslCert.directory}/key.pem"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.snakeoil-certs."/etc/certs/postgres" = {
|
users.groups.acme.members = [ "postgres" ];
|
||||||
owner = "postgres";
|
|
||||||
group = "postgres";
|
|
||||||
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 5432 ];
|
networking.firewall.allowedTCPPorts = [ 5432 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 5432 ];
|
networking.firewall.allowedUDPPorts = [ 5432 ];
|
||||||
|
|
|
@ -50,7 +50,7 @@ in
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
script = let
|
script = let
|
||||||
openssl = lib.getExe pkgs.openssl;
|
openssl = lib.getExe pkgs.openssl;
|
||||||
in lib.concatMapStringsSep "\n" ({ name, value }: ''
|
in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
|
||||||
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
|
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
|
||||||
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
|
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
|
||||||
then
|
then
|
||||||
|
@ -69,8 +69,6 @@ in
|
||||||
chown "${value.owner}:${value.group}" "${value.certificateKey}"
|
chown "${value.owner}:${value.group}" "${value.certificateKey}"
|
||||||
chmod "${value.mode}" "${value.certificate}"
|
chmod "${value.mode}" "${value.certificate}"
|
||||||
chmod "${value.mode}" "${value.certificateKey}"
|
chmod "${value.mode}" "${value.certificateKey}"
|
||||||
|
|
||||||
echo "\n-----------------\n"
|
|
||||||
'') (lib.attrsToList cfg);
|
'') (lib.attrsToList cfg);
|
||||||
};
|
};
|
||||||
systemd.timers."generate-snakeoil-certs" = {
|
systemd.timers."generate-snakeoil-certs" = {
|
||||||
|
|
Loading…
Reference in New Issue