hosts/bicep/services/postgres.nix

@@ -1,4 +1,7 @@
 { config, pkgs, ... }:
+let
+  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
+in
 {
   services.postgresql = {
     enable = true;
@@ -76,16 +79,12 @@
 
   systemd.services.postgresql.serviceConfig = {
     LoadCredential = [
-      "cert:/etc/certs/postgres.crt"
+      "cert:${sslCert.directory}/cert.pem"
-      "key:/etc/certs/postgres.key"
+      "key:${sslCert.directory}/key.pem"
     ];
   };
 
-  environment.snakeoil-certs."/etc/certs/postgres" = {
+  users.groups.acme.members = [ "postgres" ];
-    owner = "postgres";
-    group = "postgres";
-    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-  };
 
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];

modules/snakeoil-certs.nix

@@ -50,7 +50,7 @@ in
       serviceConfig.Type = "oneshot";
       script = let
         openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n" ({ name, value }: ''
+      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
         mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
         if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
         then
@@ -69,8 +69,6 @@ in
         chown "${value.owner}:${value.group}" "${value.certificateKey}"
         chmod "${value.mode}" "${value.certificate}"
         chmod "${value.mode}" "${value.certificateKey}"
-
-        echo "\n-----------------\n"
       '') (lib.attrsToList cfg);
     };
     systemd.timers."generate-snakeoil-certs" = {