Use snakeoil certs for postgresql #69
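--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -1,7 +1,4 @@
 { config, pkgs, ... }:
-let
-sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
-in
 {
 services.postgresql = {
 enable = true;
@@ -79,12 +76,16 @@ in
 
 systemd.services.postgresql.serviceConfig = {
 LoadCredential = [
-"cert:${sslCert.directory}/cert.pem"
-"key:${sslCert.directory}/key.pem"
+"cert:/etc/certs/postgres.crt"
+"key:/etc/certs/postgres.key"
 ];
 };
 
-users.groups.acme.members = [ "postgres" ];
+environment.snakeoil-certs."/etc/certs/postgres" = {
+owner = "postgres";
+group = "postgres";
+subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+};
 
 networking.firewall.allowedTCPPorts = [ 5432 ];
 networking.firewall.allowedUDPPorts = [ 5432 ];
 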
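Review bot: `LoadCredential` now points at `/etc/certs/postgres.crt` and `/etc/certs/postgres.key`, but nothing in this hunk orders `postgresql.service` after the unit that generates those files, so on a freshly provisioned host the first activation can fail on a missing credential until the `generate-snakeoil-certs` timer has fired (unless that ordering already exists outside the diff). Consider `systemd.services.postgresql.after = [ "generate-snakeoil-certs.service" ];` together with a matching `wants`, assuming that is the service the timer triggers — its name is not shown here. Separately, replacing the ACME certificate with a self-signed one changes the client-side trust model: clients validating against the public chain with `sslmode=verify-full` or `verify-ca` will stop connecting, so they need the new certificate distributed and pinned, and the new `environment.snakeoil-certs` block deserves a comment such as `# self-signed; clients must trust /etc/certs/postgres.crt explicitly, no public chain`. Both hunks sit inside a larger attribute set whose surrounding lines are outside the diff.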
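--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -50,7 +50,7 @@ in
 serviceConfig.Type = "oneshot";
 script = let
 openssl = lib.getExe pkgs.openssl;
-in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+in lib.concatMapStringsSep "\n" ({ name, value }: ''
 mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
 if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
 then
@@ -69,6 +69,8 @@ in
 chown "${value.owner}:${value.group}" "${value.certificateKey}"
 chmod "${value.mode}" "${value.certificate}"
 chmod "${value.mode}" "${value.certificateKey}"
+
+echo "\n-----------------\n"
 '') (lib.attrsToList cfg);
 };
 systemd.timers."generate-snakeoil-certs" = {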
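Review bot: The added `echo "\n-----------------\n"` in the second hunk will not print the intended blank lines: a Nix `''` string passes `\n` through literally and bash's builtin `echo` does not interpret backslash escapes by default, so the journal will show a literal `\n-----------------\n` after each certificate. Use `printf '\n-----------------\n'` (or separate plain `echo` lines) instead. Note that moving the separator from the `concatMapStringsSep` argument into the script body also emits a trailing separator after the last entry, which the old form did not — harmless unless the output is parsed somewhere. The enclosing `script = let … in …` starts before the second hunk, and the unit definition continues outside both hunks.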