hosts/bicep/services/postgres.nix

@@ -1,7 +1,4 @@
 { config, pkgs, ... }:
-let
-  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
-in
 {
   services.postgresql = {
     enable = true;
@@ -79,12 +76,16 @@ in
 
   systemd.services.postgresql.serviceConfig = {
     LoadCredential = [
-      "cert:${sslCert.directory}/cert.pem"
+      "cert:/etc/certs/postgres.crt"
-      "key:${sslCert.directory}/key.pem"
+      "key:/etc/certs/postgres.key"
     ];
   };
 
-  users.groups.acme.members = [ "postgres" ];
+  environment.snakeoil-certs."/etc/certs/postgres" = {
+    owner = "postgres";
+    group = "postgres";
+    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+  };
 
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];

modules/snakeoil-certs.nix

@@ -50,7 +50,7 @@ in
       serviceConfig.Type = "oneshot";
       script = let
         openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+      in lib.concatMapStringsSep "\n" ({ name, value }: ''
         mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
         if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
         then
@@ -69,6 +69,8 @@ in
         chown "${value.owner}:${value.group}" "${value.certificateKey}"
         chmod "${value.mode}" "${value.certificate}"
         chmod "${value.mode}" "${value.certificateKey}"
+
+        echo "\n-----------------\n"
       '') (lib.attrsToList cfg);
     };
     systemd.timers."generate-snakeoil-certs" = {