forked from Drift/pvv-nixos-config
bicep/postgres: use snakeoil certs
This commit is contained in:
parent
3fa7f67027
commit
5b1c04e4b8
|
@ -1,7 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
|
||||||
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -79,12 +76,16 @@ in
|
||||||
|
|
||||||
systemd.services.postgresql.serviceConfig = {
|
systemd.services.postgresql.serviceConfig = {
|
||||||
LoadCredential = [
|
LoadCredential = [
|
||||||
"cert:${sslCert.directory}/cert.pem"
|
"cert:/etc/certs/postgres.crt"
|
||||||
"key:${sslCert.directory}/key.pem"
|
"key:/etc/certs/postgres.key"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.acme.members = [ "postgres" ];
|
environment.snakeoil-certs."/etc/certs/postgres" = {
|
||||||
|
owner = "postgres";
|
||||||
|
group = "postgres";
|
||||||
|
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 5432 ];
|
networking.firewall.allowedTCPPorts = [ 5432 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 5432 ];
|
networking.firewall.allowedUDPPorts = [ 5432 ];
|
||||||
|
|
Loading…
Reference in New Issue