1
0
Fork 0

bicep/postgres: use snakeoil certs

This commit is contained in:
Oystein Kristoffer Tveit 2024-08-26 18:37:11 +02:00 committed by Oystein Kristoffer Tveit
parent 3fa7f67027
commit 5b1c04e4b8
1 changed files with 7 additions and 6 deletions

View File

@ -1,7 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -79,12 +76,16 @@ in
systemd.services.postgresql.serviceConfig = { systemd.services.postgresql.serviceConfig = {
LoadCredential = [ LoadCredential = [
"cert:${sslCert.directory}/cert.pem" "cert:/etc/certs/postgres.crt"
"key:${sslCert.directory}/key.pem" "key:/etc/certs/postgres.key"
]; ];
}; };
users.groups.acme.members = [ "postgres" ]; environment.snakeoil-certs."/etc/certs/postgres" = {
owner = "postgres";
group = "postgres";
subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
networking.firewall.allowedTCPPorts = [ 5432 ]; networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ]; networking.firewall.allowedUDPPorts = [ 5432 ];