forked from Drift/pvv-nixos-config
bicep: setup ACME cert for postgres
This commit is contained in:
parent
fa67504275
commit
a5c83866ca
24
hosts/bicep/acmeCert.nix
Normal file
24
hosts/bicep/acmeCert.nix
Normal file
@ -0,0 +1,24 @@
|
||||
{ values, ... }:
|
||||
{
|
||||
users.groups.acme.members = [ "nginx" ];
|
||||
|
||||
security.acme.certs."postgres.pvv.ntnu.no" = {
|
||||
group = "acme";
|
||||
extraDomainNames = [
|
||||
# "postgres.pvv.org"
|
||||
"bicep.pvv.ntnu.no"
|
||||
# "bicep.pvv.org"
|
||||
# values.hosts.bicep.ipv4
|
||||
# values.hosts.bicep.ipv6
|
||||
];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."postgres.pvv.ntnu.no" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
# useACMEHost = "postgres.pvv.ntnu.no";
|
||||
};
|
||||
};
|
||||
}
|
@ -7,6 +7,8 @@
|
||||
../../misc/metrics-exporters.nix
|
||||
./services/nginx
|
||||
|
||||
./acmeCert.nix
|
||||
|
||||
./services/mysql.nix
|
||||
./services/postgres.nix
|
||||
./services/mysql.nix
|
||||
|
@ -1,4 +1,7 @@
|
||||
{ pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
|
||||
in
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
@ -66,9 +69,23 @@
|
||||
track_wal_io_timing = true;
|
||||
maintenance_io_concurrency = 100;
|
||||
wal_recycle = true;
|
||||
|
||||
# SSL
|
||||
ssl = true;
|
||||
ssl_cert_file = "/run/credentials/postgresql.service/cert";
|
||||
ssl_key_file = "/run/credentials/postgresql.service/key";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.postgresql.serviceConfig = {
|
||||
LoadCredential = [
|
||||
"cert:${sslCert.directory}/cert.pem"
|
||||
"key:${sslCert.directory}/key.pem"
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.acme.members = [ "postgres" ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 5432 ];
|
||||
networking.firewall.allowedUDPPorts = [ 5432 ];
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user