jonmro/pvv-nixos-config
1
0
Fork 0
forked from Drift/pvv-nixos-config
Code Pull Requests Activity

bicep: setup ACME cert for postgres

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit
2023-08-12 02:55:20 +02:00
parent fa67504275
commit a5c83866ca
3 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
hosts/bicep/services/postgres.nix
View File

@@ -1,4 +1,7 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
let
sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
in
{
services.postgresql = {
enable = true;
@@ -66,9 +69,23 @@
track_wal_io_timing = true;
maintenance_io_concurrency = 100;
wal_recycle = true;
# SSL
ssl = true;
ssl_cert_file = "/run/credentials/postgresql.service/cert";
ssl_key_file = "/run/credentials/postgresql.service/key";
};
};
systemd.services.postgresql.serviceConfig = {
LoadCredential = [
"cert:${sslCert.directory}/cert.pem"
"key:${sslCert.directory}/key.pem"
];
};
users.groups.acme.members = [ "postgres" ];
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];