From a5c83866ca7ab13295c59a969e1a9866f4747710 Mon Sep 17 00:00:00 2001
From: oysteikt
Date: Sat, 12 Aug 2023 02:55:20 +0200
Subject: [PATCH] bicep: setup ACME cert for postgres

---
 hosts/bicep/acmeCert.nix | 24 ++++++++++++++++++++++++
 hosts/bicep/configuration.nix | 2 ++
 hosts/bicep/services/postgres.nix | 19 ++++++++++++++++++-
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 hosts/bicep/acmeCert.nix

diff --git a/hosts/bicep/acmeCert.nix b/hosts/bicep/acmeCert.nix
new file mode 100644
index 0000000..da94921
--- /dev/null
+++ b/hosts/bicep/acmeCert.nix
@@ -0,0 +1,24 @@
+{ values, ... }:
+{
+ users.groups.acme.members = [ "nginx" ];
+
+ security.acme.certs."postgres.pvv.ntnu.no" = {
+ group = "acme";
+ extraDomainNames = [
+ # "postgres.pvv.org"
+ "bicep.pvv.ntnu.no"
+ # "bicep.pvv.org"
+ # values.hosts.bicep.ipv4
+ # values.hosts.bicep.ipv6
+ ];
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."postgres.pvv.ntnu.no" = {
+ forceSSL = true;
+ enableACME = true;
+ # useACMEHost = "postgres.pvv.ntnu.no";
+ };
+ };
+}
diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix
index f333cf2..bb5d6cc 100644
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -7,6 +7,8 @@
 ../../misc/metrics-exporters.nix
 ./services/nginx
+ ./acmeCert.nix
+ ./services/mysql.nix
 ./services/postgres.nix
 ./services/mysql.nix
diff --git a/hosts/bicep/services/postgres.nix b/hosts/bicep/services/postgres.nix
index ca9799b..9aecdae 100644
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,4 +1,7 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
+let
+ sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
+in
 {
 services.postgresql = {
 enable = true;
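Review bot: The module header `{ values, ... }:` binds `values`, but its only uses are the commented-out `# values.hosts.bicep.ipv4` / `# values.hosts.bicep.ipv6` entries, so the argument is dead along with the other commented-out `extraDomainNames` lines and `# useACMEHost`; either reduce the header to `{ ... }:` and delete the commented lines, or replace them with a single `# TODO(oysteikt): add pvv.org names / IP SANs once <reason>` so the intent is recorded. Also, `extraDomainNames` adds `bicep.pvv.ntnu.no` while the only nginx `virtualHosts` entry is `postgres.pvv.ntnu.no`; if the cert is validated via HTTP-01 through nginx, the challenge for `bicep.pvv.ntnu.no` would be answered by whichever server block nginx treats as default, so it is worth confirming that name is reachable and served before the first renewal depends on it.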
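Review bot: The added `./services/mysql.nix` import in `hosts/bicep/configuration.nix` duplicates the `./services/mysql.nix` entry already present two lines further down in the same `imports` list. NixOS deduplicates modules by path so evaluation still succeeds, but the duplicate is misleading to the next reader and looks like a stray paste; drop the added `./services/mysql.nix` line and keep only `./acmeCert.nix`.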
@@ -66,9 +69,23 @@
 track_wal_io_timing = true;
 maintenance_io_concurrency = 100;
 wal_recycle = true;
+
+ # SSL
+ ssl = true;
+ ssl_cert_file = "/run/credentials/postgresql.service/cert";
+ ssl_key_file = "/run/credentials/postgresql.service/key";
 };
 };
+ systemd.services.postgresql.serviceConfig = {
+ LoadCredential = [
+ "cert:${sslCert.directory}/cert.pem"
+ "key:${sslCert.directory}/key.pem"
+ ];
+ };
+
+ users.groups.acme.members = [ "postgres" ];
+
 networking.firewall.allowedTCPPorts = [ 5432 ];
 networking.firewall.allowedUDPPorts = [ 5432 ];
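Review bot: `LoadCredential` copies `cert.pem` and `key.pem` into `/run/credentials/postgresql.service/` when the unit starts, so after the ACME client renews the certificate PostgreSQL keeps presenting the old one until `postgresql.service` is restarted, and nothing in this hunk or in the new `acmeCert.nix` ties renewal to the service. Add `security.acme.certs."postgres.pvv.ntnu.no".reloadServices = [ "postgresql.service" ];` next to the cert definition; since the credential is a snapshot taken at start, a plain reload would presumably still see the stale files, so confirm that the renewal hook actually restarts this unit rather than only reloading it. Separately, `users.groups.acme.members = [ "postgres" ];` appears unnecessary here: systemd reads the credential sources with its own privileges, so the `postgres` user needs no read access to the ACME directory, and granting it widens who can read the private key beyond what the service uses — drop the line unless something else reads the key directly. The `settings` attrset that the `ssl*` keys are added to begins outside this hunk.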