bicep: setup ACME cert for postgres

hosts/bicep/acmeCert.nix

@@ -0,0 +1,24 @@
+{ values, ... }:
+{
+  users.groups.acme.members = [ "nginx" ];
+
+  security.acme.certs."postgres.pvv.ntnu.no" = {
+    group = "acme";
+    extraDomainNames = [
+      # "postgres.pvv.org"
+      "bicep.pvv.ntnu.no"
+      # "bicep.pvv.org"
+      # values.hosts.bicep.ipv4
+      # values.hosts.bicep.ipv6
+    ];
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."postgres.pvv.ntnu.no" = {
+      forceSSL = true;
+      enableACME = true;
+      # useACMEHost = "postgres.pvv.ntnu.no";
+    };
+  };
+}

hosts/bicep/configuration.nix

@@ -7,6 +7,8 @@
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
+    ./acmeCert.nix
+
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix

hosts/bicep/services/postgres.nix

@@ -1,4 +1,7 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
+let
+  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
+in
 {
   services.postgresql = {
     enable = true;
@@ -66,9 +69,23 @@
       track_wal_io_timing = true;
       maintenance_io_concurrency = 100;
       wal_recycle = true;
+
+      # SSL
+      ssl = true;
+      ssl_cert_file = "/run/credentials/postgresql.service/cert";
+      ssl_key_file = "/run/credentials/postgresql.service/key";
     };
   };
 
+  systemd.services.postgresql.serviceConfig = {
+    LoadCredential = [
+      "cert:${sslCert.directory}/cert.pem"
+      "key:${sslCert.directory}/key.pem"
+    ];
+  };
+
+  users.groups.acme.members = [ "postgres" ];
+
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];