From a033dc46fe73d6d67e0223715ad95934250a3421 Mon Sep 17 00:00:00 2001
From: Philip Peterson <1326208+philip-peterson@users.noreply.github.com>
Date: Thu, 25 Jun 2026 01:28:53 -0700
Subject: [PATCH] postgres: enable SSL with self-signed cert

Co-Authored-By: Claude Sonnet 4.6
---
 nixos/linux.nix | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/nixos/linux.nix b/nixos/linux.nix
index 0491e48..3c7eb47 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -246,6 +246,29 @@ in {
 };
 };
+ systemd.services.coldairnetworks-postgres-ssl-init = {
+ description = "Generate self-signed SSL cert for coldairnetworks PostgreSQL";
+ wantedBy = [ "podman-coldairnetworks-postgres.service" ];
+ before = [ "podman-coldairnetworks-postgres.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ path = [ pkgs.openssl ];
+ script = ''
+ SSL_DIR=/var/coldairnetworks-db/ssl
+ if [ ! -f "$SSL_DIR/server.crt" ]; then
+ openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=mainframe.philippeterson.com" \
+ -keyout "$SSL_DIR/server.key" \
+ -out "$SSL_DIR/server.crt"
+ chmod 640 "$SSL_DIR/server.key"
+ chmod 644 "$SSL_DIR/server.crt"
+ chown 999:999 "$SSL_DIR/server.key" "$SSL_DIR/server.crt"
+ fi
+ '';
+ };
 systemd.tmpfiles.rules = [
 "d /home/ironmagma/.config 0755 ${username} users"
 "d /root/.config 0755 ${username} users"
@@ -263,6 +286,7 @@ in {
 "d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
 "d /var/coldairnetworks-db/postgres 0755 root root"
 "d /var/coldairnetworks-db/pgadmin 0700 5050 5050"
+ "d /var/coldairnetworks-db/ssl 0755 root root"
 ];
 networking.hostName = "${hostname}";
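Review bot: The final two lines of the script leave `server.key` in the one ownership/mode combination PostgreSQL rejects: `chmod 640` followed by `chown 999:999` makes the key group-readable while owned by the database user (uid 999 is the `postgres` user of the `postgres:16` image, assuming the container runs rootful without uid remapping), and the server's key-file permission check only tolerates 0640 when the key is owned by root, otherwise it requires 0600 and fails at startup once `ssl=on` is set in the later hunk. Either keep the key root-owned with group read for the container user, `chown root:999 "$SSL_DIR/server.key"` (which also means the container user cannot overwrite it), or tighten it to `chmod 600 "$SSL_DIR/server.key"` and keep the chown. Nothing renews the certificate before the ten-year `-days 3650` window ends, since the `if` only fires when `server.crt` is absent; a comment above the `if` such as `# one-shot: delete server.crt to regenerate; no automatic renewal before -days expires` would make that explicit. The `0755` tmpfiles rule for the ssl directory in the following hunk is fine only because the key itself carries the restrictive mode, which is worth stating next to that rule.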
@@ -317,8 +341,17 @@ in {
 autoStart = true;
 image = "postgres:16";
 ports = [ "5432:5432" ];
- volumes = [ "/var/coldairnetworks-db/postgres:/var/lib/postgresql/data" ];
+ volumes = [
+ "/var/coldairnetworks-db/postgres:/var/lib/postgresql/data"
+ "/var/coldairnetworks-db/ssl:/run/ssl:ro"
+ ];
 environmentFiles = [ config.age.secrets.coldairnetworks-db-postgres.path ];
+ cmd = [
+ "postgres"
+ "-c" "ssl=on"
+ "-c" "ssl_cert_file=/run/ssl/server.crt"
+ "-c" "ssl_key_file=/run/ssl/server.key"
+ ];
 };
 "coldairnetworks-pgadmin" = {
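Review bot: `"-c" "ssl=on"` in the new `cmd` makes TLS available but does not require it: whether a client may still connect in plaintext is decided by the `host` versus `hostssl` rules in `pg_hba.conf` inside the data volume, which this change does not touch, and the existing `ports = [ "5432:5432" ]` publishes the listener on every host interface. If the goal of the commit is that all traffic is encrypted, the `pg_hba.conf` rules need to become `hostssl`-only as a separate step; at minimum a comment above `cmd`, `# ssl=on only offers TLS; plaintext is still accepted unless pg_hba.conf restricts to hostssl`, would keep the change from being read as enforcement. Because the certificate is self-signed, clients only get a verified server identity with `sslmode=verify-full` and `sslrootcert` pinned to the generated `server.crt`, which is worth noting in the same comment. The enclosing container definition begins before this hunk.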