postgres: enable SSL with self-signed cert
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
034e422797
commit
a033dc46fe
1 changed files with 34 additions and 1 deletions
|
|
@ -246,6 +246,29 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.coldairnetworks-postgres-ssl-init = {
|
||||||
|
description = "Generate self-signed SSL cert for coldairnetworks PostgreSQL";
|
||||||
|
wantedBy = [ "podman-coldairnetworks-postgres.service" ];
|
||||||
|
before = [ "podman-coldairnetworks-postgres.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
path = [ pkgs.openssl ];
|
||||||
|
script = ''
|
||||||
|
SSL_DIR=/var/coldairnetworks-db/ssl
|
||||||
|
if [ ! -f "$SSL_DIR/server.crt" ]; then
|
||||||
|
openssl req -new -x509 -days 3650 -nodes \
|
||||||
|
-subj "/CN=mainframe.philippeterson.com" \
|
||||||
|
-keyout "$SSL_DIR/server.key" \
|
||||||
|
-out "$SSL_DIR/server.crt"
|
||||||
|
chmod 640 "$SSL_DIR/server.key"
|
||||||
|
chmod 644 "$SSL_DIR/server.crt"
|
||||||
|
chown 999:999 "$SSL_DIR/server.key" "$SSL_DIR/server.crt"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /home/ironmagma/.config 0755 ${username} users"
|
"d /home/ironmagma/.config 0755 ${username} users"
|
||||||
"d /root/.config 0755 ${username} users"
|
"d /root/.config 0755 ${username} users"
|
||||||
|
|
@ -263,6 +286,7 @@ in {
|
||||||
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
|
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
|
||||||
"d /var/coldairnetworks-db/postgres 0755 root root"
|
"d /var/coldairnetworks-db/postgres 0755 root root"
|
||||||
"d /var/coldairnetworks-db/pgadmin 0700 5050 5050"
|
"d /var/coldairnetworks-db/pgadmin 0700 5050 5050"
|
||||||
|
"d /var/coldairnetworks-db/ssl 0755 root root"
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "${hostname}";
|
networking.hostName = "${hostname}";
|
||||||
|
|
@ -317,8 +341,17 @@ in {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
image = "postgres:16";
|
image = "postgres:16";
|
||||||
ports = [ "5432:5432" ];
|
ports = [ "5432:5432" ];
|
||||||
volumes = [ "/var/coldairnetworks-db/postgres:/var/lib/postgresql/data" ];
|
volumes = [
|
||||||
|
"/var/coldairnetworks-db/postgres:/var/lib/postgresql/data"
|
||||||
|
"/var/coldairnetworks-db/ssl:/run/ssl:ro"
|
||||||
|
];
|
||||||
environmentFiles = [ config.age.secrets.coldairnetworks-db-postgres.path ];
|
environmentFiles = [ config.age.secrets.coldairnetworks-db-postgres.path ];
|
||||||
|
cmd = [
|
||||||
|
"postgres"
|
||||||
|
"-c" "ssl=on"
|
||||||
|
"-c" "ssl_cert_file=/run/ssl/server.crt"
|
||||||
|
"-c" "ssl_key_file=/run/ssl/server.key"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
"coldairnetworks-pgadmin" = {
|
"coldairnetworks-pgadmin" = {
|
||||||
|
|
|
||||||
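Review bot: The key permissions set in the first hunk's init script will be refused by PostgreSQL once the `-c ssl=on` from the third hunk takes effect, because `chmod 640 "$SSL_DIR/server.key"` is followed by `chown 999:999` on the same file: PostgreSQL only tolerates a group-readable key (0640) when the file is owned by root, and requires 0600 or less when it is owned by the database user, which uid 999 presumably is inside the `postgres:16` container given that chown. Change the line to `chmod 600 "$SSL_DIR/server.key"`, or alternatively keep 0640 but leave the key owned by root with group 999 so the image's postgres user can still read it. Separately, the certificate generated here is self-signed, so on the published `5432:5432` port it gives transport encryption but no server authentication unless clients connect with `sslmode=verify-full` and point `sslrootcert` at a copy of `server.crt`; a comment above the `openssl req` line recording that expectation would help the next maintainer. The enclosing `in { ... }` attribute set begins and ends outside the hunks.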