enable client certificate checking

This commit is contained in:
Pim Kunis 2023-11-25 13:41:49 +01:00
parent d523da899c
commit 51f84c42ba
2 changed files with 9 additions and 7 deletions


@ -39,6 +39,8 @@
# Should wait until this is merged in nixos-unstable. # Should wait until this is merged in nixos-unstable.
# pkgs-unstable.nixos-anywhere # pkgs-unstable.nixos-anywhere
pkgs-unstable.deploy-rs pkgs-unstable.deploy-rs
pkgs.openssl
pkgs.postgresql_15
]; ];
}; };


@ -21,17 +21,17 @@ in {
enableTCPIP = true; enableTCPIP = true;
dataDir = lib.mkIf config.custom.dataDisk.enable dataDir = lib.mkIf config.custom.dataDisk.enable
"/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}"; "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
# dataDir =
# "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
# TODO: for now trust, replace this with client certificate later
authentication = '' authentication = ''
hostssl terraformstates terraform all trust hostssl terraformstates terraform all cert
''; '';
settings = { settings = let
ssl = true; serverCert = builtins.toFile "postgresql_server.crt"
ssl_cert_file = builtins.toFile "postgresql_server.crt"
(builtins.readFile ../../postgresql_server.crt); (builtins.readFile ../../postgresql_server.crt);
in {
ssl = true;
ssl_cert_file = serverCert;
ssl_key_file = config.age.secrets."postgresql_server.key".path; ssl_key_file = config.age.secrets."postgresql_server.key".path;
ssl_ca_file = serverCert;
}; };
ensureUsers = [{ ensureUsers = [{
name = "terraform"; name = "terraform";
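Review bot: `ssl_ca_file = serverCert` makes the server's own leaf certificate the trust anchor for client certificates, so the new `cert` entry on the `hostssl terraformstates terraform` line only accepts client certificates issued directly under that one certificate; if the terraform client simply reuses the server's key pair, client and server identity collapse into a single key, and if a separate CA was intended this is the wrong file. With the `cert` method PostgreSQL also requires the client certificate's CN to equal the database user (`terraform`) unless a `map=` option is given, and no map appears in this hunk. A comment on the `ssl_ca_file` line would record that assumption, e.g. `# server cert doubles as the CA for client certs; client CN must be "terraform"`. No `ssl_crl_file` is set, so a compromised client certificate cannot be revoked short of rotating the server certificate; worth noting or adding. The `authentication` string may have further lines outside this hunk.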