enable client certificate checking
parent
d523da899c
commit
51f84c42ba
2 changed files with 9 additions and 7 deletions
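--- a/FILE_1_PATH_NOT_SHOWN
+++ b/FILE_1_PATH_NOT_SHOWN
@@ -39,6 +39,8 @@
 # Should wait until this is merged in nixos-unstable.
 # pkgs-unstable.nixos-anywhere
 pkgs-unstable.deploy-rs
+pkgs.openssl
+pkgs.postgresql_15
 ];
 };
 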
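--- a/FILE_2_PATH_NOT_SHOWN
+++ b/FILE_2_PATH_NOT_SHOWN
@@ -21,17 +21,17 @@ in {
 enableTCPIP = true;
 dataDir = lib.mkIf config.custom.dataDisk.enable
 "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-# dataDir =
-# "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-# TODO: for now trust, replace this with client certificate later
 authentication = ''
-hostssl terraformstates terraform all trust
+hostssl terraformstates terraform all cert
 '';
-settings = {
-ssl = true;
-ssl_cert_file = builtins.toFile "postgresql_server.crt"
+settings = let
+serverCert = builtins.toFile "postgresql_server.crt"
 (builtins.readFile ../../postgresql_server.crt);
+in {
+ssl = true;
+ssl_cert_file = serverCert;
 ssl_key_file = config.age.secrets."postgresql_server.key".path;
+ssl_ca_file = serverCert;
 };
 ensureUsers = [{
 name = "terraform";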
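Review bot: `ssl_ca_file = serverCert;` makes the server's own certificate the trust anchor for the new `cert` authentication, so a client certificate is accepted only if it chains to `postgresql_server.crt`, which in practice means it must be issued with the private key referenced by `ssl_key_file`. That turns the server key into the CA key: anyone holding it can mint a client certificate for any role, and the server key cannot be rotated without re-issuing every client certificate. Consider issuing client certificates from a separate CA certificate and pointing `ssl_ca_file` at that file instead; whether `../../postgresql_server.crt` is actually self-signed cannot be seen from the hunk. Note also that the `cert` method matches the certificate CN against the role name, so the client certificate must carry `CN=terraform` (or a `map=` entry must be added) for `hostssl terraformstates terraform all cert` to succeed. The `services.postgresql` attribute set this sits in begins before the hunk and continues after it.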