From fbf8bb2ad6d380470dedd8cfb825201e3a23b53f Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 24 Nov 2023 10:31:23 +0100
Subject: [PATCH 1/6] working postgresql installation

---
 machines/default.nix              |   2 +
 modules/custom.nix                |  44 +++++++++++++++++++-
 postgresql_server.crt             |  67 ++++++++++++++++++++++++++++++
 secrets/README.md                 |   5 +++
 secrets/postgresql_server.key.age | Bin 0 -> 1932 bytes
 secrets/secrets.nix               |   6 ++-
 6 files changed, 121 insertions(+), 3 deletions(-)
 create mode 100644 postgresql_server.crt
 create mode 100644 secrets/README.md
 create mode 100644 secrets/postgresql_server.key.age

diff --git a/machines/default.nix b/machines/default.nix
index 83fc5db..fad2e3d 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -11,6 +11,8 @@
         hostCert = builtins.readFile ./jefke_host_ed25519-cert.pub;
         userCert = builtins.readFile ./jefke_user_ed25519-cert.pub;
       };
+
+      terraformDatabase.enable = true;
     };
   };
 };
diff --git a/modules/custom.nix b/modules/custom.nix
index ea7e381..6f721b3 100644
--- a/modules/custom.nix
+++ b/modules/custom.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }: {
+{ pkgs, lib, config, ... }: {
   options = {
     custom = {
       dataDisk.enable = lib.mkOption {
@@ -40,11 +40,51 @@
         '';
       };
     };
+
+      terraformDatabase.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to start a postgreSQL database for Terraform states
+        '';
+      };
   };
 };
 
 config = {
-    fileSystems."/dev/data" =
+    fileSystems."/mnt/data" =
       lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };
+
+    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
+      enable = true;
+      ensureDatabases = [ "terraformstates" ];
+      package = pkgs.postgresql_15;
+      enableTCPIP = true;
+      dataDir =
+        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # TODO: for now trust, replace this with client certificate later
+      authentication = ''
+        hostssl terraformstates all all trust
+      '';
+      settings = {
+        ssl = true;
+        # TODO: create key pair for server
+        ssl_cert_file = builtins.toFile "postgresql_server.crt"
+          (builtins.readFile ../postgresql_server.crt);
+        ssl_key_file = config.age.secrets."postgresql_server.key".path;
+      };
+    };
+
+    age.secrets."postgresql_server.key" = {
+      file = ../secrets/postgresql_server.key.age;
+      mode = "400";
+      owner = builtins.toString config.ids.uids.postgres;
+      group = builtins.toString config.ids.gids.postgres;
+    };
+
+    # age.secrets."postgresql_server.key" =
+    #   lib.mkIf config.custom.terraformDatabase.enable {
+    #     file = ../secrets/postgresql_server.key.age;
+    #   };
   };
 }
diff --git a/postgresql_server.crt b/postgresql_server.crt
new file mode 100644
index 0000000..e6bb806
--- /dev/null
+++ b/postgresql_server.crt
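Review bot: The `age.secrets."postgresql_server.key"` attribute near the end of the hunk is not wrapped in `lib.mkIf config.custom.terraformDatabase.enable` the way `services.postgresql` above it is, so the server's TLS private key is decrypted for the postgres uid on every host that imports this module, including hosts that leave the option off; the commented-out block at the bottom shows the intended shape, `age.secrets."postgresql_server.key" = lib.mkIf config.custom.terraformDatabase.enable { ... };` with the four attributes inside. The `hostssl terraformstates all all trust` entry admits any client that can reach the TLS port as any role, the superuser included, with no credential; the TODO acknowledges it, but while it stands the address column should be narrowed to the one network the Terraform client sits on rather than `all`. The `# TODO: create key pair for server` comment is stale in this commit, since the certificate and the age-encrypted key are added alongside it.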
@@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: + ef:2f:4d:d4:26:7e:33:1b + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=jefke.hyp + Validity + Not Before: Nov 22 19:12:03 2023 GMT + Not After : Oct 29 19:12:03 2123 GMT + Subject: CN=jefke.hyp + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c7:ab:eb:9c:d0:7f:4f:f1:ba:65:0a:8b:07:7b: + 2e:5b:f0:26:82:33:c9:73:e6:91:cc:11:94:05:1c: + 8d:67:29:cb:5e:67:35:02:80:54:af:99:4b:aa:ce: + e8:56:62:be:63:cb:b2:4a:b0:a9:28:12:e2:77:50: + 7d:d5:d2:3b:48:d8:32:59:25:26:ff:a6:5c:f6:eb: + ae:5b:3d:7a:14:10:ba:90:9c:6f:1f:b9:d8:99:0e: + b7:09:5e:62:69:c4:c0:c6:27:b0:d3:60:0d:47:4c: + a5:11:53:f2:f1:4a:f9:a6:bc:d6:a3:35:a2:e8:e5: + a9:d1:60:e8:e5:18:ce:d2:60:80:4e:dc:48:ae:7f: + b7:ea:76:51:28:39:a4:b0:95:82:95:93:98:b2:9f: + 23:c9:81:69:59:a3:e4:f7:5a:1c:01:31:96:c1:4b: + 59:21:f8:a2:e6:9e:21:78:0e:6b:c1:68:c7:5c:16: + 9a:06:54:df:b6:77:1d:2d:89:d0:c8:9e:db:b5:d4: + 8c:fb:b9:4f:b7:6e:39:5f:39:8e:48:73:76:7d:46: + 6e:1f:8d:14:cb:40:b5:ff:c6:f0:c0:44:3c:ed:52: + 3f:4f:7b:69:63:93:c6:41:e6:5e:ed:33:50:20:46: + db:93:bf:e8:52:51:95:f1:81:73:58:da:67:21:7b: + 12:bd + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + aa:5c:89:41:a6:b7:3d:65:87:ca:50:c4:f3:58:aa:d3:b4:55: + b1:a7:8d:18:26:17:e5:8a:21:24:a1:49:53:77:31:5b:55:63: + be:01:d8:fe:b7:06:7c:da:07:1f:94:6a:de:96:ad:ca:3b:20: + 2a:e1:35:90:19:83:6d:37:d1:15:12:de:3c:0e:46:be:66:a1: + 6a:1d:ec:72:dc:46:79:69:e4:af:77:c8:ff:cd:d6:7d:16:88: + ab:44:fd:70:fc:40:47:ff:43:95:11:5a:9a:56:0c:d2:dd:7c: + 3b:87:aa:10:26:fa:25:a3:a0:43:8a:1b:ec:54:11:7e:65:67: + d2:06:e1:3e:3b:e1:0e:b0:80:ef:4b:35:3f:fc:34:1d:95:2e: + ee:c1:67:38:da:b3:74:86:4b:95:8c:0c:1d:51:28:c1:42:e9: + 77:68:d7:ec:3b:66:30:c6:e5:2a:62:ea:15:fb:24:56:cf:02: + d0:25:54:a7:58:15:b5:2a:71:93:56:c0:69:7a:36:18:6c:31: + b1:8e:3c:77:d7:77:ac:fc:e1:94:c5:08:bb:35:ac:48:5f:6b: + 
8b:c8:c8:78:f4:a9:ca:4f:9d:51:54:89:97:c9:af:a1:fa:71: + df:58:f6:ff:04:7c:c8:1c:95:6b:1a:e3:a7:f6:43:1c:27:94: + 10:03:ce:ec +-----BEGIN CERTIFICATE----- +MIICpjCCAY4CCQDvL03UJn4zGzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlq +ZWZrZS5oeXAwIBcNMjMxMTIyMTkxMjAzWhgPMjEyMzEwMjkxOTEyMDNaMBQxEjAQ +BgNVBAMMCWplZmtlLmh5cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMer65zQf0/xumUKiwd7LlvwJoIzyXPmkcwRlAUcjWcpy15nNQKAVK+ZS6rO6FZi +vmPLskqwqSgS4ndQfdXSO0jYMlklJv+mXPbrrls9ehQQupCcbx+52JkOtwleYmnE +wMYnsNNgDUdMpRFT8vFK+aa81qM1oujlqdFg6OUYztJggE7cSK5/t+p2USg5pLCV +gpWTmLKfI8mBaVmj5PdaHAExlsFLWSH4ouaeIXgOa8Fox1wWmgZU37Z3HS2J0Mie +27XUjPu5T7duOV85jkhzdn1Gbh+NFMtAtf/G8MBEPO1SP097aWOTxkHmXu0zUCBG +25O/6FJRlfGBc1jaZyF7Er0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqlyJQaa3 +PWWHylDE81iq07RVsaeNGCYX5YohJKFJU3cxW1VjvgHY/rcGfNoHH5Rq3patyjsg +KuE1kBmDbTfRFRLePA5Gvmahah3sctxGeWnkr3fI/83WfRaIq0T9cPxAR/9DlRFa +mlYM0t18O4eqECb6JaOgQ4ob7FQRfmVn0gbhPjvhDrCA70s1P/w0HZUu7sFnONqz +dIZLlYwMHVEowULpd2jX7DtmMMblKmLqFfskVs8C0CVUp1gVtSpxk1bAaXo2GGwx +sY48d9d3rPzhlMUIuzWsSF9ri8jIePSpyk+dUVSJl8mvofpx31j2/wR8yByVaxrj +p/ZDHCeUEAPO7A== +-----END CERTIFICATE----- diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..ef3c05b --- /dev/null +++ b/secrets/README.md @@ -0,0 +1,5 @@ +To create a secret: + +```bash +nix run github:ryantm/agenix# -- -e secret.age +`` 
diff --git a/secrets/postgresql_server.key.age b/secrets/postgresql_server.key.age new file mode 100644 index 0000000000000000000000000000000000000000..21954cc8c359232bf97808188db55e05c829262f GIT binary patch literal 1932 zcmV;72XpvgXJsvAZewzJaCB*JZZ2HhDxjHCZ-iD?vd-LPB>lSTG7$Vk<*oc{g%n zQE_x*Wq5aUc4##@Yc_RyXhKVPa$`3|I5=oBR9Ib7cy2Z&eB{ zEiE8Mb2d3wO>SapYh^_@M{;^fV{cGtVq|epGjVJ(L~1!&LSi(=K<#OOQ32T><|7uEfdj}O}Sbv{YAxiP4t@ykJ3saRy4Ex z`RkrajR}K)_&D~-u$?sYDz;BgBRo8L15k=uF#7Otq-+T`jL*zuAfY*eq(K#+7MU*oVm;A^K z16ML;R$v?avX;CY08|jv3(zZ;ap9fWJoDR?%NUmf^F<|Sz@0(q&L`iUx^4#;bM^?` z^s{;>Gn|&vd>XmU&D^S2zSpJ;yJR<5fz%+IJ`)jWB(z_KD*p`4tZ~4mitgtmBQ;CpTLJt(D+mKp?$%n`Bymi z>m0RxpA1zALsqO_>`MUTXQ(!ZR&B6jAy;*`ljztYo2+)_#gauOD?W#TD48Xo6;~|D z#4OuVZPgEu|3%WwKbH5hpsWe*m9LtP{=*}^fF(dav!z;4@_k)wwK{soAB2)eIW>lp zMQBi)xI&h0dvj=B<6yPXpGoU}ud5%V;-%4f=6E~eIo?h_LXNn5E@rrm9$V@@aG|ci zI@ov1j*;Rp7CyYO%l@P0r{GG+W%(lIxHa7w9ulOAZopp}_}nSt;mw!4wmjcuqvp=^ zD_HuR2$P>Qp&^|T6`}g|c{QS-kCejZ&{H^8MvYzc!)S6CJ7-!{auV-K40RNrilL^h zS5Q9Smv*#@4WUVd7^Zfq3Avexb3k?8cA*rJmpt6P(22QDA7qSMjG(n~y4&4uLeIs> zfhVLgid1pR+wsCPUY2;=XyUP?+nmaQDg?9*sa9*|+KK)BOy*=w5%wg?#qWMYy8y$9VJp}A!+NY1H>VP9K?GXT2df46vO+SEEjBUhd3hlMZokPQEFLEl>o)7lG1>xHlD*~6ht#gF zv7NrY9R{^08ukfUTUc?i{RAj<)o1-R&GB#w1$}4aF>p6EtCZrpcPZ5xOZ4p8Ebu^r z+6M`uz7934d69Z_)Pb-ATihQ!?EIKFQ2KnnkB0A>N-ZfrWSq^lI0WT4ym?7ArWocd zYt^9T!ncqXW^jZjEu`t%p3DzEbnwy)4QkAhFIamW~Ld)`Ch zCOFu=>Xh8(j~AUN%h%*sBu)_m!q7U|9tz#>lmTr3$hM-$&Zd8jrdKv)3sr8#(`8zQ zpr9f*!Gip|kP_2QmnTf^oN99Qa(+u)++OF6e~ukCa8b#JsAP@Ad4J_g^)TX ziQnW?uK4HkM$b{5pPT6IrpzWBJ<5({C|jWa80Ik%GwhA%2Tm-ebB&-(@hkdnc6$?H zefYLd&>#a6fquXe)gqM8*>tc>jF7}~p@O2+l?hsrW85x!K(V6@3a<-gPo1I6nuxD4 zKnR%r&8j}-|NA77>VLVEn(GW452dh91 Date: Fri, 24 Nov 2023 10:48:18 +0100 Subject: [PATCH 2/6] add terraform user permit terraformstates db access to terraform user --- modules/custom.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/modules/custom.nix b/modules/custom.nix index 6f721b3..aebc25b 100644 
--- a/modules/custom.nix
+++ b/modules/custom.nix
@@ -64,15 +64,18 @@
         "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
       # TODO: for now trust, replace this with client certificate later
       authentication = ''
-        hostssl terraformstates all all trust
+        hostssl terraformstates terraform all trust
       '';
       settings = {
         ssl = true;
-        # TODO: create key pair for server
         ssl_cert_file = builtins.toFile "postgresql_server.crt"
           (builtins.readFile ../postgresql_server.crt);
         ssl_key_file = config.age.secrets."postgresql_server.key".path;
       };
+      ensureUsers = [{
+        name = "terraform";
+        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
+      }];
     };
 
     age.secrets."postgresql_server.key" = {
@@ -81,10 +84,5 @@
       owner = builtins.toString config.ids.uids.postgres;
       group = builtins.toString config.ids.gids.postgres;
     };
-
-    # age.secrets."postgresql_server.key" =
-    #   lib.mkIf config.custom.terraformDatabase.enable {
-    #     file = ../secrets/postgresql_server.key.age;
-    #   };
   };
 }
-- 
2.45.2

From c01d15a3e7bf5bd2aaa9cc26d293c2f084998be2 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 24 Nov 2023 10:53:18 +0100
Subject: [PATCH 3/6] allow postgresql traffic in nftables

---
 nftables.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nftables.conf b/nftables.conf
index 56490a4..46dd6cb 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -14,6 +14,7 @@ table inet nixos-fw {
   chain input-allow {
     tcp dport 22 accept
+    tcp dport 5432 accept comment "PostgreSQL server"
     icmp type echo-request accept comment "allow ping"
     icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
     ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
-- 
2.45.2

From d523da899c328f6a5ba0b2dce779b8fdc90c724c Mon Sep 17 00:00:00 2001
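Review bot: `hostssl terraformstates terraform all trust` still requires no credential: narrowing the role column only means an unauthenticated peer now connects as the `terraform` role, which this same hunk grants `ALL PRIVILEGES` on the state database, so the exposure is unchanged until the TODO on the line above it is acted on. `ensurePermissions` has, as far as I know, been deprecated in nixpkgs in favour of `ensureDBOwnership`, so this is worth checking against the nixpkgs revision the flake pins before it starts warning or stops evaluating after a bump. The enclosing `services.postgresql` attribute set begins above this hunk.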
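Review bot: `tcp dport 5432 accept comment "PostgreSQL server"` opens the database port to every source address on every interface covered by the `inet` table, and at this point in the series the matching pg_hba entry is `trust`, so reachability alone yields a database session. Restricting the rule to the client range that actually needs it, e.g. `ip saddr <TERRAFORM_CLIENT_NET> tcp dport 5432 accept comment "PostgreSQL server"` (placeholder range; add an `ip6 saddr` twin if the client is reachable over IPv6), keeps the firewall as an independent layer even after certificate authentication lands.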
From: Pim Kunis
Date: Fri, 24 Nov 2023 13:52:51 +0100
Subject: [PATCH 4/6] refactor module logic

---
 configuration.nix                     | 17 +-----
 modules/agenix.nix                    | 10 ---
 modules/custom.nix                    | 88 ---------------------------
 modules/custom/data-disk.nix          | 19 ++++++
 modules/custom/default.nix            |  3 +
 modules/custom/ssh-certificates.nix   | 65 ++++++++++++++++++++
 modules/custom/terraform-database.nix | 49 +++++++++++++++
 7 files changed, 139 insertions(+), 112 deletions(-)
 delete mode 100644 modules/agenix.nix
 delete mode 100644 modules/custom.nix
 create mode 100644 modules/custom/data-disk.nix
 create mode 100644 modules/custom/default.nix
 create mode 100644 modules/custom/ssh-certificates.nix
 create mode 100644 modules/custom/terraform-database.nix

diff --git a/configuration.nix b/configuration.nix
index 509622b..950b605 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,8 +2,7 @@
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     ./modules/disk-config.nix
-    ./modules/agenix.nix
-    ./modules/custom.nix
+    ./modules/custom
     ./modules/uptimed.nix
   ];
 
@@ -55,12 +54,6 @@
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
     };
-    extraConfig = ''
-      HostCertificate ${
-        builtins.toFile "host_ed25519-cert.pub" config.custom.ssh.hostCert
-      }
-      HostKey ${config.age.secrets.host_ed25519.path}
-    '';
   };
 
   xserver = {
@@ -92,12 +85,6 @@
       };
     };
-    extraConfig = ''
-      CertificateFile ${
-        builtins.toFile "user_ed25519-cert.pub" config.custom.ssh.userCert
-      }
-      IdentityFile ${config.age.secrets.user_ed25519.path}
-    '';
   };
 
   neovim = {
@@ -186,4 +173,6 @@
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  age.identityPaths = [ "/root/age_ed25519" ];
 }
diff --git a/modules/agenix.nix b/modules/agenix.nix
deleted file mode 100644
index de2b883..0000000
--- a/modules/agenix.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, ... }: {
-  age = {
-    identityPaths = [ "/root/age_ed25519" ];
-
-    secrets = {
-      "host_ed25519".file = config.custom.ssh.hostKey;
-      "user_ed25519".file = config.custom.ssh.userKey;
-    };
-  };
-}
diff --git a/modules/custom.nix b/modules/custom.nix
deleted file mode 100644
index aebc25b..0000000
--- a/modules/custom.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{ pkgs, lib, config, ... }: {
-  options = {
-    custom = {
-      dataDisk.enable = lib.mkOption {
-        default = false;
-        type = lib.types.bool;
-        description = ''
-          Whether to automatically mount /dev/sda1 on /mnt/data
-        '';
-      };
-
-      ssh = {
-        hostCert = lib.mkOption {
-          type = lib.types.str;
-          description = ''
-            SSH host certificate
-          '';
-        };
-
-        userCert = lib.mkOption {
-          type = lib.types.str;
-          description = ''
-            SSH user certificate
-          '';
-        };
-
-        hostKey = lib.mkOption {
-          default = ../secrets/${config.networking.hostName}_host_ed25519.age;
-          type = lib.types.path;
-          description = ''
-            SSH host key
-          '';
-        };
-
-        userKey = lib.mkOption {
-          default = ../secrets/${config.networking.hostName}_user_ed25519.age;
-          type = lib.types.path;
-          description = ''
-            SSH user key
-          '';
-        };
-      };
-
-      terraformDatabase.enable = lib.mkOption {
-        default = false;
-        type = lib.types.bool;
-        description = ''
-          Whether to start a postgreSQL database for Terraform states
-        '';
-      };
-    };
-  };
-
-  config = {
-    fileSystems."/mnt/data" =
-      lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };
-
-    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
-      enable = true;
-      ensureDatabases = [ "terraformstates" ];
-      package = pkgs.postgresql_15;
-      enableTCPIP = true;
-      dataDir =
-        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-      # TODO: for now trust, replace this with client certificate later
-      authentication = ''
-        hostssl terraformstates terraform all trust
-      '';
-      settings = {
-        ssl = true;
-        ssl_cert_file = builtins.toFile "postgresql_server.crt"
-          (builtins.readFile ../postgresql_server.crt);
-        ssl_key_file = config.age.secrets."postgresql_server.key".path;
-      };
-      ensureUsers = [{
-        name = "terraform";
-        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
-      }];
-    };
-
-    age.secrets."postgresql_server.key" = {
-      file = ../secrets/postgresql_server.key.age;
-      mode = "400";
-      owner = builtins.toString config.ids.uids.postgres;
-      group = builtins.toString config.ids.gids.postgres;
-    };
-  };
-}
diff --git a/modules/custom/data-disk.nix b/modules/custom/data-disk.nix
new file mode 100644
index 0000000..4e2d485
--- /dev/null
+++ b/modules/custom/data-disk.nix
@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+let cfg = config.custom.dataDisk;
+in {
+  options = {
+    custom = {
+      dataDisk.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to automatically mount /dev/sda1 on /mnt/data
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    fileSystems."/mnt/data" = { device = "/dev/sda1"; };
+  };
+}
diff --git a/modules/custom/default.nix b/modules/custom/default.nix
new file mode 100644
index 0000000..ceeaefa
--- /dev/null
+++ b/modules/custom/default.nix
@@ -0,0 +1,3 @@
+{
+  imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ];
+}
diff --git a/modules/custom/ssh-certificates.nix b/modules/custom/ssh-certificates.nix
new file mode 100644
index 0000000..456ff21
--- /dev/null
+++ b/modules/custom/ssh-certificates.nix
@@ -0,0 +1,65 @@
+{ lib, config, ... }:
+let
+  cfg = config.custom.ssh;
+  hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
+  userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;
+in {
+  options = {
+    custom = {
+      ssh = {
+        hostCert = lib.mkOption {
+          type = lib.types.str;
+          description = ''
+            SSH host certificate
+          '';
+        };
+
+        userCert = lib.mkOption {
+          type = lib.types.str;
+          description = ''
+            SSH user certificate
+          '';
+        };
+
+        hostKey = lib.mkOption {
+          default =
+            ../../secrets/${config.networking.hostName}_host_ed25519.age;
+          type = lib.types.path;
+          description = ''
+            SSH host key
+          '';
+        };
+
+        userKey = lib.mkOption {
+          default =
+            ../../secrets/${config.networking.hostName}_user_ed25519.age;
+          type = lib.types.path;
+          description = ''
+            SSH user key
+          '';
+        };
+      };
+    };
+  };
+
+  config = {
+    services.openssh = {
+      extraConfig = ''
+        HostCertificate ${hostCert}
+        HostKey ${config.age.secrets.host_ed25519.path}
+      '';
+    };
+
+    programs.ssh = {
+      extraConfig = ''
+        CertificateFile ${userCert}
+        IdentityFile ${config.age.secrets.user_ed25519.path}
+      '';
+    };
+
+    age.secrets = {
+      "host_ed25519".file = cfg.hostKey;
+      "user_ed25519".file = cfg.userKey;
+    };
+  };
+}
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
new file mode 100644
index 0000000..06b5611
--- /dev/null
+++ b/modules/custom/terraform-database.nix
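Review bot: `hostCert` and `userCert` are declared without a `default`, and the `config` block in this file is unconditional, so the `let` bindings `hostCert`/`userCert` read both options on every host that imports `modules/custom/default.nix`; a host that does not set `custom.ssh.hostCert`/`userCert` fails evaluation with an undefined-option error instead of simply skipping certificate setup. The sibling modules `data-disk.nix` and `terraform-database.nix` gate their `config` with `lib.mkIf cfg.enable`; the same pattern here, an `enable` option plus `config = lib.mkIf cfg.enable { ... };`, would make the three modules consistent and the failure mode explicit. At minimum the two option descriptions should state that the certificate is mandatory, e.g. `SSH host certificate (required; evaluation fails when unset)`.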
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let cfg = config.custom.terraformDatabase;
+in {
+  options = {
+    custom = {
+      terraformDatabase.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to start a postgreSQL database for Terraform states
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "terraformstates" ];
+      package = pkgs.postgresql_15;
+      enableTCPIP = true;
+      dataDir = lib.mkIf config.custom.dataDisk.enable
+        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # dataDir =
+      #   "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # TODO: for now trust, replace this with client certificate later
+      authentication = ''
+        hostssl terraformstates terraform all trust
+      '';
+      settings = {
+        ssl = true;
+        ssl_cert_file = builtins.toFile "postgresql_server.crt"
+          (builtins.readFile ../../postgresql_server.crt);
+        ssl_key_file = config.age.secrets."postgresql_server.key".path;
+      };
+      ensureUsers = [{
+        name = "terraform";
+        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
+      }];
+    };
+
+    age.secrets."postgresql_server.key" = {
+      file = ../../secrets/postgresql_server.key.age;
+      mode = "400";
+      owner = builtins.toString config.ids.uids.postgres;
+      group = builtins.toString config.ids.gids.postgres;
+    };
+  };
+}
-- 
2.45.2

From 51f84c42ba5bccfb335e51934b92e99f63a446cb Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 25 Nov 2023 13:41:49 +0100
Subject: [PATCH 5/6] enable client certificate checking

---
 flake.nix                             |  2 ++
 modules/custom/terraform-database.nix | 14 +++++++-------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/flake.nix b/flake.nix
index a3151c5..aa1690b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,6 +39,8 @@
           # Should wait until this is merged in nixos-unstable.
           # pkgs-unstable.nixos-anywhere
           pkgs-unstable.deploy-rs
+          pkgs.openssl
+          pkgs.postgresql_15
         ];
       };
 
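Review bot: The option description `Whether to start a postgreSQL database for Terraform states` understates what enabling it does: `enableTCPIP = true` makes the server listen on the network, the `hostssl ... trust` entry admits the `terraform` role without a credential, and `dataDir` is only placed under `/mnt/data` when `custom.dataDisk.enable` is true, otherwise the NixOS default location is used. A description along the lines of `Start a network-listening PostgreSQL 15 server for Terraform states; data lives on the data disk only when custom.dataDisk.enable is set` lets a reader judge the exposure from the option alone. The two commented-out `# dataDir =` lines duplicate the live binding directly above them and can be dropped.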
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
index 06b5611..bdad8a7 100644
--- a/modules/custom/terraform-database.nix
+++ b/modules/custom/terraform-database.nix
@@ -21,17 +21,17 @@ in {
       enableTCPIP = true;
       dataDir = lib.mkIf config.custom.dataDisk.enable
         "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-      # dataDir =
-      #   "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-      # TODO: for now trust, replace this with client certificate later
       authentication = ''
-        hostssl terraformstates terraform all trust
+        hostssl terraformstates terraform all cert
       '';
-      settings = {
-        ssl = true;
-        ssl_cert_file = builtins.toFile "postgresql_server.crt"
+      settings = let
+        serverCert = builtins.toFile "postgresql_server.crt"
           (builtins.readFile ../../postgresql_server.crt);
+      in {
+        ssl = true;
+        ssl_cert_file = serverCert;
         ssl_key_file = config.age.secrets."postgresql_server.key".path;
+        ssl_ca_file = serverCert;
       };
       ensureUsers = [{
         name = "terraform";
-- 
2.45.2

From d1d52e0d96877aa48530a6f863a93a3c09e9142c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 25 Nov 2023 14:43:37 +0100
Subject: [PATCH 6/6] add psql env variables to .envrc

---
 .envrc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.envrc b/.envrc
index c4b17d7..6923c90 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,5 @@
 use_flake
+export PGSSLROOTCERT=~/.config/home/postgresql_server.crt
+export PGSSLMODE=verify-ca
+export PGSSLCERT=~/.config/home/postgresql_client.crt
+export PGSSLKEY=~/.config/home/postgresql_client.key
-- 
2.45.2
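Review bot: `ssl_ca_file = serverCert` makes the server's own self-signed certificate the trust anchor for client certificates, so the age-encrypted server key is also the key that signs every client certificate: rotating or losing the server key invalidates all client certificates, and the host that terminates TLS is also the host whose key can mint new client identities. A dedicated CA certificate for `ssl_ca_file`, with its key kept off the database host and the server and client certificates issued from it, separates those two roles. With the `cert` method PostgreSQL matches the certificate's CN against the requested role name, so a comment on the authentication line such as `# cert: client certificate CN must equal the role name (terraform) unless a map= is added` would document a coupling that otherwise only surfaces as a failed connection. The enclosing `services.postgresql` set begins and ends outside this hunk.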
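Review bot: `PGSSLMODE=verify-ca` checks that the server certificate chains to `PGSSLROOTCERT` but not that the server name matches it, so `verify-full` is the stricter setting; since the pinned root is the single self-signed certificate with `CN=jefke.hyp` committed in the first patch of this series, `verify-full` should work when the client connects by that name and is presumably the intent. libpq refuses to use `PGSSLKEY` when the file is group- or world-readable, which is worth noting in `secrets/README.md` next to the client certificate creation step.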