From 421a05a82fbf14adb0be38ac881808e4bf4241df Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Nov 2023 14:15:07 +0100 Subject: [PATCH] deploy files needed for postgresql auth --- home-manager/default.nix | 11 ++++- home-manager/postgresql_client.crt | 17 ++++++++ home-manager/postgresql_server.crt | 67 +++++++++++++++++++++++++++++ secrets/postgresql_client.key.age | Bin 0 -> 2091 bytes secrets/secrets.nix | 1 + 5 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 home-manager/postgresql_client.crt create mode 100644 home-manager/postgresql_server.crt create mode 100644 secrets/postgresql_client.key.age diff --git a/home-manager/default.nix b/home-manager/default.nix index 093bb4e..ff75810 100644 --- a/home-manager/default.nix +++ b/home-manager/default.nix @@ -76,7 +76,11 @@ # Let home-manager manage the X session xsession = { enable = true; }; - xdg.userDirs.enable = true; + xdg = { + userDirs.enable = true; + configFile."home/postgresql_server.crt".source = ./postgresql_server.crt; + configFile."home/postgresql_client.crt".source = ./postgresql_client.crt; + }; homeage = { identityPaths = [ "/home/pim/.ssh/age_ed25519" ]; @@ -96,6 +100,11 @@ source = ../secrets/powerdns-api-key.json.age; symlinks = [ "${config.xdg.configHome}/home/powerdns-api-key.json" ]; }; + + file."postgresql_client.key" = { + source = ../secrets/postgresql_client.key.age; + symlinks = [ "${config.xdg.configHome}/home/postgresql_client.key" ]; + }; }; fonts.fontconfig.enable = true; diff --git a/home-manager/postgresql_client.crt b/home-manager/postgresql_client.crt new file mode 100644 index 0000000..b4710e8 --- /dev/null +++ b/home-manager/postgresql_client.crt 
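Review bot: The two `configFile` entries in the new `xdg` block have no comment saying that only public material may go through this path. `xdg.configFile.<name>.source` copies the file into the Nix store, which every local user can read, so it suits certificates but not keys. I would add `# Public certificates only; the Nix store is world-readable, private keys go through homeage below.` above them. The client certificate added further down in this patch appears, from its encoded validity field, to expire on 23 Nov 2024, so a second comment naming the renewal procedure would be worth having.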
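Review bot: The new `file."postgresql_client.key"` entry does not pin the permissions of the decrypted key, and clients built on libpq or Go's lib/pq refuse a client key that is readable by group or others. If the pinned homeage version offers the per-file `mode` option, set it explicitly with `mode = "0400";` next to `source`, and confirm that the key is still accepted when opened through the symlink under `${config.xdg.configHome}/home/`. The age ciphertext stays in Git history permanently, so a comment should record that losing the identity listed in `identityPaths` means reissuing the client key and certificate. The `homeage` block starts and ends outside this hunk, and the `secrets/secrets.nix` change listed in the diffstat is not visible here, so the recipient list could not be reviewed.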
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFApupXAa2tPytpi3av47+az0Ggb4MA0GCSqGSIb3DQEBCwUAMBQx
+EjAQBgNVBAMMCWplZmtlLmh5cDAeFw0yMzExMjQyMjAzMjhaFw0yNDExMjMyMjAz
+MjhaMBQxEjAQBgNVBAMMCXRlcnJhZm9ybTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALeJ/fYUCmwislUw4XcCxivCUuWuUWI+t/nke9/hWEWTmDG4Z7/a
+IAKqsGk0zNATQViAXmYZwdYK70AKQhxat3OJcuZarsurOXVjVJdT4Wr5SxHGHjd0
+bwd8JzFZPIfgYCILCISFjCIfpD58kBq2bkvI4rpn4tb2iPunXp0+S8iHDMB5wAOb
+FgT0muuz9ua4R76nq79O9wLbAVf38CDR9bMGcPcKknz0sl37jr7A/pDvQzpFWO33
+eJb64b7Qe4CHslWFj1tdEkXaMpMNWHhc2TmtLtlt6a+RY1R9KdX5x0lQTyJnEwJZ
+8YTKnlMoNvkfBznuARFmNNmUYPoHE6WgonMCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAaH1HVPThhAkrXE4Zmh49D1zvq5uy6moV326/ovnPQfco2jYBYO5mYxBF32mx
+ShEanbJJKkFjWkQHmsWt7nrkeloz6q8sD19nLyyWmMj0Pd6wcLv017Zdo902fh27
+Rl8qZS44vEc+N/5gc2eINMfXm/JOdXYntOVpFO/I+6b9Q2iWFX3YUAXiIDiEYBvS
+BBqyXC2nVg6Lp1KVg+EaYW27sj8b5HHXnpEGdXduVmOWttdaQVjYslqmH7mUKi9f
+2U9FicMvw6KvkRki+SLKeZr2yIP1QQOnWg0BPbeCpMfdMSu/AtLkAtugZeT8p1Ko
+3hMMyKKzyyhiwpzvk21QFNZ5LA==
+-----END CERTIFICATE-----
diff --git a/home-manager/postgresql_server.crt b/home-manager/postgresql_server.crt
new file mode 100644
index 0000000..e6bb806
--- /dev/null
+++ b/home-manager/postgresql_server.crt
@@ -0,0 +1,67 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ ef:2f:4d:d4:26:7e:33:1b
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=jefke.hyp
+ Validity
+ Not Before: Nov 22 19:12:03 2023 GMT
+ Not After : Oct 29 19:12:03 2123 GMT
+ Subject: CN=jefke.hyp
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:c7:ab:eb:9c:d0:7f:4f:f1:ba:65:0a:8b:07:7b:
+ 2e:5b:f0:26:82:33:c9:73:e6:91:cc:11:94:05:1c:
+ 8d:67:29:cb:5e:67:35:02:80:54:af:99:4b:aa:ce:
+ e8:56:62:be:63:cb:b2:4a:b0:a9:28:12:e2:77:50:
+ 7d:d5:d2:3b:48:d8:32:59:25:26:ff:a6:5c:f6:eb:
+ ae:5b:3d:7a:14:10:ba:90:9c:6f:1f:b9:d8:99:0e:
+ b7:09:5e:62:69:c4:c0:c6:27:b0:d3:60:0d:47:4c:
+ a5:11:53:f2:f1:4a:f9:a6:bc:d6:a3:35:a2:e8:e5:
+ a9:d1:60:e8:e5:18:ce:d2:60:80:4e:dc:48:ae:7f:
+ b7:ea:76:51:28:39:a4:b0:95:82:95:93:98:b2:9f:
+ 23:c9:81:69:59:a3:e4:f7:5a:1c:01:31:96:c1:4b:
+ 59:21:f8:a2:e6:9e:21:78:0e:6b:c1:68:c7:5c:16:
+ 9a:06:54:df:b6:77:1d:2d:89:d0:c8:9e:db:b5:d4:
+ 8c:fb:b9:4f:b7:6e:39:5f:39:8e:48:73:76:7d:46:
+ 6e:1f:8d:14:cb:40:b5:ff:c6:f0:c0:44:3c:ed:52:
+ 3f:4f:7b:69:63:93:c6:41:e6:5e:ed:33:50:20:46:
+ db:93:bf:e8:52:51:95:f1:81:73:58:da:67:21:7b:
+ 12:bd
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha256WithRSAEncryption
+ aa:5c:89:41:a6:b7:3d:65:87:ca:50:c4:f3:58:aa:d3:b4:55:
+ b1:a7:8d:18:26:17:e5:8a:21:24:a1:49:53:77:31:5b:55:63:
+ be:01:d8:fe:b7:06:7c:da:07:1f:94:6a:de:96:ad:ca:3b:20:
+ 2a:e1:35:90:19:83:6d:37:d1:15:12:de:3c:0e:46:be:66:a1:
+ 6a:1d:ec:72:dc:46:79:69:e4:af:77:c8:ff:cd:d6:7d:16:88:
+ ab:44:fd:70:fc:40:47:ff:43:95:11:5a:9a:56:0c:d2:dd:7c:
+ 3b:87:aa:10:26:fa:25:a3:a0:43:8a:1b:ec:54:11:7e:65:67:
+ d2:06:e1:3e:3b:e1:0e:b0:80:ef:4b:35:3f:fc:34:1d:95:2e:
+ ee:c1:67:38:da:b3:74:86:4b:95:8c:0c:1d:51:28:c1:42:e9:
+ 77:68:d7:ec:3b:66:30:c6:e5:2a:62:ea:15:fb:24:56:cf:02:
+ d0:25:54:a7:58:15:b5:2a:71:93:56:c0:69:7a:36:18:6c:31:
+ b1:8e:3c:77:d7:77:ac:fc:e1:94:c5:08:bb:35:ac:48:5f:6b:
+ 8b:c8:c8:78:f4:a9:ca:4f:9d:51:54:89:97:c9:af:a1:fa:71:
+ df:58:f6:ff:04:7c:c8:1c:95:6b:1a:e3:a7:f6:43:1c:27:94:
+ 10:03:ce:ec
+-----BEGIN CERTIFICATE-----
+MIICpjCCAY4CCQDvL03UJn4zGzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlq
+ZWZrZS5oeXAwIBcNMjMxMTIyMTkxMjAzWhgPMjEyMzEwMjkxOTEyMDNaMBQxEjAQ
+BgNVBAMMCWplZmtlLmh5cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMer65zQf0/xumUKiwd7LlvwJoIzyXPmkcwRlAUcjWcpy15nNQKAVK+ZS6rO6FZi
+vmPLskqwqSgS4ndQfdXSO0jYMlklJv+mXPbrrls9ehQQupCcbx+52JkOtwleYmnE
+wMYnsNNgDUdMpRFT8vFK+aa81qM1oujlqdFg6OUYztJggE7cSK5/t+p2USg5pLCV
+gpWTmLKfI8mBaVmj5PdaHAExlsFLWSH4ouaeIXgOa8Fox1wWmgZU37Z3HS2J0Mie
+27XUjPu5T7duOV85jkhzdn1Gbh+NFMtAtf/G8MBEPO1SP097aWOTxkHmXu0zUCBG
+25O/6FJRlfGBc1jaZyF7Er0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqlyJQaa3
+PWWHylDE81iq07RVsaeNGCYX5YohJKFJU3cxW1VjvgHY/rcGfNoHH5Rq3patyjsg
+KuE1kBmDbTfRFRLePA5Gvmahah3sctxGeWnkr3fI/83WfRaIq0T9cPxAR/9DlRFa
+mlYM0t18O4eqECb6JaOgQ4ob7FQRfmVn0gbhPjvhDrCA70s1P/w0HZUu7sFnONqz
+dIZLlYwMHVEowULpd2jX7DtmMMblKmLqFfskVs8C0CVUp1gVtSpxk1bAaXo2GGwx
+sY48d9d3rPzhlMUIuzWsSF9ri8jIePSpyk+dUVSJl8mvofpx31j2/wR8yByVaxrj
+p/ZDHCeUEAPO7A==
+-----END CERTIFICATE-----
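Review bot: The certificate pinned here is a self-signed X.509 version 1 certificate (`Version: 1 (0x0)`, issuer and subject both `CN=jefke.hyp`) valid until 2123, so it carries no subjectAltName, basicConstraints or keyUsage extension. Clients that no longer fall back to the Common Name for host verification (Go's crypto/x509 since 1.15, for instance) will reject it under `sslmode=verify-full`. A v1 certificate also cannot be constrained as a CA, although it seems to be the issuer of the client certificate in the previous file. I would reissue it as a v3 certificate with `subjectAltName = DNS:jefke.hyp`, keep the signing CA separate from the server leaf, and choose a validity that forces rotation long before 100 years. The human-readable dump above the PEM block is ignored by PEM parsers and could be dropped from the deployed file.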
diff --git a/secrets/postgresql_client.key.age b/secrets/postgresql_client.key.age new file mode 100644 index 0000000000000000000000000000000000000000..0639fc2a0876002bce895222faa014c2eaa360cc GIT binary patch literal 2091 zcmV+`2-NpsXJsvAZewzJaCB*JZZ29mIdoTgR7zMyb5K}9bYpmLMmJM(ZAdqHD|C5EF;xm}NLOKMD@Zjq zZb5lhN<=wKMNV35MQVC7Z)G=Pc3Mq!d1QKTPgGP*GeHV1J|J^*Xf0)AGBq_ZIUsgI zT52_CATwGta(QHNN@6uqN_a?4L~uBBVpds2Z#Q>wS$bJeHF8KxPGxIMVohvs3PUqZ zK}~o_V^V8)NOo6uT4P6TZ#hb2HgaV|LqS(kQc!MWLV9IEGE#AC3N1b$M=fV^Wnpt= z3UxDMYH3JuOE7jsSW#(gV|qwAS5?8L*LwchY#8{>RskQB6z!HN=DuYKTv!RTv9NjJW%9-HyVvZsDuh;Qc$@{)ACIHB8$p`$$8 z)eDqeP%25qL6kc`<)v|YZ9{bzS*a?VR5D;EK=fc4D`ZA(1-q+X;UtFY3jK^Cg}Q6+tGh*|$DY3?qmIYXQyDifiLgXsb#wrpR~lBXwoW<l)KX9Ul`g+e5Wg;+KVhMh>l!n7JccwLCV_#_2UW_g8tY7X#w4C)tgASAvJT z5)Br~Y{l??m^wXU?3wGGs-vi(a}+R>>lNlLSSEcR%@atP7(uQf+`@s&2q@sz!;I`l zQS@hJBK{r#Dazc@QV1Z@N6>tuHj=CJRDk-k(7d)>@D^`qY_T!SEaDPj?jW?5HhoWv z)k9|G4YU_}M2<&^G-33(e8TE(`sAq*tm!)wGZ=Kf(9#NKOHcHA`$r%JTDTEDl7NdT zit^o@c*sY;x3#*9qZT18=JC zvNd(6IC${Aud^;SouEfZKie`G*rmUyV+!#h_+r#MOYCvM!E4m zw6j?Dk>;K?2o9Tci^`36-;yaC7G(XfIKGV&*%yk9g8HNd4l~< za-M`y*e597Q+%9e-iPvAv10w%^)(f;it3DJkeYj!UOTqvGUUUEZ@yv)QAuwMS>^6z zklud%5izLZ#Z}FsLie1dG=1Nj&Rgpms)QLUVZRe{MQx`BpUB+xo1ZDQ=9vQ($Lj=` zruxy>6zO}ceeZ6Z;E2vEwKK;ZP3l7VbBq*#vNBkIro)6l{GZ0DTcd)M>w%7(a%G~W z5W>XpqBa|*^6rKEK2zb(r6MrBu2&Hlvwr%3Ckbz6iVSUKDSvbH9rng34~*=#9-=q~ zFUomW5W+LrRDFiGW3Jfv&JEi(dnldlYYb5*t24wwySgn5TxFr273A^%V4YRw^qA)32x7vOqvgxGY~U$totcgR51)=5q$@ab$vYHgSr0P8BjqrRUJl$ z<6(Gb#=n{Z8TaV?-&t?a#PjtB5VYi ztV79T7!D(k)54ts(9p7fnQN~-Rueznnw$i={+3HVLe$gX$6go%IgGe2n2j4M1;|+0 zogzXz2Ub$V_;bJEDQ9Bz5Z*)TYaI)QaR&X?Bl5V)_#ih=y6GO8PG?Fikh45I zY)e+bwA4`;S@lSp)*=Jlh%o8?RX?@CqNDM;u`Q7%xa(;$KM_@$u1w3sGWhd-6Cy^d zI|h}DuAHYalVQuDl5qp&ze4sM3vWyft56|Cj+Mhufir{pEx-g0mn4l^Q<;H?%>YW6 z)6lS*i&yxbj