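# NixOS container running PostgreSQL 10 with GSSAPI (Kerberos) and TLS.
#
# The certificates and the service keytab live on the host under
# /srv/<hostname>/ and are bind-mounted into the container.  All of these
# locations are plain strings on purpose: interpolating a Nix *path* value
# ("${/srv/…}") copies that directory into the world-readable Nix store,
# which is exactly what must never happen to a private key or a keytab.
{ config, pkgs, ... }:

let
  # Per-host data directory on the host (kept as a string, see above).
  hostPath = "/srv/${config.networking.hostName}";

  # Host-side sources of the secrets.
  srcCertificateDirectory = hostPath + "/certs";
  srcKeytabPath = hostPath + "/keytabs/postgres";

  # Container-side mount points and the individual files inside them.
  dstCertificateDirectory = "/etc/pki/certs/postgres";
  dstCertificate = dstCertificateDirectory + "/cert.pem";
  dstPrivateKey = dstCertificateDirectory + "/private/privkey.pem";
  dstKeytabPath = "/etc/postgresql-common/keytab";
  dstKeytab = dstKeytabPath + "/postgres.keytab";
in {
  containers.postgres = {
    autoStart = true;

    bindMounts = {
      # Not read-only: the chown/chmod in postBootCommands below must be
      # able to write the ownership/mode of the mounted secrets.
      "${dstCertificateDirectory}" = {
        hostPath = srcCertificateDirectory;
        isReadOnly = false;
      };
      "${dstKeytabPath}" = {
        hostPath = srcKeytabPath;
        isReadOnly = false;
      };
    };

    config = { config, pkgs, ... }: {
      # NOTE(review): environment.etc names are relative to /etc and an entry
      # normally needs a source/text, so this line presumably has no effect on
      # the bind-mounted key; the effective permission fix is the chmod in
      # postBootCommands.  Kept as-is pending confirmation.
      environment.etc."${dstPrivateKey}".mode = "0400";

      boot.tmpOnTmpfs = true;

      # Kind of a stupid hack...bindMounts can't specify perms, and it defaults to
      # permissive (even for nested files). So, explicitly make the keys private.
      # TODO: eventually, use bindMount perms, hopefully?
      #
      # The private key line used to read `chown 400 …`, which changes the
      # owner (to uid 400) and leaves the mode untouched; it has to be chmod.
      boot.postBootCommands = ''
        chown postgres ${dstKeytab}
        chmod 400 ${dstKeytab}
        chown -R postgres ${dstCertificateDirectory}
        chmod 400 ${dstPrivateKey}
      '';

      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_10;
        enableTCPIP = true;

        # Kerberos service keytab and TLS material, same paths as mounted above.
        extraConfig = ''
          krb_server_keyfile = '${dstKeytab}'
          ssl = true
          ssl_cert_file = '${dstCertificate}'
          ssl_key_file = '${dstPrivateKey}'
        '';

        # pg_hba: Unix-socket logins map to the OS user; every TCP client
        # must present a Kerberos ticket from the FUDO.ORG realm.
        # NOTE(review): 10.0.0.1/24 has host bits set; 10.0.0.0/24 is
        # presumably intended (the match is the same either way).
        authentication = ''
          local all all ident
          # host-local
          host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
          host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
          # local network
          host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
          host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
        '';

        # Runs once on first start to create the initial role.
        initialScript = pkgs.writeText "backend-initscript" ''
          CREATE ROLE niten;
        '';
      };
    };
  };
}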