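# Host-specific PostgreSQL 11 server with Kerberos (GSSAPI) authentication
# and TLS, reading its secrets from /srv/<hostname>/.
#
# Secrets are staged into /etc via environment.etc rather than read straight
# out of /srv so that owner and mode are enforced declaratively on every
# activation.  `environment` is not a NixOS module argument (the module system
# supplies config/options/lib/pkgs plus specialArgs), so it is not requested
# here; `...` still tolerates any extra arguments a caller passes.
{ config, pkgs, ... }:

let
  # Per-host secrets directory.  Deliberately a *string*, not a Nix path:
  # a path value used as `environment.etc.<name>.source` is copied into
  # /nix/store, which is world-readable, silently defeating the 0400 mode
  # below.  With a string the etc derivation only records the location and
  # the activation script copies the file from /srv into /etc at
  # nixos-rebuild time, so the private key and keytab never enter the store.
  # The files must exist on the host when the configuration is activated.
  dataPath = "/srv/${config.networking.hostName}";

  # Single source of truth for the staged secret locations so the etc entries
  # and the postgresql.conf settings cannot drift apart.
  etcKeytab = "postgresql/private/postgres.keytab";
  etcKey = "postgresql/private/privkey.pem";
  etcCert = "postgresql/cert.pem";

  # Kerberos realm whose principals may authenticate.
  realm = "FUDO.ORG";

  # An etc entry owned by postgres and readable only by the server process.
  # PostgreSQL refuses to start if a non-root-owned key file is group- or
  # world-readable, so 0400 is the intended mode.
  secret = relPath: {
    mode = "0400";
    user = "postgres";
    group = "postgres";
    source = "${dataPath}/${relPath}";
  };
in {
  environment = {
    # psql and friends for interactive use; same build as the server.
    systemPackages = with pkgs; [ postgresql_11_gssapi ];

    etc = {
      "${etcKey}" = secret "certs/private/privkey.pem";
      "${etcKeytab}" = secret "keytabs/postgres.keytab";

      # The certificate is public; world-readable is fine.
      "${etcCert}" = {
        mode = "0444";
        user = "postgres";
        group = "postgres";
        source = "${dataPath}/certs/cert.pem";
      };
    };
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11_gssapi;

    # Listen on all interfaces.  Reachability is still governed by pg_hba.conf
    # below and by networking.firewall, which must open 5432 explicitly.
    enableTCPIP = true;

    extraConfig = ''
      krb_server_keyfile = '/etc/${etcKeytab}'

      ssl = true
      ssl_cert_file = '/etc/${etcCert}'
      ssl_key_file = '/etc/${etcKey}'
    '';

    # pg_hba.conf is first-match.  Principals user@FUDO.ORG map to the
    # database role "user" (include_realm=0); krb_realm rejects principals
    # from any other realm.  NixOS's postgresql module appears to append its
    # own default loopback entries after this text, so the entries here take
    # precedence for the addresses they list.
    authentication = ''
      # Unix socket: "ident" on a local connection is treated as peer, i.e.
      # the OS user name must equal the database role name.
      local all all ident

      # host-local
      host all all 127.0.0.1/32 gss include_realm=0 krb_realm=${realm}
      host all all ::1/128 gss include_realm=0 krb_realm=${realm}

      # local network.  hostssl rather than host: PostgreSQL 11's GSSAPI
      # support authenticates but does not encrypt the session (GSS
      # encryption arrived in 12), so require the TLS configured above on the
      # wire.  The IPv4 range is written with host bits zero; PostgreSQL masks
      # both sides so 10.0.0.1/24 matched the same hosts, but the canonical
      # form makes the intended /24 obvious.
      hostssl all all 10.0.0.0/24 gss include_realm=0 krb_realm=${realm}
      hostssl all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=${realm}
    '';
  };
}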