foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-26 06:19:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: disable PostgreSQL SSL mode

Browse Source
This commit is contained in:
Gabriel Arazas 2022-12-17 22:23:11 +08:00
parent 138fb25e8f
commit c008debd74
1 changed files with 3 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
hosts/plover/default.nix
View File

@ -89,15 +89,9 @@ in
# DNS-related settings. This is nice for automating them putting DNS records # DNS-related settings. This is nice for automating them putting DNS records
# and other types of stuff. # and other types of stuff.
security.acme = { security.acme.defaults = {
defaults = { dnsProvider = "porkbun";
dnsProvider = "porkbun"; credentialsFile = config.sops.secrets."plover/lego/env".path;
credentialsFile = config.sops.secrets."plover/lego/env".path;
};
certs = {
"${dbDomain}" = { };
};
}; };
services.openssh.hostKeys = [{ services.openssh.hostKeys = [{
@ -166,20 +160,6 @@ in
}; };
}; };
}; };
streamConfig = ''
server {
listen ${toString config.services.postgresql.port} ssl so_keepalive=on;
proxy_pass localhost:${toString config.services.postgresql.port};
ssl_certificate ${certs."${dbDomain}".directory}/fullchain.pem;
ssl_certificate_key ${certs."${dbDomain}".directory}/key.pem;
ssl_trusted_certificate ${certs."${dbDomain}".directory}/chain.pem;
ssl_session_timeout 15m;
ssl_session_cache shared:SSL:10m;
}
'';
}; };
# Enable database services that is used in all of the services here so far. # Enable database services that is used in all of the services here so far.
@ -188,14 +168,6 @@ in
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
authentication = ''
# Enable SSL connections.
hostssl all all ::1/128 trust
hostssl all all 127.0.0.1/32 trust
hostssl replication all ::1/128 trust
hostssl replication all 127.0.0.1/32 trust
'';
# Create per-user schema as documented from Usage Patterns. This is to make # Create per-user schema as documented from Usage Patterns. This is to make
# use of the secure schema usage pattern they encouraged to do. # use of the secure schema usage pattern they encouraged to do.
# #
@ -218,10 +190,6 @@ in
''; '';
settings = { settings = {
ssl = true;
ssl_cert_file = "${certs."${dbDomain}".directory}/fullchain.pem";
ssl_key_file = "${certs."${dbDomain}".directory}/key.pem";
log_connections = true; log_connections = true;
log_disconnections = true; log_disconnections = true;
@ -259,7 +227,6 @@ in
type = "postgresql"; type = "postgresql";
createLocally = true; createLocally = true;
passwordFile = config.sops.secrets."plover/keycloak/db/password".path; passwordFile = config.sops.secrets."plover/keycloak/db/password".path;
caCert = "${certs."${dbDomain}".directory}/chain.pem";
}; };
settings = { settings = {
@ -267,9 +234,6 @@ in
hostname-strict-backchannel = true; hostname-strict-backchannel = true;
proxy = "reencrypt"; proxy = "reencrypt";
}; };
sslCertificate = "${certs."${identityDomain}".directory}/fullchain.pem";
sslCertificateKey = "${certs."${identityDomain}".directory}/key.pem";
}; };
# With a database comes a dumping. # With a database comes a dumping.