'';
};
- deployment.keys = {
- postgresql-pam = {
- destDir = "/run/keys/postgresql";
+ mySecrets.keys = [
+ {
+ dest = "postgresql/pam";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_filter ${filter}
ssl start_tls
'';
- };
- postgresql-pam_replication = {
- destDir = "/run/keys/postgresql";
+ }
+ {
+ dest = "postgresql/pam_replication";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_login_attribute cn
ssl start_tls
'';
- };
- };
+ }
+ ];
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam
'';
}
{
name = "postgresql_replication";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
'';
}
];