initial commit

2017-09-04 16:00:44 +02:00 · 2017-09-04 16:00:44 +02:00 · f6b4c20e4a
commit f6b4c20e4a
14 changed files with 160 additions and 0 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,12 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+*~
+.DS_Store
+*.swp
+tmp/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,10 @@
+build:
+   image: docker:latest
+   services:
+   - docker:dind
+   stage: build
+   script:
+     - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+     - docker build --pull --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
+     - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+     - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
--- a/22
+++ b/22
@ -0,0 +1,22 @@
+FROM golang:alpine as builder
+
+RUN apk --no-cache add git
+RUN go get -v -u github.com/xenolf/lego
+
+FROM registry.gitlab.com/thallian/docker-confd-env:master
+
+COPY --from=builder /go/bin/lego /bin/lego
+
+ENV PGDATA /var/lib/postgresql/data
+
+RUN apk add --no-cache postgresql postgresql-contrib ca-certificates
+
+RUN mkdir -p /run/postgresql && mkdir -p $PGDATA
+RUN chown -R postgres /run/postgresql && chown -R postgres $PGDATA
+RUN chmod 775 /run/postgresql
+
+ADD /rootfs /
+
+VOLUME /var/lib/postgresql/data
+
+EXPOSE 5432
--- a/README.md
+++ b/README.md
@ -0,0 +1,29 @@
+[PostgreSQL](https://www.postgresql.org/) server which provisions
+tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
+[lego](https://github.com/xenolf/lego). 
+
+# Volumes
+- `/var/lib/postgresql/data`
+- `/var/lib/postgresql/.lego`: certificates directory
+
+# Environment Variables
+## POSTGRES_PASSWORD
+
+Password for the postgre admin user.
+
+## POSTGRES_CA
+- default: "https://acme-v01.api.letsencrypt.org/directory"
+
+Which Acme Endpoint to use.
+
+## POSTGRES_ACME_EMAIL
+Email to use in the acme account.
+
+## POSTGRES_DOMAIN
+The domain the certificate uses.
+
+## POSTGRES_DNS_PROVIDER
+One of the list here: https://github.com/xenolf/lego/tree/master/providers/dns
+
+# Ports
+- 5432
--- a/rootfs/bin/renew-certificates
+++ b/rootfs/bin/renew-certificates
@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        renew --days 30
+
+NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
+    kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
+fi
--- a/rootfs/etc/confd/conf.d/pg_hba.conf.toml
+++ b/rootfs/etc/confd/conf.d/pg_hba.conf.toml
@ -0,0 +1,5 @@
+[template]
+src = "pg_hba.conf.tmpl"
+dest = "/var/lib/postgresql/data/pg_hba.conf"
+gid = 70
+uid = 70
--- a/rootfs/etc/confd/templates/pg_hba.conf.tmpl
+++ b/rootfs/etc/confd/templates/pg_hba.conf.tmpl
@ -0,0 +1,3 @@
+local   all             all                                     trust
+hostssl all             all             0.0.0.0/0		        md5
+host    all             all             ::1/128                 trust
--- a/rootfs/etc/cont-init.d/00-initdb
+++ b/rootfs/etc/cont-init.d/00-initdb
@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv sh
+
+if [ ! -f ${PGDATA}/PG_VERSION ]; then
+    s6-setuidgid postgres initdb --username=postgres
+fi
--- a/rootfs/etc/cont-init.d/00-password
+++ b/rootfs/etc/cont-init.d/00-password
@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv sh
+
+cat <<EOF > /var/lib/postgresql/data/pg_hba.conf
+local all all trust
+EOF
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w start
+
+s6-setuidgid postgres psql --command "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w stop
--- a/rootfs/etc/cont-init.d/02-certificates
+++ b/rootfs/etc/cont-init.d/02-certificates
@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+SAN_DOMAINS=""
+
+export IFS=";"
+for SAN in ${POSTGRES_SAN}
+do
+    SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
+done
+
+if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
+    chown -R postgres /var/lib/postgresql/.lego
+    s6-setuidgid postgres lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        run
+else
+    s6-setuidgid postgres lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        renew --days 30
+fi
--- a/rootfs/etc/fix-attrs.d/01-pgdata
+++ b/rootfs/etc/fix-attrs.d/01-pgdata
@ -0,0 +1 @@
+/var/lib/postgresql true postgres 0600 0700
--- a/rootfs/etc/services.d/postgres/run
+++ b/rootfs/etc/services.d/postgres/run
@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv sh
+
+s6-setuidgid postgres postgres \
+    -D $PGDATA \
+    -c listen_addresses='*' \
+    -c ssl=on \
+    -c ssl_cert_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt" \
+    -c ssl_key_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.key"
--- a/rootfs/var/spool/cron/crontab/postgres
+++ b/rootfs/var/spool/cron/crontab/postgres
@ -0,0 +1 @@
+0  3  *  *  * /bin/renew-certificates