From f6b4c20e4aab9ee3679685a1fa1934a60fb12a20 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Mon, 4 Sep 2017 16:00:44 +0200
Subject: [PATCH] initial commit
---
.editorconfig | 12 +++++++++
.gitignore | 4 +++
.gitlab-ci.yml | 10 +++++++
Dockerfile | 22 +++++++++++++++
README.md | 29 ++++++++++++++++++++
rootfs/bin/renew-certificates | 19 +++++++++++++
rootfs/etc/confd/conf.d/pg_hba.conf.toml | 5 ++++
rootfs/etc/confd/templates/pg_hba.conf.tmpl | 3 +++
rootfs/etc/cont-init.d/00-initdb | 5 ++++
rootfs/etc/cont-init.d/00-password | 11 ++++++++
rootfs/etc/cont-init.d/02-certificates | 30 +++++++++++++++++++++
rootfs/etc/fix-attrs.d/01-pgdata | 1 +
rootfs/etc/services.d/postgres/run | 8 ++++++
rootfs/var/spool/cron/crontab/postgres | 1 +
14 files changed, 160 insertions(+)
create mode 100644 .editorconfig
create mode 100755 .gitignore
create mode 100644 .gitlab-ci.yml
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100755 rootfs/bin/renew-certificates
create mode 100644 rootfs/etc/confd/conf.d/pg_hba.conf.toml
create mode 100644 rootfs/etc/confd/templates/pg_hba.conf.tmpl
create mode 100644 rootfs/etc/cont-init.d/00-initdb
create mode 100644 rootfs/etc/cont-init.d/00-password
create mode 100644 rootfs/etc/cont-init.d/02-certificates
create mode 100644 rootfs/etc/fix-attrs.d/01-pgdata
create mode 100755 rootfs/etc/services.d/postgres/run
create mode 100644 rootfs/var/spool/cron/crontab/postgres
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..d1f040a
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..e753310
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*~
+.DS_Store
+*.swp
+tmp/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..dfde774
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+build:
+ image: docker:latest
+ services:
+ - docker:dind
+ stage: build
+ script:
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+ - docker build --pull --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
+ - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+ - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..9944364
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM golang:alpine as builder
+
+RUN apk --no-cache add git
+RUN go get -v -u github.com/xenolf/lego
+
+FROM registry.gitlab.com/thallian/docker-confd-env:master
+
+COPY --from=builder /go/bin/lego /bin/lego
+
+ENV PGDATA /var/lib/postgresql/data
+
+RUN apk add --no-cache postgresql postgresql-contrib ca-certificates
+
+RUN mkdir -p /run/postgresql && mkdir -p $PGDATA
+RUN chown -R postgres /run/postgresql && chown -R postgres $PGDATA
+RUN chmod 775 /run/postgresql
+
+ADD /rootfs /
+
+VOLUME /var/lib/postgresql/data
+
+EXPOSE 5432
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3a20277
--- /dev/null
+++ b/README.md
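Review bot: `image: docker:latest` and the `docker:dind` service on lines 2 and 4 of the hunk are unpinned, so the toolchain that builds and pushes the image changes underneath the pipeline without any commit; pin both to the same explicit Docker version tag, e.g. `image: docker:<version>` and `- docker:<version>-dind` (version to be chosen). `docker login -p $CI_JOB_TOKEN` hands the job token over as a process argument; that is the GitLab-documented idiom and the token is short-lived, so it is acceptable here, but `--password-stdin` is preferable once the pinned Docker client supports it.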
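Review bot: The build is not reproducible: `FROM golang:alpine`, `RUN go get -v -u github.com/xenolf/lego` and `FROM registry.gitlab.com/thallian/docker-confd-env:master` (hunk lines 1, 4 and 6) all resolve to whatever is current at build time, so the ACME client that holds the account key and issues the certificates is compiled from an unpinned upstream HEAD. Pin the Go base image to a version tag, check out a lego release tag inside the builder stage before installing it, and reference the confd-env base by a version tag or `@sha256:` digest rather than `master`. `ADD /rootfs /` should be `COPY /rootfs /`, since no archive extraction or URL fetch is intended, and `ENV PGDATA /var/lib/postgresql/data` uses the legacy space-separated form; prefer `ENV PGDATA=/var/lib/postgresql/data`. Leaving the final stage as root is expected for an s6 init, given that the service and init scripts drop to `postgres` via `s6-setuidgid`.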
@@ -0,0 +1,29 @@
+[PostgreSQL](https://www.postgresql.org/) server which provisions
+tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
+[lego](https://github.com/xenolf/lego).
+
+# Volumes
+- `/var/lib/postgresql/data`
+- `/var/lib/postgresql/.lego`: certificates directory
+
+# Environment Variables
+## POSTGRES_PASSWORD
+
+Password for the postgre admin user.
+
+## POSTGRES_CA
+- default: "https://acme-v01.api.letsencrypt.org/directory"
+
+Which Acme Endpoint to use.
+
+## POSTGRES_ACME_EMAIL
+Email to use in the acme account.
+
+## POSTGRES_DOMAIN
+The domain the certificate uses.
+
+## POSTGRES_DNS_PROVIDER
+One of the list here: https://github.com/xenolf/lego/tree/master/providers/dns
+
+# Ports
+- 5432
diff --git a/rootfs/bin/renew-certificates b/rootfs/bin/renew-certificates
new file mode 100755
index 0000000..ddc74a7
--- /dev/null
+++ b/rootfs/bin/renew-certificates
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+lego \
+ --accept-tos \
+ --server="${POSTGRES_CA}" \
+ --email="${POSTGRES_ACME_EMAIL}" \
+ --domains="${POSTGRES_DOMAIN}" \
+ --dns="${POSTGRES_DNS_PROVIDER}" \
+ renew --days 30
+
+NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
+ kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
+fi
diff --git a/rootfs/etc/confd/conf.d/pg_hba.conf.toml b/rootfs/etc/confd/conf.d/pg_hba.conf.toml
new file mode 100644
index 0000000..b0957f4
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/pg_hba.conf.toml
@@ -0,0 +1,5 @@
+[template]
+src = "pg_hba.conf.tmpl"
+dest = "/var/lib/postgresql/data/pg_hba.conf"
+gid = 70
+uid = 70
diff --git a/rootfs/etc/confd/templates/pg_hba.conf.tmpl b/rootfs/etc/confd/templates/pg_hba.conf.tmpl
new file mode 100644
index 0000000..65c716f
--- /dev/null
+++ b/rootfs/etc/confd/templates/pg_hba.conf.tmpl
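Review bot: `kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)` on the second-to-last line of the hunk requests a PostgreSQL smart shutdown, which waits for every client session to end, so while any connection stays open the server refuses new connections yet keeps serving the old certificate; `kill -s INT` (fast shutdown) bounds that window, and on PostgreSQL 10 or later `kill -s HUP` reloads the SSL files without a restart at all — confirm which server version the Alpine package ships. The script has no `set -e`, which is tolerable here because a failed `lego renew` leaves the modification time unchanged and therefore triggers no restart, but `${POSTGRES_DOMAIN}` and `${PGDATA}` should be double-quoted in the `stat` and `head` arguments. The restart also relies on s6 re-launching the `postgres` service after the postmaster exits; a short comment saying so would help the next reader.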
@@ -0,0 +1,3 @@
+local all all trust
+hostssl all all 0.0.0.0/0 md5
+host all all ::1/128 trust
diff --git a/rootfs/etc/cont-init.d/00-initdb b/rootfs/etc/cont-init.d/00-initdb
new file mode 100644
index 0000000..b03b3d0
--- /dev/null
+++ b/rootfs/etc/cont-init.d/00-initdb
@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv sh
+
+if [ ! -f ${PGDATA}/PG_VERSION ]; then
+ s6-setuidgid postgres initdb --username=postgres
+fi
diff --git a/rootfs/etc/cont-init.d/00-password b/rootfs/etc/cont-init.d/00-password
new file mode 100644
index 0000000..a7278ab
--- /dev/null
+++ b/rootfs/etc/cont-init.d/00-password
@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv sh
+
+cat < /var/lib/postgresql/data/pg_hba.conf
+local all all trust
+EOF
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w start
+
+s6-setuidgid postgres psql --command "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w stop
diff --git a/rootfs/etc/cont-init.d/02-certificates b/rootfs/etc/cont-init.d/02-certificates
new file mode 100644
index 0000000..c1c5dcf
--- /dev/null
+++ b/rootfs/etc/cont-init.d/02-certificates
@@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+SAN_DOMAINS=""
+
+export IFS=";"
+for SAN in ${POSTGRES_SAN}
+do
+ SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
+done
+
+if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
+ chown -R postgres /var/lib/postgresql/.lego
+ s6-setuidgid postgres lego \
+ --accept-tos \
+ --server="${POSTGRES_CA}" \
+ --email="${POSTGRES_ACME_EMAIL}" \
+ --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
+ --dns="${POSTGRES_DNS_PROVIDER}" \
+ run
+else
+ s6-setuidgid postgres lego \
+ --accept-tos \
+ --server="${POSTGRES_CA}" \
+ --email="${POSTGRES_ACME_EMAIL}" \
+ --domains="${POSTGRES_DOMAIN}" \
+ --dns="${POSTGRES_DNS_PROVIDER}" \
+ renew --days 30
+fi
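Review bot: `local all all trust` and `host all all ::1/128 trust` let any OS user inside the container log in as any database role, the `postgres` superuser included, without a password, so `POSTGRES_PASSWORD` protects nothing against anything that can exec into the container or reach the socket; `local all all peer` keeps the init scripts' `s6-setuidgid postgres psql` calls working while tying socket logins to the matching OS user, and the IPv6 loopback line can use `md5` like the `hostssl` line does. There is no entry for `127.0.0.1/32`, so a non-SSL IPv4 loopback connection is rejected while the IPv6 one is trusted; the two should be made consistent. This template is rendered by confd into the same path that 00-password overwrites at each start, and the ordering between confd and the cont-init.d scripts comes from the base image rather than from anything visible in this commit — worth a comment here stating which one wins.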
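Review bot: `ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';` on line 9 of the 00-password hunk splices the environment value straight into SQL, so a password containing a single quote breaks the statement or changes its meaning, and an unset variable silently sets an empty password, which PostgreSQL stores as NULL and then rejects at login through the `md5` rule; fail early and let psql quote the value, with `: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"` near the top and `echo "ALTER USER postgres WITH PASSWORD :'pw';" | s6-setuidgid postgres psql -v pw="${POSTGRES_PASSWORD}"` in place of the `--command` call (the statement goes via stdin because psql does not interpolate variables in `-c` strings). The value is still part of the psql process's argument list for the duration of the call and visible to anything listing processes in the container. This script shares the `00-` prefix with 00-initdb and only runs after it because `i` sorts before `p`; renaming it to `01-password` makes the dependency explicit. As rendered here line 3 reads `cat < /var/lib/postgresql/data/pg_hba.conf`, which would be an input redirect; presumably the heredoc operator `<<EOF >` was lost in extraction, so verify the committed file.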
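Review bot: `export IFS=";"` on line 7 of the 02-certificates hunk is never restored, so when `${SAN_DOMAINS}` is expanded unquoted on the `run` command line it is split on `;` rather than on whitespace and lego receives the whole ` --domains="a" --domains="b"` string, literal double quotes included, as a single argument; the SAN feature therefore cannot work as written. Collect the extra domains as positional parameters under a scoped IFS and pass them as `"$@"` instead, and `unset IFS` after the loop so lego does not inherit the modified separator either. `POSTGRES_SAN` is read here but absent from the README's environment-variable list, and the `renew` branch passes no SANs at all, which is only correct if lego's `renew` reuses the domains stored with the certificate — worth confirming against the lego version that gets built.
```sh
# … unchanged: shebang, cd …
set --
IFS=";"
for SAN in ${POSTGRES_SAN}
do
    set -- "$@" --domains="${SAN}"
done
unset IFS

if [ ! -f "/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt" ]; then
    chown -R postgres /var/lib/postgresql/.lego
    s6-setuidgid postgres lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" "$@" \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        run
# … unchanged: else branch (renew) …
```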
diff --git a/rootfs/etc/fix-attrs.d/01-pgdata b/rootfs/etc/fix-attrs.d/01-pgdata
new file mode 100644
index 0000000..217b138
--- /dev/null
+++ b/rootfs/etc/fix-attrs.d/01-pgdata
@@ -0,0 +1 @@
+/var/lib/postgresql true postgres 0600 0700
diff --git a/rootfs/etc/services.d/postgres/run b/rootfs/etc/services.d/postgres/run
new file mode 100755
index 0000000..12be913
--- /dev/null
+++ b/rootfs/etc/services.d/postgres/run
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv sh
+
+s6-setuidgid postgres postgres \
+ -D $PGDATA \
+ -c listen_addresses='*' \
+ -c ssl=on \
+ -c ssl_cert_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt" \
+ -c ssl_key_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.key"
diff --git a/rootfs/var/spool/cron/crontab/postgres b/rootfs/var/spool/cron/crontab/postgres
new file mode 100644
index 0000000..0377661
--- /dev/null
+++ b/rootfs/var/spool/cron/crontab/postgres
@@ -0,0 +1 @@
+0 3 * * * /bin/renew-certificates
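Review bot: `/var/lib/postgresql true postgres 0600 0700` recurses over the whole of `/var/lib/postgresql` — the data volume and the `.lego` directory alike — on every container start, so a large cluster pays a full chown/chmod walk at each boot; the Dockerfile already chowns `$PGDATA` and 02-certificates chowns `.lego`, so a non-recursive entry (`false`) or one scoped to `/var/lib/postgresql/.lego` may be enough. The 0600/0700 modes themselves are right for the private key and for `PGDATA`, which PostgreSQL refuses to use when it is world-accessible (and, before PostgreSQL 11, group-accessible).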
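Review bot: With `-c ssl=on` and both file paths derived from `${POSTGRES_DOMAIN}`, the server refuses to start whenever `.lego/certificates/${POSTGRES_DOMAIN}.crt` is absent — for instance after 02-certificates failed on a missing DNS-provider credential — and s6 then restarts it in a loop with the cause buried in the supervised process's output; a guard at the top of the run script that checks the two files exist and exits with a clear message (or sleeps before exiting, to slow the loop) makes that failure visible. `-D $PGDATA` should be `-D "$PGDATA"` for consistency with the quoting on the ssl options. `listen_addresses='*'` is reasonable here given that the pg_hba template only admits remote clients over `hostssl`.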
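Review bot: Nothing in this commit starts a cron daemon — `services.d` contains only `postgres` — so unless the `docker-confd-env` base image runs one, this table is never read and the renewal job never fires; the certificate then silently expires at the end of its 90-day Let's Encrypt lifetime, so confirm this and add a `services.d/crond` entry if needed. BusyBox crond on Alpine reads per-user tables from `/etc/crontabs` (or `/var/spool/cron/crontabs`, plural) by default, whereas this file lands in `/var/spool/cron/crontab/postgres`; verify the directory against the base image's crond configuration, since a mismatch has the same silent effect. The job's output is not redirected, so a failing `lego renew` leaves no trace unless crond itself logs it.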