initial commit

rootfs/bin/renew-certificates

@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        renew --days 30
+
+NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
+
+if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
+    kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
+fi

rootfs/etc/confd/conf.d/pg_hba.conf.toml

@@ -0,0 +1,5 @@
+[template]
+src = "pg_hba.conf.tmpl"
+dest = "/var/lib/postgresql/data/pg_hba.conf"
+gid = 70
+uid = 70

rootfs/etc/confd/templates/pg_hba.conf.tmpl

@@ -0,0 +1,3 @@
+local   all             all                                     trust
+hostssl all             all             0.0.0.0/0		        md5
+host    all             all             ::1/128                 trust

rootfs/etc/cont-init.d/00-initdb

@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv sh
+
+if [ ! -f ${PGDATA}/PG_VERSION ]; then
+    s6-setuidgid postgres initdb --username=postgres
+fi

rootfs/etc/cont-init.d/00-password

@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv sh
+
+cat <<EOF > /var/lib/postgresql/data/pg_hba.conf
+local all all trust
+EOF
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w start
+
+s6-setuidgid postgres psql --command "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
+
+s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w stop

rootfs/etc/cont-init.d/02-certificates

@@ -0,0 +1,30 @@
+#!/usr/bin/with-contenv sh
+
+cd /var/lib/postgresql
+
+SAN_DOMAINS=""
+
+export IFS=";"
+for SAN in ${POSTGRES_SAN}
+do
+    SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
+done
+
+if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
+    chown -R postgres /var/lib/postgresql/.lego
+    s6-setuidgid postgres lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        run
+else
+    s6-setuidgid postgres lego \
+        --accept-tos \
+        --server="${POSTGRES_CA}" \
+        --email="${POSTGRES_ACME_EMAIL}" \
+        --domains="${POSTGRES_DOMAIN}" \
+        --dns="${POSTGRES_DNS_PROVIDER}" \
+        renew --days 30
+fi

rootfs/etc/fix-attrs.d/01-pgdata

@@ -0,0 +1 @@
+/var/lib/postgresql true postgres 0600 0700

rootfs/etc/services.d/postgres/run

@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv sh
+
+s6-setuidgid postgres postgres \
+    -D $PGDATA \
+    -c listen_addresses='*' \
+    -c ssl=on \
+    -c ssl_cert_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt" \
+    -c ssl_key_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.key"

rootfs/var/spool/cron/crontab/postgres

@@ -0,0 +1 @@
+0  3  *  *  * /bin/renew-certificates