initial commit

2017-09-04 16:00:44 +02:00 · 2017-09-04 16:00:44 +02:00 · f6b4c20e4a
commit f6b4c20e4a
14 changed files with 160 additions and 0 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,12 @@
 root = true
 [*]
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = space
 indent_size = 4
 [*.md]
 trim_trailing_whitespace = false
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
 *~
 .DS_Store
 *.swp
 tmp/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,10 @@
 build:
   image: docker:latest
   services:
   - docker:dind
   stage: build
   script:
     - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
     - docker build --pull --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
     - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
     - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
--- a/22
+++ b/22
@ -0,0 +1,22 @@
 FROM golang:alpine as builder
 RUN apk --no-cache add git
 RUN go get -v -u github.com/xenolf/lego
 FROM registry.gitlab.com/thallian/docker-confd-env:master
 COPY --from=builder /go/bin/lego /bin/lego
 ENV PGDATA /var/lib/postgresql/data
 RUN apk add --no-cache postgresql postgresql-contrib ca-certificates
 RUN mkdir -p /run/postgresql && mkdir -p $PGDATA
 RUN chown -R postgres /run/postgresql && chown -R postgres $PGDATA
 RUN chmod 775 /run/postgresql
 ADD /rootfs /
 VOLUME /var/lib/postgresql/data
 EXPOSE 5432
--- a/README.md
+++ b/README.md
@ -0,0 +1,29 @@
 [PostgreSQL](https://www.postgresql.org/) server which provisions
 tls certificates through [Let's Encrypt](https://letsencrypt.org/) with
 [lego](https://github.com/xenolf/lego). 
 # Volumes
 - `/var/lib/postgresql/data`
 - `/var/lib/postgresql/.lego`: certificates directory
 # Environment Variables
 ## POSTGRES_PASSWORD
 Password for the postgre admin user.
 ## POSTGRES_CA
 - default: "https://acme-v01.api.letsencrypt.org/directory"
 Which Acme Endpoint to use.
 ## POSTGRES_ACME_EMAIL
 Email to use in the acme account.
 ## POSTGRES_DOMAIN
 The domain the certificate uses.
 ## POSTGRES_DNS_PROVIDER
 One of the list here: https://github.com/xenolf/lego/tree/master/providers/dns
 # Ports
 - 5432
--- a/rootfs/bin/renew-certificates
+++ b/rootfs/bin/renew-certificates
@ -0,0 +1,19 @@
 #!/usr/bin/with-contenv sh
 cd /var/lib/postgresql
 OLD_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
 lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        renew --days 30
 NEW_MOD=$(stat -c %y /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt)
 if [ "${OLD_MOD}" != "${NEW_MOD}" ]; then
    kill -s TERM $(head -1 ${PGDATA}/postmaster.pid)
 fi
--- a/rootfs/etc/confd/conf.d/pg_hba.conf.toml
+++ b/rootfs/etc/confd/conf.d/pg_hba.conf.toml
@ -0,0 +1,5 @@
 [template]
 src = "pg_hba.conf.tmpl"
 dest = "/var/lib/postgresql/data/pg_hba.conf"
 gid = 70
 uid = 70
--- a/rootfs/etc/confd/templates/pg_hba.conf.tmpl
+++ b/rootfs/etc/confd/templates/pg_hba.conf.tmpl
@ -0,0 +1,3 @@
 local   all             all                                     trust
 hostssl all             all             0.0.0.0/0		        md5
 host    all             all             ::1/128                 trust
--- a/rootfs/etc/cont-init.d/00-initdb
+++ b/rootfs/etc/cont-init.d/00-initdb
@ -0,0 +1,5 @@
 #!/usr/bin/with-contenv sh
 if [ ! -f ${PGDATA}/PG_VERSION ]; then
    s6-setuidgid postgres initdb --username=postgres
 fi
--- a/rootfs/etc/cont-init.d/00-password
+++ b/rootfs/etc/cont-init.d/00-password
@ -0,0 +1,11 @@
 #!/usr/bin/with-contenv sh
 cat <<EOF > /var/lib/postgresql/data/pg_hba.conf
 local all all trust
 EOF
 s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w start
 s6-setuidgid postgres psql --command "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';"
 s6-setuidgid postgres pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w stop
--- a/rootfs/etc/cont-init.d/02-certificates
+++ b/rootfs/etc/cont-init.d/02-certificates
@ -0,0 +1,30 @@
 #!/usr/bin/with-contenv sh
 cd /var/lib/postgresql
 SAN_DOMAINS=""
 export IFS=";"
 for SAN in ${POSTGRES_SAN}
 do
    SAN_DOMAINS="${SAN_DOMAINS} --domains=\"${SAN}\""
 done
 if [ ! -f /var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt ]; then
    chown -R postgres /var/lib/postgresql/.lego
    s6-setuidgid postgres lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" ${SAN_DOMAINS} \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        run
 else
    s6-setuidgid postgres lego \
        --accept-tos \
        --server="${POSTGRES_CA}" \
        --email="${POSTGRES_ACME_EMAIL}" \
        --domains="${POSTGRES_DOMAIN}" \
        --dns="${POSTGRES_DNS_PROVIDER}" \
        renew --days 30
 fi
--- a/rootfs/etc/fix-attrs.d/01-pgdata
+++ b/rootfs/etc/fix-attrs.d/01-pgdata
@ -0,0 +1 @@
 /var/lib/postgresql true postgres 0600 0700
--- a/rootfs/etc/services.d/postgres/run
+++ b/rootfs/etc/services.d/postgres/run
@ -0,0 +1,8 @@
 #!/usr/bin/with-contenv sh
 s6-setuidgid postgres postgres \
    -D $PGDATA \
    -c listen_addresses='*' \
    -c ssl=on \
    -c ssl_cert_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.crt" \
    -c ssl_key_file="/var/lib/postgresql/.lego/certificates/${POSTGRES_DOMAIN}.key"
--- a/rootfs/var/spool/cron/crontab/postgres
+++ b/rootfs/var/spool/cron/crontab/postgres
@ -0,0 +1 @@
 0  3  *  *  * /bin/renew-certificates