Add postgres, CA and TLS management and cleanup makefile stuff

Makefile

@@ -8,11 +8,9 @@ IMAGES := $(addsuffix /${IMAGE_OUTPUT},${CONTAINERS})
 BUILD_IDS := $(addsuffix /${BUILD_ID_OUT},${CONTAINERS})
 
 # Build all containers in order by default
-all: $(CONTAINERS)
+all: $(IMAGES)
 
 # Build process
-$(CONTAINERS): % : %/${IMAGE_OUTPUT}
-
 %/${IMAGE_OUTPUT}: %/${BUILD_ID_OUT}
 	buildah push -f oci \
 		$(shell cat $<) \
@@ -28,5 +26,8 @@ $(CONTAINERS): % : %/${IMAGE_OUTPUT}
 clean:
 	-rm -rv $(IMAGES) $(BUILD_IDS)
 
-.PHONY: all clean $(CONTAINERS)
+.PHONY: all clean
 .SUFFIXES:
+
+# Somehow GNU make forgets these are intermediates if not explicitly stated, feel free to look into it *shrug*
+.INTERMEDIATE: $(BUILD_IDS)

config.mk

@@ -5,10 +5,20 @@ BUILD_ID_OUT := build_id
 
 # Merge records into zonefile
 data/dns/${BUILD_ID_OUT}: data/dns/% : \
+	data/dns/redxen.eu \
 	data/dnssec/% \
-	data/opendkim/% \
-	data/dns/redxen.eu
+	data/opendkim/%
+
+data/postgres-cert/${BUILD_ID_OUT}: data/postgres-cert/% : \
+	data/postgres-cert/x509v3_config \
+	data/ca/%
 
 daemons/nsd/${BUILD_ID_OUT}: daemons/nsd/% : \
-	data/dns/% \
-	daemons/nsd/nsd.conf
+	daemons/nsd/nsd.conf \
+	data/dns/%
+
+daemons/postgres/${BUILD_ID_OUT}: daemons/postgres/% : \
+	daemons/postgres/pg_hba.conf \
+	daemons/postgres/postgresql.conf \
+	data/ca/% \
+	data/postgres-cert/%

daemons/postgres/Containerfile

@@ -0,0 +1,13 @@
+FROM postgres:alpine
+
+ADD postgresql.conf /etc/postgresql/postgresql.conf
+ADD pg_hba.conf /etc/postgresql/pg_hba.conf
+
+COPY --from=redxen.eu/data/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgres-cert/redxen.eu/certs/ca.crt
+COPY --from=redxen.eu/data/postgres-cert:latest /redxen.eu/certs/postgres.crt /etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt
+COPY --from=redxen.eu/data/postgres-cert:latest /redxen.eu/keys/postgres.key /etc/redxen/postgres-cert/redxen.eu/keys/postgres.key
+
+RUN chown -Rv postgres:postgres /etc/redxen/postgres-cert/
+
+# TODO: https://hub.docker.com/_/postgres > Initialisation scripts (Database)
+CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]

daemons/postgres/pg_hba.conf

@@ -0,0 +1,2 @@
+local	all	postgres	trust
+hostssl	murmur	murmur	all	cert	clientcert=verify-full

daemons/postgres/postgresql.conf

@@ -0,0 +1,116 @@
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+data_directory = '/var/lib/postgresql/data'
+hba_file = '/etc/postgresql/pg_hba.conf'
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+listen_addresses = '*'
+port = 5432
+max_connections = 100
+unix_socket_directories = '/run/postgresql'
+
+authentication_timeout = 10s
+
+ssl = on
+ssl_ca_file = '/etc/redxen/postgres-cert/redxen.eu/certs/ca.crt'
+ssl_cert_file = '/etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt'
+ssl_key_file = '/etc/redxen/postgres-cert/redxen.eu/keys/postgres.key'
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+shared_buffers = 128MB
+dynamic_shared_memory_type = posix
+
+vacuum_cost_delay = 0
+vacuum_cost_page_hit = 1
+vacuum_cost_page_miss = 10
+vacuum_cost_page_dirty = 20
+vacuum_cost_limit = 200
+
+bgwriter_delay = 200ms
+bgwriter_lru_maxpages = 100
+bgwriter_lru_multiplier = 2.0
+bgwriter_flush_after = 512kB
+
+effective_io_concurrency = 1
+max_worker_processes = 8
+max_parallel_maintenance_workers = 2
+max_parallel_workers_per_gather = 2
+parallel_leader_participation = on
+max_parallel_workers = 8
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+max_wal_size = 1GB
+min_wal_size = 80MB
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+log_line_prefix = '%m [%p] %q%u@%d '
+log_destination = stderr
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+cluster_name = 'redxen-main'
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+track_activities = on
+track_counts = on
+track_io_timing = on
+track_functions = all
+track_activity_query_size = 1024
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+autovacuum = on
+autovacuum_naptime = 1min
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'en_US.UTF-8'
+lc_monetary = 'en_US.UTF-8'
+lc_numeric = 'en_US.UTF-8'
+lc_time = 'en_US.UTF-8'
+default_text_search_config = 'pg_catalog.english'
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------

data/ca/Containerfile

@@ -0,0 +1,21 @@
+FROM alpine:latest as generator
+
+RUN --network=host apk add openssl
+
+RUN mkdir -p "/redxen.eu/certs"
+RUN mkdir -p "/redxen.eu/keys"
+
+WORKDIR "/redxen.eu"
+RUN openssl req \
+	-new \
+	-utf8 \
+	-x509 \
+	-days 365 \
+	-nodes \
+	-keyout keys/ca.key \
+	-out certs/ca.crt \
+	-subj "/O=RedXen/CN=root"
+
+FROM scratch
+
+COPY --from=generator "/redxen.eu" "/redxen.eu"

data/postgres-cert/Containerfile

@@ -0,0 +1,60 @@
+FROM alpine:latest as generator
+
+RUN --network=host apk add openssl
+
+COPY --from=redxen.eu/data/ca:latest "/redxen.eu" "/ca"
+
+ADD x509v3_config /
+
+RUN mkdir -p "/redxen.eu/certs"
+RUN mkdir -p "/redxen.eu/keys"
+
+WORKDIR "/redxen.eu"
+
+# Server
+RUN openssl req \
+	-new \
+	-utf8 \
+	-sha256 \
+	-key /ca/keys/ca.key \
+	-subj "/O=RedXen/CN=postgres" \
+	-nodes \
+	-keyout keys/postgres.key \
+	-out /tmp/postgres.csr
+
+RUN openssl x509 \
+	-req \
+	-in /tmp/postgres.csr \
+	-days 365 \
+	-extfile /x509v3_config \
+	-extensions x590v3_ca \
+	-CA /ca/certs/ca.crt \
+	-CAkey /ca/keys/ca.key \
+	-CAcreateserial \
+	-out certs/postgres.crt
+
+# Murmur
+RUN openssl req \
+	-new \
+	-utf8 \
+	-sha256 \
+	-key /ca/keys/ca.key \
+	-subj "/O=RedXen/CN=murmur" \
+	-nodes \
+	-keyout keys/murmur.key \
+	-out /tmp/murmur.csr
+
+RUN openssl x509 \
+	-req \
+	-in /tmp/murmur.csr \
+	-days 365 \
+	-extfile /x509v3_config \
+	-extensions x590v3_ca \
+	-CA /ca/certs/ca.crt \
+	-CAkey /ca/keys/ca.key \
+	-CAcreateserial \
+	-out certs/murmur.crt
+
+FROM scratch
+
+COPY --from=generator "/redxen.eu" "/redxen.eu"

data/postgres-cert/x509v3_config

@@ -0,0 +1,4 @@
+[x590v3_ca]
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier  = keyid:always, issuer:always

data/selfsigned/Containerfile

@@ -3,13 +3,16 @@ FROM alpine:latest as generator
 RUN --network=host apk add openssl
 
 RUN mkdir "/redxen.eu"
-RUN cd "/redxen.eu"
+WORKDIR "/redxen.eu"
+
 RUN openssl genrsa -out private.key 4096
 RUN openssl req -new \
-	-key private.key \
+	-x509 \
 	-days 365 \
+	-key private.key \
 	-out public.pem \
-	-x509 -subj '/C=DE/ST=Bavaria/L=Nurnberg/O=RedXen/CN=redxen.eu'
+	-subj '/O=RedXen/CN=redxen.eu'
+
 RUN cat public.pem private.key > fullchain.crt
 
 FROM scratch