Add postgres, CA and TLS management and cleanup makefile stuff
parent
3f8be7368b
commit
971057b801
9
Makefile
9
Makefile
|
@ -8,11 +8,9 @@ IMAGES := $(addsuffix /${IMAGE_OUTPUT},${CONTAINERS})
|
|||
BUILD_IDS := $(addsuffix /${BUILD_ID_OUT},${CONTAINERS})
|
||||
|
||||
# Build all containers in order by default
|
||||
all: $(CONTAINERS)
|
||||
all: $(IMAGES)
|
||||
|
||||
# Build process
|
||||
$(CONTAINERS): % : %/${IMAGE_OUTPUT}
|
||||
|
||||
%/${IMAGE_OUTPUT}: %/${BUILD_ID_OUT}
|
||||
buildah push -f oci \
|
||||
$(shell cat $<) \
|
||||
|
@ -28,5 +26,8 @@ $(CONTAINERS): % : %/${IMAGE_OUTPUT}
|
|||
clean:
|
||||
-rm -rv $(IMAGES) $(BUILD_IDS)
|
||||
|
||||
.PHONY: all clean $(CONTAINERS)
|
||||
.PHONY: all clean
|
||||
.SUFFIXES:
|
||||
|
||||
# Somehow GNU make forgets these are intermediates if not explicitly stated, feel free to look into it *shrug*
|
||||
.INTERMEDIATE: $(BUILD_IDS)
|
||||
|
|
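Review bot: The comment above `.INTERMEDIATE: $(BUILD_IDS)` blames a make quirk, but the behaviour is documented: a file is only treated as intermediate when no rule names it as an explicit target, and config.mk names every build_id file as the target of a static pattern rule, so the special target is required rather than a workaround. Suggest replacing it with `# build_id files are explicit targets in config.mk, so make never treats them as intermediates on its own; listing them here lets the id file be removed after the image is pushed without forcing a rebuild on the next run` (that reads as the intent, worth confirming). Separately, `clean` uses `-rm -rv`, which silences every failure including permission errors; `$(RM) -rv $(IMAGES) $(BUILD_IDS)` tolerates missing files without hiding the rest.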
18
config.mk
18
config.mk
|
@ -5,10 +5,20 @@ BUILD_ID_OUT := build_id
|
|||
|
||||
# Merge records into zonefile
|
||||
data/dns/${BUILD_ID_OUT}: data/dns/% : \
|
||||
data/dns/redxen.eu \
|
||||
data/dnssec/% \
|
||||
data/opendkim/% \
|
||||
data/dns/redxen.eu
|
||||
data/opendkim/%
|
||||
|
||||
data/postgres-cert/${BUILD_ID_OUT}: data/postgres-cert/% : \
|
||||
data/postgres-cert/x509v3_config \
|
||||
data/ca/%
|
||||
|
||||
daemons/nsd/${BUILD_ID_OUT}: daemons/nsd/% : \
|
||||
data/dns/% \
|
||||
daemons/nsd/nsd.conf
|
||||
daemons/nsd/nsd.conf \
|
||||
data/dns/%
|
||||
|
||||
daemons/postgres/${BUILD_ID_OUT}: daemons/postgres/% : \
|
||||
daemons/postgres/pg_hba.conf \
|
||||
daemons/postgres/postgresql.conf \
|
||||
data/ca/% \
|
||||
data/postgres-cert/%
|
||||
|
|
|
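Review bot: None of the three new rules say what is being built, unlike the existing `# Merge records into zonefile` header on the dns rule, and the static-pattern form `X/${BUILD_ID_OUT}: X/% : …` exists only to bind `%` to the build_id name, which is not obvious to a reader. Suggest `# Server/client certs signed by the CA image; rebuilt whenever data/ca changes` above the postgres-cert rule and `# Postgres image: bundles the CA cert plus the server cert/key from postgres-cert` above the postgres rule. The reordering of the dns prerequisites also changes `$<` for that target if its recipe uses it; if that is deliberate it deserves a line in the commit message.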
@ -0,0 +1,13 @@
|
|||
FROM postgres:alpine
|
||||
|
||||
ADD postgresql.conf /etc/postgresql/postgresql.conf
|
||||
ADD pg_hba.conf /etc/postgresql/pg_hba.conf
|
||||
|
||||
COPY --from=redxen.eu/data/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgres-cert/redxen.eu/certs/ca.crt
|
||||
COPY --from=redxen.eu/data/postgres-cert:latest /redxen.eu/certs/postgres.crt /etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt
|
||||
COPY --from=redxen.eu/data/postgres-cert:latest /redxen.eu/keys/postgres.key /etc/redxen/postgres-cert/redxen.eu/keys/postgres.key
|
||||
|
||||
RUN chown -Rv postgres:postgres /etc/redxen/postgres-cert/
|
||||
|
||||
# TODO: https://hub.docker.com/_/postgres > Initialisation scripts (Database)
|
||||
CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]
|
|
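Review bot: `RUN chown -Rv postgres:postgres /etc/redxen/postgres-cert/` fixes ownership but not the mode of the private key copied two lines above, and PostgreSQL refuses to load `ssl_key_file` when it is owned by the server user and readable by group or world. `COPY --from` keeps whatever mode the generator stage produced, which is not visible in this file, so make it explicit: `RUN chown -R postgres:postgres /etc/redxen/postgres-cert/ && chmod 0600 /etc/redxen/postgres-cert/redxen.eu/keys/postgres.key`. The base `postgres:alpine` and the two `:latest` source images are unpinned, so both the server version and the key material float between builds; pinning at least the postgres tag makes rebuilds reproducible.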
@ -0,0 +1,2 @@
|
|||
local all postgres trust
|
||||
hostssl murmur murmur all cert clientcert=verify-full
|
|
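Review bot: The `cert` method on the `hostssl murmur murmur all` line only succeeds when the client certificate's CN equals the role name, so this line silently depends on the postgres-cert Dockerfile issuing `CN=murmur`; a comment such as `# cert auth: client CN must equal the role name (issued by data/postgres-cert)` keeps the two files from drifting apart. `clientcert=verify-full` is what `cert` already implies on PostgreSQL 12 and later, while older releases reject that value outright, which matters because the `postgres:alpine` tag is unpinned. `local all postgres trust` lets any process that reaches the unix socket in as superuser without a password; that matches the stock image's init flow but is worth recording as intentional.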
@ -0,0 +1,116 @@
|
|||
#------------------------------------------------------------------------------
|
||||
# FILE LOCATIONS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
data_directory = '/var/lib/postgresql/data'
|
||||
hba_file = '/etc/postgresql/pg_hba.conf'
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CONNECTIONS AND AUTHENTICATION
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
listen_addresses = '*'
|
||||
port = 5432
|
||||
max_connections = 100
|
||||
unix_socket_directories = '/run/postgresql'
|
||||
|
||||
authentication_timeout = 10s
|
||||
|
||||
ssl = on
|
||||
ssl_ca_file = '/etc/redxen/postgres-cert/redxen.eu/certs/ca.crt'
|
||||
ssl_cert_file = '/etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt'
|
||||
ssl_key_file = '/etc/redxen/postgres-cert/redxen.eu/keys/postgres.key'
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# RESOURCE USAGE (except WAL)
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
shared_buffers = 128MB
|
||||
dynamic_shared_memory_type = posix
|
||||
|
||||
vacuum_cost_delay = 0
|
||||
vacuum_cost_page_hit = 1
|
||||
vacuum_cost_page_miss = 10
|
||||
vacuum_cost_page_dirty = 20
|
||||
vacuum_cost_limit = 200
|
||||
|
||||
bgwriter_delay = 200ms
|
||||
bgwriter_lru_maxpages = 100
|
||||
bgwriter_lru_multiplier = 2.0
|
||||
bgwriter_flush_after = 512kB
|
||||
|
||||
effective_io_concurrency = 1
|
||||
max_worker_processes = 8
|
||||
max_parallel_maintenance_workers = 2
|
||||
max_parallel_workers_per_gather = 2
|
||||
parallel_leader_participation = on
|
||||
max_parallel_workers = 8
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# WRITE-AHEAD LOG
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
max_wal_size = 1GB
|
||||
min_wal_size = 80MB
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# REPLICATION
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# QUERY TUNING
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# REPORTING AND LOGGING
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
log_line_prefix = '%m [%p] %q%u@%d '
|
||||
log_destination = stderr
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# PROCESS TITLE
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
cluster_name = 'redxen-main'
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# STATISTICS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
track_activities = on
|
||||
track_counts = on
|
||||
track_io_timing = on
|
||||
track_functions = all
|
||||
track_activity_query_size = 1024
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# AUTOVACUUM
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
autovacuum = on
|
||||
autovacuum_naptime = 1min
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# CLIENT CONNECTION DEFAULTS
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
datestyle = 'iso, mdy'
|
||||
timezone = 'UTC'
|
||||
lc_messages = 'en_US.UTF-8'
|
||||
lc_monetary = 'en_US.UTF-8'
|
||||
lc_numeric = 'en_US.UTF-8'
|
||||
lc_time = 'en_US.UTF-8'
|
||||
default_text_search_config = 'pg_catalog.english'
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# LOCK MANAGEMENT
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# VERSION AND PLATFORM COMPATIBILITY
|
||||
#------------------------------------------------------------------------------
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# ERROR HANDLING
|
||||
#------------------------------------------------------------------------------
|
|
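Review bot: With `ssl = on` and `listen_addresses = '*'` the server accepts TLS from any address but records nothing about who connected: the REPORTING AND LOGGING block sets only `log_line_prefix` and `log_destination`. Adding `log_connections = on` and `log_disconnections = on` there logs each certificate-authenticated session with user, database and source, which is the minimum an operator needs to audit the `cert` rule in pg_hba.conf. `ssl_min_protocol_version` is left at its default; if the image is PostgreSQL 12 or later, `ssl_min_protocol_version = 'TLSv1.2'` documents the intended floor instead of inheriting whatever the floating `postgres:alpine` build ships.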
@ -0,0 +1,21 @@
|
|||
FROM alpine:latest as generator
|
||||
|
||||
RUN --network=host apk add openssl
|
||||
|
||||
RUN mkdir -p "/redxen.eu/certs"
|
||||
RUN mkdir -p "/redxen.eu/keys"
|
||||
|
||||
WORKDIR "/redxen.eu"
|
||||
RUN openssl req \
|
||||
-new \
|
||||
-utf8 \
|
||||
-x509 \
|
||||
-days 365 \
|
||||
-nodes \
|
||||
-keyout keys/ca.key \
|
||||
-out certs/ca.crt \
|
||||
-subj "/O=RedXen/CN=root"
|
||||
|
||||
FROM scratch
|
||||
|
||||
COPY --from=generator "/redxen.eu" "/redxen.eu"
|
|
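Review bot: The final `COPY --from=generator "/redxen.eu" "/redxen.eu"` publishes `keys/ca.key`, an unencrypted (`-nodes`) CA private key, as a layer of the data/ca image, and the Makefile hunk pushes every image with `buildah push`; anyone who can pull that image can issue certificates the postgres `cert` rule will trust. That is the design here, since the postgres-cert stage signs with it, but it should be stated in the file: `# NOTE: this image carries the unencrypted CA private key (keys/ca.key); push it only to a registry trusted with it`. `-days 365` on the CA, with leaves also issued for 365 days, means the CA expires no later than the first leaf it signed; giving the CA a longer lifetime than its leaves avoids that cliff. `alpine:latest` is unpinned as well.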
@ -0,0 +1,60 @@
|
|||
FROM alpine:latest as generator
|
||||
|
||||
RUN --network=host apk add openssl
|
||||
|
||||
COPY --from=redxen.eu/data/ca:latest "/redxen.eu" "/ca"
|
||||
|
||||
ADD x509v3_config /
|
||||
|
||||
RUN mkdir -p "/redxen.eu/certs"
|
||||
RUN mkdir -p "/redxen.eu/keys"
|
||||
|
||||
WORKDIR "/redxen.eu"
|
||||
|
||||
# Server
|
||||
RUN openssl req \
|
||||
-new \
|
||||
-utf8 \
|
||||
-sha256 \
|
||||
-key /ca/keys/ca.key \
|
||||
-subj "/O=RedXen/CN=postgres" \
|
||||
-nodes \
|
||||
-keyout keys/postgres.key \
|
||||
-out /tmp/postgres.csr
|
||||
|
||||
RUN openssl x509 \
|
||||
-req \
|
||||
-in /tmp/postgres.csr \
|
||||
-days 365 \
|
||||
-extfile /x509v3_config \
|
||||
-extensions x590v3_ca \
|
||||
-CA /ca/certs/ca.crt \
|
||||
-CAkey /ca/keys/ca.key \
|
||||
-CAcreateserial \
|
||||
-out certs/postgres.crt
|
||||
|
||||
# Murmur
|
||||
RUN openssl req \
|
||||
-new \
|
||||
-utf8 \
|
||||
-sha256 \
|
||||
-key /ca/keys/ca.key \
|
||||
-subj "/O=RedXen/CN=murmur" \
|
||||
-nodes \
|
||||
-keyout keys/murmur.key \
|
||||
-out /tmp/murmur.csr
|
||||
|
||||
RUN openssl x509 \
|
||||
-req \
|
||||
-in /tmp/murmur.csr \
|
||||
-days 365 \
|
||||
-extfile /x509v3_config \
|
||||
-extensions x590v3_ca \
|
||||
-CA /ca/certs/ca.crt \
|
||||
-CAkey /ca/keys/ca.key \
|
||||
-CAcreateserial \
|
||||
-out certs/murmur.crt
|
||||
|
||||
FROM scratch
|
||||
|
||||
COPY --from=generator "/redxen.eu" "/redxen.eu"
|
|
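Review bot: Both `openssl req` invocations pass `-key /ca/keys/ca.key`, so each CSR is built on the CA's own key pair and the issued `postgres.crt` and `murmur.crt` carry the CA public key; `-keyout keys/postgres.key` only takes effect when req generates a new key, so as far as I can tell `keys/postgres.key` is either never written (the postgres image's `COPY --from` would then fail) or, depending on the openssl release, is a copy of the CA key. Replace `-key /ca/keys/ca.key` with `-newkey rsa:4096` in both requests so a fresh key is generated and written to the `-keyout` path, leaving the CA key to the `openssl x509 -CAkey` signing steps only. One key shared by CA, server and client would otherwise mean a compromised murmur key can sign new certificates. `-extensions x590v3_ca` does match the section name in x509v3_config, but the `590`/`_ca` naming reads as a typo for leaf certificates; renaming both ends together would help.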
@ -0,0 +1,4 @@
|
|||
[x590v3_ca]
|
||||
extendedKeyUsage = serverAuth, clientAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer:always
|
|
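Review bot: The single `[x590v3_ca]` profile gives every leaf `extendedKeyUsage = serverAuth, clientAuth`, so the murmur client certificate is also a valid server certificate for the postgres listener and vice versa; a client key compromise becomes a server impersonation. It also leaves `basicConstraints` unset; adding `CA:FALSE` explicitly is cheap and states that leaves may not sign. Split the file into a server and a client section and select them with `-extensions x509v3_server` / `-extensions x509v3_client` in the postgres-cert Dockerfile.
```ini
[x509v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always

[x509v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
```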
@ -3,13 +3,16 @@ FROM alpine:latest as generator
|
|||
RUN --network=host apk add openssl
|
||||
|
||||
RUN mkdir "/redxen.eu"
|
||||
RUN cd "/redxen.eu"
|
||||
WORKDIR "/redxen.eu"
|
||||
|
||||
RUN openssl genrsa -out private.key 4096
|
||||
RUN openssl req -new \
|
||||
-key private.key \
|
||||
-x509 \
|
||||
-days 365 \
|
||||
-key private.key \
|
||||
-out public.pem \
|
||||
-x509 -subj '/C=DE/ST=Bavaria/L=Nurnberg/O=RedXen/CN=redxen.eu'
|
||||
-subj '/O=RedXen/CN=redxen.eu'
|
||||
|
||||
RUN cat public.pem private.key > fullchain.crt
|
||||
|
||||
FROM scratch
|
||||
|
|
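Review bot: `RUN cat public.pem private.key > fullchain.crt` writes the private key into a file whose name suggests a public certificate chain, so anything that treats `fullchain.crt` as shippable leaks the key; whether that line is new or context in this hunk is not recoverable from the rendering, but it ends up in the published image either way. If a consumer needs the combined PEM, name it for what it holds (for example `combined.pem`) and add `# contains the private key, not a public chain` beside it; otherwise keep the key in `private.key` only. The new `openssl genrsa -out private.key 4096` followed by `req -new -key private.key -x509` is the right replacement for the earlier duplicated `-key`/`-x509` arguments. The generator stage begins before this hunk and the final `FROM scratch` copy lies after it.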