added postgres & made structure changes
28
homelab/applications/postgres/README.md
Normal file
@ -0,0 +1,28 @@
# Postgres
## Set up non-root user for container
We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `postgres` set up.

1. Check if user `postgres` exists and if the UID is 1002

```
cat /etc/passwd | grep postgres
```

In case the `postgres` user exists but the UID is not 1002, please adjust it via
```
sudo usermod -u 1002 postgres
```

In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
```
sudo useradd -u 1002 postgres
```

## About secrets
In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work.

## Bring up/tear down container
Please use the `start.sh` to spin up the container
### Prerequisites start.sh
- User executing the script is part of the `docker` group
- Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]
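Review bot: step 1 of the README (`cat /etc/passwd | grep postgres`) only shows whether some passwd line contains the string and never checks the UID that the rest of the section depends on; `id -u postgres` (or `getent passwd postgres`) reports the UID directly and exits non-zero when the user is missing. The `sudo usermod -u 1002 postgres` step changes the account's UID but does not re-own files outside the user's home directory, so an already-populated `./data` directory (the one the compose file mounts into a container running as UID 1002) keeps the old owner and needs `sudo chown -R 1002:1002 ./data` afterwards; the README should say so, and since this account only exists to own container files, `useradd -r -u 1002 -s /usr/sbin/nologin postgres` would avoid creating a login-capable user. The "Bring up/tear down" heading also documents only the bring-up half; either add the tear-down command or narrow the heading.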
18
homelab/applications/postgres/compose.yml
Normal file
@ -0,0 +1,18 @@
secrets:
postgres_password:
environment: POSTGRES_PASSWORD
postgres_user:
environment: POSTGRES_USER
services:
postgres:
image: postgres:18
container_name: postgres
user: "1002"
restart: always
shm_size: 1024mb
environment:
POSTGRES_USER_FILE: /run/secrets/postgres_user
POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
secrets: ['postgres_password', 'postgres_user']
ports: ['5432:5432']
volumes: ['./data:/var/lib/postgresql']
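Review bot: `ports: ['5432:5432']` publishes the database on every host interface, which is wider exposure than a homelab Postgres usually needs given that the README's only stated goal for this service is limiting attack surface; bind it to loopback (`'127.0.0.1:5432:5432'`) or drop the mapping and let client containers reach it over a compose network unless remote access is actually intended. Separately, because the service runs as `user: "1002"`, the image's entrypoint cannot `chown` the bind mount, so `./data` must already exist and be owned by UID 1002 before the first `docker compose up`; if Docker creates the directory on the fly it is root-owned and the server cannot initialise it. That prerequisite belongs in the README next to the UID instructions.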
13
homelab/applications/postgres/start.sh
Normal file
@ -0,0 +1,13 @@
#!/bin/zsh
# Exit immediately if a command exits with a non-zero status.
set -e

echo "--- Starting Docker Secret Management ---"
# Mount secrets
export POSTGRES_USER="$(op read 'op://NAxS Homelab/Postgres Homelab/username')"
export POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Postgres Homelab/password')"

# Bring up container
docker compose up -d

echo "--- Docker Secret Management Complete ---"
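Review bot: `set -e` does not catch a failing `op read` in `export POSTGRES_PASSWORD="$(op read ...)"`, because the status of that line is the `export` builtin's, not the command substitution's, so a missing or expired `OP_SERVICE_ACCOUNT_TOKEN` or a wrong item path silently yields empty credentials and `docker compose up -d` still runs with them. Assign and export in two steps (`POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Postgres Homelab/password')"` then `export POSTGRES_PASSWORD`), or check that both values are non-empty before the `docker compose up -d` line. The `# Mount secrets` comment and the "Docker Secret Management" echo lines are also misleading: the script only exports two environment variables, and the mounting into `/run/secrets` is done by compose.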