From 18d4c995717c64af75cdd6208bff153f2a00987c Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 26 Dec 2020 13:42:20 +0100
Subject: [PATCH] [doc] workers need access to the database

---
 doc/uncloud-manual-2020-08-01.org | 63 +++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/doc/uncloud-manual-2020-08-01.org b/doc/uncloud-manual-2020-08-01.org
index 5c6a9f7..2fefca6 100644
--- a/doc/uncloud-manual-2020-08-01.org
+++ b/doc/uncloud-manual-2020-08-01.org
@@ -32,6 +32,8 @@ pip install -r requirements.txt
 The database can run on the same host as uncloud, but can also run a different server. Consult the usual postgresql documentation for a secure configuration.
+
+ The database needs to be accessible from all worker nodes.
 **** Alpine
 #+BEGIN_SRC sh
 apk add postgresql-server
@@ -60,6 +62,67 @@ postgres=# create database uncloud owner nico;
 python manage.py migrate
 #+END_SRC
+*** Configuring remote access
+ - Get a letsencrypt certificate
+ - Expose SSL ports
+ - Create a user
+
+ #+BEGIN_SRC sh
+ certbot certonly --standalone \
+ -d -m your@email.come \
+ --agree-tos --no-eff-email
+ #+END_SRC
+
+ - Configuring postgresql.conf:
+ #+BEGIN_SRC sh
+listen_addresses = '*' # what IP address(es) to listen on;
+ssl = on
+ssl_cert_file = '/etc/postgresql/server.crt'
+ssl_key_file = '/etc/postgresql/server.key'
+
+ #+END_SRC
+
+ - Cannot load directly due to permission error:
+2020-12-26 13:01:55.235 CET [27805] FATAL: could not load server
+certificate file
+"/etc/letsencrypt/live/2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/fullchain.pem":
+Permission denied
+
+ - hook
+ #+BEGIN_SRC sh
+bridge:/etc/letsencrypt/renewal-hooks/deploy# cat /etc/letsencrypt/renewal-hooks/deploy/postgresql
+#!/bin/sh
+
+umask 0177
+export DOMAIN=2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name
+export DATA_DIR=/etc/postgresql
+
+cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
+cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key
+chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key
+ #+END_SRC
+
+ - Allowing access with md5 encrypted password encrypted via TLS
+ #+BEGIN_SRC sh
+hostssl all all ::/0 md5
+ #+END_SRC
+
+ #+BEGIN_SRC sh
+
+postgres=# create role uncloud password '...';
+CREATE ROLE
+postgres=# alter role uncloud login ;
+ALTER ROLE
+ #+END_SRC
+
+ Testing the connection:
+
+ #+BEGIN_SRC sh
+psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
+=require
+ #+END_SRC
+
+
 ** Bootstrap
 - Login via a user so that the user object gets created
 - Run the following (replace nicocustomer with the username)