[doc] workers need access to the database
This commit is contained in:
Nico Schottelius
parent
e51edab2f5
commit
18d4c99571
1 changed files with 63 additions and 0 deletions
|
|
@ -32,6 +32,8 @@ pip install -r requirements.txt
|
||||||
The database can run on the same host as uncloud, but can also run
|
The database can run on the same host as uncloud, but can also run
|
||||||
a different server. Consult the usual postgresql documentation for
|
a different server. Consult the usual postgresql documentation for
|
||||||
a secure configuration.
|
a secure configuration.
|
||||||
|
|
||||||
|
The database needs to be accessible from all worker nodes.
|
||||||
**** Alpine
|
**** Alpine
|
||||||
#+BEGIN_SRC sh
|
#+BEGIN_SRC sh
|
||||||
apk add postgresql-server
|
apk add postgresql-server
|
||||||
|
|
@ -60,6 +62,67 @@ postgres=# create database uncloud owner nico;
|
||||||
python manage.py migrate
|
python manage.py migrate
|
||||||
#+END_SRC
|
#+END_SRC
|
||||||
|
|
||||||
|
*** Configuring remote access
|
||||||
|
- Get a letsencrypt certificate
|
||||||
|
- Expose SSL ports
|
||||||
|
- Create a user
|
||||||
|
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
certbot certonly --standalone \
|
||||||
|
-d <yourdbhostname> -m your@email.come \
|
||||||
|
--agree-tos --no-eff-email
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
- Configuring postgresql.conf:
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
listen_addresses = '*' # what IP address(es) to listen on;
|
||||||
|
ssl = on
|
||||||
|
ssl_cert_file = '/etc/postgresql/server.crt'
|
||||||
|
ssl_key_file = '/etc/postgresql/server.key'
|
||||||
|
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
- Cannot load directly due to permission error:
|
||||||
|
2020-12-26 13:01:55.235 CET [27805] FATAL: could not load server
|
||||||
|
certificate file
|
||||||
|
"/etc/letsencrypt/live/2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/fullchain.pem":
|
||||||
|
Permission denied
|
||||||
|
|
||||||
|
- hook
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
bridge:/etc/letsencrypt/renewal-hooks/deploy# cat /etc/letsencrypt/renewal-hooks/deploy/postgresql
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
umask 0177
|
||||||
|
export DOMAIN=2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name
|
||||||
|
export DATA_DIR=/etc/postgresql
|
||||||
|
|
||||||
|
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
|
||||||
|
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key
|
||||||
|
chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
- Allowing access with md5 encrypted password encrypted via TLS
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
hostssl all all ::/0 md5
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
|
||||||
|
postgres=# create role uncloud password '...';
|
||||||
|
CREATE ROLE
|
||||||
|
postgres=# alter role uncloud login ;
|
||||||
|
ALTER ROLE
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Testing the connection:
|
||||||
|
|
||||||
|
#+BEGIN_SRC sh
|
||||||
|
psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
|
||||||
|
=require
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
|
||||||
** Bootstrap
|
** Bootstrap
|
||||||
- Login via a user so that the user object gets created
|
- Login via a user so that the user object gets created
|
||||||
- Run the following (replace nicocustomer with the username)
|
- Run the following (replace nicocustomer with the username)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue