[doc] workers need access to the database
parent
e51edab2f5
commit
18d4c99571
1 changed files with 63 additions and 0 deletions
|
@ -32,6 +32,8 @@ pip install -r requirements.txt
|
|||
The database can run on the same host as uncloud, but can also run
|
||||
a different server. Consult the usual postgresql documentation for
|
||||
a secure configuration.
|
||||
|
||||
The database needs to be accessible from all worker nodes.
|
||||
**** Alpine
|
||||
#+BEGIN_SRC sh
|
||||
apk add postgresql-server
|
||||
|
@ -60,6 +62,67 @@ postgres=# create database uncloud owner nico;
|
|||
python manage.py migrate
|
||||
#+END_SRC
|
||||
|
||||
*** Configuring remote access
|
||||
- Get a letsencrypt certificate
|
||||
- Expose SSL ports
|
||||
- Create a user
|
||||
|
||||
#+BEGIN_SRC sh
|
||||
certbot certonly --standalone \
|
||||
-d <yourdbhostname> -m your@email.come \
|
||||
--agree-tos --no-eff-email
|
||||
#+END_SRC
|
||||
|
||||
- Configuring postgresql.conf:
|
||||
#+BEGIN_SRC sh
|
||||
listen_addresses = '*' # what IP address(es) to listen on;
|
||||
ssl = on
|
||||
ssl_cert_file = '/etc/postgresql/server.crt'
|
||||
ssl_key_file = '/etc/postgresql/server.key'
|
||||
|
||||
#+END_SRC
|
||||
|
||||
- Cannot load directly due to permission error:
|
||||
2020-12-26 13:01:55.235 CET [27805] FATAL: could not load server
|
||||
certificate file
|
||||
"/etc/letsencrypt/live/2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/fullchain.pem":
|
||||
Permission denied
|
||||
|
||||
- hook
|
||||
#+BEGIN_SRC sh
|
||||
bridge:/etc/letsencrypt/renewal-hooks/deploy# cat /etc/letsencrypt/renewal-hooks/deploy/postgresql
|
||||
#!/bin/sh
|
||||
|
||||
umask 0177
|
||||
export DOMAIN=2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name
|
||||
export DATA_DIR=/etc/postgresql
|
||||
|
||||
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
|
||||
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key
|
||||
chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key
|
||||
#+END_SRC
|
||||
|
||||
- Allowing access with md5 encrypted password encrypted via TLS
|
||||
#+BEGIN_SRC sh
|
||||
hostssl all all ::/0 md5
|
||||
#+END_SRC
|
||||
|
||||
#+BEGIN_SRC sh
|
||||
|
||||
postgres=# create role uncloud password '...';
|
||||
CREATE ROLE
|
||||
postgres=# alter role uncloud login ;
|
||||
ALTER ROLE
|
||||
#+END_SRC
|
||||
|
||||
Testing the connection:
|
||||
|
||||
#+BEGIN_SRC sh
|
||||
psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
|
||||
=require
|
||||
#+END_SRC
|
||||
|
||||
|
||||
** Bootstrap
|
||||
- Login via a user so that the user object gets created
|
||||
- Run the following (replace nicocustomer with the username)
|
||||
|
|
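Review bot: The `pg_hba.conf` line `hostssl all all ::/0 md5`, together with `listen_addresses = '*'`, lets any role attempt a password login to any database from every IPv6 address, which is far wider than the stated need that worker nodes reach the database. I would document a scoped rule instead, `hostssl uncloud uncloud <worker-prefix>/<len> scram-sha-256` (placeholder prefix; set `password_encryption = scram-sha-256` before running `create role uncloud password '...'`), and reword the bullet, since md5 here is a password hashing method and not encryption. The connection test is split over two lines (`?sslmode` / `=require`), so it does not paste as one command, and `sslmode=require` encrypts without verifying the server certificate; `sslmode=verify-full`, given a root CA bundle on the client, is what lets workers actually check the Let's Encrypt certificate. The deploy hook copies the renewed key and certificate but never reloads PostgreSQL, so the server presumably keeps serving the old certificate until it is restarted; a reload step plus quoting of `"$DOMAIN"` and `"$DATA_DIR"` would be worth adding to the documented script.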