We use Postgres 12.1 and Alpine 3.10.
Security is hardened:
- We do not use 'trust' even for local connections
- Requiring password authentication for all
- Using scram-sha-256 is stronger than md5
- Enforcing TLS communication
- Enforcing client-certificate verification
There are 2 users (lega_in and lega_out), and 2 schemas
(local_ega and local_ega_download).
The following environment variables can be used to configure the database:
| Variable | Description | Default value |
|---|---|---|
| PGDATA | The data directory | /ega/data |
| DB_LEGA_IN_PASSWORD | lega_in's password |
- |
| DB_LEGA_OUT_PASSWORD | lega_out's password |
- |
| TZ | Timezone for the Postgres server | Europe/Madrid |
As usual, include your own .sh, .sql or .sql.gz files in /docker-entrypoint-initdb.d/ in order to have them included at initialization time.
| Variable | Description | Default value |
|---|---|---|
| PG_SERVER_CERT | Public Certificate in PEM format | /etc/ega/pg.cert |
| PG_SERVER_KEY | Private Key in PEM format | /etc/ega/pg.key |
| PG_CA | Public CA Certificate in PEM format | /etc/ega/CA.cert |
| PG_VERIFY_PEER | Enforce client verification | 0 |
| SSL_SUBJ | Subject for the self-signed certificate creation | /C=ES/ST=Spain/L=Barcelona/O=CRG/OU=SysDevs/CN=LocalEGA/emailAddress=all.ega@crg.eu |
If not already injected, the files located at PG_SERVER_CERT and PG_SERVER_KEY will be generated, as a self-signed public/private certificate pair, using SSL_SUBJ.
Client verification is enforced if and only if PG_CA exists and PG_VERIFY_PEER is set to 1.