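# butane config
#
# Butane (Ignition) config for a podman/quadlet-managed PostgreSQL container.
# The comment-wrapped `{% for %}` / `{% endfor %}` lines and the `{{ ... }}`
# expressions indicate the file is rendered with Jinja before it is handed to
# Butane; the loops expand one `files` entry per listed filename.
# Variables expected from the renderer: LOCALE, POSTGRESQL_PASSWORD, HOSTNAME,
# POSTGRESQL_PUBLIC_MTLS, POSTGRESQL_PUBLIC_PWD.
systemd:
  units:
    # Pass the configured locale into the image build of the postgresql
    # container (consumed by the build's ADDLOCALES build-arg).
    - name: container-build@postgresql.service
      dropins:
        - name: dropin.conf
          contents: |
            [Service]
            Environment="PODMAN_BUILD_OPTIONS=--build-arg ADDLOCALES={{ LOCALE["LANG"] }}"

storage:
  files:
    # quadlet unit files for the postgresql container
    # {% for f in ["postgresql.conf", "postgresql.container", "postgresql.volume",] %}
    - path: /etc/containers/systemd/{{ f }}
      contents:
        local: postgresql/container/{{ f }}
      template: jinja
    # {% endfor %}

    # build context for the local postgresql image
    # {% for f in ["Containerfile", "custom-entrypoint.sh",] %}
    - path: /etc/containers/build/{{ f }}
      contents:
        local: postgresql/Containerfile/postgresql/{{ f }}
      template: jinja
    # {% endfor %}

    # postgresql env
    # Holds the superuser password, so it is readable by the owner only.
    # Butane interprets `mode` as an octal integer; keep the leading zero and
    # do not quote it.
    - path: /etc/containers/environment/postgresql.env
      mode: 0600
      contents:
        inline: |
          PGDATA=/var/lib/postgresql/data
          POSTGRES_PASSWORD={{ POSTGRESQL_PASSWORD }}
          # no network logins unless an explicit pg_hba/pg_ident rule grants them
          POSTGRES_HOST_AUTH_METHOD=reject
          # map username postgres@hostname to postgres if postgres@hostname matches hostname
          # The pattern is end-anchored with `$` so a certificate identity that merely
          # starts with "<user>@<hostname>" (e.g. with a longer suffix) is not mapped.
          # Dots in HOSTNAME are regex metacharacters and are not escaped here.
          POSTGRES_EXTRA_IDENT=tlsmap /^(.*)@{{ HOSTNAME }}$ \1
          LANG={{ LOCALE["LANG"] }}

    # traefik config for public access to the postgresql server
    # if inactive, it will be empty and therefore deactivated
    - path: /etc/local/frontend/frontend.postgresql.dynamic.yml
      contents:
        local: postgresql/frontend.postgresql.dynamic.yml
      template: jinja

    # firewall config for public access to the postgresql server
    # Only the ports whose access mode is enabled are opened; when neither mode
    # is enabled a REJECT policy is written instead of an empty file.
    - path: /etc/firewalld/policies/ingress-postgresql.xml
      mode: 0644
      contents:
        inline: |
          <?xml version="1.0" encoding="utf-8"?>
          {% if POSTGRESQL_PUBLIC_MTLS or POSTGRESQL_PUBLIC_PWD %}
          <policy target="ACCEPT">
            <short>Allow Incoming postgresql Traffic</short>
            <description>Allow incoming traffic to the host on the postgresql ports 5432 and 5431 from the public zone.</description>
            <ingress-zone name="public"/>
            {% if POSTGRESQL_PUBLIC_MTLS %}<port protocol="tcp" port="5432"/>{% endif %}
            {% if POSTGRESQL_PUBLIC_PWD %}<port protocol="tcp" port="5431"/>{% endif %}
          </policy>
          {% else %}
          <policy target="REJECT">
            <short>Blank REJECT Rule for disabled postgresql Traffic</short>
            <description>Replacement rule if both MTLS and PWD postgresql traffic is not enabled.</description>
            <ingress-zone name="public"/>
          </policy>
          {% endif %}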