forked from IT-Syndikat/its-network
1.9 KiB
1.9 KiB
About
This file contains the documenation for our local database server. This was originally postgres only, which has changed now to postgres and mariadb making the name a bit confusing.
Location
The VM is running as pgsql.srv.it-syndikat.org on acraze.
PostgreSQL
The PostgreSQL database uses client certificates for authentication. These are stored in
/etc/postgresql/client_certs/; the server is configured to use /etc/postgresql/client_certs.pem
(a concatenation of all the individual certificates) as a certificate authority, removing the
need for a "proper" PKI.
To set up a new postgresql client:
- Generate a new client key and certificate using
sudo generate_client_cert DBNAME KEY_OUTFILE - Copy the generated keyfile and certificate (from
/etc/postgresql/client_certs/) as well as the server certificate (from/etc/postgresql/server.pem) to the client - Specify the following postgres arguments:
user=DBNAMEdatabase=DBNAMEsslmode=verify-casslkey=[client keyfile.key]sslcert=[client cert.pem]sslrootcert=[server cert.pem]
generate_client_cert
script
#!/usr/bin/env bash
set -euo pipefail
CERTS_DIRECTORY=/etc/postgresql/client_certs
COMBINED_CERTS_FILE=/etc/postgresql/client_certs.pem
[[ $# -eq 2 ]] || { echo "Usage: $0 DBNAME KEY_OUTFILE" >&2; exit 1; }
dbname=$1
keyfile=$2
openssl req \
-new \
-x509 \
-sha256 \
-days 358201 \
-extensions usr_cert \
-newkey rsa:4096 \
-noenc \
-out "$CERTS_DIRECTORY/$dbname.pem" \
-keyout "$keyfile" \
-subj "/CN=$dbname"
echo "Key has been generated as $keyfile."
echo "Adding certificate to certificate store..."
cat "$CERTS_DIRECTORY"/*.pem > "$COMBINED_CERTS_FILE"
systemctl reload postgresql.service
echo "Done."
Maintainers
- @xiretza: VM maintenance and postgresql
- @tyrolyean: mariadb database