Skip to content
This repository has been archived by the owner on Jun 15, 2020. It is now read-only.
/ LocalEGA-db Public archive

LocalEGA database definitions and docker image

License

Notifications You must be signed in to change notification settings

EGA-archive/LocalEGA-db

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

LocalEGA database definitions and docker image

We use Postgres 12.1 and Alpine 3.10.

Security is hardened:

  • We do not use 'trust' even for local connections
  • Requiring password authentication for all
  • Using scram-sha-256 is stronger than md5
  • Enforcing TLS communication
  • Enforcing client-certificate verification

Configuration

There are 2 users (lega_in and lega_out), and 2 schemas (local_ega and local_ega_download).

The following environment variables can be used to configure the database:

Variable Description Default value
PGDATA The data directory /ega/data
DB_LEGA_IN_PASSWORD lega_in's password -
DB_LEGA_OUT_PASSWORD lega_out's password -
TZ Timezone for the Postgres server Europe/Madrid

As usual, include your own .sh, .sql or .sql.gz files in /docker-entrypoint-initdb.d/ in order to have them included at initialization time.

TLS support

Variable Description Default value
PG_SERVER_CERT Public Certificate in PEM format /etc/ega/pg.cert
PG_SERVER_KEY Private Key in PEM format /etc/ega/pg.key
PG_CA Public CA Certificate in PEM format /etc/ega/CA.cert
PG_VERIFY_PEER Enforce client verification 0
SSL_SUBJ Subject for the self-signed certificate creation /C=ES/ST=Spain/L=Barcelona/O=CRG/OU=SysDevs/CN=LocalEGA/[email protected]

If not already injected, the files located at PG_SERVER_CERT and PG_SERVER_KEY will be generated, as a self-signed public/private certificate pair, using SSL_SUBJ.

Client verification is enforced if and only if PG_CA exists and PG_VERIFY_PEER is set to 1.