Skip to content
This repository has been archived by the owner on Jun 15, 2020. It is now read-only.

Latest commit

 

History

History
44 lines (31 loc) · 2.28 KB

README.md

File metadata and controls

44 lines (31 loc) · 2.28 KB

LocalEGA database definitions and docker image

We use Postgres 12.1 and Alpine 3.10.

Security is hardened:

  • We do not use 'trust' even for local connections
  • Requiring password authentication for all
  • Using scram-sha-256 is stronger than md5
  • Enforcing TLS communication
  • Enforcing client-certificate verification

Configuration

There are 2 users (lega_in and lega_out), and 2 schemas (local_ega and local_ega_download).

The following environment variables can be used to configure the database:

Variable Description Default value
PGDATA The data directory /ega/data
DB_LEGA_IN_PASSWORD lega_in's password -
DB_LEGA_OUT_PASSWORD lega_out's password -
TZ Timezone for the Postgres server Europe/Madrid

As usual, include your own .sh, .sql or .sql.gz files in /docker-entrypoint-initdb.d/ in order to have them included at initialization time.

TLS support

Variable Description Default value
PG_SERVER_CERT Public Certificate in PEM format /etc/ega/pg.cert
PG_SERVER_KEY Private Key in PEM format /etc/ega/pg.key
PG_CA Public CA Certificate in PEM format /etc/ega/CA.cert
PG_VERIFY_PEER Enforce client verification 0
SSL_SUBJ Subject for the self-signed certificate creation /C=ES/ST=Spain/L=Barcelona/O=CRG/OU=SysDevs/CN=LocalEGA/[email protected]

If not already injected, the files located at PG_SERVER_CERT and PG_SERVER_KEY will be generated, as a self-signed public/private certificate pair, using SSL_SUBJ.

Client verification is enforced if and only if PG_CA exists and PG_VERIFY_PEER is set to 1.