mirror of
https://git.asonix.dog/asonix/pict-rs
synced 2024-12-21 10:51:25 +00:00
Add postgres.md in docs/
This commit is contained in:
parent
a4f1a1e843
commit
378bde933e
1 changed files with 188 additions and 0 deletions
188
docs/postgres.md
Normal file
188
docs/postgres.md
Normal file
|
@ -0,0 +1,188 @@
|
|||
# How to prepare postgres for pict-rs
|
||||
|
||||
## Preparing postgres
|
||||
|
||||
### I already have a postgres
|
||||
|
||||
If you already have a postgres server, we'll create an additional database in it for pict-rs. First,
|
||||
you'll need to connect to your postgres server as an administrator. The general command should look
|
||||
like the following.
|
||||
```bash
|
||||
psql -U postgres
|
||||
```
|
||||
> `postgres` here is the name of the administrator role. If your administrator role is named
|
||||
something else (maybe `lemmy`) then use that instead.
|
||||
|
||||
If postgres is running in a docker-compose environment, it might look like this.
|
||||
```bash
|
||||
sudo docker-compose exec postgres psql -U postgres
|
||||
```
|
||||
> note that the first `postgres` in this command is the docker-compose service, and the second
|
||||
`postgres` is the name of the database administrator role
|
||||
|
||||
Once you have a postgres shell, we'll configure the postgres user and database.
|
||||
|
||||
First, create the pictrs user.
|
||||
```sql
|
||||
CREATE USER pictrs;
|
||||
```
|
||||
|
||||
Then set the pictrs user's password
|
||||
```sql
|
||||
\password pictrs -- allows setting the password for the postgres user
|
||||
```
|
||||
|
||||
Finally, create the pictrs database giving ownership to the pictrs user.
|
||||
```sql
|
||||
CREATE DATABASE pictrs OWNER pictrs;
|
||||
```
|
||||
|
||||
The database configuration is now complete.
|
||||
|
||||
### I don't have a postgres
|
||||
|
||||
Postgres can be installed in a variety of ways, but a simple way to do it is with docker-compose,
|
||||
although installing docker and docker-compose is left as an exercise to the reader. An example
|
||||
docker-compose file can be found below.
|
||||
|
||||
```yaml
|
||||
version: '3.3'
|
||||
|
||||
services:
|
||||
postgres:
|
||||
image: postgres:16-alpine
|
||||
ports:
|
||||
- "5432:5432"
|
||||
environment:
|
||||
- PG_DATA=/var/lib/postgresql/data
|
||||
- POSTGRES_DB=pictrs
|
||||
- POSTGRES_USER=pictrs
|
||||
- POSTGRES_PASSWORD=CREATE_YOUR_OWN_PASSWORD
|
||||
volumes:
|
||||
- ./storage/postgres:/var/lib/postgresql/data
|
||||
```
|
||||
|
||||
After the file is written, a quick `sudo docker-compose up -d` should launch the postgres server,
|
||||
making it available on `localhost:5432`.
|
||||
|
||||
## Connecting to postgres
|
||||
|
||||
pict-rs can be configured to talk to your postgres server a few different ways.
|
||||
1. environment variables
|
||||
2. the `pict-rs.toml` file
|
||||
3. commandline arguments
|
||||
|
||||
In many cases, environment variables will be the easiest.
|
||||
|
||||
### Environment Variables
|
||||
|
||||
The variables you'll need to set are the following
|
||||
- `PICTRS__REPO__TYPE`
|
||||
- `PICTRS__REPO__URL`
|
||||
|
||||
with a few optional variables for folks who have TLS involved
|
||||
- `PICTRS__REPO__USE_TLS`
|
||||
- `PICTRS__REPO__CERTIFICATE_FILE`
|
||||
|
||||
For a simple self-hosted postgres deployment, the following variables should be set:
|
||||
```bash
|
||||
PICTRS__REPO__TYPE=postgres
|
||||
PICTRS__REPO__URL=postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@localhost:5432/pictrs
|
||||
```
|
||||
|
||||
If you're running pict-rs in the same docker-compose file as you are postgres, then change
|
||||
`localhost` in the above URL to the name of your postgres service, e.g.
|
||||
```yaml
|
||||
- PICTRS__REPO__TYPE=postgres
|
||||
- PICTRS__REPO__URL=postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@postgres:5432/pictrs
|
||||
```
|
||||
|
||||
If your postgres is provided by another party, or exists on a different host, then provide the
|
||||
correct hostname or IP address to reach it.
|
||||
|
||||
If your postgres supports TLS connections, as might be present in cloud environments, then the
|
||||
following variables should be set.
|
||||
```bash
|
||||
PICTRS__REPO__USE_TLS=true
|
||||
PICTRS__REPO__CERTIFICATE_FILE=/path/to/certificate/file.crt
|
||||
```
|
||||
> Note that if you provide a path to the certificate file, pict-rs must be able to read that path.
|
||||
This means that if you're running pict-rs in docker, the certificate file needs to be mounted into
|
||||
the container.
|
||||
|
||||
### pict-rs.toml
|
||||
|
||||
The toml configuration can be set pretty easily. The `repo` section should look like the following
|
||||
```toml
|
||||
[repo]
|
||||
type = 'postgres'
|
||||
url = 'postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@postgres:5432/pictrs'
|
||||
```
|
||||
note that the hostname `postgres` should be changed to the host that your postgres server is
|
||||
accessible at.
|
||||
|
||||
For enabling TLS, the configuration would look like the following:
|
||||
```toml
|
||||
[repo]
|
||||
type = 'postgres'
|
||||
url = 'postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@postgres:5432/pictrs'
|
||||
use_tls = true
|
||||
certificate_file = '/path/to/certificate/file.crt'
|
||||
```
|
||||
|
||||
### Commandline arguments
|
||||
|
||||
pict-rs can be configured entirely from the commandline. An example invocation could look like the
|
||||
following:
|
||||
```bash
|
||||
pict-rs run \
|
||||
filesytem -p /path/to/files \
|
||||
postgres -u 'postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@postgres:5432/pictrs'
|
||||
```
|
||||
|
||||
with TLS it could look like this:
|
||||
```bash
|
||||
pict-rs run \
|
||||
filesytem -p /path/to/files \
|
||||
postgres \
|
||||
-u 'postgres://pictrs:CREATE_YOUR_OWN_PASSWORD@postgres:5432/pictrs' \
|
||||
-t \
|
||||
-c /path/to/certificate/file.crt
|
||||
```
|
||||
|
||||
## Additional comments
|
||||
|
||||
When configuring TLS, the `certificate_file` setting isn't required, however, it is likely it will
|
||||
be used when TLS is enabled. A case when it might not be required is if your postgres publicly
|
||||
accessible on the internet and receives a valid certificate from a trusted certificate authority.
|
||||
|
||||
For testing TLS, I've been using `certstrap` to generate a CA and certificates. I have a script
|
||||
called `setup-tls.sh` that looks like this:
|
||||
```bash
|
||||
certstrap init --common-name pictrsCA
|
||||
certstrap request-cert --common-name postgres --domain localhost
|
||||
certstrap sign postgres --CA pictrsCA
|
||||
```
|
||||
|
||||
This genrates a CA and uses that CA to sign a new certificate for `localhost`. Then I update
|
||||
postgres' pg_hba.conf file to allow connections over TLS:
|
||||
```pg_hba.conf
|
||||
hostssl all all all cert clientcert=verify-full
|
||||
```
|
||||
|
||||
Finally, I launch postgres with a custom commandline.
|
||||
```
|
||||
-c "ssl=on" \
|
||||
-c "ssl_cert_file=/path/to/postgres.crt" \
|
||||
-c "ssl_key_file=/path/to/postgres.key" \
|
||||
-c "ssl_ca_file=/path/to/pictrsCA.crt" \
|
||||
-c "ssl_crl_file=/path/to/pictrsCA.crl"
|
||||
```
|
||||
Alternatively, I could update the postgresql.conf file.
|
||||
```postgresql.conf
|
||||
ssl=on
|
||||
ssl_cert_file=/path/to/postgres.crt
|
||||
ssl_key_file=/path/to/postgres.key
|
||||
ssl_ca_file=/path/to/pictrsCA.crt
|
||||
ssl_crl_file=/path/to/pictrsCA.crl
|
||||
```
|
Loading…
Reference in a new issue