Postgresql database for storing TF states #10
Reference: home/nixos-servers#10
https://nixos.wiki/wiki/PostgreSQL
https://www.postgresql.org/docs/current/ssl-tcp.html
Forcing server SSL cert checking:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLCERTMODE
Setting root certificate of server:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLROOTCERT
Environmental variables for options:
https://www.postgresql.org/docs/current/libpq-envars.html
Maybe nice to do mutual SSL instead of passwords.
Should use sslmode == require, which doesn't check hostname, and we don't have to put that into the certificate.

Thought of an interesting potential problem. If we have a data directory for postgresql, with a matching UID and GID, how can we guarantee that the postgresql service can access these files? The service needs to have the same UID and GID. However, if we just let Nix create the user and group, a random unused UID and GID are chosen. Therefore we need to declare this user and group beforehand.
Update: this is not actually a problem, because NixOS uses ids.uids.postgres and ids.gids.postgres, which are static values. Not sure how this works on other distros, but NixOS fixes this at least.
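The notes above sketch a PostgreSQL backend for Terraform state that is reached over TLS and authenticates the client by certificate rather than password, on a NixOS host where the postgres user has a fixed UID. The module below is an added example and is not code from the nixos-servers repository. It assumes hypothetical names: a database and role both called `tfstate`, a client network of `10.0.0.0/8`, and a CA certificate plus server certificate and key already deployed under `/var/lib/postgresql/tls` by a secrets tool such as agenix or sops-nix (that deployment is out of scope here). The options used (`services.postgresql.settings`, `authentication`, `ensureDatabases`, `ensureUsers`, `enableTCPIP`) are the ones the linked NixOS wiki page documents; the `pg_hba.conf` lines and `ssl_*` settings are PostgreSQL's own.

```nix
# Added example (not part of the nixos-servers repo): serve the Terraform "pg"
# backend database over TLS and authenticate Terraform by client certificate.
# Assumed/hypothetical: role and database "tfstate", client network 10.0.0.0/8,
# CA + server cert/key pre-deployed under /var/lib/postgresql/tls.
{ config, ... }:

let
  tlsDir = "/var/lib/postgresql/tls";
in
{
  services.postgresql = {
    enable = true;
    # Listen on the network; the hostssl rules below decide what is accepted.
    enableTCPIP = true;

    settings = {
      ssl = true;                                 # rendered as 'ssl = on'
      ssl_cert_file = "${tlsDir}/server.crt";
      ssl_key_file  = "${tlsDir}/server.key";     # must be owned by postgres, mode 0600
      ssl_ca_file   = "${tlsDir}/ca.crt";         # CA that signs the Terraform client cert
      ssl_min_protocol_version = "TLSv1.2";
    };

    ensureDatabases = [ "tfstate" ];
    ensureUsers = [
      # Owning the database lets the role CREATE SCHEMA, which the pg backend
      # needs on first use; no password is ever set for this role.
      { name = "tfstate"; ensureDBOwnership = true; }
    ];

    # Appended to pg_hba.conf after NixOS's default local/peer entries.
    # "cert": the client must present a certificate chaining to ssl_ca_file
    # whose CN equals the role name. "hostssl" matches only TLS connections, so
    # a plaintext attempt from the network matches nothing and is refused.
    # First match wins: everything that is not the tfstate pair is rejected.
    authentication = ''
      hostssl tfstate tfstate 10.0.0.0/8 cert
      hostssl all     all     0.0.0.0/0  reject
      hostssl all     all     ::/0       reject
    '';
  };

  # Key material readable only by the postgres user. NixOS assigns that user a
  # static UID (config.ids.uids.postgres), so ownership of this directory and
  # of a restored data directory stays valid across redeploys.
  systemd.tmpfiles.rules = [
    "d ${tlsDir} 0700 postgres postgres -"
  ];
}
```

On the Terraform side the same libpq parameters the linked pages describe can be given as environment variables instead of being written into `conn_str`: `PGSSLCERT` and `PGSSLKEY` select the client certificate whose CN is `tfstate`, `PGSSLROOTCERT` points at the CA that signed the server certificate, and `PGSSLMODE` chooses how much of the server certificate is checked. In libpq, `require` only guarantees encryption and does not by itself validate the server certificate (unless a root CA file is present, in which case it behaves like `verify-ca`), `verify-ca` validates the chain against the root certificate without checking the hostname, and `verify-full` additionally matches the hostname; `verify-ca` is therefore the mode that gives chain validation while leaving the hostname out of the certificate. Because the role has no password, a leaked `conn_str` on its own is not enough to read or write state; the private key file is the credential to protect.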