Postgresql database for storing TF states #10

Closed
opened 2023-11-22 11:33:45 +00:00 by pim · 1 comment
Owner

https://nixos.wiki/wiki/PostgreSQL
https://www.postgresql.org/docs/current/ssl-tcp.html

Forcing server SSL cert checking:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLCERTMODE

Setting root certificate of server:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLROOTCERT

Environment variables for options:
https://www.postgresql.org/docs/current/libpq-envars.html

Maybe nice to do mutual SSL instead of passwords.

Should use sslmode == require which doesn't check hostname and we don't have to put that into the certificate.

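For reference on the libpq side: `sslmode=require` encrypts the connection but accepts any server certificate; `sslmode=verify-ca` validates the server certificate against `sslrootcert` without checking the hostname; `sslmode=verify-full` additionally checks that the hostname matches the certificate. Below is an added NixOS configuration sketch for the server side of the setup discussed in this issue (TLS-only access plus client-certificate authentication in place of passwords). It is example code written for this page, not configuration from the home/nixos-servers repository. The certificate paths, the `terraform_backend` database, the `terraform` role and the `10.0.0.0/24` client network are assumptions; `ensureDBOwnership` assumes NixOS 23.11 or later.

```nix
# Added example, not from the repository. Assumed: certificates already issued
# and placed under /var/lib/postgresql/tls, NixOS 23.11 or later.
{ config, pkgs, ... }:

{
  services.postgresql = {
    enable = true;
    # Listen on TCP as well as the Unix socket (sets listen_addresses = "*").
    enableTCPIP = true;

    # Database and owning role for the Terraform "pg" backend (assumed names).
    ensureDatabases = [ "terraform_backend" ];
    ensureUsers = [
      {
        name = "terraform";
        ensureDBOwnership = true;
      }
    ];

    settings = {
      ssl = true;
      # Server certificate and key. PostgreSQL refuses to start unless the key
      # is mode 0600 owned by postgres (or 0640 owned by root).
      ssl_cert_file = "/var/lib/postgresql/tls/server.crt";
      ssl_key_file = "/var/lib/postgresql/tls/server.key";
      # CA that issued the *client* certificates; required for the `cert`
      # authentication method below.
      ssl_ca_file = "/var/lib/postgresql/tls/client-ca.crt";
      ssl_min_protocol_version = "TLSv1.3";
    };

    # Appended to pg_hba.conf ahead of the module's default local/loopback
    # rules. `cert` authenticates purely by client certificate: the CN of the
    # presented certificate must equal the database role name ("terraform").
    authentication = ''
      hostssl   terraform_backend  terraform  10.0.0.0/24  cert
      # Reject every plaintext TCP connection so a misconfigured client cannot
      # fall back to an unencrypted password login.
      hostnossl all                all        0.0.0.0/0    reject
      hostnossl all                all        ::/0         reject
    '';
  };

  networking.firewall.allowedTCPPorts = [ 5432 ];
}
```

On the client side the matching libpq parameters are `sslmode=verify-ca` (or `verify-full` if the server certificate carries the hostname), `sslrootcert` pointing at the CA that signed the server certificate, and `sslcert`/`sslkey` for the client certificate whose CN is `terraform`; they can be given in the connection string or via the `PGSSLMODE`, `PGSSLROOTCERT`, `PGSSLCERT` and `PGSSLKEY` environment variables listed on the libpq-envars page linked above.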
Author
Owner

Thought of an interesting potential problem. If we have a data directory for postgresql, with a matching UID and GID, how can we guarantee that the postgresql service can access these files? The service needs to have the same UID and GID. However, if we just let Nix create the user and group, a random unused UID and GID are chosen. Therefore we need to declare this user and group beforehand.

Update: this is not actually a problem, because NixOS uses ids.uids.postgres and ids.gids.postgres, which are static values. Not sure how this works on other distros, but NixOS fixes this at least.

pim closed this issue 2023-11-25 13:58:24 +00:00
Reference: home/nixos-servers#10