Image that configures Postgres before starting it.
It automates the handling of specific users accessing a Postgres server from specific networks.
It tries to configure access as well as possible, differentiating between connections made from the LAN (attached Docker networks) and from the WAN (all others). This is done at entrypoint time, because it is the only way to know the dynamic IP ranges of the attached networks.
Then it generates the appropriate `postgres.conf` and `pg_hba.conf` files.
It doesn't validate your settings, so you should be aware of proper configuration:
- Do not set the `cert` auth method if `client.ca.cert.pem` is not supplied.
- Do not enable TLS if `server.cert.pem` and `server.key.pem` are not supplied.
- Do not publish ports without encryption.
- Use good passwords if you don't use cert auth.
Variables' defaults are all found in the Dockerfile.
The container is mainly configured via these environment variables:
JSON object with some or all of these keys:
- `client.ca.cert.pem`: PEM contents for Postgres' `ssl_ca_file` parameter. Enables `cert` authentication in remote Postgres clients. It's the most secure remote auth option. All clients must authenticate with a cert signed by this CA.
- `server.cert.pem`: PEM contents for Postgres' `ssl_cert_file` parameter. The Postgres server will identify itself and encrypt the connection with this certificate.
- `server.key.pem`: PEM contents for Postgres' `ssl_key_file` parameter. The Postgres server will identify itself and encrypt the connection with this private key.
If you pass `server.cert.pem`, you should pass `server.key.pem` too, and vice versa, or TLS encryption will not be properly configured. You also need both of them if you use `client.ca.cert.pem`.
It is safer to mount files with secrets instead of passing a JSON string in an env variable. You can mount the equivalents:
- `/etc/postgres/client.ca.cert.pem`
- `/etc/postgres/server.cert.pem`
- `/etc/postgres/server.key.pem`
String with contents appended to the generated `postgres.conf` file.
Method required to authenticate clients that connect from LAN.
Connection type allowed for LAN connections.
JSON array with database names whose access is allowed from LAN.
Template applied for each combination of LAN CIDR/USER/DATABASE in the `pg_hba.conf` file. Some placeholders can be expanded. See the Dockerfile to know them.
Whether or not to enable TLS in LAN connections.
Users allowed to connect from LAN.
Method required to authenticate clients that connect from WAN.
Connection type allowed for WAN connections. If it is `hostssl`, it will only have effect when the required certs are received.
JSON array with database names whose access is allowed from WAN.
Template applied for each combination of USER/DATABASE in the `pg_hba.conf` file, for public connections. Some placeholders can be expanded. See the Dockerfile to know them.
Whether or not to enable TLS in WAN connections.
Users allowed to connect from WAN.
JSON array of additional pg_hba.conf rules to append. Each array element should be a string representing a valid pg_hba.conf line.
Example `HBA_EXTRA_RULES` format in an `.env` file:

```
HBA_EXTRA_RULES=["host all all 192.168.1.0/24 md5", "hostssl mydb myuser 10.0.0.0/8 scram-sha-256"]
```

This adds the following lines to `pg_hba.conf`:

```
host all all 192.168.1.0/24 md5
hostssl mydb myuser 10.0.0.0/8 scram-sha-256
```
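To make the LAN/WAN expansion and the "do not" rules above concrete, here is an added example (not the image's own entrypoint code) that renders `pg_hba.conf` lines from settings like the ones described and checks them against those rules first. The env variable names other than `HBA_EXTRA_RULES`, the `0.0.0.0/0` WAN address, the `local` rule and the sample LAN CIDR are assumptions; the real entrypoint reads the attached Docker network ranges from the container's interfaces at startup.

```python
import json
from ipaddress import ip_network

# Constructed sample settings standing in for the container's environment.
# Variable names other than HBA_EXTRA_RULES are assumptions, not the image's real names.
ENV = {
    "LAN_AUTH_METHOD": "md5", "LAN_CONNECTION": "host",
    "LAN_DATABASES": '["app", "reports"]', "LAN_USERS": '["app"]',
    "WAN_AUTH_METHOD": "cert", "WAN_CONNECTION": "hostssl",
    "WAN_DATABASES": '["app"]', "WAN_USERS": '["admin"]',
    "HBA_EXTRA_RULES": '["host all all 192.168.1.0/24 md5"]',
}
# Whether each secret file is mounted under /etc/postgres/ (constructed flags).
CERTS = {"server.cert.pem": True, "server.key.pem": True, "client.ca.cert.pem": False}


def validate(env, certs):
    """Apply the README's 'do not' rules; return the problems found (empty = OK)."""
    problems = []
    tls_ok = certs["server.cert.pem"] and certs["server.key.pem"]
    if certs["server.cert.pem"] != certs["server.key.pem"]:
        problems.append("server.cert.pem and server.key.pem must be supplied together")
    for side in ("LAN", "WAN"):
        if env[f"{side}_AUTH_METHOD"] == "cert" and not (tls_ok and certs["client.ca.cert.pem"]):
            problems.append(f"{side}: cert auth needs client.ca.cert.pem plus server cert/key")
        if env[f"{side}_CONNECTION"] == "hostssl" and not tls_ok:
            problems.append(f"{side}: hostssl requested but TLS is not configured")
    return problems


def render_pg_hba(env, lan_cidrs):
    """Expand one rule per LAN CIDR/user/database, then WAN rules, then extra rules."""
    lines = ["local all all peer"]  # assumed local socket rule
    for cidr in lan_cidrs:
        net = ip_network(cidr, strict=False)  # normalise host address to its network
        for user in json.loads(env["LAN_USERS"]):
            for db in json.loads(env["LAN_DATABASES"]):
                lines.append(f'{env["LAN_CONNECTION"]} {db} {user} {net} {env["LAN_AUTH_METHOD"]}')
    for user in json.loads(env["WAN_USERS"]):
        for db in json.loads(env["WAN_DATABASES"]):
            # WAN = everything not matched by a LAN rule above (IPv4 only here, an assumption)
            lines.append(f'{env["WAN_CONNECTION"]} {db} {user} 0.0.0.0/0 {env["WAN_AUTH_METHOD"]}')
    lines.extend(json.loads(env["HBA_EXTRA_RULES"]))
    return lines


if __name__ == "__main__":
    print("\n".join(f"problem: {p}" for p in validate(ENV, CERTS)))
    print("\n".join(render_pg_hba(ENV, ["172.18.0.5/16"])))
```

With the constructed settings, `validate` reports that WAN `cert` auth was requested without `client.ca.cert.pem`, the exact misconfiguration the README warns the image will not catch for you.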