diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile new file mode 100644 index 00000000..dbfc1dc8 --- /dev/null +++ b/optional/postgresql/Dockerfile @@ -0,0 +1,23 @@ +FROM alpine:3.8 +# python3 shared with most images +RUN apk add --no-cache \ + python3 py3-pip \ + && pip3 install --upgrade pip +# Shared layer between rspamd, postfix, dovecot, unbound and nginx +RUN pip3 install jinja2 +# Image specific layers under this line +RUN apk add --no-cache \ + postgresql postgresql-libs \ + && apk add --virtual .build-deps gcc musl-dev postgresql-dev python3-dev \ + && pip3 install psycopg2 anosql \ + && apk --purge del .build-deps + +COPY start.py /start.py +COPY conf /conf + +ENV LANG en_US.UTF-8 +EXPOSE 5432 + +RUN mkdir -p /run/postgresql && chown -R postgres:postgres /run/postgresql && chmod 2777 /run/postgresql + +CMD /start.py diff --git a/optional/postgresql/conf/pg_hba.conf b/optional/postgresql/conf/pg_hba.conf new file mode 100644 index 00000000..ca566f1f --- /dev/null +++ b/optional/postgresql/conf/pg_hba.conf @@ -0,0 +1,90 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + + + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer map=local +# IPv4 connections: +host all mailu {{ SUBNET }} md5 +host postgres health 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 reject +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all reject +host replication all 127.0.0.1/32 reject +host replication all ::1/128 reject diff --git a/optional/postgresql/conf/pg_ident.conf b/optional/postgresql/conf/pg_ident.conf new file mode 100644 index 00000000..dcfa34f3 --- /dev/null +++ b/optional/postgresql/conf/pg_ident.conf @@ -0,0 +1,45 @@ +# PostgreSQL User Name Maps +# ========================= +# +# Refer to the PostgreSQL documentation, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls PostgreSQL user name mapping. It maps external +# user names to their corresponding PostgreSQL user names. Records +# are of the form: +# +# MAPNAME SYSTEM-USERNAME PG-USERNAME +# +# (The uppercase quantities must be replaced by actual values.) +# +# MAPNAME is the (otherwise freely chosen) map name that was used in +# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the +# client. PG-USERNAME is the requested PostgreSQL user name. The +# existence of a record specifies that SYSTEM-USERNAME may connect as +# PG-USERNAME. +# +# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a +# regular expression. Optionally this can contain a capture (a +# parenthesized subexpression). The substring matching the capture +# will be substituted for \1 (backslash-one) if present in +# PG-USERNAME. +# +# Multiple maps may be specified in this file and used by pg_hba.conf. +# +# No map names are defined in the default configuration. If all +# system user names and PostgreSQL user names are the same, you don't +# need anything in this file. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can +# use "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- + +# MAPNAME SYSTEM-USERNAME PG-USERNAME +local postgres postgres +local root postgres +local root health diff --git a/optional/postgresql/conf/queries.sql b/optional/postgresql/conf/queries.sql new file mode 100644 index 00000000..ffea716b --- /dev/null +++ b/optional/postgresql/conf/queries.sql @@ -0,0 +1,26 @@ +-- name: create_user! +-- Create the mailu user if it does not exist. +do $$ +begin + create user mailu; + exception when others then + raise notice 'not creating mailu user -- it already exists'; +end +$$; + +-- name: update_pw! +alter + user mailu + password :pw; + +-- name: check_db +-- check if the mailu db exists +select 1 + from pg_database + where datname = 'mailu'; + +-- name: create_db! +-- create the mailu db +create + database mailu + owner mailu; diff --git a/optional/postgresql/start.py b/optional/postgresql/start.py new file mode 100755 index 00000000..f8bfc7d9 --- /dev/null +++ b/optional/postgresql/start.py @@ -0,0 +1,37 @@ +#!/usr/bin/python3 + +import anosql +import psycopg2 +import jinja2 +import glob +import os + +def setup(): + conn = psycopg2.connect('user=postgres') + queries = anosql.load_queries('postgres', '/conf/queries.sql') + queries.create_user(conn) + queries.update_pw(conn, pw=os.environ.get("SECRET_KEY")) + conn.commit() + # create db cannot be atomic. But this script is the only active connection, this is kinda safe. + if not queries.check_db(conn): + conn.set_isolation_level(0) + queries.create_db(conn) + conn.set_isolation_level(1) + conn.close() + +# Bootstrap the database if postgresql is running for the first time +if not os.path.exists('/var/lib/postgresql/data/pg_hba.conf'): + os.system("chown -R postgres:postgres /var/lib/postgresql") + os.system("su - postgres -c 'initdb -D /var/lib/postgresql/data'") + +convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ)) +for pg_file in glob.glob("/conf/*.conf"): + convert(pg_file, os.path.join("/var/lib/postgresql/data", os.path.basename(pg_file))) + +# Run postgresql locally for DB and user creation +os.system("su - postgres -c 'pg_ctl start -D /var/lib/postgresql/data -o \"-h localhost\"'") +setup() +os.system("su - postgres -c 'pg_ctl stop -m smart -w -D /var/lib/postgresql/data'") + +# Run postgresql service +os.system("su - postgres -c 'postgres -D /var/lib/postgresql/data -h \*'") diff --git a/tests/build.yml b/tests/build.yml index 8603e4af..2cd0663c 100644 --- a/tests/build.yml +++ b/tests/build.yml @@ -34,6 +34,10 @@ services: image: ${DOCKER_ORG:-mailu}/admin:${MAILU_VERSION:-local} build: ../core/admin + postgresql: + image: ${DOCKER_ORG:-mailu}/postgresql:${MAILU_VERSION:-local} + build: ../optional/postgresql + roundcube: image: ${DOCKER_ORG:-mailu}/roundcube:${MAILU_VERSION:-local} build: ../webmails/roundcube