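#!/usr/bin/env bash
# Generate ${ROOT_CONF}/pg_hba.conf from pg_hba.conf.template plus rules
# derived from the container environment:
#   FORCE_SSL, SSL_KEY_FILE, PASSWORD_AUTHENTICATION  -> connection type / auth
#   ALLOW_IP_RANGE                                    -> extra client rule
#   POSTGRES_PASS                                     -> password / trust
#   REPLICATE_FROM, REPLICATION_USER                  -> replication rule
# Sets the globals PG_CONF_HOST, CERT_AUTH, CLIENT_VERIFY, pass and authMethod
# and writes ${SETUP_LOCKFILE} so the file is generated only once.
#
# NOTE(review): this file uses `return` and sets `pass` without using it, so it
# is presumably sourced by the entrypoint rather than executed, with the
# variables above consumed by the caller — confirm. For that reason no
# `set -e`/`set -u` is enabled here: it would change the caller's shell options.

source /scripts/env-data.sh

SETUP_LOCKFILE="${ROOT_CONF}/.pg_hba.conf.lock"
# Never regenerate an existing configuration. `return` (not `exit`) so a
# sourcing caller keeps running.
if [[ -f "${SETUP_LOCKFILE}" ]]; then
  return 0
fi

# Setup Postgresql password (helper provided by env-data.sh)
pg_password

# Reconfigure pg_hba if environment settings changed: start from the template,
# every rule below is appended to it.
cat -- "${ROOT_CONF}/pg_hba.conf.template" > "${ROOT_CONF}/pg_hba.conf"

# Choose connection type and authentication method for all generated rules.
# NOTE: the regex is an unanchored, case-insensitive substring match, so any
# value containing "false" disables SSL enforcement — kept as-is.
if [[ "${FORCE_SSL}" =~ [Ff][Aa][Ll][Ss][Ee] ]]; then
  PG_CONF_HOST='host'
  CERT_AUTH=${PASSWORD_AUTHENTICATION}
  CLIENT_VERIFY=
elif [[ "${SSL_KEY_FILE}" != '/etc/ssl/private/ssl-cert-snakeoil.key' ]]; then
  # If user has their own cert we default to force auth using cert method
  PG_CONF_HOST='hostssl'
  CERT_AUTH='cert'
  CLIENT_VERIFY=
else
  # Used when using the default ssl certs: encrypt the connection but do not
  # demand a client certificate.
  # NOTE(review): the accepted clientcert= values changed across PostgreSQL
  # releases — confirm 'clientcert=0' against the target server version.
  PG_CONF_HOST='hostssl'
  CERT_AUTH=${PASSWORD_AUTHENTICATION}
  CLIENT_VERIFY='clientcert=0'
fi

#######################################
# Append one rule to pg_hba.conf (fields are whitespace-separated).
# Globals:   PG_CONF_HOST, CLIENT_VERIFY, ROOT_CONF (read)
# Arguments: $1 - database field
#            $2 - user field
#            $3 - address field (CIDR or pg_hba keyword, written verbatim)
#            $4 - authentication method
# Outputs:   appends one line to ${ROOT_CONF}/pg_hba.conf
#######################################
_append_hba_rule() {
  local db=$1 user=$2 addr=$3 method=$4
  printf '%s   %s             %s             %s              %s   %s\n' \
    "${PG_CONF_HOST}" "${db}" "${user}" "${addr}" "${method}" "${CLIENT_VERIFY}" \
    >> "${ROOT_CONF}/pg_hba.conf"
}

# Restrict subnet to docker private network
# NOTE(review): 172.0.0.0/8 is wider than the RFC 1918 172.16.0.0/12 block
# Docker networks are normally carved from — confirm this is intended.
_append_hba_rule all all '172.0.0.0/8' "${CERT_AUTH}"
# And allow access from DockerToolbox / Boot to docker on OSX
_append_hba_rule all all '192.168.0.0/16' "${CERT_AUTH}"

# Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
# Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
# The value is not validated as a CIDR because pg_hba.conf also accepts
# keywords such as 'all', 'samehost' and 'samenet' in the address field.
if [[ -n "${ALLOW_IP_RANGE}" ]]; then
  printf 'Add rule to pg_hba: %s\n' "${ALLOW_IP_RANGE}"
  _append_hba_rule all all "${ALLOW_IP_RANGE}" "${CERT_AUTH}"
fi

# check password first so we can output the warning before postgres
# messes it up
if [[ -n "${POSTGRES_PASS}" ]]; then
  pass="PASSWORD '${POSTGRES_PASS}'"
  authMethod=${CERT_AUTH}
else
  # The - option suppresses leading tabs but *not* spaces. :)
  cat >&2 <<-'EOWARN'
		****************************************************
		WARNING: No password has been set for the database.
				 This will allow anyone with access to the
				 Postgres port to access your database. In
				 Docker's default configuration, this is
				 effectively any other container on the same
				 system.

				 Use "-e POSTGRES_PASS=password" to set
				 it in "docker run".
		****************************************************
	EOWARN

  pass=
  # Without a password the replication rule below uses 'trust', i.e. no
  # authentication at all for REPLICATION_USER from ALLOW_IP_RANGE.
  authMethod=trust
fi

if [[ -z "${REPLICATE_FROM}" ]]; then
  # if env not set, then assume this is master instance
  # add rules to pg_hba.conf to allow replication from ALLOW_IP_RANGE
  # NOTE(review): ALLOW_IP_RANGE is presumably given a default by
  # env-data.sh — confirm; it is only optional for the client rule above.
  if [[ -n "${ALLOW_IP_RANGE}" ]]; then
    printf 'Add rule to pg_hba: replication %s \n' "${REPLICATION_USER}"
    _append_hba_rule replication "${REPLICATION_USER}" "${ALLOW_IP_RANGE}" "${authMethod}"
  else
    # An empty address field would yield a line PostgreSQL cannot parse
    # (the auth method would land in the address column), so skip the rule
    # and say so rather than write a broken pg_hba.conf.
    printf 'Skipping replication rule for %s: ALLOW_IP_RANGE is empty\n' \
      "${REPLICATION_USER}" >&2
  fi
fi

# Put lock file to make sure conf was not reinitialized
touch -- "${SETUP_LOCKFILE}"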