
feat: SSL for Postgres DB #4884

Draft: wants to merge 2 commits into base: next

Conversation

zaaakher (Contributor)

This is still WIP; I'm trying to get the ball rolling. However, I'm still learning Laravel and Livewire (I'm quite the beginner), so any help is really appreciated.

I started with the UI and added some conditions:

  • User can't enable SSL if the db is not started
  • User can't set a custom domain if SSL is not enabled
  • Show the SSL mode selection only if SSL is enabled.

Changes

  • Adds a checkbox to enable SSL database.enable_ssl
  • Adds a selection for SSL Mode database.ssl_mode
  • Adds an input for the custom domain database.custom_domain

Issues

If someone can help direct me to the right part where the actual logic of enabling SSL for a public Postgres db lives, that would be really helpful. I barely know what I'm doing here, my apologies.

I have a feeling I've done a couple things wrong. If so, please point it out for me to fix.

zaaakher (Contributor, Author)

I've spent a good hour or so trying to disable the auto first-letter capitalization that happens in the <label> (only in x-forms.select), but to no avail :(

[Screenshot 2025-01-21 at 1:07:54 PM]

peaklabs-dev marked this pull request as draft on January 21, 2025 at 10:26
djsisson (Contributor) commented Jan 21, 2025

@zaaakher This is for postgres & traefik, not sure on the rest

  1. if you want to use custom domains for your db, you will need to add a new tcp entrypoint to the static config for traefik (this can't be done in dynamic files) such that tcp on 5432 can then be routed to this domain (you can't just route as normal http)

Or you can still use nginx but restrict the hostname

  2. you will need to use a custom entrypoint and a cert volume mount, or pass in the certs as docker secrets

So you will bind a new file to be the postgres entrypoint; this will chown/chmod the cert directory. It has to be read-only for the postgres user, it can't be rw.
You will need to either enable generating new certs in coolify or allow them to be set using copy/paste etc.
You can't use the ones being generated by the proxy, as they aren't easily accessible, and you need the relevant client cert, derived from the server cert, in order to connect.

At the end of the above script, you can then call postgres as normal, where the command from the compose file will pass in the args.

  3. then you either also need to override the postgresql.conf to set ssl=on along with where the certs are, or you can pass in as command line args; the latter is probably easier

hope this helps a little
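As an added example (not code from this PR or from Coolify), here is what the custom entrypoint sketched in points 2 and 3 could look like: it stages the mounted certs into a directory the postgres user can read but not write, locks the key down, and starts postgres with `ssl=on` passed as `-c` flags rather than overriding postgresql.conf. It assumes the certs are mounted at `$CERT_SRC` as `server.crt`/`server.key` (plus optional `root.crt`), the staging directory `$CERT_DST` is an assumption, and the container starts as root as the official image does; the traefik TCP entrypoint from point 1 is out of scope.

```shell
#!/bin/sh
# Wrapper entrypoint for the postgres image: stage TLS files, then exec the
# stock docker-entrypoint.sh with SSL settings appended as -c arguments.
# CERT_SRC: read-only volume or docker secrets mount (assumed path).
# CERT_DST: writable location handed to the db user (assumed path).
set -eu

CERT_SRC="${CERT_SRC:-/run/secrets/pg-tls}"
CERT_DST="${CERT_DST:-/var/lib/postgresql/tls}"
PG_USER="${PG_USER:-postgres}"

# Copy server.crt/server.key (and root.crt if present) from $1 to $2 and
# make them owner-only: postgres refuses a key that is group/world readable,
# and a mounted secret is root-owned so it cannot be used in place.
prepare_certs() {
  src="$1"; dst="$2"; owner="$3"
  [ -f "$src/server.crt" ] && [ -f "$src/server.key" ] \
    || { echo "missing server.crt/server.key in $src" >&2; return 1; }
  mkdir -p "$dst"
  cp "$src/server.crt" "$src/server.key" "$dst/"
  [ -f "$src/root.crt" ] && cp "$src/root.crt" "$dst/"
  # chown only works as root; the entrypoint runs as root before dropping privs
  if [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$dst"; fi
  chmod 0700 "$dst"
  chmod 0400 "$dst"/*        # read-only for the db user, nothing for others
}

# Emit the -c flags that enable SSL and point at the staged files in $1.
# ssl_ca_file is only added when a CA cert was staged (needed for client certs).
ssl_args() {
  dst="$1"
  args="-c ssl=on -c ssl_cert_file=$dst/server.crt -c ssl_key_file=$dst/server.key"
  [ -f "$dst/root.crt" ] && args="$args -c ssl_ca_file=$dst/root.crt"
  echo "$args"
}

# Only act when invoked as the container command (compose passes "postgres ...").
if [ "${1:-}" = "postgres" ]; then
  prepare_certs "$CERT_SRC" "$CERT_DST" "$PG_USER"
  # word-splitting of the flag string is intended here
  exec docker-entrypoint.sh "$@" $(ssl_args "$CERT_DST")
fi
```

Mount the script over the image's entrypoint in the compose file and keep the usual `postgres` command; the original entrypoint still handles initdb and the privilege drop.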
