diff --git a/README.md b/README.md index 476d7d5..6e766ee 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,12 @@ A secure PostgreSQL Docker container with enforced SSL/TLS encryption, certificate verification, and advanced security features. +## Docker Images + +This project builds and publishes Docker images to the git.nixc.us registry: +- **Unstable**: `git.nixc.us/postgre-tls:unstable` (latest development) +- **Stable**: `git.nixc.us/postgre-tls:stable` (stable releases) + ## Features - **SSL/TLS Encryption**: TLSv1.3 with 256-bit AES-GCM encryption @@ -42,16 +48,26 @@ The setup provides enterprise-grade security with: You can also connect manually using psql: ```bash -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca_crt" +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca_crt" ``` For non-interactive connection, set the PGPASSWORD environment variable: ```bash export PGPASSWORD=$(cat secrets/postgres_password || echo "change_me_in_production") -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca_crt" +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca_crt" ``` ## Project Structure ``` +Postgre-TLS/ +├── docker-compose.yml # Container configuration +├── Dockerfile # Container image definition +├── start.sh # Initialization and startup script +├── connect.sh # SSL connection test script +├── postgresql.conf # PostgreSQL configuration +├── USAGE.md # Usage guide and commands +├── data/ # PostgreSQL data directory +├── secrets/ # SSL certificates and passwords +└── logs/ # Container logs ``` \ No newline at end of file diff --git a/USAGE.md b/USAGE.md index 5ef8c67..e38b3f0 100644 --- a/USAGE.md +++ b/USAGE.md @@ -1,4 +1,4 @@ -# PloughGres Usage Guide +# Postgre-TLS Usage Guide ## Quick Start 
@@ -21,7 +21,7 @@ ### Database Management - **View container status:** `docker ps` -- **View container logs:** `docker logs ploughgres-db` +- **View container logs:** `docker logs postgre_tls-db` - **Access PostgreSQL shell:** `./connect.sh` - **Restart container:** `docker-compose restart` @@ -29,8 +29,8 @@ The setup uses TLSv1.3 with 256-bit encryption. Connection details: - **Host:** localhost - **Port:** 5432 -- **Database:** ploughgres -- **User:** ploughgres_user +- **Database:** postgre_tls +- **User:** postgre_tls_user - **SSL Mode:** verify-full (certificate verification enabled) ### Data Persistence @@ -49,7 +49,7 @@ The setup uses TLSv1.3 with 256-bit encryption. Connection details: ## Troubleshooting ### Container Issues -- **Container won't start:** Check `docker logs ploughgres-db` +- **Container won't start:** Check `docker logs postgre_tls-db` - **Port conflicts:** Ensure port 5432 is available - **Permission issues:** Check file permissions in `secrets/` directory diff --git a/build-push.sh b/build-push.sh new file mode 100755 index 0000000..b83083f --- /dev/null +++ b/build-push.sh 
@@ -0,0 +1,43 @@ +#!/bin/bash +set -e + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' + +# Configuration +REGISTRY="git.nixc.us" +IMAGE_NAME="postgre-tls" +TAG_UNSTABLE="unstable" +TAG_STABLE="stable" + +echo -e "${GREEN}[Postgre-TLS] Building and pushing Docker images...${NC}" + +# Build the image +echo -e "${YELLOW}[Postgre-TLS] Building Docker image...${NC}" +docker build -t ${REGISTRY}/${IMAGE_NAME}:${TAG_UNSTABLE} . + +# Tag for stable if requested +if [ "$1" == "stable" ]; then + echo -e "${YELLOW}[Postgre-TLS] Tagging as stable...${NC}" + docker tag ${REGISTRY}/${IMAGE_NAME}:${TAG_UNSTABLE} ${REGISTRY}/${IMAGE_NAME}:${TAG_STABLE} +fi + +# Push unstable +echo -e "${YELLOW}[Postgre-TLS] Pushing unstable image...${NC}" +docker push ${REGISTRY}/${IMAGE_NAME}:${TAG_UNSTABLE} + +# Push stable if tagged +if [ "$1" == "stable" ]; then + echo -e "${YELLOW}[Postgre-TLS] Pushing stable image...${NC}" + docker push ${REGISTRY}/${IMAGE_NAME}:${TAG_STABLE} +fi + +echo -e "${GREEN}[Postgre-TLS] Docker images built and pushed successfully!${NC}" +echo -e "${YELLOW}[Postgre-TLS] Available images:${NC}" +echo "- ${REGISTRY}/${IMAGE_NAME}:${TAG_UNSTABLE}" +if [ "$1" == "stable" ]; then + echo "- ${REGISTRY}/${IMAGE_NAME}:${TAG_STABLE}" +fi \ No newline at end of file diff --git a/connect.sh b/connect.sh index c3f8032..2446c41 100755 --- a/connect.sh +++ b/connect.sh @@ -14,7 +14,7 @@ PASSWORD=$([ -f secrets/postgres_password ] && cat secrets/postgres_password || export PGPASSWORD="$PASSWORD" # Test basic connection -OUTPUT=$(psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" \ +OUTPUT=$(psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" \ -c "SELECT version(), current_user, current_database();" -t) || { echo -e "${RED}[Postgre-TLS] Connection failed!${NC}" exit 1 
@@ -23,7 +23,7 @@ echo "$OUTPUT" # Check SSL details echo -e "\n${GREEN}[Postgre-TLS] SSL Connection Details:${NC}" -SSL_DETAILS=$(psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" \ +SSL_DETAILS=$(psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" \ -c "SELECT ssl, version as ssl_version, cipher as ssl_cipher, bits as ssl_bits FROM pg_stat_ssl WHERE pid = pg_backend_pid();" -t) || { echo -e "${RED}[Postgre-TLS] Failed to get SSL details!${NC}" exit 1 
@@ -32,25 +32,25 @@ echo "$SSL_DETAILS" # Test non-SSL connection (should fail) echo -e "\n${YELLOW}[Postgre-TLS] Testing non-SSL connection (expected to fail):${NC}" -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=disable" -c "SELECT 1;" 2>&1 | grep "SSL" || echo -e "${GREEN}Non-SSL connection correctly refused.${NC}" +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=disable" -c "SELECT 1;" 2>&1 | grep "SSL" || echo -e "${GREEN}Non-SSL connection correctly refused.${NC}" # Advanced database operations over SSL echo -e "\n${GREEN}[Postgre-TLS] Performing advanced tests over SSL:${NC}" # Create test table -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "CREATE TABLE IF NOT EXISTS test_table (id SERIAL PRIMARY KEY, data TEXT);" || { echo -e "${RED}Failed to create test table!${NC}"; exit 1; } +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "CREATE TABLE IF NOT EXISTS test_table (id SERIAL PRIMARY KEY, data TEXT);" || { echo -e "${RED}Failed to create test table!${NC}"; exit 1; } echo "Test table created." # Insert data -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "INSERT INTO test_table (data) VALUES ('Hello, SSL World!');" || { echo -e "${RED}Failed to insert data!${NC}"; exit 1; } +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "INSERT INTO test_table (data) VALUES ('Hello, SSL World!');" || { echo -e "${RED}Failed to insert data!${NC}"; exit 1; } echo "Data inserted." 
# Query data -QUERY_RESULT=$(psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "SELECT data FROM test_table WHERE id = (SELECT MAX(id) FROM test_table);" -t) || { echo -e "${RED}Failed to query data!${NC}"; exit 1; } +QUERY_RESULT=$(psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "SELECT data FROM test_table WHERE id = (SELECT MAX(id) FROM test_table);" -t) || { echo -e "${RED}Failed to query data!${NC}"; exit 1; } echo "Queried data: $QUERY_RESULT" # Drop test table -psql "host=localhost port=5432 dbname=ploughgres user=ploughgres_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "DROP TABLE test_table;" || { echo -e "${RED}Failed to drop test table!${NC}"; exit 1; } +psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt" -c "DROP TABLE test_table;" || { echo -e "${RED}Failed to drop test table!${NC}"; exit 1; } echo "Test table dropped." # Check if all tests passed diff --git a/docker-compose.yml b/docker-compose.yml index 243da65..3886cf8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,11 +1,12 @@ services: postgres: build: . - container_name: postgretls-db + image: git.nixc.us/postgre-tls:unstable + container_name: postgre-tls-db restart: unless-stopped environment: - POSTGRES_DB: ploughgres - POSTGRES_USER: ploughgres_user + POSTGRES_DB: postgre_tls + POSTGRES_USER: postgre_tls_user POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-change_me_in_production} # Enable SSL/TLS POSTGRES_INITDB_ARGS: "--auth-local=password --auth-host=scram-sha-256" 
@@ -14,21 +15,21 @@ services: ports: - "5432:5432" volumes: - - postgretls_data:/var/lib/postgresql/data - - postgretls_logs:/var/log/postgresql + - postgre_tls_data:/var/lib/postgresql/data + - postgre_tls_logs:/var/log/postgresql - ./secrets:/run/secrets:ro healthcheck: - test: ["CMD-SHELL", "pg_isready -U ploughgres_user -d ploughgres"] + test: ["CMD-SHELL", "pg_isready -U postgre_tls_user -d postgre_tls"] interval: 10s timeout: 5s retries: 5 networks: - - postgretls-network + - postgre-tls-network volumes: - postgretls_data: - postgretls_logs: + postgre_tls_data: + postgre_tls_logs: networks: - postgretls-network: + postgre-tls-network: driver: bridge \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 1a7bb17..e67cd09 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -121,8 +121,8 @@ load_secrets() { fi # Set default values for other variables - export POSTGRES_DB="${POSTGRES_DB:-ploughgres}" - export POSTGRES_USER="${POSTGRES_USER:-ploughgres_user}" + export POSTGRES_DB="${POSTGRES_DB:-postgre_tls}" + export POSTGRES_USER="${POSTGRES_USER:-postgre_tls_user}" } # Function to initialize database with encryption @@ -135,7 +135,7 @@ initialize_database() { # Initialize the database with proper encoding and authentication # Create the main database during initdb - export POSTGRES_DB="${POSTGRES_DB:-ploughgres}" + export POSTGRES_DB="${POSTGRES_DB:-postgre_tls}" su-exec postgres initdb \ --pgdata="$PGDATA" \ --username="$POSTGRES_USER" \ diff --git a/start.sh b/start.sh index dd8678e..35bcdfb 100755 --- a/start.sh +++ b/start.sh 
@@ -14,17 +14,17 @@ mkdir -p secrets # Generate SSL certificates if missing if [ ! -f "secrets/ca.crt" ] || [ ! -f "secrets/server.crt" ] || [ ! -f "secrets/server.key" ]; then - echo -e "${YELLOW}[PloughGres] Generating SSL certificates for local development...${NC}" + echo -e "${YELLOW}[Postgre-TLS] Generating SSL certificates for local development...${NC}" openssl genrsa -out secrets/ca.key 2048 openssl req -new -x509 -key secrets/ca.key -out secrets/ca.crt -days 365 \ - -subj "/C=US/ST=State/L=City/O=PloughGres/CN=PloughGres-CA" -batch + -subj "/C=US/ST=State/L=City/O=Postgre-TLS/CN=Postgre-TLS-CA" -batch openssl genrsa -out secrets/server.key 2048 openssl req -new -key secrets/server.key -out secrets/server.csr \ - -subj "/C=US/ST=State/L=City/O=PloughGres/CN=localhost" -batch + -subj "/C=US/ST=State/L=City/O=Postgre-TLS/CN=localhost" -batch openssl x509 -req -in secrets/server.csr \ -CA secrets/ca.crt -CAkey secrets/ca.key \ 
@@ -38,24 +38,24 @@ if [ ! -f "secrets/ca.crt" ] || [ ! -f "secrets/server.crt" ] || [ ! -f "secrets # Remove CA private key for security rm secrets/ca.key - echo -e "${GREEN}[PloughGres] SSL certificates generated in secrets/${NC}" + echo -e "${GREEN}[Postgre-TLS] SSL certificates generated in secrets/${NC}" fi # Generate password if missing if [ ! -f "secrets/postgres_password" ]; then - echo -e "${YELLOW}[PloughGres] Generating random password for PostgreSQL...${NC}" + echo -e "${YELLOW}[Postgre-TLS] Generating random password for PostgreSQL...${NC}" openssl rand -base64 32 > secrets/postgres_password chmod 600 secrets/postgres_password - echo -e "${GREEN}[PloughGres] Generated password stored in secrets/postgres_password${NC}" - echo -e "${YELLOW}[PloughGres] Your PostgreSQL password is:${NC}" + echo -e "${GREEN}[Postgre-TLS] Generated password stored in secrets/postgres_password${NC}" + echo -e "${YELLOW}[Postgre-TLS] Your PostgreSQL password is:${NC}" cat secrets/postgres_password echo "" fi # Manage container -echo -e "${YELLOW}[PloughGres] Managing Docker container...${NC}" +echo -e "${YELLOW}[Postgre-TLS] Managing Docker container...${NC}" docker-compose down -v || true # Graceful down with volume removal docker-compose build docker-compose up -d -echo -e "${GREEN}[PloughGres] Container started successfully!${NC}" -echo -e "${YELLOW}[PloughGres] Run ./connect.sh to test the connection.${NC}" \ No newline at end of file +echo -e "${GREEN}[Postgre-TLS] Container started successfully!${NC}" +echo -e "${YELLOW}[Postgre-TLS] Run ./connect.sh to test the connection.${NC}" \ No newline at end of file
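Review bot: README.md @@ -42,16 +48,26 @@ still tells users `sslrootcert=secrets/ca_crt` in both psql examples, while start.sh writes the CA to `secrets/ca.crt` and connect.sh reads `sslrootcert=secrets/ca.crt`; with `sslmode=verify-full` a missing root file makes the connection fail outright, so both lines should read `sslrootcert=secrets/ca.crt`. The Project Structure block in the same hunk also lists `data/` and `logs/` as host directories and omits `entrypoint.sh` and the new `build-push.sh`, but docker-compose.yml in this patch mounts the named volumes `postgre_tls_data` and `postgre_tls_logs` rather than `./data` and `./logs`; the tree should match what the compose file actually creates.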
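Review bot: USAGE.md @@ -21,7 +21,7 @@ and @@ -49,7 +49,7 @@ rename the container to `postgre_tls-db`, but docker-compose.yml @@ -1,11 +1,12 @@ sets `container_name: postgre-tls-db` (hyphen, not underscore), so `docker logs postgre_tls-db` as documented will return "No such container". Change both USAGE.md lines to `docker logs postgre-tls-db`, or better, reference the compose service (`docker-compose logs postgres`) so a future rename cannot drift again.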
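Review bot: build-push.sh @@ -0,0 +1,43 @@ promotes to `stable` purely by retagging the `unstable` image it just built (`docker tag ... :${TAG_UNSTABLE} ... :${TAG_STABLE}`), and both tags are mutable, so a deployment that pulls `:stable` has no way to tell which build it got or to roll back. Add an immutable tag alongside, e.g. `TAG_SHA=$(git rev-parse --short HEAD)` followed by `docker tag ${REGISTRY}/${IMAGE_NAME}:${TAG_UNSTABLE} ${REGISTRY}/${IMAGE_NAME}:${TAG_SHA}` and a matching push, and document pinning by digest in the README's Docker Images section. Two smaller points: `set -e` should be `set -euo pipefail`, and with `-u` the three `[ "$1" == "stable" ]` tests need `"${1:-}"` so running the script with no argument does not abort.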
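Review bot: connect.sh @@ -32,25 +32,25 @@ keeps a non-SSL check that cannot fail: `psql "... sslmode=disable" -c "SELECT 1;" 2>&1 | grep "SSL" || echo "Non-SSL connection correctly refused."` prints the success message whenever grep finds no "SSL" in the output, which includes the case where the plaintext connection is accepted and psql simply prints `1`. Assert on psql's exit status instead, e.g. `if psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=disable" -c "SELECT 1;" >/dev/null 2>&1; then echo "Non-SSL connection was accepted!"; exit 1; fi`. While touching these lines, the identical connection string now appears eight times across @@ -14, @@ -23 and @@ -32; a single `CONN="host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca.crt"` at the top would have made this rename a one-line change.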
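Review bot: docker-compose.yml @@ -1,11 +1,12 @@ leaves `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-change_me_in_production}` in place, so a host without the variable set starts the database with a publicly known password and no error. Use `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so compose refuses to start, or have the entrypoint read the `secrets/postgres_password` file that start.sh already generates and mounts at `/run/secrets`. The same hunk's `POSTGRES_INITDB_ARGS: "--auth-local=password --auth-host=scram-sha-256"` uses cleartext `password` auth for local connections; `--auth-local=scram-sha-256` keeps both paths on the same mechanism. Please also add a final newline to the file (the hunk ends with "\ No newline at end of file").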
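Review bot: docker-compose.yml @@ -14,21 +15,21 @@ still publishes `- "5432:5432"`, which binds the listener on every host interface, while every documented client in README.md and USAGE.md connects to `localhost`. `- "127.0.0.1:5432:5432"` gives the same local workflow without exposing the port to the network; anyone who needs remote access can override it deliberately.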
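Review bot: entrypoint.sh @@ -135,7 +135,7 @@ re-exports `POSTGRES_DB="${POSTGRES_DB:-postgre_tls}"` inside `initialize_database()`, but `load_secrets()` in @@ -121,8 +121,8 @@ already exports the same default, so the value is defined in two places that must be kept in sync on every rename (exactly the kind of edit this patch is making). Drop the copy in `initialize_database()` or move both defaults to a single block near the top of the script.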
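Review bot: start.sh @@ -14,17 +14,17 @@ issues the server certificate with only `CN=localhost` and no subjectAltName. libpq's `verify-full` currently falls back to the CN when no SAN is present, so it works, but the CN fallback is a legacy path; pass an extension file to the signing step that the hunk truncates (`openssl x509 -req ... -extfile <(printf "subjectAltName=DNS:localhost")`) so the name is in the SAN. The key files are also written with whatever umask the caller has before any `chmod` runs; a `umask 077` at the top of this `if` block would close that window for `ca.key` and `server.key`. Note for the docs: since `rm secrets/ca.key` in @@ -38 deletes the CA key, the 365-day server certificate cannot be renewed, and the next run will mint a new CA that every client must re-trust.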
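Review bot: start.sh @@ -38,24 +38,24 @@ runs `docker-compose down -v || true` on every invocation, and `-v` removes the named volumes `postgre_tls_data` and `postgre_tls_logs` declared in docker-compose.yml, so each `./start.sh` wipes the database; that contradicts the "Data Persistence" section USAGE.md still carries. Drop `-v` from the default path and put it behind an explicit `--reset` argument. In the same hunk the freshly generated password is echoed to the terminal with `cat secrets/postgres_password`, where it lands in scrollback and CI logs; print the file path only, and create the file under a restrictive umask (`(umask 077; openssl rand -base64 32 > secrets/postgres_password)`) rather than `chmod 600` after the fact.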