@ -33,14 +33,32 @@ On phosphoric-acid, you will additionally need to create a principal |
|
|
|
|
called `ceod/admin` (remember to addprinc **and** ktadd). |
|
|
|
|
|
|
|
|
|
#### Database |
|
|
|
|
create superuser `mysql` with password `mysql` |
|
|
|
|
**Note**: The instructions below apply to the dev environment only; in |
|
|
|
|
production, the DB superusers should be restricted to the host where |
|
|
|
|
the DB is running. |
|
|
|
|
|
|
|
|
|
Attach to the coffee container, run `mysql`, and run the following: |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
CREATE USER 'mysql' IDENTIFIED BY 'mysql'; |
|
|
|
|
GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION; |
|
|
|
|
``` |
|
|
|
|
mysql -u root |
|
|
|
|
(In prod, the superuser should have '@localhost' appended to its name.) |
|
|
|
|
|
|
|
|
|
CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql'; |
|
|
|
|
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; |
|
|
|
|
Now open /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the following line: |
|
|
|
|
``` |
|
|
|
|
bind-address = 127.0.0.1 |
|
|
|
|
``` |
|
|
|
|
Then restart MariaDB: |
|
|
|
|
``` |
|
|
|
|
systemctl restart mariadb |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
Install PostgreSQL in the container: |
|
|
|
|
``` |
|
|
|
|
apt install -y postgresql |
|
|
|
|
``` |
|
|
|
|
modify superuser `postgres` for password authentication and restrict new users |
|
|
|
|
Modify the superuser `postgres` for password authentication and restrict new users: |
|
|
|
|
``` |
|
|
|
|
su postgres |
|
|
|
|
psql |
|
|
|
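Review bot: `CREATE USER 'mysql' IDENTIFIED BY 'mysql'` has no host part, so it is `'mysql'@'%'`, and the same hunk comments out `bind-address = 127.0.0.1`; together that puts a superuser with a documented password and `WITH GRANT OPTION` on every interface of the container, which is more than the dev-only Note acknowledges. Suggest keeping the restriction in the statement itself (`CREATE USER 'mysql'@'localhost' ...`, or the one address the other containers reach it on) and binding the listener to that address rather than removing `bind-address`. Smaller points: the prod variant (`CREATE USER 'mysql'@'localhost' ...` and the matching `GRANT`) sits as bare text after the closing fence and should be in its own fenced block, and `mysql -u root` is the command that opens the shell the statements are typed into, so it belongs before the SQL block, not after it.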
@ -49,7 +67,7 @@ ALTER USER postgres WITH PASSWORD 'postgres'; |
|
|
|
|
REVOKE ALL ON SCHEMA public FROM public; |
|
|
|
|
GRANT ALL ON SCHEMA public TO postgres; |
|
|
|
|
``` |
|
|
|
|
create a new `pg_hba.conf` to force password authentication |
|
|
|
|
Create a new `pg_hba.conf`: |
|
|
|
|
``` |
|
|
|
|
cd /etc/postgresql/<version>/<branch>/ |
|
|
|
|
mv pg_hba.conf pg_hba.conf.old |
|
|
|
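Review bot: the placeholder in `cd /etc/postgresql/<version>/<branch>/` is misleading: on Debian/Ubuntu the second path component is the cluster name, which is `main` for the cluster that `apt install postgresql` creates, so `<cluster>` (or simply `main`) would stop readers looking for a "branch". Also, `REVOKE ALL ON SCHEMA public FROM public;` is the right hardening step, but the lead-in "restrict new users" should say what it does: new roles lose `CREATE` and `USAGE` on `public`, so they need an explicit grant on a schema before they can create anything.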
@ -57,23 +75,33 @@ mv pg_hba.conf pg_hba.conf.old |
|
|
|
|
``` |
|
|
|
|
# new pg_hba.conf |
|
|
|
|
# TYPE DATABASE USER ADDRESS METHOD |
|
|
|
|
local all postgres peer |
|
|
|
|
host all postgres 0.0.0.0/0 md5 |
|
|
|
|
|
|
|
|
|
local all all peer |
|
|
|
|
host all all localhost md5 |
|
|
|
|
|
|
|
|
|
local sameuser all md5 |
|
|
|
|
host sameuser all 0.0.0.0/0 md5 |
|
|
|
|
``` |
|
|
|
|
**Warning**: in prod, the postgres user should only be allowed to connect locally, |
|
|
|
|
so the relevant snippet in pg_hba.conf should look something like |
|
|
|
|
``` |
|
|
|
|
local all postgres md5 |
|
|
|
|
host all postgres localhost md5 |
|
|
|
|
host all postgres 0.0.0.0/0 reject |
|
|
|
|
host all postgres ::/0 reject |
|
|
|
|
local sameuser all md5 |
|
|
|
|
host sameuser all 0.0.0.0/0 md5 |
|
|
|
|
host sameuser all ::/0 md5 |
|
|
|
|
``` |
|
|
|
|
Add the following to postgresql.conf: |
|
|
|
|
``` |
|
|
|
|
# modified postgresql.conf |
|
|
|
|
# listen_addresses = 'localhost' |
|
|
|
|
listen_address = '*' |
|
|
|
|
listen_addresses = '*' |
|
|
|
|
``` |
|
|
|
|
Now restart PostgreSQL: |
|
|
|
|
``` |
|
|
|
|
systemctl restart postgresql |
|
|
|
|
``` |
|
|
|
|
users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host |
|
|
|
|
**In prod**, users can login remotely but superusers (`postgres` and `mysql`) are only |
|
|
|
|
allowed to login from the database host. |
|
|
|
|
|
|
|
|
|
#### Mailman |
|
|
|
|
You should create the following mailing lists from the mail container: |
|
|
|
|
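Review bot: the `md5` entries in both `pg_hba.conf` blocks should be `scram-sha-256`: `md5` is the legacy method (PostgreSQL 10 and later support SCRAM, and 14 and later store passwords as SCRAM by default), and a `scram-sha-256` rule rejects a role whose password is stored as an MD5 hash, so the change goes together with setting `password_encryption = scram-sha-256` before the `ALTER USER postgres WITH PASSWORD` step in the previous hunk. Two more things: the postgresql.conf block shows both `listen_address = '*'` and `listen_addresses = '*'`; only the plural is a real parameter, and an unrecognized parameter in postgresql.conf keeps the server from starting, so make sure the singular form is the one being removed. And in the dev block `host all postgres 0.0.0.0/0 md5` plus `listen_addresses = '*'` makes the `postgres` account with password `postgres` reachable on every IPv4 interface while the prod block carries the `::/0` rows and the `reject` lines; carrying the same `reject` rows into the dev file, with only the addresses the dev containers actually use allowed, keeps the two in step and makes the prod Warning harder to forget.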