11-PostgreSQL-Configuration
faycel edited this page 2026-02-26 21:17:10 +00:00

This page documents the PostgreSQL configuration used in production.

Snapshot date: 2026-02
Stack: data
Image: postgres:18.2-alpine3.22
Mode: Docker Swarm


1. Purpose

PostgreSQL is used as the primary relational database engine.

The database runs inside the data stack and is not publicly exposed.


2. Network Isolation

PostgreSQL:

  • Is attached only to the internal overlay network
  • Does NOT expose any ports to the public

Verify:

sudo docker service inspect data_postgres

Ensure:

  • No published ports
  • Network: internal only

3. Secrets Integration

The database password is managed via a Docker secret.

Secret file:

swarm/secrets/postgres_password.txt

Secret creation:

sudo docker secret create postgres_password swarm/secrets/postgres_password.txt

Inside the container, the secret is mounted at:

/run/secrets/postgres_password

4. Environment Variables

PostgreSQL is typically configured with:

  • POSTGRES_USER
  • POSTGRES_DB
  • POSTGRES_PASSWORD_FILE

Example:

environment:
  POSTGRES_USER: postgres
  POSTGRES_DB: mattermost
  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password

Using the _FILE variant ensures the password itself is not stored in an environment variable; only the path to the secret file is.


5. Persistent Storage

PostgreSQL data is stored in a Docker volume.

Verify volume:

sudo docker volume ls

Inspect volume:

sudo docker volume inspect <volume_name>

Database files are stored under:

/var/lib/postgresql/data

Persistence is critical to avoid data loss.


6. Verify Database Access

Open psql inside the running container (filtering by the service name avoids matching other containers whose name or image contains "postgres"):

sudo docker exec -it $(sudo docker ps -q --filter name=data_postgres) psql -U postgres

List databases:

\l

Check users:

\du

Exit:

\q

7. Backup Strategy (Minimum Requirement)

Manual dump (docker exec needs the task container, not the Swarm service name, and -t is omitted so the TTY does not rewrite line endings in the dump):

sudo docker exec $(sudo docker ps -q --filter name=data_postgres) pg_dumpall -U postgres > backup.sql

Recommended:

  • Regular automated backups
  • Store backups outside Docker host
  • Encrypt backups at rest

8. Security Considerations

  • PostgreSQL must not expose port 5432 publicly
  • Only internal services should connect
  • Password must be strong and randomly generated
  • Use Docker secrets instead of plain environment variables
  • Monitor disk usage of database volume

9. Verify Listening Ports

On host:

sudo ss -tulpn | grep 5432

Expected:

No public binding.
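The checks of sections 2 and 9 in one script, added here as an example and not part of the wiki's own tooling. It assumes the internal overlay network is named "internal" (override with EXPECTED_NET) and that `docker service inspect --format '{{json .Endpoint.Spec.Ports}}'` prints "null" when nothing is published.

```sh
#!/bin/sh
# Added example for sections 2 and 9 (not the wiki page's own script): checks that
# data_postgres publishes no ports, sits only on the internal overlay network, and
# that nothing listens on 5432 on a public address. Check functions read command
# output from stdin so they can be tried on sample lines; run_checks uses real ones.

# Assumed name of the internal overlay network (the page does not state it).
EXPECTED_NET="${EXPECTED_NET:-internal}"

# Input: output of `ss -tulpn`. Succeeds when every 5432 listener is on loopback
# (127.x / [::1]); fails on 0.0.0.0, *, [::] or any other address.
no_public_5432() {
    ! grep -E ':5432([[:space:]]|$)' | grep -Ev '(127\.[0-9.]+|\[::1\]):5432' | grep -q .
}

# Input: `docker service inspect --format '{{json .Endpoint.Spec.Ports}}' data_postgres`,
# assumed to print "null" when nothing is published (verify on your host).
no_published_ports() {
    ports=$(cat)
    case "$ports" in
        ''|null|'[]') return 0 ;;
        *) echo "published ports: $ports" >&2; return 1 ;;
    esac
}

# Input: one network name per line. Succeeds only if every line is EXPECTED_NET.
only_internal_network() {
    while IFS= read -r net; do
        [ "$net" = "$EXPECTED_NET" ] || { echo "unexpected network: $net" >&2; return 1; }
    done
}

# Resolve the service's attached network IDs to names.
list_service_networks() {
    for id in $(sudo docker service inspect \
            --format '{{range .Spec.TaskTemplate.Networks}}{{.Target}} {{end}}' data_postgres); do
        sudo docker network inspect --format '{{.Name}}' "$id"
    done
}

run_checks() {
    sudo ss -tulpn | no_public_5432 || { echo "FAIL: public binding on 5432" >&2; return 1; }
    sudo docker service inspect --format '{{json .Endpoint.Spec.Ports}}' data_postgres \
        | no_published_ports || return 1
    list_service_networks | only_internal_network || return 1
    echo "OK: data_postgres is isolated"
}

# Run on the Swarm manager: sh check_postgres_isolation.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```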


10. Production Rules

  • Never expose PostgreSQL directly to the internet.
  • Never store DB passwords in Git.
  • Always use persistent volumes.
  • Always backup before upgrading.