diff --git a/postgres/docker-compose.yml b/postgres/docker-compose.yml
index 76c1afa..0c704f1 100644
--- a/postgres/docker-compose.yml
+++ b/postgres/docker-compose.yml
@@ -10,7 +10,11 @@ services:
PGDATA: /var/lib/postgresql/data/pgdata
volumes:
- postgres_data:/var/lib/postgresql/data
- ./ssl:/ssl:ro
+ - ./ssl:/ssl-host:ro # your host SSL files, read-only
+ tmpfs:
+ - /ssl:rw,mode=0700 # tmpfs inside container for proper ownership
+ - /tmp
+ - /var/run/postgresql
ports:
- "5432:5432"
healthcheck:
@@ -19,30 +23,35 @@ services:
timeout: 5s
retries: 5
start_period: 10s
+ security_opt:
+ - no-new-privileges:true
deploy:
resources:
limits:
memory: 512M
reservations:
memory: 256M
- security_opt:
- - no-new-privileges:true
- tmpfs:
- - /tmp
- - /var/run/postgresql
command: >
- postgres
- -c ssl=on
- -c ssl_cert_file=/ssl/server.crt
- -c ssl_key_file=/ssl/server.key
- -c ssl_ca_file=/ssl/ca.crt
- -c max_connections=100
- -c shared_buffers=128MB
- -c effective_cache_size=256MB
- -c maintenance_work_mem=64MB
- -c checkpoint_completion_target=0.9
- -c wal_buffers=16MB
- -c default_statistics_target=100
+ sh -c "
+ # Copy SSL files into tmpfs, set correct permissions
+ cp /ssl-host/* /ssl/ &&
+ chown postgres:postgres /ssl/* &&
+ chmod 600 /ssl/server.key &&
+ chmod 644 /ssl/server.crt /ssl/ca.crt &&
+ # Start PostgreSQL with SSL
+ postgres
+ -c ssl=on
+ -c ssl_cert_file=/ssl/server.crt
+ -c ssl_key_file=/ssl/server.key
+ -c ssl_ca_file=/ssl/ca.crt
+ -c max_connections=100
+ -c shared_buffers=128MB
+ -c effective_cache_size=256MB
+ -c maintenance_work_mem=64MB
+ -c checkpoint_completion_target=0.9
+ -c wal_buffers=16MB
+ -c default_statistics_target=100
+ "
volumes:
postgres_data:
\ No newline at end of file
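Review bot: The shell comments inside `command: >` break the new script: a folded scalar joins its lines with spaces, so the `#` of `# Copy SSL files into tmpfs, set correct permissions` turns everything after it — the `cp`, `chown`, `chmod` lines and the `postgres` invocation itself — into one shell comment, and `sh -c` exits without ever starting the server. Even with the comments removed, `chown postgres:postgres /ssl/*` fixes the files but not the `/ssl` directory, which the `mode=0700` tmpfs from the first hunk leaves root-owned, so a server running as `postgres` cannot reach `server.key` at all. Because argv no longer begins with `postgres`, whatever the image entrypoint does for that case (first-run initialisation, dropping to the `postgres` user) is presumably skipped as well — worth verifying, since `postgres` refuses to run as root while the `chown` needs root. I would pass the script as a literal block in list form so comments stay on their own lines, chown the directory too, fail fast with `set -eu`, and `exec` the server so it is PID 1 and receives signals.
```yaml
    command:
      - sh
      - -c
      - |
        set -eu
        # Copy SSL material into the private tmpfs and fix ownership/modes
        cp /ssl-host/* /ssl/
        chown -R postgres:postgres /ssl
        chmod 700 /ssl
        chmod 600 /ssl/server.key
        chmod 644 /ssl/server.crt /ssl/ca.crt
        # Start PostgreSQL with SSL (exec so it becomes PID 1)
        exec postgres \
          -c ssl=on \
          -c ssl_cert_file=/ssl/server.crt \
          -c ssl_key_file=/ssl/server.key \
          -c ssl_ca_file=/ssl/ca.crt \
          # … unchanged: remaining -c tuning options …
```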