Refactor PostgreSQL Docker Compose configuration for improved SSL handling and tmpfs setup

postgres/docker-compose.yml

@@ -10,7 +10,11 @@ services:
       PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres_data:/var/lib/postgresql/data
-      - ./ssl:/ssl:ro
+      - ./ssl:/ssl-host:ro  # your host SSL files, read-only
+    tmpfs:
+      - /ssl:rw,mode=0700   # tmpfs inside container for proper ownership
+      - /tmp
+      - /var/run/postgresql
     ports:
       - "5432:5432"
     healthcheck:
@@ -19,18 +23,22 @@ services:
       timeout: 5s
       retries: 5
       start_period: 10s
+    security_opt:
+      - no-new-privileges:true
     deploy:
       resources:
         limits:
           memory: 512M
         reservations:
           memory: 256M
-    security_opt:
-      - no-new-privileges:true
-    tmpfs:
-      - /tmp
-      - /var/run/postgresql
     command: >
+      sh -c "
+        # Copy SSL files into tmpfs, set correct permissions
+        cp /ssl-host/* /ssl/ &&
+        chown postgres:postgres /ssl/* &&
+        chmod 600 /ssl/server.key &&
+        chmod 644 /ssl/server.crt /ssl/ca.crt &&
+        # Start PostgreSQL with SSL
         postgres
           -c ssl=on
           -c ssl_cert_file=/ssl/server.crt
@@ -43,6 +51,7 @@ services:
           -c checkpoint_completion_target=0.9
           -c wal_buffers=16MB
           -c default_statistics_target=100
+      "
 
 volumes:
   postgres_data: