57 lines
1.7 KiB
YAML
57 lines
1.7 KiB
YAML
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: fairreview_postgres
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_DB: ${POSTGRES_DB:-fairreview}
|
|
POSTGRES_USER: ${POSTGRES_USER:-zhuma}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
|
PGDATA: /var/lib/postgresql/data/pgdata
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
- ./ssl:/ssl-host:ro # your host SSL files, read-only
|
|
tmpfs:
|
|
- /ssl:rw,mode=0700 # tmpfs inside container for proper ownership
|
|
- /tmp
|
|
- /var/run/postgresql
|
|
ports:
|
|
- "5432:5432"
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-zhuma} -d ${POSTGRES_DB:-fairreview}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 10s
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
reservations:
|
|
memory: 256M
|
|
command: >
|
|
sh -c "
|
|
# Copy SSL files into tmpfs, set correct permissions
|
|
cp /ssl-host/* /ssl/ &&
|
|
chown postgres:postgres /ssl/* &&
|
|
chmod 600 /ssl/server.key &&
|
|
chmod 644 /ssl/server.crt /ssl/ca.crt &&
|
|
# Start PostgreSQL with SSL
|
|
postgres
|
|
-c ssl=on
|
|
-c ssl_cert_file=/ssl/server.crt
|
|
-c ssl_key_file=/ssl/server.key
|
|
-c ssl_ca_file=/ssl/ca.crt
|
|
-c max_connections=100
|
|
-c shared_buffers=128MB
|
|
-c effective_cache_size=256MB
|
|
-c maintenance_work_mem=64MB
|
|
-c checkpoint_completion_target=0.9
|
|
-c wal_buffers=16MB
|
|
-c default_statistics_target=100
|
|
"
|
|
|
|
volumes:
|
|
postgres_data: |