docs(asset/sql): document mtls and ssh-sudo run modes
The previous bootstrap docs implied a `-U postgres` connection that
won't work over the network — postgres peer auth is local-socket
only. Document the two paths that actually work on this infra:
(a) mTLS as the network superuser `grenade` using the host cert
via PGSSL* env vars (cert paths from /etc/pki/tls per §11).
(b) ssh to the db host and sudo to the local postgres peer.
No script changes — only comments in bootstrap.sql and
bootstrap-moments.sql.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -2,9 +2,21 @@
|
|||||||
-- Run after asset/sql/bootstrap.sql, against the moments database.
|
-- Run after asset/sql/bootstrap.sql, against the moments database.
|
||||||
-- Idempotent — safe to re-run on every deploy.
|
-- Idempotent — safe to re-run on every deploy.
|
||||||
--
|
--
|
||||||
-- psql -h magrathea.kosherinata.internal -U postgres -d moments \
|
-- (a) mTLS as `grenade`:
|
||||||
|
--
|
||||||
|
-- PGSSLMODE=verify-full \
|
||||||
|
-- PGSSLCERT=/etc/pki/tls/misc/$(hostname -f).pem \
|
||||||
|
-- PGSSLKEY=/etc/pki/tls/private/$(hostname -f).pem \
|
||||||
|
-- PGSSLROOTCERT=/etc/pki/ca-trust/source/anchors/root-internal.pem \
|
||||||
|
-- psql -h magrathea.kosherinata.internal -U grenade -d moments \
|
||||||
-- -f asset/sql/bootstrap-moments.sql
|
-- -f asset/sql/bootstrap-moments.sql
|
||||||
--
|
--
|
||||||
|
-- (b) ssh + sudo to the local postgres peer:
|
||||||
|
--
|
||||||
|
-- ssh magrathea.kosherinata.internal \
|
||||||
|
-- sudo --user postgres psql -d moments -f - \
|
||||||
|
-- < asset/sql/bootstrap-moments.sql
|
||||||
|
--
|
||||||
-- The schema itself is created by sqlx migrations executed by moments-api
|
-- The schema itself is created by sqlx migrations executed by moments-api
|
||||||
-- on startup (which runs as moments_rw, the database owner). This file
|
-- on startup (which runs as moments_rw, the database owner). This file
|
||||||
-- only manages the read-only role's access to whatever moments_rw creates.
|
-- only manages the read-only role's access to whatever moments_rw creates.
|
||||||
|
|||||||
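Review bot: path (b) in this hunk (`ssh magrathea.kosherinata.internal \ sudo --user postgres psql -d moments -f - \ < asset/sql/bootstrap-moments.sql`) silently assumes sudo on the db host will not prompt: ssh without `-t` allocates no tty, so an interactive sudo prompt fails with "no tty present", and adding `-t` would interfere with feeding the script on stdin. Please state that assumption (passwordless sudo to `postgres` for the operator, or an equivalent) next to the command. For path (a), the `PGSSLKEY=/etc/pki/tls/private/$(hostname -f).pem` line means psql must be able to read the host private key as the invoking user, and libpq rejects a key file that is group/world readable unless it is root-owned with 0640; a one-line note on which user the operator is expected to run psql as would save the next person a confusing failure.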
@@ -2,9 +2,25 @@
|
|||||||
-- Run as a postgres superuser against the cluster's `postgres` database.
|
-- Run as a postgres superuser against the cluster's `postgres` database.
|
||||||
-- Idempotent — safe to re-run on every deploy.
|
-- Idempotent — safe to re-run on every deploy.
|
||||||
--
|
--
|
||||||
-- psql -h magrathea.kosherinata.internal -U postgres -d postgres \
|
-- Two run modes — pick whichever fits your operator path:
|
||||||
|
--
|
||||||
|
-- (a) mTLS as the network superuser `grenade` (already mapped via pg_ident
|
||||||
|
-- on magrathea + frankie). The host cert is picked up from the standard
|
||||||
|
-- /etc/pki/tls paths via the PG* env vars:
|
||||||
|
--
|
||||||
|
-- PGSSLMODE=verify-full \
|
||||||
|
-- PGSSLCERT=/etc/pki/tls/misc/$(hostname -f).pem \
|
||||||
|
-- PGSSLKEY=/etc/pki/tls/private/$(hostname -f).pem \
|
||||||
|
-- PGSSLROOTCERT=/etc/pki/ca-trust/source/anchors/root-internal.pem \
|
||||||
|
-- psql -h magrathea.kosherinata.internal -U grenade -d postgres \
|
||||||
-- -f asset/sql/bootstrap.sql
|
-- -f asset/sql/bootstrap.sql
|
||||||
--
|
--
|
||||||
|
-- (b) ssh to the db host and run as the local `postgres` peer:
|
||||||
|
--
|
||||||
|
-- ssh magrathea.kosherinata.internal \
|
||||||
|
-- sudo --user postgres psql -d postgres -f - \
|
||||||
|
-- < asset/sql/bootstrap.sql
|
||||||
|
--
|
||||||
-- After this completes, run asset/sql/bootstrap-moments.sql against the
|
-- After this completes, run asset/sql/bootstrap-moments.sql against the
|
||||||
-- newly created `moments` database to apply the in-database grants.
|
-- newly created `moments` database to apply the in-database grants.
|
||||||
|
|
||||||
|
|||||||
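Review bot: the new mode (a) text says `grenade` is "already mapped via pg_ident on magrathea + frankie", but the command uses `$(hostname -f)` for the cert and key paths, so it only works when run from a host whose certificate is in that map; make the comment say explicitly that (a) is to be run from one of those hosts, otherwise `PGSSLMODE=verify-full` with a host cert the server does not map to `grenade` will fail at authentication and the reader will look in the wrong place. The header line `-- Run as a postgres superuser against the cluster's \`postgres\` database.` is kept above both modes, which is fine for (b); for (a) it is worth noting in the same comment that it relies on `grenade` holding SUPERUSER, since the file otherwise never says so.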