From 15be0aaa2b0b6596b34eb4f1b72ff0816c095abc Mon Sep 17 00:00:00 2001
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Wed, 14 Jan 2026 22:54:58 +0700
Subject: [PATCH 1/7] feat: expose posegresql configuration
---
 docker-compose.yml | 8 ++++-
 docker/postgresql/conf.d/10-tuning.conf | 3 ++
 docker/postgresql/pg_hba.conf | 39 +++++++++++++++++++++++++
 docker/postgresql/postgresql.conf | 13 +++++++++
 4 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 docker/postgresql/conf.d/10-tuning.conf
 create mode 100644 docker/postgresql/pg_hba.conf
 create mode 100644 docker/postgresql/postgresql.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index e9d3c2c122c..a725a294f84 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -131,13 +131,19 @@ services:
 db:
 # use geonode official postgis 15 image
 image: geonode/postgis:15-3.5-latest
- command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}"
+ command:
+ - postgres
+ - -c
+ - config_file=/etc/postgresql/postgresql.conf
 container_name: db4${COMPOSE_PROJECT_NAME}
 env_file:
 - .env
 volumes:
 - dbdata:/var/lib/postgresql/data
 - dbbackups:/pg_backups
+ - ./docker/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf:ro
+ - ./docker/postgresql/conf.d:/etc/postgresql/conf.d:ro
+ - ./docker/postgresql/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
 restart: unless-stopped
 healthcheck:
 test: "pg_isready -d postgres -U postgres"
diff --git a/docker/postgresql/conf.d/10-tuning.conf b/docker/postgresql/conf.d/10-tuning.conf
new file mode 100644
index 00000000000..d69b379faf8
--- /dev/null
+++ b/docker/postgresql/conf.d/10-tuning.conf
@@ -0,0 +1,3 @@
+max_connections = 200
+extra_float_digits = -1
+max_pred_locks_per_page = 5
\ No newline at end of file
diff --git a/docker/postgresql/pg_hba.conf b/docker/postgresql/pg_hba.conf
new file mode 100644
index 00000000000..265fdb3b1c1
--- /dev/null
+++ b/docker/postgresql/pg_hba.conf
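Review bot: The new `command:` list in the `db` service drops the `${POSTGRESQL_MAX_CONNECTIONS}` override that the removed line passed to postgres, so a deployment that sets that variable would now silently run with whatever `conf.d` provides (`max_connections = 200` in this patch). If the variable is still meant to be honoured, append `- -c` and `- max_connections=${POSTGRESQL_MAX_CONNECTIONS:-200}` after the `config_file` entry; a `-c` option on the command line takes precedence over the configuration file. Otherwise state in the commit message that the variable is retired, so operators move their value into `conf.d`. The same applies to the `db` hunks in docker-compose-dev.yml and docker-compose-test.yml later in this series. The `db` service definition starts above the hunk and continues below it.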
@@ -0,0 +1,39 @@
+# Local Unix socket connections - trust for local admin access
+local all postgres trust
+
+# Localhost connections - trust for container internal access
+host all postgres 127.0.0.1/32 trust
+host all postgres ::1/128 trust
+
+# Allow replication connections from localhost
+local replication all trust
+host replication all 127.0.0.1/32 trust
+host replication all ::1/128 trust
+
+# =============================================================================
+# Application-specific rules (evaluated in order)
+# =============================================================================
+
+# GeoNode database - require SCRAM-SHA-256 authentication
+# This matches connections from Django/Celery containers
+host geonode geonode 172.19.0.0/16 scram-sha-256
+
+# GeoNode geodatabase - require SCRAM-SHA-256 authentication
+# This matches connections from GeoServer
+host geonode_data geonode_data 172.19.0.0/16 scram-sha-256
+
+# Template databases - no external access allowed
+host template0 all all reject
+host template1 all all reject
+
+# Postgres database - admin only, require password
+host postgres postgres 172.19.0.0/16 scram-sha-256
+
+# =============================================================================
+# Default catch-all rule - deny all other connections
+# =============================================================================
+# Uncomment to explicitly deny all other connections:
+# host all all all reject
+
+# Or allow with password (current default):
+host all all all scram-sha-256
diff --git a/docker/postgresql/postgresql.conf b/docker/postgresql/postgresql.conf
new file mode 100644
index 00000000000..0483bc4df50
--- /dev/null
+++ b/docker/postgresql/postgresql.conf
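Review bot: The three replication rules (`local replication all trust` and the two `host replication all ... trust` lines) accept any role name without a password, which is broader than the `postgres`-only trust rules directly above them. Nothing in this series shows a replica or base-backup job that needs them, so either drop them or narrow the user column, e.g. `local replication postgres trust`. It would also help to add a comment above the loopback block stating that `trust` lets any process sharing the container's loopback interface or socket directory connect as `postgres` without a password, so those rules must never be widened beyond `127.0.0.1/32` and `::1/128`.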
@@ -0,0 +1,13 @@
+# Data Directory (managed by Docker)
+data_directory = '/var/lib/postgresql/data'
+
+# Connection Settings
+listen_addresses = '*' # Listen on all network interfaces
+
+# Authentication Configuration File
+hba_file = '/etc/postgresql/pg_hba.conf'
+
+# Include additional configuration files from conf.d directory
+# All .conf files in this directory will be processed
+include_dir = 'conf.d'
+
From d279916ba2b4691fb4886d543a81e1fa4ff43e88 Mon Sep 17 00:00:00 2001
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Thu, 15 Jan 2026 10:13:00 +0700
Subject: [PATCH 2/7] fix: fix EOF
---
 docker/postgresql/conf.d/10-tuning.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/postgresql/conf.d/10-tuning.conf b/docker/postgresql/conf.d/10-tuning.conf
index d69b379faf8..b964985f17a 100644
--- a/docker/postgresql/conf.d/10-tuning.conf
+++ b/docker/postgresql/conf.d/10-tuning.conf
@@ -1,3 +1,3 @@
 max_connections = 200
 extra_float_digits = -1
-max_pred_locks_per_page = 5
\ No newline at end of file
+max_pred_locks_per_page = 5
From 4c3584338fc0341a0a1caa7838c3393aea7d46d0 Mon Sep 17 00:00:00 2001
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:20:26 +0700
Subject: [PATCH 3/7] fix: remove test config
---
 docker/postgresql/conf.d/10-tuning.conf | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 docker/postgresql/conf.d/10-tuning.conf
diff --git a/docker/postgresql/conf.d/10-tuning.conf b/docker/postgresql/conf.d/10-tuning.conf
deleted file mode 100644
index b964985f17a..00000000000
--- a/docker/postgresql/conf.d/10-tuning.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-max_connections = 200
-extra_float_digits = -1
-max_pred_locks_per_page = 5
From 947e0b63be4551746d4718a32df40cf61d32d701 Mon Sep 17 00:00:00 2001
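Review bot: `listen_addresses = '*'` is documented only as "Listen on all network interfaces", which leaves out that reachability is then decided entirely by `pg_hba.conf` and by whether the compose file publishes port 5432 (no `ports:` section is visible in this series). A comment such as `# '*' lets other containers connect; access control lives in pg_hba.conf, review it before publishing 5432 on the host` would make that dependency explicit. Because `pg_hba.conf` demands `scram-sha-256`, it is also worth noting next to `hba_file` that roles on an existing `dbdata` volume whose passwords are stored as MD5 hashes cannot authenticate until those passwords are reset; this presumably only affects volumes initialised with an older setup.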
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Wed, 21 Jan 2026 16:34:01 +0700
Subject: [PATCH 4/7] fix: add default configuration for max_connections
---
 docker/postgresql/conf.d/01-default.conf | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 docker/postgresql/conf.d/01-default.conf
diff --git a/docker/postgresql/conf.d/01-default.conf b/docker/postgresql/conf.d/01-default.conf
new file mode 100644
index 00000000000..232fc972db3
--- /dev/null
+++ b/docker/postgresql/conf.d/01-default.conf
@@ -0,0 +1 @@
+max_connections = 200
From 2151ece7a6a1206391167d4dac85c43ed56d5e45 Mon Sep 17 00:00:00 2001
From: Giovanni Allegri
Date: Thu, 22 Jan 2026 10:43:03 +0100
Subject: [PATCH 5/7] Add 'brynsofz' to the list in .clabot
---
 .clabot | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.clabot b/.clabot
index 0342a7afa8a..fe93348e0de 100644
--- a/.clabot
+++ b/.clabot
@@ -84,6 +84,7 @@
 "marlowp",
 "sijandh35",
 "mcihad",
- "nrjadkry"
+ "nrjadkry",
+ "brynsofz"
 ]
-}
\ No newline at end of file
+}
From 691ce39c470f2aa46f4f69b5e1a9864f6faed81c Mon Sep 17 00:00:00 2001
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Thu, 22 Jan 2026 21:45:56 +0700
Subject: [PATCH 6/7] fix: update PostgreSQL configuration to explicitly deny all other connections
---
 docker/postgresql/pg_hba.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker/postgresql/pg_hba.conf b/docker/postgresql/pg_hba.conf
index 265fdb3b1c1..5d9ad1a8280 100644
--- a/docker/postgresql/pg_hba.conf
+++ b/docker/postgresql/pg_hba.conf
@@ -32,8 +32,8 @@ host postgres postgres 172.19.0.0/16 scram-sha-256
 # =============================================================================
 # Default catch-all rule - deny all other connections
 # =============================================================================
-# Uncomment to explicitly deny all other connections:
-# host all all all reject
+# Explicitly deny all other connections:
+host all all all reject
 
 # Or allow with password (current default):
-host all all all scram-sha-256
+# host all all all scram-sha-256
From 070e8f75d1eba5a45929fe4788c154f4e2a74d18 Mon Sep 17 00:00:00 2001
From: Brian <213060881+brynsofz@users.noreply.github.com>
Date: Thu, 22 Jan 2026 21:46:13 +0700
Subject: [PATCH 7/7] fix: update docker-compose files for other environments
---
 docker-compose-dev.yml | 8 +++++++-
 docker-compose-test.yml | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index b19042ecce1..b5e4c19e00d 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -118,13 +118,19 @@ services:
 db:
 # use geonode official postgis 15 image
 image: geonode/postgis:15-3.5-latest
- command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}"
+ command:
+ - postgres
+ - -c
+ - config_file=/etc/postgresql/postgresql.conf
 container_name: db4${COMPOSE_PROJECT_NAME}
 env_file:
 - .env
 volumes:
 - dbdata:/var/lib/postgresql/data
 - dbbackups:/pg_backups
+ - ./docker/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf:ro
+ - ./docker/postgresql/conf.d:/etc/postgresql/conf.d:ro
+ - ./docker/postgresql/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
 restart: unless-stopped
 healthcheck:
 test: "pg_isready -d postgres -U postgres"
diff --git a/docker-compose-test.yml b/docker-compose-test.yml
index ed933655dfe..98c6875b1da 100644
--- a/docker-compose-test.yml
+++ b/docker-compose-test.yml
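Review bot: With the catch-all switched to `host all all all reject`, the only network rules left are the ones pinned to `172.19.0.0/16` (one is visible in the hunk header), so the application containers are rejected whenever Docker assigns the compose network a different subnet. The compose network definition is not visible in this series; unless it fixes the subnet, consider the `samenet` address keyword in those rules, e.g. `host geonode geonode samenet scram-sha-256`, or pin the subnet in the compose file. The surviving comment `# Or allow with password (current default):` is now inaccurate and should lose `(current default)`. The rules this depends on sit above the hunk.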
@@ -119,13 +119,19 @@ services:
 db:
 # use geonode official postgis 15 image
 image: geonode/postgis:15-3.5-latest
- command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}"
+ command:
+ - postgres
+ - -c
+ - config_file=/etc/postgresql/postgresql.conf
 container_name: db4${COMPOSE_PROJECT_NAME}
 env_file:
 - .env_test
 volumes:
 - dbdata:/var/lib/postgresql/data
 - dbbackups:/pg_backups
+ - ./docker/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf:ro
+ - ./docker/postgresql/conf.d:/etc/postgresql/conf.d:ro
+ - ./docker/postgresql/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
 restart: unless-stopped
 healthcheck:
 test: "pg_isready -d postgres -U postgres"