doc: remove env file from readme

.gitea/workflows/cd.yaml

@@ -7,20 +7,14 @@ on:
 
 jobs:
   build_n_upload:
-    runs-on: linux
+    runs-on: self-hosted
     steps:
-      - name: Git checkout
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v6
         with:
+          detch-depth: 0
           fetch-tags: true
-      - name: Build tarball
+      - run: make tarball
-        run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
+      - run: make upload
         env:
-          GIT_REFERENCE: ${{ github.ref }}
+          PKG_TOKEN: ${{ secrets.PKG_TOKEN }}
-      - name: Build rpm package
-        run: rpmbuild -ba "%(make name).spec"
-      - name: Upload rpm package
-        run: make upload
-        env:
-          GIT_PACKAGES_USERNAME: ${{ vars.GIT_PACKAGES_USERNAME }}
-          GIT_PACKAGES_TOKEN: ${{ secrets.GIT_PACKAGES_TOKEN }}

.gitea/workflows/ci.yaml

@@ -7,14 +7,11 @@ on:
 
 jobs:
   lint_n_build:
-    runs-on: linux
+    runs-on: self-hosted
     steps:
-      - name: Git checkout
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           fetch-tags: true
-      - name: Build tarball
+      - run: make tarball
-        run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
-      - name: Build rpm file
-        run: rpmbuild -ba "$(make name).spec"

Makefile

@@ -1,50 +1,87 @@
 NAME = netoik-db
 VERSION = $(shell git describe --abbrev=0)
 RELEASE = $(shell git rev-parse --short HEAD)
-REFERENCE = $(if $(GIT_REFERENCE),$(GIT_REFERENCE),$(shell git branch --show-current))
+ARCH = noarch
-BUILD_ARCH = noarch
+OWNER = samuel
+SUMMARY = "Netoïk Database Management System"
+LICENSE = "MIT"
+URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
+SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
 
 RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
+RPM_RUNDIR = $(shell rpm --eval '%{_rundir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
 RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
-RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
+
-RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: name
-name:
+name:  ## Show project name
 	@echo "$(NAME)"
 
 .PHONY: version
-version:
+version:  ## Show current project version
 	@echo "$(VERSION)"
 
 .PHONY: release
-release:
+release:  ## Show current project release
 	@echo "$(RELEASE)"
 
-.PHONY: build_arch
+.PHONY: arch
-build_arch:
+arch:  ## Show rpm arch target
-	@echo "$(BUILD_ARCH)"
+	@echo "$(ARCH)"
 
-.PHONY: install
+.PHONY: owner
-install:
+owner:  ## Show project owner name
-	install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/postgres $(DESTDIR)$(RPM_UNITDIR)/postgresql.service.d
+	@echo "$(OWNER)"
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/postgres files/postgres/postgresql.conf files/postgres/pg_hba.conf
+
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR)/postgresql.service.d files/systemd/postgres.conf
+.PHONY: summary
+summary:  ## Show project summary
+	@echo "$(SUMMARY)"
+
+.PHONY: license
+license:  ## Show project license
+	@echo "$(LICENSE)"
+
+.PHONY: url
+url:  ## Show project homepage URL
+	@echo "$(URL)"
+
+.PHONY: source0
+source0:  ## Show rpm source0 file name
+	@echo "$(SOURCE0)"
 
 $(RPM_TARBALL_PATH): *
 	git archive --format=tar.gz \
 	            --output="$@" \
 	            --prefix="$(NAME)-$(VERSION)/" \
 	            --verbose \
-	            "$(REFERENCE)"
+	            HEAD 
 
 .PHONY: tarball
-tarball: $(RPM_TARBALL_PATH)
+tarball: $(RPM_TARBALL_PATH)  ## Build rpm tarball
+
+.PHONY: install
+install:  ## Install files into rpm dest (requires env var DESTDIR)
+	@if [ -z "$(DESTDIR)" ]; then \
+		printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
+		exit 1; \
+	fi
+	install --mode=755 --directory $(DESTDIR)$(RPM_RUNDIR)/postgresql $(DESTDIR)$(RPM_SYSCONFDIR)/postgres $(DESTDIR)$(RPM_UNITDIR)/postgresql.service.d
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/postgres files/postgres/postgresql.conf files/postgres/pg_hba.conf
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR)/postgresql.service.d files/systemd/postgres.conf
 
 .PHONY: upload
-upload:
+upload:  ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
-	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(GIT_PACKAGES_USERNAME):$(GIT_PACKAGES_TOKEN)" https://git.netoik.io/api/packages/$(GIT_PACKAGES_USERNAME)/rpm/upload
+	@if [ -z "$(PKG_TOKEN)" ]; then \
-
+		printf "[CRITICAL] Missing env var PKG_TOKEN\n[CRITICAL] This command is designed to be called by Gitea Actions only!\n" 1>&2; \
+		exit 1; \
+	fi
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload

README.md

@@ -1,3 +1,80 @@
 # Netoïk Database ![badge](https://git.netoik.io/samuel/netoik-db/actions/workflows/ci.yaml/badge.svg)
 
 Build an RPM package which will install the DBMS called Postgresql with custom configuration.
+
+- listen only on a unix socket
+- each user is authentified by its unix account
+
+
+# Development
+
+A `Makefile` is integrated to let you run some basic commands.
+
+- Display some information about the project
+  ```shell
+  make help
+  make name
+  make version
+  make release
+  make arch
+  ```
+
+- Build a tarball:
+  ```shell
+  make tarball
+  ```
+
+- Build an rpm package:
+  ```shell
+  rpmbuild -ba netoik-db.spec
+  ```
+
+- Upload rpm package to Gitea repository (env var `PKG_TOKEN` is required):
+  ```shell
+  make upload
+  ```
+
+
+# CI / CD
+
+Two workflows are set up.
+
+- Continuous Integration:
+  - triggered by each push event on branch `main`
+  - builds tarball
+  - builds rpm package
+
+- Continuous Delivery:
+  - triggered by each tag push event
+  - builds tarball
+  - builds rpm package
+  - uploads rpm package to repository
+
+
+# Deployment
+
+Some commands to deploy the RPM package on server
+
+- Add Gitea repo to your repo list:
+  ```shell
+  dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
+  dnf repolist | grep gitea-samuel
+  ```
+
+- Show available versions:
+  ```shell
+  dnf --showduplicates netoik-db
+  ```
+
+- Install or upgrade package:
+  ```shell
+  dnf --nogpgcheck --refresh --assumeyes --best install netoik-db
+  ```
+
+
+# Security Notes
+
+For security reasons, act runners does not have sudo privileges and so there is:
+- **no** Continuous Deployment because act runners cannot use `dnf`
+- **no** GPG signing because act runners cannot use `gpg`
+

files/postgres/postgresql.conf

@@ -5,7 +5,7 @@
 #-------------------------------------------------------------------------------
 
 # Change pg_hba location
-hba_file = "/etc/postgres/pg_hba.conf"
+hba_file = '/etc/postgres/pg_hba.conf'
 
 
 #-------------------------------------------------------------------------------
@@ -16,7 +16,10 @@ hba_file = "/etc/postgres/pg_hba.conf"
 
 # Empty listen addresses to disable listening via TCP/IP
 # because we want only uni socket connections
-listen_addresses = ""
+listen_addresses = ''
+
+# Forbide access to users not in group postgres
+unix_socket_permissions = 0770
 
 
 #-------------------------------------------------------------------------------
@@ -26,4 +29,4 @@ listen_addresses = ""
 #-------------------------------------------------------------------------------
 
 # Redirect logs to stderr to be managed by journald
-log_destination = "stderr"
+log_destination = 'stderr'

files/systemd/postgres.conf

@@ -1,2 +1,3 @@
 [Service]
+ExecStart=
 ExecStart=/usr/bin/postgres -D ${PGDATA} -c config_file=/etc/postgres/postgresql.conf

netoik-db.spec

@@ -3,12 +3,12 @@
 Name:           %(make name)
 Version:        %(make version)
 Release:        %(make release)
-Summary:        Netoik Reverse Proxy
+Summary:        %(make summary)
-License:        MIT
+License:        %(make license)
-URL:            https://git.netoik.io/samuel/%(make name)
+URL:            %(make url)
 
-Source0:        %{name}-%{version}.tar.gz
+Source0:        %(make source0)
-Buildarch:      %(make build_arch)
+Buildarch:      %(make arch)
 BuildRequires:  make
 Requires:       postgresql-server postgresql
 
@@ -22,25 +22,23 @@ Install the database management system called postgresql with a predefined confi
 %make_install
 
 %post
-# Create databases and users from DB_USERS variable (separator is ",") if not existing
+# Create sock directory if not existing
-echo "$DB_USERS" | IFS="," read -ra users
+chown postgres:postgres "%{_rundir}/postgresql"
-for user in "${users[@]}"; do
-  if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --invert-match postgres | grep --quiet "$user"; then
-    runuser --user=postgres -- createuser "$user"
-    runuser --user=postgres -- createdb --owner="$user" "$user"
-  fi
-done
 
 # Restart services
 systemctl daemon-reload
-systemctl reenable --now postgresql.service
+systemctl reenable postgresql.service
+systemctl restart postgresql.service
 
 %files
-%attr(755, root, root) %{_sysconfdir}/postgres
+%dir %attr(755, root, root) %{_sysconfdir}/postgres
 %attr(644, root, root) %{_sysconfdir}/postgres/postgresql.conf
 %attr(644, root, root) %{_sysconfdir}/postgres/pg_hba.conf
+
+%dir %attr(755, root, root) %{_unitdir}/postgresql.service.d
 %attr(644, root, root) %{_unitdir}/postgresql.service.d/postgres.conf
 
+%dir %attr(755, -, -) %{_rundir}/postgresql
+
 %changelog
 %autochangelog
-