👯‍ First draft for database replication

compose.yml

@@ -72,12 +72,21 @@ services:
     restart: always
 
   database:
-    image: citusdata/citus
+    build: database
     environment:
       POSTGRES_USER: user
       POSTGRES_PASSWORD: example
       POSTGRES_DB: autochess
 
+  database-secondary:
+    build: database-secondary
+    environment:
+      POSTGRES_USER: user
+      POSTGRES_PASSWORD: example
+      POSTGRES_DB: autochess
+    depends_on:
+      - database
+
   ingame:
     build:
       context: ingame

database-secondary/Dockerfile

@@ -0,0 +1,3 @@
+FROM autochess-database
+RUN rm /docker-entrypoint-initdb.d/init.sh
+COPY init.sh /docker-entrypoint-initdb.d/init.sh

database-secondary/init.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+setup_keys() {
+    cp /certs/secondary.key "$PGDATA/server.key"
+    cp /certs/secondary.crt "$PGDATA/server.crt"
+    cp /certs/ca.crt "$PGDATA/ca.crt"
+    chown postgres:postgres "$PGDATA/server.key" "$PGDATA/server.crt" "$PGDATA/ca.crt"
+    chmod 600 "$PGDATA/server.key"
+    chmod 644 $PGDATA/server.crt $PGDATA/ca.crt
+    echo "ssl = on" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_cert_file = '$PGDATA/server.crt'" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_key_file = '$PGDATA/server.key'" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_ca_file = '$PGDATA/ca.crt'" >> "$PGDATA/postgresql.auto.conf"
+}
+
+configure_replication() {
+    echo "primary_conninfo = 'host=database port=5432 user=$POSTGRES_USER'" >> "$PGDATA/postgresql.auto.conf"
+    echo "hot_standby = on" >> "$PGDATA/postgresql.auto.conf"
+}
+
+setup_keys
+configure_replication
+touch "$PGDATA/standby.signal"
+

database/Dockerfile

@@ -0,0 +1,4 @@
+FROM citusdata/citus
+COPY key-gen.sh /key-gen.sh
+RUN /key-gen.sh
+COPY init.sh /docker-entrypoint-initdb.d/init.sh

database/init.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+setup_keys() {
+    cp /certs/primary.key "$PGDATA/server.key"
+    cp /certs/primary.crt "$PGDATA/server.crt"
+    cp /certs/ca.crt "$PGDATA/ca.crt"
+    chown postgres:postgres $PGDATA/server.key $PGDATA/server.crt $PGDATA/ca.crt
+    chmod 600 $PGDATA/server.key
+    chmod 644 $PGDATA/server.crt $PGDATA/ca.crt
+    echo "ssl = on" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_cert_file = '$PGDATA/server.crt'" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_key_file = '$PGDATA/server.key'" >> "$PGDATA/postgresql.auto.conf"
+    echo "ssl_ca_file = '$PGDATA/ca.crt'" >> "$PGDATA/postgresql.auto.conf"
+}
+
+configure_replication() {
+    echo "listen_addresses = '*'" >> $PGDATA/postgresql.auto.conf
+    echo "wal_level = replica" >> $PGDATA/postgresql.auto.conf
+    echo "max_wal_senders = 10" >> $PGDATA/postgresql.auto.conf
+    echo "wal_keep_size = 1GB" >> $PGDATA/postgresql.auto.conf
+    echo "host replication $POSTGRES_USER all md5" >> $PGDATA/pg_hba.conf
+}
+
+configure_replication
+setup_keys

database/key-gen.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+CERTS_DIR="/certs"
+mkdir -p "$CERTS_DIR"
+
+echo "Generating CA..."
+openssl genrsa -out "$CERTS_DIR/ca.key" 2048
+openssl req -x509 -new -nodes -key "$CERTS_DIR/ca.key" -sha256 -days 3650 -out "$CERTS_DIR/ca.crt" \
+  -subj "/CN=PostgreSQL_CA"
+
+echo "Generating keys for primary..."
+openssl genrsa -out "$CERTS_DIR/primary.key" 2048
+openssl req -new -key "$CERTS_DIR/primary.key" -out "$CERTS_DIR/primary.csr" \
+  -subj "/CN=db-primary"
+openssl x509 -req -in "$CERTS_DIR/primary.csr" -CA "$CERTS_DIR/ca.crt" -CAkey "$CERTS_DIR/ca.key" \
+  -CAcreateserial -out "$CERTS_DIR/primary.crt" -days 3650 -sha256
+
+echo "Generating keys for secondary..."
+openssl genrsa -out "$CERTS_DIR/secondary.key" 2048
+openssl req -new -key "$CERTS_DIR/secondary.key" -out "$CERTS_DIR/secondary.csr" \
+  -subj "/CN=db-secondary"
+openssl x509 -req -in "$CERTS_DIR/secondary.csr" -CA "$CERTS_DIR/ca.crt" -CAkey "$CERTS_DIR/ca.key" \
+  -CAcreateserial -out "$CERTS_DIR/secondary.crt" -days 3650 -sha256
+
+rm "$CERTS_DIR/"*.csr
+
+chown -R "$POSTGRES_USER:$POSTGRES_USER" "$CERTS_DIR"
+chmod 777 "$CERTS_DIR/"*.key
+chmod 777 "$CERTS_DIR/"*.crt