From 3b48965afe78b5846c780aa995d36c15b19be7a8 Mon Sep 17 00:00:00 2001
From: Bernhard Radermacher <bwr@celsius.bwr.net>
Date: Wed, 25 Feb 2026 15:00:50 +0100
Subject: [PATCH] initial

---
 Dockerfile                    |  22 ++++++
 entrypoint.sh                 | 141 ++++++++++++++++++++++++++++++++++
 postgres/.profile             |   1 +
 postgres/.ssh/authorized_keys |   1 +
 postgres/.ssh/id_ed25519      |   7 ++
 5 files changed, 172 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 entrypoint.sh
 create mode 100644 postgres/.profile
 create mode 100644 postgres/.ssh/authorized_keys
 create mode 100644 postgres/.ssh/id_ed25519

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..59ff42c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM postgres:15
+
+
+RUN mkdir -p "$PGDATA" && \
+    chmod 00700 "$PGDATA" && \
+    mkdir -p /var/run/postgresql && \
+    chmod 03755 /var/run/postgresql
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+            openssh-server \
+            sudo \
+            && \
+    rm -rf /var/lib/apt/lists/* && \
+    printf "\npostgres  ALL = (ALL) NOPASSWD:ALL\n" >> /etc/sudoers && \
+    printf "\nX11Forwarding no\nPasswordAuthentication no\n" >> /etc/ssh/sshd_config && \
+    printf "\nStrictHostKeyChecking no\n" >> /etc/ssh/ssh_config
+COPY --chown=postgres:postgres postgres /var/lib/postgresql/
+
+COPY --chmod=755 entrypoint.sh /usr/local/bin/
+
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..5cbe128
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+
+set -Eeo pipefail
+
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+	file_env 'POSTGRES_REPLICATOR_USERNAME'
+	file_env 'POSTGRES_REPLICATOR_PASSWORD'
+	file_env 'POSTGRES_PGPOOL_USERNAME'
+	file_env 'POSTGRES_PGPOOL_PASSWORD'
+}
+
+docker_init_database() {
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+	eval 'initdb --username=postgres --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+docker_temp_server_start() {
+  NOTIFY_SOCKET= \
+  PGUSER="${PGUSER:-postgres}" \
+  pg_ctl -D "$PGDATA" \
+  	-o "-c listen_addresses='' -p 5432" \
+   	-w start
+}
+
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+pg_setup_conf() {
+	{
+		printf "\n"
+    printf "archive_command          = '/bin/true'\n"
+    printf "archive_mode             = on\n"
+    printf "hot_standby              = on\n"
+    printf "max_replication_slots    = 10\n"
+    printf "max_wal_senders          = 10\n"
+    printf "wal_compression          = on\n"
+    printf "wal_log_hints            = on\n"
+    if [[ -n $POSTGRES_MAX_CONNECTIONS ]]; then
+      printf "\nmax_connections = '%s'\n" "$POSTGRES_MAX_CONNECTIONS"
+    fi
+	} >> "$PGDATA/postgresql.conf"
+}
+
+pg_setup_hba_conf() {
+	{
+		printf '\n'
+    printf 'local  all  all  trust\n'
+    if [[ -n $POSTGRES_REPLICATOR_USERNAME ]]; then
+      printf 'local  replication  %s  trust\n' "$POSTGRES_REPLICATOR_USERNAME"
+      printf 'host  replication  %s  127.0.0.1/32  trust\n' "$POSTGRES_REPLICATOR_USERNAME"
+      printf 'host  replication  %s  %s  trust\n' "$POSTGRES_REPLICATOR_USERNAME" "${POSTGRES_NETWORK:-100.64.0.0/10}"
+    fi
+    if [[ -n $POSTGRES_PGPOOL_USERNAME ]]; then
+      printf 'local  replication  %s  trust\n' "$POSTGRES_PGPOOL_USERNAME"
+      printf 'host  replication  %s  127.0.0.1/32  trust\n' "$POSTGRES_PGPOOL_USERNAME"
+      printf 'host  replication  %s  %s  trust\n' "$POSTGRES_PGPOOL_USERNAME" "${POSTGRES_NETWORK:-100.64.0.0/10}"
+    fi
+    printf '\n'
+    printf 'host  all all all scram-sha-256'
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+
+if [ "$(id -u)" = '0' ]; then
+	exec gosu postgres "$BASH_SOURCE"
+fi
+
+docker_setup_env
+
+if [[ ! -s "$PGDATA/PG_VERSION" ]]; then
+  if [[ -z $POSTGRES_UPSTREAM ]] || [[ -z $POSTGRES_REPLICATOR_USERNAME ]]; then
+    docker_init_database
+    pg_setup_conf
+    pg_setup_hba_conf
+
+    if [[ -n $POSTGRES_REPLICATOR_USERNAME ]] || [[ -n $POSTGRES_PGPOOL_USERNAME ]]; then
+      export PGPASSWORD="$POSTGRES_PASSWORD"
+      docker_temp_server_start
+      if [[ -n $POSTGRES_REPLICATOR_USERNAME ]]; then
+        psql -c "CREATE USER ${POSTGRES_REPLICATOR_USERNAME} WITH SUPERUSER ENCRYPTED PASSWORD '${POSTGRES_REPLICATOR_PASSWORD}';"
+      fi
+      if [[ -n $POSTGRES_PGPOOL_USERNAME ]]; then
+        psql -c "CREATE USER ${POSTGRES_PGPOOL_USERNAME} WITH SUPERUSER ENCRYPTED PASSWORD '${POSTGRES_PGPOOL_PASSWORD}';"
+      fi
+      docker_temp_server_stop
+  		unset PGPASSWORD
+    fi
+
+  else
+    until pg_basebackup -h "${POSTGRES_UPSTREAM}" -U "${POSTGRES_REPLICATOR_USERNAME}" -D "${PGDATA}" -Fp -Xs -R &> /dev/null
+    do
+      echo "Upstream host not ready. Waiting for 5 minutes..."
+      sleep 300
+    done
+  fi
+
+fi
+
+sudo service ssh start
+
+postgres
diff --git a/postgres/.profile b/postgres/.profile
new file mode 100644
index 0000000..144512f
--- /dev/null
+++ b/postgres/.profile
@@ -0,0 +1 @@
+export PATH="${PATH}:/usr/lib/postgresql/15/bin"
\ No newline at end of file
diff --git a/postgres/.ssh/authorized_keys b/postgres/.ssh/authorized_keys
new file mode 100644
index 0000000..8f1fa7f
--- /dev/null
+++ b/postgres/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILfsb4w8ZYhu/A1HFR/e59WpbKxejE8DkbdCpj6y/mbO postgres docker swarm
\ No newline at end of file
diff --git a/postgres/.ssh/id_ed25519 b/postgres/.ssh/id_ed25519
new file mode 100644
index 0000000..2f40cc8
--- /dev/null
+++ b/postgres/.ssh/id_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC37G+MPGWIbvwNRxUf3ufVqWysXoxPA5G3QqY+sv5mzgAAAJgP2LF4D9ix
+eAAAAAtzc2gtZWQyNTUxOQAAACC37G+MPGWIbvwNRxUf3ufVqWysXoxPA5G3QqY+sv5mzg
+AAAEBhVUtZmAbot+VXJpY/IueHrCQeTDgClUTCepMJa1mqZbfsb4w8ZYhu/A1HFR/e59Wp
+bKxejE8DkbdCpj6y/mbOAAAAFXBvc3RncmVzIGRvY2tlciBzd2FybQ==
+-----END OPENSSH PRIVATE KEY-----