This commit is contained in:
11
README.md
@@ -147,6 +147,8 @@ Connect to the new database and grant privileges required for migrations and run
|
||||
|
||||
```sql
|
||||
\c vctp
|
||||
ALTER DATABASE vctp OWNER TO vctp_user;
|
||||
ALTER SCHEMA public OWNER TO vctp_user;
|
||||
GRANT CONNECT, TEMP ON DATABASE vctp TO vctp_user;
|
||||
GRANT USAGE, CREATE ON SCHEMA public TO vctp_user;
|
||||
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO vctp_user;
|
||||
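Review bot: `ALTER DATABASE vctp OWNER TO vctp_user;` and `ALTER SCHEMA public OWNER TO vctp_user;` hand the application role ownership, which goes further than the section's stated goal of granting the privileges required for migrations. A schema owner can drop the schema and the objects in it, and ownership already implies the `GRANT USAGE, CREATE ON SCHEMA public TO vctp_user;` line that follows, so the block now mixes two privilege models. Either state in the README that ownership is intentional and why the explicit grants were not sufficient, or keep the grants alone; if the same role also serves runtime queries, consider documenting a separate migration role so the runtime account does not own the schema.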
@@ -155,6 +157,12 @@ ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO vctp_user;
|
||||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO vctp_user;
|
||||
```
|
||||
|
||||
Verify effective schema privileges (useful if migrations fail creating `goose_db_version`):
|
||||
|
||||
```sql
|
||||
SELECT has_schema_privilege('vctp_user', 'public', 'USAGE,CREATE');
|
||||
```
|
||||
|
||||
Recommended auth/network configuration:
|
||||
|
||||
- Ensure PostgreSQL is listening on the expected interface/port in `postgresql.conf` (for example, `listen_addresses` and `port`).
|
||||
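Review bot: the verification query `SELECT has_schema_privilege('vctp_user', 'public', 'USAGE,CREATE');` can report success in exactly the failure case it is meant to catch. When several privilege types are passed as a comma-separated list, PostgreSQL returns true if any one of them is held, so a role with `USAGE` but without `CREATE` still yields `t` while the migration fails to create `goose_db_version`. Suggest checking the two privileges separately, for example `SELECT has_schema_privilege('vctp_user', 'public', 'USAGE') AS usage, has_schema_privilege('vctp_user', 'public', 'CREATE') AS create;`, and stating in the README that both columns are expected to be `t`.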
@@ -241,6 +249,9 @@ Database:
|
||||
HTTP/TLS:
|
||||
- `settings.bind_ip`: IP address to bind the HTTP server
|
||||
- `settings.bind_port`: TCP port to bind the HTTP server
|
||||
- `settings.bind_port` below `1024` (for example `443`) requires privileged bind permissions.
|
||||
The packaged systemd unit grants `CAP_NET_BIND_SERVICE` to the `vctp` user; if you run
|
||||
vCTP outside that unit, grant equivalent capability or use a non-privileged port.
|
||||
- `settings.bind_disable_tls`: `true` to serve plain HTTP (no TLS)
|
||||
- `settings.tls_cert_filename`: PEM certificate path (TLS mode)
|
||||
- `settings.tls_key_filename`: PEM private key path (TLS mode)
|
||||
|
||||
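Review bot: in the new `settings.bind_port` below `1024` note, "grants `CAP_NET_BIND_SERVICE` to the `vctp` user" and "grant equivalent capability" are too loose to act on. A systemd unit gives a capability to the service process, not to the user account, so someone starting the binary as `vctp` from a shell will not have it; name the unit directive the packaged unit uses and give one concrete alternative for running outside the unit (for example a file capability set with `setcap` on the installed binary), and say explicitly that running as root is not the intended workaround. The note is also written as its own list item beginning with the key name, which reads like a second definition of `settings.bind_port`; nesting it under the existing `settings.bind_port` entry would be clearer.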