Warning: PostgreSQL configuration is not controlled by a Debian package, but it should be. Ideally `pg_hba.conf` and `pg_ident.conf` would be managed by DomTool, or some other system management daemon.

The current node is fritz, with Postgres 8.1 on port 5422 and Postgres 9.1 on port 5433. Note that navajos/bog can only use Postgres 9.1, and support for 8.1 will be removed once mire has been decommissioned.

The source code of DomTool's dbms module is useful as documentation.

== Tablespaces ==

Each user has a tablespace in `/srv/database/$PATHBITS/$USER/{postgres,postgres-9.1}`, created by the `create-user-database` script.

Tablespaces are an artifact from when we stored databases in AFS. There may be some organizational advantage as well, but future admins should revisit the issue.

== Authentication ==

The `pg_hba.conf` of every install must explicitly list the allowed hosts. Firewall rules on both sides should be opened.

Postgres 8.1 uses ident. It's a hack, but GSSAPI support wasn't quite functional enough, or at least we'll say it wasn't.

Postgres 9.1 uses GSSAPI. A `pg_ident.conf` is used to map `$USER/daemon@HCOOP.NET` to the Postgres user `$USER`. This has the advantage that `$USER@HCOOP.NET` resolves to the same database user. See the [[http://www.postgresql.org/docs/9.1/static/auth-methods.html#KERBEROS-AUTH|postgres auth docs]] for details; we're using a pretty standard setup.

Additionally, there must be a rule to allow clients on the database server to connect to itself over TCP for various administrative functions, since DomTool is configured to use TCP for maintaining node independence.

== Network ==

Always remember to set `listen_addresses = '*'`, or (better) the IP that Postgres should really listen on. Otherwise, connections will fail mysteriously.

----
CategoryNeedsWork CategorySystemAdministration
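
A sketch of the Postgres 9.1 setup that the Authentication and Network sections describe, added here as an example and not copied from fritz's actual configuration. The map name `hcoop`, the 192.0.2.x placeholder addresses, and the use of `gss` for the server's own TCP rule are assumptions.

```conf
# --- postgresql.conf (Postgres 9.1, port 5433 as stated on this page) ---
# Bind to the address clients should reach rather than '*'.
# 192.0.2.10 is a placeholder for the database server's own IP.
listen_addresses = '192.0.2.10'
port = 5433

# --- pg_hba.conf ---
# TYPE  DATABASE  USER  ADDRESS        METHOD  OPTIONS
# One line per allowed client host (placeholder address); no catch-all ranges.
host    all       all   192.0.2.21/32  gss     include_realm=1 krb_realm=HCOOP.NET map=hcoop
# The database server connecting to itself over TCP for administrative
# functions (assumed to authenticate the same way as remote clients).
host    all       all   192.0.2.10/32  gss     include_realm=1 krb_realm=HCOOP.NET map=hcoop

# --- pg_ident.conf ---
# MAPNAME  SYSTEM-USERNAME                  PG-USERNAME
# A leading "/" marks the second field as a regular expression;
# \1 in the third field is replaced by the first capture group.
# include_realm=1 above makes the realm part of the name matched here.
hcoop      /^([^/@]+)/daemon@HCOOP\.NET$    \1
hcoop      /^([^/@]+)@HCOOP\.NET$           \1
```

With these two map lines, `alice/daemon@HCOOP.NET` and `alice@HCOOP.NET` both resolve to the database user `alice`, while any other instance (for example `alice/admin`) or any other realm matches no line and is rejected.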