Here's an example of what the accessory for Postgres could look like. It would rely on you updating the .kamal/secrets to also pass the POSTGRES_PASSWORD for the initial setup. Also, you would want to take care because in this situation, you're exposing port 5432 to the world as well. This shouldn't be an issue if you have a firewall, but you still want to take precautions. You could do something like
127.0.0.1:5432:5432
to expose it only on the localhost, but could have issues if you ever outgrow a single server setup.
Running kamal setup will install docker for you automatically as it does detect if it doesn't exist. In the episode example of the DO Droplet, I didn't do any pre-setup or hardening. Kamal installed docker and everything it needed.
> Also, you would want to take care because in this situation, you're exposing port 5432 to the world as well. > [...] You could do something like 127.0.0.1:5432:5432
Yeah with Kamal 2 you can avoid exposing the port to the world by setting the postgres accessory `port` to `127.0.0.1:5432:5432` instead of `5432:5432`, and in the `database.yml` or env var config making sure the host is `servicename-accessoryname` instead of an IP, e.g. `app1-postgres`, so the Rails app can connect to the database via Kamal 2's internal docker local network.
This is explained in the the Kamal 2 presentation video at 14:26: https://youtu.be/QC4b2teG_hc?feature=shared&t=866. It is not yet well known as this tip was documented in deploy.yml only last week in the Rails main branch, but if you run `rails new --main` you will see those deploy.yml comments about the local network.
But as David said, that will only work for single server setups.
when I try the kamal setup it was complaining about credentials as I was expect they will load via .env, but failled after I use kamal secrets print, I realize that I ahve no values, so I had to run export KEY from my terminal as kamal will read from there.
In Kamal 2, the secrets were moved from .env to .kamal/secrets. Be careful as this file is included in your version control by default (not added to .gitignore).
David Kimura abs. :) they will not be added. For me is not clear now where to load my ENV. I could just use rails credentials, but happens with all people like me, that Are using .env?
Thanks for the video. When you mention having a firewall in your comment, what exactly do you mean? Do you set up the firewall yourself, or is it provided by DigitalOcean droplets or Kamal? I am considering using Kamal instead of a PaaS platform that handles security automatically. Should I take additional steps to secure Kamal? Also, is there an advanced video on firewalls available?
This will block incoming requests except the SSH port, and ports 80 & 443. For server hardening, I also like updating all of the packages on a fresh install and installing fail2ban. I'll also typically update my SSH config (or verify it) that password authentication is disabled, so you can only use a SSH key to authenticate.
Good video. I have a question about postgres. Is it possible to create several databases at once via deploy.yml (for the application, for the queue, for the cache...). It seems that it is not. What is the best way to do it then?
You can use the one postgresql instance and have multiple databases on that instance. You do not need to create separate instances (one for each database). If you have specific requirements because maybe a queue database or cache database has different infrastructure requirements, then you should be able to set up additional servers and use the accessories for each of those servers to host their own container of postgresql. But if we're talking a more simple setup (everything on one box/vm) then you would need just the one postgresql instance (even with multiple databases).
Great video. Could you demo a deploy with postgresql on the same server?
to expose it only on the localhost, but could have issues if you ever outgrow a single server setup.
# config/deploy.yml accessories: postgres: image: postgres:17 port: 5432:5432 host: IP_OF_THE_SERVER env: clear: POSTGRES_USER: APPLICATION_NAME POSTGRES_DB: APPLICATION_NAME_production secret: - POSTGRES_PASSWORD directories: - data:/var/lib/postgresql/data> [...] You could do something like 127.0.0.1:5432:5432
Yeah with Kamal 2 you can avoid exposing the port to the world by setting the postgres accessory `port` to `127.0.0.1:5432:5432` instead of `5432:5432`, and in the `database.yml` or env var config making sure the host is `servicename-accessoryname` instead of an IP, e.g. `app1-postgres`, so the Rails app can connect to the database via Kamal 2's internal docker local network.
This is explained in the the Kamal 2 presentation video at 14:26: https://youtu.be/QC4b2teG_hc?feature=shared&t=866. It is not yet well known as this tip was documented in deploy.yml only last week in the Rails main branch, but if you run `rails new --main` you will see those deploy.yml comments about the local network.
But as David said, that will only work for single server setups.
after I use kamal secrets print, I realize that I ahve no values, so I had to run export KEY from my terminal as kamal will read from there.
any better ideas here?
Hey David,
Thanks for the video. When you mention having a firewall in your comment, what exactly do you mean? Do you set up the firewall yourself, or is it provided by DigitalOcean droplets or Kamal? I am considering using Kamal instead of a PaaS platform that handles security automatically. Should I take additional steps to secure Kamal? Also, is there an advanced video on firewalls available?
Thanks!
This will block incoming requests except the SSH port, and ports 80 & 443. For server hardening, I also like updating all of the packages on a fresh install and installing fail2ban. I'll also typically update my SSH config (or verify it) that password authentication is disabled, so you can only use a SSH key to authenticate.