Add easy support for using a remote postgres database.

README.prod.md

@@ -859,3 +859,32 @@ understanding what's going on as you try to debug:
 Again, most issues with this setup tend to be subtle issues with the
 hostname/DNS side of the configuration.  Suggestions for how to
 improve this SSO setup documentation are very welcome!
+
+
+Remote Postgresql database
+==========================
+
+If you want to use a remote Postgresql database, you should configure the information about the connection with the server. You need a user called "zulip" in your database server. You can configure these options in /etc/zulip/settings.py
+
+* REMOTE_POSTGRES_HOST: Name or IP address of the remote host
+* REMOTE_POSTGRES_SSLMODE: SSL Mode used to connect to the server, different options you can use are:
+  * disable: I don't care about security, and I don't want to pay the overhead of encryption.
+  * allow: I don't care about security, but I will pay the overhead of encryption if the server insists on it.
+  * prefer: I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it.
+  * require: I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want.
+  * verify-ca: I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
+  * verify-full: I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.
+
+Then you should specify the password of the user zulip for the database in /etc/zulip/zulip-secrets.conf:
+
+```
+postgres_password = xxxx
+```
+
+Finally you can stop your database in the zulip server to save some memory, you can do it with:
+
+```
+sudo service postgresql stop
+sudo update-rc.d postgresql disable
+```
+

puppet/zulip/files/postgresql/process_fts_updates

@@ -4,6 +4,9 @@ import psycopg2.extensions
 import select
 import time
 import logging
+from django.conf import settings
+import sys
+import os
 
 def update_fts_columns(cursor):
     cursor.execute("SELECT id, message_id FROM fts_update_log;")
@@ -27,7 +30,26 @@ logger.setLevel(logging.DEBUG)
 
 logger.info("process_fts_updates starting")
 
-conn = psycopg2.connect("user=zulip")
+sys.path.insert(0, '/home/zulip/deployments/current')
+sys.path.insert(0, '/srv/zulip')
+os.environ['DJANGO_SETTINGS_MODULE'] = 'zproject.settings'
+try:
+    import zproject.settings
+    remote_postgres_host = settings.REMOTE_POSTGRES_HOST
+except:
+    remote_postgres_host = ''
+
+if remote_postgres_host != '':
+    postgres_password = ''
+    if settings.DATABASES['default']['PASSWORD'] is not None:
+        postgres_password = "password='%s'" % settings.DATABASES['default']['PASSWORD']
+    if settings.REMOTE_POSTGRES_SSLMODE != '':
+        postgres_sslmode = settings.REMOTE_POSTGRES_SSLMODE
+    else:
+        postgres_sslmode = 'verify-full'
+    conn = psycopg2.connect("user=zulip %s host='%s' dbname=zulip connect_timeout=600 sslmode='%s'" % (postgres_password, remote_postgres_host, postgres_sslmode))
+else:
+    conn = psycopg2.connect("user=zulip")
 cursor = conn.cursor()
 
 conn.set_isolation_level(psycopg2.extensions.ISOLATION_LEVEL_AUTOCOMMIT)
@@ -51,4 +73,3 @@ while True:
         while conn.notifies:
             conn.notifies.pop()
             update_fts_columns(cursor)
-

zproject/local_settings_template.py

@@ -149,6 +149,19 @@ ENABLE_GRAVATAR = True
 # and uncomment the following line.
 #DEFAULT_AVATAR_URI = '/local-static/default-avatar.png'
 
+# To access an external postgres database you should define the host name in
+# REMOTE_POSTGRES_HOST, you can define the password in the secrets file in the
+# property postgres_password, and the SSL connection mode in REMOTE_POSTGRES_SSLMODE
+# Different options are:
+#   disable: I don't care about security, and I don't want to pay the overhead of encryption.
+#   allow: I don't care about security, but I will pay the overhead of encryption if the server insists on it.
+#   prefer: I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it.
+#   require: I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want.
+#   verify-ca: I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
+#   verify-full: I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.
+#REMOTE_POSTGRES_HOST = 'dbserver.example.com'
+#REMOTE_POSTGRES_SSLMODE = 'require'
+
 ### TWITTER INTEGRATION
 
 # Zulip supports showing inline Tweet previews when a tweet is linked

zproject/settings.py

@@ -150,6 +150,7 @@ DEFAULT_SETTINGS = {'TWITTER_CONSUMER_KEY': '',
                     'ZULIP_COM_STAGING': False,
                     'STATSD_HOST': '',
                     'REMOTE_POSTGRES_HOST': '',
+                    'REMOTE_POSTGRES_SSLMODE': '',
                     'GOOGLE_CLIENT_ID': '',
                     'DBX_APNS_CERT_FILE': None,
                     }
@@ -312,7 +313,14 @@ elif REMOTE_POSTGRES_HOST != '':
     DATABASES['default'].update({
             'HOST': REMOTE_POSTGRES_HOST,
             })
-    DATABASES['default']['OPTIONS']['sslmode'] = 'verify-full'
+    if get_secret("postgres_password") is not None:
+        DATABASES['default'].update({
+            'PASSWORD': get_secret("postgres_password"),
+            })
+    if REMOTE_POSTGRES_SSLMODE != '':
+        DATABASES['default']['OPTIONS']['sslmode'] = REMOTE_POSTGRES_SSLMODE
+    else:
+        DATABASES['default']['OPTIONS']['sslmode'] = 'verify-full'
 
 ########################################################################
 # RABBITMQ CONFIGURATION