PostgreSQL: Enterprise Relational Database

The Architecture Rationale

While lightweight environments often lean on NoSQL or simplistic relational databases, complex enterprise applications, transactional data, and advanced analytical pipelines demand the robust consistency and rich feature set of PostgreSQL. Rather than running PostgreSQL inside a bloated VM or nesting it inside application containers, I deployed it within a dedicated Proxmox LXC. This provides:

  1. Bare-Metal Performance: Minimal overhead with direct host kernel interaction.
  2. Resource Isolation: Dedicated memory limits prevent intense analytical queries from impacting other hosts in the ecosystem.
  3. Data Security: Centralized database storage simplifies disaster recovery, snapshotting, and clustering.

Phase 1: Rapid Deployment on Proxmox

The database server is spun up using a lightweight Debian-based container optimized for resource efficiency.

Phase 2: Administrative Hardening

Upon initialization, securing the root administrative account (postgres) is the top priority. To prevent your credentials from appearing in standard system process logs (which is a risk during interactive commands), the password is changed directly via a non-interactive local console pipe:

Bash

# Execute within the LXC root console to encrypt and update credentials immediately
echo "ALTER USER postgres with encrypted password 'YOUR_SECURE_PASSWORD';" | sudo -u postgres psql

🔒 Security Best Practice: Executing database mutations directly through UNIX sockets using local OS delegation (sudo -u postgres) completely eliminates network-based sniffing vectors during initialization, ensuring your credentials are encrypted immediately.

Phase 3: Access Control & Remote Binding

By default, PostgreSQL strictly binds only to the local loopback interface (127.0.0.1), rendering it unreachable by external resources like n8n or Dokploy applications.

1. Bind Address Configuration

Open the main configuration file (paths vary slightly depending on the PostgreSQL version, typically in /etc/postgresql/<version>/main/):

Bash

nano /etc/postgresql/16/main/postgresql.conf

Find the connection parameters and bind it to all active network interfaces:

Ini, TOML

listen_addresses = '*'

2. Host-Based Authentication (pg_hba.conf)

To prevent unauthorized network access, configure the host-based client authentication file to restrict database ingress exclusively to your internal network range:

Bash

nano /etc/postgresql/16/main/pg_hba.conf

Add the following line to the bottom of the file to permit connection exclusively from your LAN subnet using strong SCRAM-SHA-256 password hashing:

Plaintext

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             192.168.100.0/24        scram-sha-256

Restart the service to commit changes:

Bash

systemctl restart postgresql
systemctl status postgresql

Evaluation: PostgreSQL vs. MariaDB

DatabasePrimary StrengthsIdeal Use Case
PostgreSQLStrict ACID compliance, advanced data indexing, native JSONB support, extensive analytical functions.Highly complex enterprise services, stateful analytical backends (e.g., n8n persistent datastores).
MariaDBHigh write throughput, simple replication topologies, lightweight thread-per-connection model.Rapid web applications, content management systems, general-purpose persistent backends.