diff --git a/playbook.yml b/playbook.yml
index ab0faa3..efa8861 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -21,7 +21,7 @@
 - role: nginx
 - role: pi-hole
 - role: actual
- # - role: postgres
+ - role: postgres
 # - role: wedding
 # - role: changedetection
 # - role: monitoring
diff --git a/roles/postgres/files/ensure_certificate_setup.sh b/roles/postgres/files/ensure_certificate_setup.sh
index 8c6184a..bfebd82 100644
--- a/roles/postgres/files/ensure_certificate_setup.sh
+++ b/roles/postgres/files/ensure_certificate_setup.sh
@@ -1,15 +1,7 @@
 #!/bin/bash
 echo "Running as $(whoami)..."
-
-target_user='postgres'
-# This user shouldn't be mapped to postgres on the host but rather to postgres on the container.
-# This user has host uid: 558821 (in container it's uid: 70). This number is resolved by getting the start
-# of the subuid range for this user and then than adding 70 (-1) to it (since we know that that is the uid
-# of the postgres user within the container).
-target_path_subuid_start="$(su $target_user -c 'grep $USER /etc/subuid | cut -d ":" -f 2')"
-target_host_postgres_id=$(($target_path_subuid_start + 70 - 1))
-
-certsPath="/home/$target_user/certs"
+certsPath="/home/postgres/certs"
+target_host_postgres_id=70
 
 if [[ ! -e "$certsPath" ]]; then
 echo "Certs directory doesn't exist, creating certs directory: $certsPath..."
@@ -23,8 +15,6 @@
 for srcPath in $cert_files; do
 cp -L "$srcPath" "$certsPath"
 newFileName="$certsPath/$(basename $srcPath)"
- echo "Setting permissions for: $newFileName to uid: $target_host_postgres_id..."
- chown "$target_host_postgres_id:$target_host_postgres_id" "$newFileName"
 chmod 0600 "$newFileName"
 done
 
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 1eb87b6..1041d81 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
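Review bot: After this change the certificate files copied into `/home/postgres/certs` keep the ownership of whatever account runs the hook (root, going by the `/root/.bin/` install with `owner: root`) and are then `chmod 0600`, because the second hunk of this file drops the `chown` while `target_host_postgres_id=70` is still assigned and appears unused in the visible hunks. The removed comment states that PostgreSQL inside the container runs as uid 70; a root-owned 0600 `privkey.pem` behind the read-only bind mount in the compose template gives that uid no read access, so `ssl=on` would presumably refuse to start unless something outside these hunks fixes ownership. Either restore `chown "$target_host_postgres_id:$target_host_postgres_id" "$newFileName"` ahead of the `chmod` in the copy loop, now that no subuid mapping is needed, or delete the dead variable if ownership is handled elsewhere. The `if` block opened at the end of the first hunk closes outside it, and `cert_files` is assigned outside the second hunk.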
@@ -5,6 +5,7 @@
 vars:
 user_username: "{{ postgres_unix_username }}"
 user_password: "{{ postgres_unix_password }}"
+ user_add_to_docker_group: true
 - name: Install ensure_certificate_setup.sh
 become: true
 ansible.builtin.copy:
@@ -12,6 +13,7 @@
 dest: "/root/.bin/"
 mode: '0700'
 owner: root
+# Output of the hook can be found as part of the logs at: /var/log/letsencrypt/letsencrypt.log
 - name: Create certificates for PostgreSQL (postgres.kleinendorst.info)
 become: true
 ansible.builtin.command:
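Review bot: `user_add_to_docker_group: true` puts the `postgres_unix_username` service account into the docker group, which on a rootful Docker host is root-equivalent (the socket lets a member start a container with any host path mounted), yet no new task in this commit exercises it: `Create and start services` runs with `become: true` and no `become_user`, i.e. as root. Unless the membership is needed for interactive use, drop the line and keep the service account unprivileged as the rootless podman setup this replaces did. If it is kept, record the trade-off above it, e.g. `# Root-equivalent: docker group membership grants unrestricted access to the Docker socket`. The `vars:` block belongs to a role include whose header is above the hunk.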
@@ -24,46 +26,24 @@
 --agree-tos -m {{ administration_email }} -d postgres.kleinendorst.info
 creates: "/etc/letsencrypt/live/postgres.kleinendorst.info"
-- name: Create the postgres container
- ansible.builtin.include_role:
- name: podman-container
- apply:
- become: true
- become_user: "{{ postgres_unix_username }}"
- vars:
- podman_container_name: postgres
- podman_container_image: docker.io/postgres
- podman_container_tag: "{{ postgres_version }}"
- podman_container_publish:
- - 0.0.0.0:5432:5432
- podman_container_volumes:
- "/home/{{ postgres_unix_username }}/certs/fullchain.pem:/var/lib/postgresql/fullchain.pem:ro"
- "/home/{{ postgres_unix_username }}/certs/privkey.pem:/var/lib/postgresql/privkey.pem:ro"
- podman_simple_container_volumes:
- name: postgres_data
- mnt: /var/lib/postgresql/data
- podman_container_command:
- - -c
- ssl=on
- -c
- ssl_cert_file=/var/lib/postgresql/fullchain.pem
- -c
- ssl_key_file=/var/lib/postgresql/privkey.pem
- podman_container_env:
- POSTGRES_PASSWORD: "{{ postgres_password }}"
-- name: Create the postgres prometheus exporter container
- ansible.builtin.include_role:
- name: podman-container
- apply:
- become: true
- become_user: "{{ postgres_unix_username }}"
- vars:
- podman_container_name: postgres-prometheus-exporter
- podman_container_image: quay.io/prometheuscommunity/postgres-exporter
- podman_container_tag: "{{ postgres_prometheus_exporter_version }}"
- podman_container_publish:
- - 0.0.0.0:9187:9187
- podman_container_env:
- DATA_SOURCE_URI: "postgres.kleinendorst.info:5432/postgres"
- DATA_SOURCE_USER: "postgres"
- DATA_SOURCE_PASS: "{{ postgres_password }}"
+- name: Create the compose project directory
+ become: true
+ become_user: "{{ postgres_unix_username }}"
+ ansible.builtin.file:
+ path: "/home/{{ postgres_unix_username }}/postgres"
+ state: directory
+ owner: "{{ postgres_unix_username }}"
+ mode: '0744'
+- name: Create the compose project
+ become: true
+ become_user: "{{ postgres_unix_username }}"
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: "/home/{{ postgres_unix_username }}/postgres/docker-compose.yml"
+ owner: "{{ postgres_unix_username }}"
+ mode: '0644'
+- name: Create and start services
+ become: true
+ community.docker.docker_compose_v2:
+ project_src: "/home/{{ postgres_unix_username }}/postgres/"
+ register: docker_compose_output
 
diff --git a/roles/postgres/templates/docker-compose.yml.j2 b/roles/postgres/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..c93b95f
--- /dev/null
+++ b/roles/postgres/templates/docker-compose.yml.j2
@@ -0,0 +1,30 @@
+---
+services:
+ postgres:
+ image: docker.io/postgres:{{ postgres_version }}
+ ports:
+ - "0.0.0.0:5432:5432"
+ restart: always
+ volumes:
+ - "/home/{{ postgres_unix_username }}/certs/fullchain.pem:/var/lib/postgresql/fullchain.pem:ro"
+ - "/home/{{ postgres_unix_username }}/certs/privkey.pem:/var/lib/postgresql/privkey.pem:ro"
+ - "postgres_data:/var/lib/postgresql/data"
+ command:
+ - -c
+ - ssl=on
+ - -c
+ - ssl_cert_file=/var/lib/postgresql/fullchain.pem
+ - -c
+ - ssl_key_file=/var/lib/postgresql/privkey.pem
+ environment:
+ POSTGRES_PASSWORD: "{{ postgres_password }}"
+ postgres-prometheus-exporter:
+ image: quay.io/prometheuscommunity/postgres-exporter:{{ postgres_prometheus_exporter_version }}
+ ports:
+ - "0.0.0.0:9187:9187"
+ environment:
+ DATA_SOURCE_URI: "postgres.kleinendorst.info:5432/postgres"
+ DATA_SOURCE_USER: "postgres"
+ DATA_SOURCE_PASS: "{{ postgres_password }}"
+volumes:
+ postgres_data:
diff --git a/roles/user/vars/main/defaults.yml b/roles/user/vars/main/defaults.yml
new file mode 100644
index 0000000..73a763f
--- /dev/null
+++ b/roles/user/vars/main/defaults.yml
@@ -0,0 +1,2 @@
+---
+user_add_to_docker_group: false
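Review bot: The rendered `docker-compose.yml` contains `postgres_password` in clear (as `POSTGRES_PASSWORD` and `DATA_SOURCE_PASS` in the template) but the template task installs it with `mode: '0644'`, so every local account can read the database superuser password; the directory task's `mode: '0744'` likewise lets any account list the project directory. Nothing needs wider access, since the compose task runs as root (`become: true` with no `become_user`) and the owner is the postgres account, so tighten both: `mode: '0600'` on the template task and `mode: '0700'` on the directory task. A further step would be the postgres image's `POSTGRES_PASSWORD_FILE` fed from a compose `secrets:` entry, which keeps the password out of the container environment as well. `docker_compose_output` is registered but not read anywhere in this hunk; drop the `register:` if nothing later consumes it.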
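Review bot: `postgres-prometheus-exporter` has no `restart:` policy while `postgres` has `restart: always`, so after a host reboot or daemon restart the database comes back but the exporter stays down and monitoring silently stops; add `restart: always` under the exporter service. The exporter also connects as the superuser (`DATA_SOURCE_USER: "postgres"`) while being published on `0.0.0.0:9187` with no authentication of its own, so a dedicated role granted `pg_monitor` would limit what a compromise of the exporter can reach. Both ports are published on all interfaces, as in the podman configuration being removed, but Docker typically inserts its own iptables rules ahead of host firewall rules, so verify that whatever restricted 5432 and 9187 under podman still applies.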