Add postgres to deployment

playbook.yml

@@ -21,7 +21,7 @@
     - role: nginx
     - role: pi-hole
     - role: actual
-    # - role: postgres
+    - role: postgres
     # - role: wedding
     # - role: changedetection
     # - role: monitoring

roles/postgres/files/ensure_certificate_setup.sh

@@ -1,15 +1,7 @@
 #!/bin/bash
 echo "Running as $(whoami)..."
-
+certsPath="/home/postgres/certs"
-target_user='postgres'
+target_host_postgres_id=70
-# This user shouldn't be mapped to postgres on the host but rather to postgres on the container.
-# This user has host uid: 558821 (in container it's uid: 70). This number is resolved by getting the start
-# of the subuid range for this user and then than adding 70 (-1) to it (since we know that that is the uid
-# of the postgres user within the container).
-target_path_subuid_start="$(su $target_user -c 'grep $USER /etc/subuid | cut -d ":" -f 2')"
-target_host_postgres_id=$(($target_path_subuid_start + 70 - 1))
-
-certsPath="/home/$target_user/certs"
 
 if [[ ! -e "$certsPath" ]]; then
     echo "Certs directory doesn't exist, creating certs directory: $certsPath..."
@@ -23,8 +15,6 @@ for srcPath in $cert_files; do
     cp -L "$srcPath" "$certsPath"
 
     newFileName="$certsPath/$(basename $srcPath)"
-    echo "Setting permissions for: $newFileName to uid: $target_host_postgres_id..."
-
     chown "$target_host_postgres_id:$target_host_postgres_id" "$newFileName"
     chmod 0600 "$newFileName"
 done

roles/postgres/tasks/main.yml

@@ -5,6 +5,7 @@
   vars:
     user_username: "{{ postgres_unix_username }}"
     user_password: "{{ postgres_unix_password }}"
+    user_add_to_docker_group: true
 - name: Install ensure_certificate_setup.sh
   become: true
   ansible.builtin.copy:
@@ -12,6 +13,7 @@
     dest: "/root/.bin/"
     mode: '0700'
     owner: root
+# Output of the hook can be found as part of the logs at: /var/log/letsencrypt/letsencrypt.log
 - name: Create certificates for PostgreSQL (postgres.kleinendorst.info)
   become: true
   ansible.builtin.command:
@@ -24,46 +26,24 @@
         --agree-tos -m {{ administration_email }}
         -d postgres.kleinendorst.info
     creates: "/etc/letsencrypt/live/postgres.kleinendorst.info"
-- name: Create the postgres container
+- name: Create the compose project directory
-  ansible.builtin.include_role:
+  become: true
-    name: podman-container
+  become_user: "{{ postgres_unix_username }}"
-    apply:
+  ansible.builtin.file:
-      become: true
+    path: "/home/{{ postgres_unix_username }}/postgres"
-      become_user: "{{ postgres_unix_username }}"
+    state: directory
-  vars:
+    owner: "{{ postgres_unix_username }}"
-    podman_container_name: postgres
+    mode: '0744'
-    podman_container_image: docker.io/postgres
+- name: Create the compose project
-    podman_container_tag: "{{ postgres_version }}"
+  become: true
-    podman_container_publish:
+  become_user: "{{ postgres_unix_username }}"
-      - 0.0.0.0:5432:5432
+  ansible.builtin.template:
-    podman_container_volumes:
+    src: docker-compose.yml.j2
-      - "/home/{{ postgres_unix_username }}/certs/fullchain.pem:/var/lib/postgresql/fullchain.pem:ro"
+    dest: "/home/{{ postgres_unix_username }}/postgres/docker-compose.yml"
-      - "/home/{{ postgres_unix_username }}/certs/privkey.pem:/var/lib/postgresql/privkey.pem:ro"
+    owner: "{{ postgres_unix_username }}"
-    podman_simple_container_volumes:
+    mode: '0644'
-      - name: postgres_data
+- name: Create and start services
-        mnt: /var/lib/postgresql/data
+  become: true
-    podman_container_command:
+  community.docker.docker_compose_v2:
-      - -c
+    project_src: "/home/{{ postgres_unix_username }}/postgres/"
-      - ssl=on
+  register: docker_compose_output
-      - -c
-      - ssl_cert_file=/var/lib/postgresql/fullchain.pem
-      - -c
-      - ssl_key_file=/var/lib/postgresql/privkey.pem
-    podman_container_env:
-      POSTGRES_PASSWORD: "{{ postgres_password }}"
-- name: Create the postgres prometheus exporter container
-  ansible.builtin.include_role:
-    name: podman-container
-    apply:
-      become: true
-      become_user: "{{ postgres_unix_username }}"
-  vars:
-    podman_container_name: postgres-prometheus-exporter
-    podman_container_image: quay.io/prometheuscommunity/postgres-exporter
-    podman_container_tag: "{{ postgres_prometheus_exporter_version }}"
-    podman_container_publish:
-      - 0.0.0.0:9187:9187
-    podman_container_env:
-      DATA_SOURCE_URI: "postgres.kleinendorst.info:5432/postgres"
-      DATA_SOURCE_USER: "postgres"
-      DATA_SOURCE_PASS: "{{ postgres_password }}"

roles/postgres/templates/docker-compose.yml.j2

@@ -0,0 +1,30 @@
+---
+services:
+  postgres:
+    image: docker.io/postgres:{{ postgres_version }}
+    ports:
+      - "0.0.0.0:5432:5432"
+    restart: always
+    volumes:
+      - "/home/{{ postgres_unix_username }}/certs/fullchain.pem:/var/lib/postgresql/fullchain.pem:ro"
+      - "/home/{{ postgres_unix_username }}/certs/privkey.pem:/var/lib/postgresql/privkey.pem:ro"
+      - "postgres_data:/var/lib/postgresql/data"
+    command:
+      - -c
+      - ssl=on
+      - -c
+      - ssl_cert_file=/var/lib/postgresql/fullchain.pem
+      - -c
+      - ssl_key_file=/var/lib/postgresql/privkey.pem
+    environment:
+      POSTGRES_PASSWORD: "{{ postgres_password }}"
+  postgres-prometheus-exporter:
+    image: quay.io/prometheuscommunity/postgres-exporter:{{ postgres_prometheus_exporter_version }}
+    ports:
+      - "0.0.0.0:9187:9187"
+    environment:
+      DATA_SOURCE_URI: "postgres.kleinendorst.info:5432/postgres"
+      DATA_SOURCE_USER: "postgres"
+      DATA_SOURCE_PASS: "{{ postgres_password }}"
+volumes:
+  postgres_data:

roles/user/vars/main/defaults.yml

@@ -0,0 +1,2 @@
+---
+user_add_to_docker_group: false