From 208fadd2ba298eaf17be2daa9feee4b48b474ad9 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 29 Jun 2024 07:47:04 -0500
Subject: [PATCH] postgresql: Configure for dedicated DB servers

I am going to use the *postgresql* group for the dedicated database servers. The configuration for those machines will be quite a bit different than for the one existing machine that is a member of that group already: the Nextcloud server. Rather than undefine/override all the group-level settings at the host level, I have removed the Nextcloud server from the *postgresql* group, and updated the `nextcloud.yml` playbook to apply the *postgresql-server* role itself. Eventually, I want to move the Nextcloud database to the central database servers. At that point, I will remove the *postgresql-server* role from the `nextcloud.yml` playbook.

---
 group_vars/nextcloud.yml | 3 +++
 group_vars/postgresql.yml | 51 +++++++++++++++++++++++++++++++++++++++
 hosts | 1 -
 nextcloud.yml | 1 +
 postgresql.yml | 8 ++++++
 5 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 group_vars/postgresql.yml
diff --git a/group_vars/nextcloud.yml b/group_vars/nextcloud.yml
index 683f9ef..20f295d 100644
--- a/group_vars/nextcloud.yml
+++ b/group_vars/nextcloud.yml
@@ -19,3 +19,6 @@ nextcloud_smtp:
 host: mail.pyrocufflink.blue
 port: 25
 dnf_automatic_exclude: nextcloud
+
+postgresql_config_dir: /var/lib/pgsql/data
+postgresql_allow_remote: false
diff --git a/group_vars/postgresql.yml b/group_vars/postgresql.yml
new file mode 100644
index 0000000..761950e
--- /dev/null
+++ b/group_vars/postgresql.yml
@@ -0,0 +1,51 @@
+data_volumes:
+- dev: /dev/vdb
+ fstype: ext4
+ mountpoint: /var/lib/pgsql
+
+postgresql_cert_domain: postgresql.{{ ansible_domain }}
+postgresql_cert_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+postgresql_cert_acme_server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
+postgresql_allow_remote: true
+postgresql_allow_sameuser_peer: false
+
+postgresql_config:
+ listen_addresses: '''*'''
+ ssl: 'on'
+ ssl_cert_file: '''{{ postgresql_config_dir }}/server.cer'''
+ ssl_key_file: '''{{ postgresql_config_dir }}/server.key'''
+ ssl_ca_file: '''{{ postgresql_config_dir }}/ca.crt'''
+
+ archive_mode: '''on'''
+ archive_timeout: 5min
+ archive_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-push %p'''
+ restore_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-fetch %f %p'''
+ hot_standby: 'on'
+
+pg_hba_extra:
+- type: hostssl
+ database: sameuser
+ user: all
+ address: 0.0.0.0/0
+ method: cert
+
+postgresql_restore_command: >-
+ runuser -u postgres --
+ wal-g-pg --config /etc/postgresql/wal-g.yml backup-fetch {{ pgdata_dir }} LATEST
+
+wal_g_aws_access_key_id: Ps0tjAlLFxnQkelX
+wal_g_aws_secret_access_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31313034633265346365356533623137323835386434313738353362386338666531656635306663
+ 3032636433343062366537306663383739633838383633350a353030316534356239363962333164
+ 30663565333566616563333766323163643466363639613733323262363135333362663364356533
+ 3161646331336265640a333639393463376538343466373362353133626562623562316539356464
+ 38613465326234346465336261306336623065613962363362383534346435633637626132613364
+ 3062396235663433623535373065626238643663623831306464
+
+wal_g_pg_config:
+ AWS_ACCESS_KEY_ID: '{{ wal_g_aws_access_key_id }}'
+ AWS_SECRET_ACCESS_KEY: '{{ wal_g_aws_secret_access_key }}'
+ WALG_S3_PREFIX: s3://pgbackup/spilo/postgresql-default/wal/15
+ AWS_S3_FORCE_PATH_STYLE: true
+ AWS_ENDPOINT: https://burp.pyrocufflink.blue:9000
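Review bot: `wal_g_aws_access_key_id` is committed in clear text while `wal_g_aws_secret_access_key` is vaulted; the key ID is still credential material for the S3 endpoint at burp.pyrocufflink.blue:9000 and should be stored the same way, i.e. `wal_g_aws_access_key_id: !vault |` followed by the encrypted payload, so that neither half of the pair is readable in the repository. The `pg_hba_extra` rule only matches `0.0.0.0/0`, so with `listen_addresses` set to `'*'` IPv6 connections are not covered by the cert rule; either add a parallel `address: ::/0` entry or leave a comment confirming IPv6 clients are meant to be rejected. `{{ pgdata_dir }}` and `{{ postgresql_config_dir }}` are used here but not defined in this file, presumably role defaults of postgresql-server; a one-line comment naming where they come from would save the next reader a search. As a point of style, `archive_mode: '''on'''` and `hot_standby: 'on'` render differently (`'on'` vs `on`) although both are boolean GUCs; pick one quoting form for the boolean settings.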
diff --git a/hosts b/hosts
index ca04424..ef263d3 100644
--- a/hosts
+++ b/hosts
@@ -90,7 +90,6 @@ cloud0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 [postgresql]
-cloud0.pyrocufflink.blue
 [public-web]
 web0.pyrocufflink.blue
diff --git a/nextcloud.yml b/nextcloud.yml
index 0f6739a..e9737b1 100644
--- a/nextcloud.yml
+++ b/nextcloud.yml
@@ -2,5 +2,6 @@
 vars_files:
 - vault/nextcloud
 roles:
+ - postgresql-server
 - apache
 - nextcloud
diff --git a/postgresql.yml b/postgresql.yml
index 22f74e3..2f84ac4 100644
--- a/postgresql.yml
+++ b/postgresql.yml
@@ -1,3 +1,11 @@
 - hosts: postgresql
 roles:
+ - role: trustca
+ ca: dch-root-ca-r2
+ - role: postgresql-cert
+ tags:
+ - postgresql-cert
+ - role: wal-g-pg
+ tags:
+ - wal-g
 - postgresql-server
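Review bot: In the postgresql.yml hunk the `trustca` role carries no tag, so a run limited with `--tags postgresql-cert` skips installing dch-root-ca-r2 even though the cert role runs right after it; if the ACME server configured in group_vars/postgresql.yml (ca.pyrocufflink.blue:32599) presents a certificate chained to that CA, a tagged run on a fresh host would fail before enrolment. Giving trustca the same tag keeps the tagged run self-contained: `- role: trustca` / `  ca: dch-root-ca-r2` / `  tags: [postgresql-cert]`. The ordering of postgresql-cert and wal-g-pg ahead of postgresql-server also deserves a comment, since both appear to write under the data directory that the server role presumably creates (`# cert and wal-g config must be in place before postgresql-server templates postgresql.conf`); I cannot confirm from this diff which role creates that directory.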