From 573f1df7850dc3a05913c4a3a67470aeb9018f0b Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Thu, 14 Nov 2024 18:38:38 +0100 Subject: [PATCH] feat(postgresql): add ansible role for postgresql deployment --- README.md | 3 + galaxy.yml | 2 + playbooks/postgresql.yml | 6 ++ roles/postgresql/README.md | 4 ++ roles/postgresql/defaults/main/config.yml | 17 +++++ roles/postgresql/defaults/main/container.yml | 60 +++++++++++++++++ roles/postgresql/defaults/main/main.yml | 34 ++++++++++ roles/postgresql/defaults/main/user.yml | 10 +++ roles/postgresql/handlers/main.yml | 12 ++++ roles/postgresql/meta/main.yml | 12 ++++ roles/postgresql/tasks/configure.yml | 49 ++++++++++++++ roles/postgresql/tasks/deploy-docker.yml | 47 +++++++++++++ roles/postgresql/tasks/initialize-docker.yml | 48 +++++++++++++ roles/postgresql/tasks/main.yml | 67 +++++++++++++++++++ roles/postgresql/tasks/prepare.yml | 33 +++++++++ .../postgresql/templates/postgresql-passwd.j2 | 19 ++++++ roles/postgresql/vars/main.yml | 6 ++ 17 files changed, 429 insertions(+) create mode 100644 playbooks/postgresql.yml create mode 100644 roles/postgresql/README.md create mode 100644 roles/postgresql/defaults/main/config.yml create mode 100644 roles/postgresql/defaults/main/container.yml create mode 100644 roles/postgresql/defaults/main/main.yml create mode 100644 roles/postgresql/defaults/main/user.yml create mode 100644 roles/postgresql/handlers/main.yml create mode 100644 roles/postgresql/meta/main.yml create mode 100644 roles/postgresql/tasks/configure.yml create mode 100644 roles/postgresql/tasks/deploy-docker.yml create mode 100644 roles/postgresql/tasks/initialize-docker.yml create mode 100644 roles/postgresql/tasks/main.yml create mode 100644 roles/postgresql/tasks/prepare.yml create mode 100644 roles/postgresql/templates/postgresql-passwd.j2 create mode 100644 roles/postgresql/vars/main.yml diff --git a/README.md b/README.md index 6195bf7..27876af 100644 --- a/README.md +++ b/README.md 
@@ -11,6 +11,9 @@ - [`mariadb`](roles/mariadb/README.md): deploy mariadb in a docker container +- [`postgresql`](roles/postgresql/README.md): deploy postgresql, + the worlds most advances open-source relational database + - [`valkey`](roles/valkey/README.md): deploy and configure valkey, an open source in-memory data store under BSD license, forked from redis. diff --git a/galaxy.yml b/galaxy.yml index 9eda0ba..845b873 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,5 +16,7 @@ tags: - elasticsearch - redis - mariadb + - postgresql + - postgres - valkey - docker diff --git a/playbooks/postgresql.yml b/playbooks/postgresql.yml new file mode 100644 index 0000000..1c0d7ac --- /dev/null +++ b/playbooks/postgresql.yml @@ -0,0 +1,6 @@ +--- +- name: Deploy and configure PostgreSQL + hosts: "{{ postgresql_hosts | default('postgresql', true) }}" + become: "{{ postgresql_become | default(true, true) }}" + roles: + - role: finallycoffee.databases.postgresql diff --git a/roles/postgresql/README.md b/roles/postgresql/README.md new file mode 100644 index 0000000..c037305 --- /dev/null +++ b/roles/postgresql/README.md @@ -0,0 +1,4 @@ +# `finallycoffee.databases.postgresql` ansible role + +PostgreSQL is the self proclaimed "world's most advanced" open source relational +database. This ansible role can deploy and configure postgresql. diff --git a/roles/postgresql/defaults/main/config.yml b/roles/postgresql/defaults/main/config.yml new file mode 100644 index 0000000..0badb94 --- /dev/null +++ b/roles/postgresql/defaults/main/config.yml 
@@ -0,0 +1,17 @@ +--- +postgresql_config_connect_socket: true +postgresql_config_unix_socket_directories: + - "/var/run/postgresql" +postgresql_config_listen_addresses: + - '*' +postgresql_config_port: 5432 + +postgresql_base_config: + listen_addresses: "{{ postgresql_config_listen_addresses }}" + connect_socket: "{{ postgresql_config_connect_socket }}" + port: "{{ postgresql_config_port }}" +postgresql_merged_config: >-2 + {{ postgresql_base_config | combine( + postgresql_config | default({}, true), + recursive=True + ) }} diff --git a/roles/postgresql/defaults/main/container.yml b/roles/postgresql/defaults/main/container.yml new file mode 100644 index 0000000..7600746 --- /dev/null +++ b/roles/postgresql/defaults/main/container.yml 
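Review bot: `postgresql_base_config` puts `connect_socket` into the dict that `tasks/configure.yml` hands to `community.postgresql.postgresql_set`, but `connect_socket` is a role-level connection switch, not a server parameter, so that loop would fail on it; `listen_addresses` is likewise passed as a list while the server setting is a comma-separated string. I would keep `connect_socket` out of `postgresql_base_config` and set `listen_addresses: "{{ postgresql_config_listen_addresses | join(',') }}"`. Note also that the names differ: this file defines `postgresql_merged_config`, while configure.yml loops over `postgresql_merged_options`. The `'*'` default is only reachable through whatever `postgresql_container_ports` and networks expose, since container.yml publishes no ports by default, which deserves a comment such as `# listens on all container interfaces; reachability is governed by the container's ports/networks`.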
@@ -0,0 +1,60 @@ +--- +postgresql_container_image_registry: docker.io +postgresql_container_image_namespace: ~ +postgresql_container_image_name: postgres +postgresql_container_image_tag: ~ +postgresql_container_image_source: pull +postgresql_container_image_force_source: >-2 + {{ postgresql_container_image_tag | default(false, true) | bool }} +postgresql_container_image: >-2 + {{ + ([ + postgresql_container_image_registry | default([], true), + postgresql_container_image_namespace | default([], true), + postgresql_container_image_name + ] | flatten | join('/')) + + ':' + postgresql_container_image_tag | default( + postgresql_version + ( + ((postgresql_container_image_flavour is string) + and (postgresql_container_image_flavour | length > 0)) + | ternary( + '_' + postgresql_container_image_flavour | default('', true), + '', + ) + ), + true + ) + }} + +postgresql_container_name: "postgresql-{{ postgresql_major_version }}" +postgresql_container_env: ~ +postgresql_container_user: >-2 + {{ postgresql_user_id }}:{{ postgresql_user_group_id }} +postgresql_container_ports: ~ +postgresql_container_labels: ~ +postgresql_container_networks: ~ +postgresql_container_recreate: ~ +postgresql_container_etc_hosts: ~ +postgresql_container_restart_policy: "on-failure" +postgresql_container_state: >-2 + {{ (postgresql_state == 'present') | ternary('started', 'absent') }} +postgresql_container_volumes: ~ +postgresql_container_base_volumes: + - "{{ postgresql_data_path }}:{{ postgresql_container_data_dir }}:z" + - "{{ postgresql_pg_hba_conf_file }}:{{ postgresql_container_data_dir }}/pg_hba.conf:ro" + - "{{ postgresql_pg_ident_conf_file }}:{{ postgresql_container_data_dir }}/pg_ident.conf:ro" + - "{{ postgresql_container_passwd_file }}:/etc/passwd:ro" +postgresql_container_merged_volumes: >-2 + {{ postgresql_container_base_volumes + + (postgresql_container_volumes | default([], true)) }} + +# (Memory) performance tuning +postgresql_container_memory: ~ 
+postgresql_container_memory_reservation: ~ +postgresql_container_shm_size: ~ +postgresql_container_oom_kill: ~ +postgresql_container_oom_score_adj: ~ +postgresql_container_ulimits: ~ + +postgresql_container_passwd_file: "{{ postgresql_config_path }}/passwd" +postgresql_container_data_dir: "/var/lib/postgresql/data" diff --git a/roles/postgresql/defaults/main/main.yml b/roles/postgresql/defaults/main/main.yml new file mode 100644 index 0000000..21ed761 --- /dev/null +++ b/roles/postgresql/defaults/main/main.yml @@ -0,0 +1,34 @@ +--- +postgresql_user: postgresql +postgresql_version: >-2 + {{ postgresql_versions[postgresql_major_version | string] }} +postgresql_major_version: 16 +postgresql_versions: + "17": "17.2" + "16": "16.6" + "15": "15.10" + "14": "14.15" + +postgresql_config_path: >-2 + /etc/postgresql/{{ postgresql_major_version }} +postgresql_data_path: >-2 + /var/lib/postgresql/{{ postgresql_major_version }} +postgresql_pg_ident_conf_file: >-2 + {{ postgresql_config_path }}/pg_ident.conf +postgresql_pg_hba_conf_file: >-2 + {{ postgresql_config_path }}/pg_hba.conf +postgresql_admin_role: "{{ postgresql_user }}" +postgresql_admin_role_contype: local +postgresql_admin_role_method: peer +postgresql_admin_local_user: >-2 + {{ ansible_facts['user_id'] }} +postgresql_admin_role_mapping_name: >-2 + {{ postgresql_admin_local_user }}_{{ postgresql_admin_role }} +postgresql_admin_pg_ident_conf: >-2 + {{ postgresql_admin_role_mapping_name }}\t{{ postgresql_admin_local_user }}\t{{ postgresql_admin_role }} +postgresql_admin_pg_hba_conf_options: >-2 + map={{ postgresql_admin_role_mapping_name }} +postgresql_superuser_password: ~ + +postgresql_state: present +postgresql_deployment_method: docker diff --git a/roles/postgresql/defaults/main/user.yml b/roles/postgresql/defaults/main/user.yml new file mode 100644 index 0000000..d28fa5a --- /dev/null +++ b/roles/postgresql/defaults/main/user.yml 
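Review bot: `postgresql_container_oom_kill` is never read — deploy-docker.yml and initialize-docker.yml look up `postgresql_container_oom_killer`, and the `default(omit, true)` there hides the undefined name, so the setting is silently dropped; rename the default to `postgresql_container_oom_killer: ~`. In `postgresql_container_base_volumes`, `pg_hba.conf` and `pg_ident.conf` are bind-mounted inside `postgresql_container_data_dir`, which makes PGDATA non-empty before the first start; if I recall correctly initdb refuses a non-empty data directory, so the initial run would likely fail there. Mounting the two files outside PGDATA (for example under `/etc/postgresql/`) and pointing the server at them via the `hba_file` and `ident_file` settings in `postgresql_config` avoids this. The `:ro` mounts themselves are the right choice, since the server cannot rewrite its own access rules.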
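Review bot: `postgresql_superuser_password: ~` is never validated, yet initialize-docker.yml passes it straight into `POSTGRES_PASSWORD`, so a forgotten value only surfaces as an initdb failure inside the container (or presumably as the string `None` in the environment, depending on how the env dict is rendered). An explicit guard in tasks/main.yml fails earlier and clearer: `ansible.builtin.assert:` with `that: postgresql_superuser_password is string and postgresql_superuser_password | length > 0`. `postgresql_admin_role` defaults to `postgresql_user` (`postgresql`), while the image creates its superuser as `postgres` unless `POSTGRES_USER` is set, so the role the password is meant for and the role configure.yml manages would differ — `postgresql_admin_role: postgres`, or passing `POSTGRES_USER` along, reconciles them. In `postgresql_admin_pg_ident_conf` the `\t` sits in a folded block scalar, where backslash escapes are not interpreted, so the value holds a literal backslash-t rather than a tab; the variable is currently unused because prepare.yml builds the line itself.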
@@ -0,0 +1,10 @@ +--- +postgresql_user_system: true +postgresql_user_create_home: false +postgresql_user_groups: ~ +postgresql_user_append: ~ + +postgresql_user_id: >-2 + {{ postgresql_user_info.uid | default(postgresql_user, true) }} +postgresql_user_group_id: >-2 + {{ postgresql_user_info.group | default(postgresql_user, true) }} diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml new file mode 100644 index 0000000..afbf59f --- /dev/null +++ b/roles/postgresql/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: Restart postgresql container '{{ postgresql_container_name }}' (docker) + community.docker.docker_container: + name: "{{ postgresql_container_name }}" + state: "{{ postgresql_container_state }}" + restart: true + comparisons: + '*': "ignore" + when: + - postgresql_deployment_method == 'docker' + - postgresql_container_state not in ['absent', 'stopped'] + listen: postgresql_restart diff --git a/roles/postgresql/meta/main.yml b/roles/postgresql/meta/main.yml new file mode 100644 index 0000000..2eb937c --- /dev/null +++ b/roles/postgresql/meta/main.yml @@ -0,0 +1,12 @@ +--- +allow_duplicates: true +dependencies: [] +galaxy_info: + role_name: postgresql + description: >-2 + PostgreSQL is the self-proclaimed 'worlds most advanced' open source relational database + galaxy_tags: + - postgresql + - postgres + - database + - docker diff --git a/roles/postgresql/tasks/configure.yml b/roles/postgresql/tasks/configure.yml new file mode 100644 index 0000000..56b147e --- /dev/null +++ b/roles/postgresql/tasks/configure.yml 
@@ -0,0 +1,49 @@ +--- +- name: Ensure postgresql superuser is set + community.postgresql.postgresql_user: + name: "{{ postgresql_admin_role }}" + password: "{{ postgresql_superuser_password }}" + login_host: >-2 + {{ + (postgresql_config_unix_socket_directories | first) + if postgresql_config_connect_socket else + (postgresql_container_info.container.NetworkSettings.IPAddress) + }} + register: postgresql_superuser_password_result + until: "postgresql_superuser_password_result is succeeded" + retries: 10 + delay: 2 + +- name: Ensure postgresql configuration is set + community.postgresql.postgresql_set: + name: "{{ option.key }}" + value: "{{ option.value }}" + login_host: >-2 + {{ + (postgresql_config_unix_socket_directories | first) + if postgresql_config_connect_socket else + (postgresql_container_info.container.NetworkSettings.IPAddress) + }} + login_port: "{{ postgresql_config_port }}" + login_password: #TODO + loop: "{{ postgresql_merged_options | dict2items }}" + loop_control: + loop_var: option + +- name: Ensure postgresql configuration is reloaded + community.postgresql.postgresql_query: + query: "SELECT pg_reload_conf();" + login_host: #TODO + login_port: #TODO + login_password: #TODO + +- name: Ensure restart handler is fired if required + debug: + msg: "{{ result.option.key }} changed! Restart required: {{ result.restart_required }}" + when: result.changed + changed_when: "{{ result.restart_required }}" + notify: postgresql_restart + loop: "{{ postgresql_config_results }}" + loop_control: + loop_var: result + label: "{{ result.option.name }}" diff --git a/roles/postgresql/tasks/deploy-docker.yml b/roles/postgresql/tasks/deploy-docker.yml new file mode 100644 index 0000000..d37d8c8 --- /dev/null +++ b/roles/postgresql/tasks/deploy-docker.yml 
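Review bot: The second task loops over `postgresql_merged_options`, which no file in this commit defines (defaults provide `postgresql_merged_config`), and the last task loops over `postgresql_config_results`, which is never registered, so the file cannot run as written; in addition the three `#TODO` values are YAML nulls, `changed_when: "{{ result.restart_required }}"` should be a bare expression, and the loop label reads `result.option.name` where `dict2items` yields `key`. The first task passes the superuser password without `no_log: true`, so it would appear in verbose output, and the same applies to the `login_password` arguments below. `postgresql_container_info` is only registered in initialize-docker.yml for the init container that is removed right after, so the non-socket `login_host` branch would point at a container that no longer exists — registering the real container in deploy-docker.yml is needed for it. This file is also not included from tasks/main.yml yet, which may be intentional for a first cut.
```yaml
- name: Ensure postgresql superuser is set
  community.postgresql.postgresql_user:
    # … unchanged: name, password, login_host …
    login_port: "{{ postgresql_config_port }}"
  no_log: true
  # … unchanged: register / until / retries / delay …

- name: Ensure postgresql configuration is set
  community.postgresql.postgresql_set:
    # … unchanged: name, value, login_host, login_port …
    login_user: "{{ postgresql_admin_role }}"
    login_password: "{{ postgresql_superuser_password }}"
  no_log: true
  register: postgresql_config_results
  loop: "{{ postgresql_merged_config | dict2items }}"
  loop_control:
    loop_var: option
    label: "{{ option.key }}"

- name: Ensure postgresql configuration is reloaded
  community.postgresql.postgresql_query:
    query: "SELECT pg_reload_conf();"
    # … same login_host expression as above …
    login_port: "{{ postgresql_config_port }}"
    login_user: "{{ postgresql_admin_role }}"
    login_password: "{{ postgresql_superuser_password }}"
  no_log: true
  when: postgresql_config_results is changed

- name: Ensure restart handler is fired if required
  # … unchanged: debug / when / notify …
  changed_when: result.restart_required
  loop: "{{ postgresql_config_results.results }}"
  loop_control:
    loop_var: result
    label: "{{ result.option.key }}"
```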
@@ -0,0 +1,47 @@ +--- +- name: Ensure postgresql container image '{{ postgresql_container_image }}' is {{ postgresql_state }} + community.docker.docker_image: + name: "{{ postgresql_container_image }}" + state: "{{ postgresql_state }}" + source: "{{ postgresql_container_image_source }}" + force_source: "{{ postgresql_container_image_force_source }}" + register: postgresql_container_image_info + until: postgresql_container_image_info is success + retries: 5 + delay: 4 + +- name: Ensure /etc/passwd for container is {{ postgresql_state }} + ansible.builtin.template: + src: "postgresql-passwd.j2" + dest: "{{ postgresql_container_passwd_file }}" + owner: "{{ postgresql_user_id }}" + group: "{{ postgresql_user_group_id }}" + mode: "0640" + when: postgresql_state == 'present' + +- name: Initialize database if empty + ansible.builtin.include_tasks: + file: "initialize-docker.yml" + when: + - postgresql_state == 'present' + +- name: Ensure postgresql container '{{ postgresql_container_name }}' is {{ postgresql_container_state }} + community.docker.docker_container: + name: "{{ postgresql_container_name }}" + image: "{{ postgresql_container_image }}" + env: "{{ postgresql_container_env | default(omit, true) }}" + user: "{{ postgresql_container_user | default(omit, true) }}" + ports: "{{ postgresql_container_ports | default(omit, true) }}" + labels: "{{ postgresql_container_labels | default(omit, true) }}" + volumes: "{{ postgresql_container_merged_volumes }}" + recreate: "{{ postgresql_container_recreate | default(omit, true) }}" + networks: "{{ postgresql_container_networks | default(omit, true) }}" + etc_hosts: "{{ postgresql_container_etc_hosts | default(omit, true) }}" + memory: "{{ postgresql_container_memory | default(omit, true) }}" + memory_reservation: "{{ postgresql_container_memory_reservation | default(omit, true) }}" + oom_killer: "{{ postgresql_container_oom_killer | default(omit, true) }}" + oom_score_adj: "{{ postgresql_container_oom_score_adj | default(omit, 
true) }}" + shm_size: "{{ postgresql_container_shm_size | default(omit, true) }}" + ulimits: "{{ postgresql_container_ulimits | default(omit, true) }}" + restart_policy: "{{ postgresql_container_restart_policy | default(omit, true) }}" + state: "{{ postgresql_container_state }}" diff --git a/roles/postgresql/tasks/initialize-docker.yml b/roles/postgresql/tasks/initialize-docker.yml new file mode 100644 index 0000000..5325ced --- /dev/null +++ b/roles/postgresql/tasks/initialize-docker.yml 
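Review bot: `initialize-docker.yml` is included on every run with `postgresql_state == 'present'`, not only when the data directory is empty, and because it starts a container under the same `postgresql_container_name` with a different `env` and then removes it, each run tears down the live database before the final task recreates it. The stat result from tasks/main.yml is already available, so adding `- not postgresql_data_dir_version_info.stat.exists` to that `when` list limits initialization to a fresh data directory. The final `docker_container` task should also `register: postgresql_container_info`, which configure.yml reads for its non-socket `login_host` and which is otherwise only set for the short-lived init container. The `0640` mode and ownership on the generated `/etc/passwd` are sensible, since the file is only mounted read-only into the container.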
@@ -0,0 +1,48 @@ +--- +- name: Ensure container '{{ postgresql_container_name }}' is {{ postgresql_container_state }} to initialise the database + community.docker.docker_container: + name: "{{ postgresql_container_name }}" + image: "{{ postgresql_container_image }}" + env: >-2 + {{ postgresql_container_env | default({}, true) + | combine({'POSTGRES_PASSWORD': postgresql_superuser_password}) }} + user: "{{ postgresql_container_user | default(omit, true) }}" + ports: "{{ postgresql_container_ports | default(omit, true) }}" + labels: "{{ postgresql_container_labels | default(omit, true) }}" + volumes: "{{ postgresql_container_merged_volumes }}" + recreate: "{{ postgresql_container_recreate | default(omit, true) }}" + networks: "{{ postgresql_container_networks | default(omit, true) }}" + etc_hosts: "{{ postgresql_container_etc_hosts | default(omit, true) }}" + memory: "{{ postgresql_container_memory | default(omit, true) }}" + memory_reservation: "{{ postgresql_container_memory_reservation | default(omit, true) }}" + oom_killer: "{{ postgresql_container_oom_killer | default(omit, true) }}" + oom_score_adj: "{{ postgresql_container_oom_score_adj | default(omit, true) }}" + shm_size: "{{ postgresql_container_shm_size | default(omit, true) }}" + ulimits: "{{ postgresql_container_ulimits | default(omit, true) }}" + restart_policy: "{{ postgresql_container_restart_policy | default(omit, true) }}" + state: "{{ postgresql_container_state }}" + register: postgresql_container_info + +- name: Wait for container startup + block: + - name: Wait for container startup (socket) + ansible.builtin.wait_for: + path: "{{ postgresql_config_unix_socket_directories | first }}.s.PGSQL.{{ postgresql_config_port }}" + when: "postgresql_config_connect_socket | bool" + - name: Wait for container startup (port) + ansible.builtin.wait_for: + host: >-2 + {{ (pg_addresses == '*') | ternary( + omit, + postgresql_config_listen_addresses | first + ) }} + port: "{{ postgresql_config_port }}" + when: 
"not postgresql_config_connect_socket | bool" + vars: + pg_addresses: "{{ postgresql_config_listen_addresses | join(',') }}" + +- name: Ensure init container '{{ postgresql_container_name }}' is removed + community.docker.docker_container: + name: "{{ postgresql_container_name }}" + state: absent + diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml new file mode 100644 index 0000000..1e60504 --- /dev/null +++ b/roles/postgresql/tasks/main.yml 
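Review bot: The socket `wait_for` path concatenates the directory and the socket name without a separator, giving `/var/run/postgresql.s.PGSQL.5432` with the defaults; it should be `path: "{{ postgresql_config_unix_socket_directories | first }}/.s.PGSQL.{{ postgresql_config_port }}"`. Both waits also run on the host: the socket directory is not among the default volumes, and with `postgresql_container_ports: ~` nothing is published to `127.0.0.1`, so as far as I can tell either branch would wait out its timeout rather than observe the server coming up — bind-mounting the socket directory, or waiting on the container's own address, is needed for the check to mean anything. The init container carries `POSTGRES_PASSWORD` in its environment, which is visible to anyone who can inspect containers while it lives; removing it afterwards bounds that exposure, but the task should still carry `no_log: true` so the rendered env does not land in the Ansible output. If `postgresql_superuser_password` is left at its null default the env value is presumably rendered as `None` rather than failing, which is the same gap.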
@@ -0,0 +1,67 @@ +--- +- name: Ensure state is valid + ansible.builtin.fail: + msg: >-2 + Invalid state '{{ postgresql_state }}'! Supported + states are {{ postgresql_states | join(', ') }}. + when: postgresql_state not in postgresql_states + +- name: Ensure deployment method is valid + ansible.builtin.fail: + msg: >-2 + Unsupported deployment method '{{ postgresql_deployment_method }}! + Supported deployment methods are {{ postgresql_deployment_methods | join(', ') }}. + when: postgresql_deployment_method not in postgresql_deployment_methods + +- name: Ensure postgresql user '{{ postgresql_user }}' is {{ postgresql_state }} + ansible.builtin.user: + name: "{{ postgresql_user }}" + state: "{{ postgresql_state }}" + system: "{{ postgresql_user_system | default(omit, true) }}" + create_home: "{{ postgresql_user_create_home | default(omit, true) }}" + groups: "{{ postgresql_user_groups | default(omit, true) }}" + append: "{{ postgresql_user_append | default(omit, true) }}" + register: postgresql_user_info + +- name: Ensure directories are {{ postgresql_state }} + ansible.builtin.file: + path: "{{ path.name }}" + state: "{{ (postgresql_state == 'present') | ternary('directory', 'absent') }}" + owner: "{{ path.owner | default(postgresql_user_id, true) }}" + group: "{{ path.group | default(postgresql_user_group_id, true) }}" + mode: "{{ path.mode | default('0755', true) }}" + loop: + - name: "{{ postgresql_config_path }}" + - name: "{{ postgresql_data_path }}" + loop_control: + loop_var: path + label: "{{ path.name }}" + +- name: Check for existing PG_VERSION file + ansible.builtin.stat: + path: "{{ postgresql_data_path }}/PG_VERSION" + register: postgresql_data_dir_version_info + +- name: Read existing PG_VERSION file + ansible.builtin.slurp: + path: "{{ postgresql_data_path }}/PG_VERSION" + register: postgresql_data_dir_version_content + when: + - postgresql_data_dir_version_info.stat.exists + +- name: Prevent major version changes + ansible.builtin.fail: + msg: >-2 + 
Mismatched postgresql version for the data directory! + Aborting... + when: + - postgresql_data_dir_version_info.stat.exists + - "(postgresql_data_dir_version_content | b64decode | int) != (postgresql_major_version | int)" + +- name: Prepare authentication and authorization for database admin role + ansible.builtin.include_tasks: + file: "prepare.yml" + +- name: Deploy postgresql using {{ postgresql_deployment_method }} + ansible.builtin.include_tasks: + file: "deploy-{{ postgresql_deployment_method }}.yml" diff --git a/roles/postgresql/tasks/prepare.yml b/roles/postgresql/tasks/prepare.yml new file mode 100644 index 0000000..5e4f203 --- /dev/null +++ b/roles/postgresql/tasks/prepare.yml @@ -0,0 +1,33 @@ +--- +- name: Ensure postgresql config files are {{ postgresql_state }} + ansible.builtin.lineinfile: + path: "{{ file.name }}" + insertafter: "{{ file.insert_after | default(omit) }}" + insertbefore: "{{ file.insert_before | default(omit) }}" + line: "{{ file.line }}" + owner: "{{ postgresql_user_id }}" + group: "{{ postgresql_user_group_id }}" + create: true + loop_control: + loop_var: file + label: "{{ file.name }}" + loop: + - name: "{{ postgresql_pg_hba_conf_file }}" + insert_before: "BOF" + line: "# Ansible managed" + - name: "{{ postgresql_pg_ident_conf_file }}" + insert_before: "BOF" + line: "# Ansible managed" + - name: "{{ postgresql_pg_ident_conf_file }}" + insert_after: "# Ansible managed" + line: "{{ ansible_user }}_{{ postgresql_admin_role }}\t{{ ansible_user }}\t{{ postgresql_admin_role }}" + when: postgresql_state == 'present' + +- name: Configure permissions for postgresql admin role + community.postgresql.postgresql_pg_hba: + dest: "{{ postgresql_pg_hba_conf_file }}" + contype: "{{ postgresql_admin_role_contype }}" + users: "{{ postgresql_admin_role }}" + method: "{{ postgresql_admin_role_method }}" + options: "map={{ ansible_user }}_{{ postgresql_admin_role }}" + when: postgresql_state == 'present' 
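Review bot: The major-version guard applies `b64decode` to the whole slurp result rather than its `content` field, so the comparison raises instead of protecting the data directory; it should read `- "(postgresql_data_dir_version_content.content | b64decode | trim | int) != (postgresql_major_version | int)"`. The directory loop gives `postgresql_data_path` the `0755` fallback mode, but PostgreSQL refuses to start on a data directory that is group- or world-accessible beyond `0750`; the image entrypoint may tighten it on start, yet this task would then flip it back to `0755` on every run and report a change. Setting `mode: "0700"` on the `postgresql_data_path` loop entry keeps the data directory private to the service user. The `Ensure deployment method is valid` message is also missing the closing quote after `{{ postgresql_deployment_method }}`.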
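Review bot: The ident map line and the `pg_hba` `map=` option are built from `ansible_user` rather than from `postgresql_admin_local_user` / `postgresql_admin_role_mapping_name` defined in defaults/main/main.yml; `ansible_user` is only defined when set in inventory or config, and with the playbook's `become` default the login user and the OS user whose peer credentials actually reach the socket can differ, so the mapping may name the wrong account or fail on an undefined variable. Using `line: "{{ postgresql_admin_role_mapping_name }}\t{{ postgresql_admin_local_user }}\t{{ postgresql_admin_role }}"` and `options: "{{ postgresql_admin_pg_hba_conf_options }}"` keeps the two files in agreement with the defaults and with each other. Since both files are created with `create: true` and no `mode`, their permissions depend on the umask; an explicit `mode: "0640"` limits who can read the access rules to the service user and root. A one-line comment above the loop, such as `# peer auth: map the OS user connecting over the socket to the admin database role`, would make the intent of the ident entry clear to the next reader.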
diff --git a/roles/postgresql/templates/postgresql-passwd.j2 b/roles/postgresql/templates/postgresql-passwd.j2 new file mode 100644 index 0000000..cbed141 --- /dev/null +++ b/roles/postgresql/templates/postgresql-passwd.j2 @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin +_apt:x:42:65534::/nonexistent:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +postgres:x:{{ postgresql_user_id }}:{{ postgresql_user_group_id }}::/var/lib/postgresql:/bin/bash diff --git a/roles/postgresql/vars/main.yml b/roles/postgresql/vars/main.yml new file mode 100644 index 0000000..ed8f50a --- /dev/null +++ b/roles/postgresql/vars/main.yml @@ -0,0 +1,6 @@ +--- +postgresql_states: + - present + - absent +postgresql_deployment_methods: + - docker