feat(postgresql): add ansible role for postgresql deployment

This commit is contained in:
transcaffeine 2024-11-14 18:38:38 +01:00
parent bff5cce7e9
commit e2a975a93e
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
17 changed files with 480 additions and 0 deletions


@ -11,6 +11,9 @@
- [`mariadb`](roles/mariadb/README.md): deploy mariadb - [`mariadb`](roles/mariadb/README.md): deploy mariadb
in a docker container in a docker container
- [`postgresql`](roles/postgresql/README.md): deploy postgresql,
the worlds most advances open-source relational database
- [`valkey`](roles/valkey/README.md): deploy and configure valkey, - [`valkey`](roles/valkey/README.md): deploy and configure valkey,
an open source in-memory data store under BSD license, forked an open source in-memory data store under BSD license, forked
from redis. from redis.


@ -16,5 +16,7 @@ tags:
- elasticsearch - elasticsearch
- redis - redis
- mariadb - mariadb
- postgresql
- postgres
- valkey - valkey
- docker - docker

playbooks/postgresql.yml Normal file

@ -0,0 +1,6 @@
---
- name: Deploy and configure PostgreSQL
hosts: "{{ postgresql_hosts | default('postgresql', true) }}"
become: "{{ postgresql_become | default(true, true) }}"
roles:
- role: finallycoffee.databases.postgresql


@ -0,0 +1,4 @@
# `finallycoffee.databases.postgresql` ansible role
PostgreSQL is the self proclaimed "world's most advanced" open source relational
database. This ansible role can deploy and configure postgresql.


@ -0,0 +1,17 @@
---
postgresql_config_connect_socket: true
postgresql_config_unix_socket_directories:
- "/var/run/postgresql"
postgresql_config_listen_addresses:
- '*'
postgresql_config_port: 5432
postgresql_base_config:
listen_addresses: "{{ postgresql_config_listen_addresses }}"
connect_socket: "{{ postgresql_config_connect_socket }}"
port: "{{ postgresql_config_port }}"
postgresql_merged_config: >-2
{{ postgresql_base_config | combine(
postgresql_config | default({}, true),
recursive=True
) }}
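Review bot: `postgresql_merged_config` is assembled here but nothing in this commit consumes it — the configure tasks loop over an undefined `postgresql_merged_options` — so any operator-supplied `postgresql_config` is currently never applied; settle on one name, e.g. `loop: "{{ postgresql_merged_config | dict2items }}"` in the configure tasks. Note also that `listen_addresses` is carried as a YAML list while PostgreSQL takes a comma-separated string, so whatever eventually feeds `postgresql_set` should join it (`listen_addresses: "{{ postgresql_config_listen_addresses | join(',') }}"`), as initialize-docker.yml already does for its local `pg_addresses`. The `'*'` default is acceptable inside the container only because no ports are published by default (`postgresql_container_ports: ~`); that dependency is worth a one-line comment above `postgresql_config_listen_addresses`.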


@ -0,0 +1,73 @@
---
postgresql_container_image_registry: docker.io
postgresql_container_image_namespace: ~
postgresql_container_image_name: postgres
postgresql_container_image_tag: ~
postgresql_container_image_source: pull
postgresql_container_image_force_source: >-2
{{ postgresql_container_image_tag | default(false, true) | bool }}
postgresql_container_image: >-2
{{
([
postgresql_container_image_registry | default([], true),
postgresql_container_image_namespace | default([], true),
postgresql_container_image_name
] | flatten | join('/'))
+ ':' + postgresql_container_image_tag | default(
postgresql_version + (
((postgresql_container_image_flavour is string)
and (postgresql_container_image_flavour | length > 0))
| ternary(
'_' + postgresql_container_image_flavour | default('', true),
'',
)
),
true
)
}}
postgresql_container_name: "postgresql-{{ postgresql_major_version }}"
postgresql_container_env: ~
postgresql_container_user: >-2
{{ postgresql_user_id }}:{{ postgresql_user_group_id }}
postgresql_container_ports: ~
postgresql_container_labels: ~
postgresql_container_networks: ~
postgresql_container_recreate: ~
postgresql_container_etc_hosts: ~
postgresql_container_restart_policy: "on-failure"
postgresql_container_state: >-2
{{ (postgresql_state == 'present') | ternary('started', 'absent') }}
postgresql_container_volumes: ~
postgresql_container_unix_socket_path: >-2
{{ postgresql_config_unix_socket_directories | first }}
postgresql_container_base_volumes:
- "{{ postgresql_container_passwd_file }}:/etc/passwd:ro"
- "{{ postgresql_data_path }}:{{ postgresql_container_data_dir }}:Z"
postgresql_container_config_volumes:
- "{{ postgresql_pg_hba_conf_file }}:{{ postgresql_container_data_dir }}/pg_hba.conf:ro"
- "{{ postgresql_pg_ident_conf_file }}:{{ postgresql_container_data_dir }}/pg_ident.conf:ro"
postgresql_container_unix_socket_volumes:
- "{{ postgresql_container_unix_socket_path }}:{{ postgresql_container_unix_socket_path }}:rw,rshared"
postgresql_container_initdb_volumes: >-2
{{ postgresql_container_base_volumes
+ postgresql_container_unix_socket_volumes
+ (postgresql_container_volumes | default([], true)) }}
postgresql_container_merged_volumes: >-2
{{ postgresql_container_base_volumes
+ postgresql_container_config_volumes
+ (postgresql_container_unix_socket_volumes if postgresql_config_connect_socket else [])
+ (postgresql_container_volumes | default([], true)) }}
postgresql_systemd_tmpfile_socket_correction_unit_name: >-2
{{ postgresql_container_unix_socket_path | split('/') | reject('eq', '') | join('-') }}
# (Memory) performance tuning
postgresql_container_memory: ~
postgresql_container_memory_reservation: ~
postgresql_container_shm_size: ~
postgresql_container_oom_kill: ~
postgresql_container_oom_score_adj: ~
postgresql_container_ulimits: ~
postgresql_container_passwd_file: "{{ postgresql_config_path }}/passwd"
postgresql_container_data_dir: "/var/lib/postgresql/data"
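Review bot: The image reference built in `postgresql_container_image` is tag-only (`docker.io/postgres:16.6` with the defaults), so the database binary is pulled with no digest verification and a mutable tag can change underneath a redeploy. For a supply-chain-sensitive component I would add a `postgresql_container_image_digest: ~` default and, when it is set, append `'@' + postgresql_container_image_digest` instead of `':' + tag`, documenting that tag-only deployments are not reproducible. The `postgresql_container_image_force_source` expression passes the tag string through `bool`, which is false for an ordinary tag such as `16.6`, so it is unclear what it is meant to gate; a comment or a dedicated boolean variable would help. Separately, `postgresql_container_oom_kill` is declared here but deploy-docker.yml and initialize-docker.yml read `postgresql_container_oom_killer`, so this knob is silently ignored — rename one side.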


@ -0,0 +1,34 @@
---
postgresql_user: postgresql
postgresql_version: >-2
{{ postgresql_versions[postgresql_major_version | string] }}
postgresql_major_version: 16
postgresql_versions:
"17": "17.2"
"16": "16.6"
"15": "15.10"
"14": "14.15"
postgresql_config_path: >-2
/etc/postgresql/{{ postgresql_major_version }}
postgresql_data_path: >-2
/var/lib/postgresql/{{ postgresql_major_version }}
postgresql_pg_ident_conf_file: >-2
{{ postgresql_config_path }}/pg_ident.conf
postgresql_pg_hba_conf_file: >-2
{{ postgresql_config_path }}/pg_hba.conf
postgresql_admin_role: "{{ postgresql_user }}"
postgresql_admin_role_contype: local
postgresql_admin_role_method: peer
postgresql_admin_local_user: >-2
{{ ansible_facts['user_id'] }}
postgresql_admin_role_mapping_name: >-2
{{ postgresql_admin_local_user }}_{{ postgresql_admin_role }}
postgresql_admin_pg_ident_conf: >-2
{{ postgresql_admin_role_mapping_name }}\t{{ postgresql_admin_local_user }}\t{{ postgresql_admin_role }}
postgresql_admin_pg_hba_conf_options: >-2
map={{ postgresql_admin_role_mapping_name }}
postgresql_superuser_password: ~
postgresql_state: present
postgresql_deployment_method: docker
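Review bot: `postgresql_admin_pg_ident_conf` is a `>-2` block scalar, and block scalars do not process escapes, so the `\t` between the three fields stays as the two characters backslash-t and the rendered line is a single token that pg_ident.conf cannot parse; only a double-quoted scalar turns `\t` into a tab, i.e. `postgresql_admin_pg_ident_conf: "{{ postgresql_admin_role_mapping_name }}\t{{ postgresql_admin_local_user }}\t{{ postgresql_admin_role }}"`. It is harmless today only because prepare.yml does not use this default and rebuilds the map line itself. `postgresql_superuser_password: ~` also deserves a guard: it is injected verbatim as `POSTGRES_PASSWORD` by initialize-docker.yml, so an `ansible.builtin.assert` in main.yml that it is non-empty whenever `postgresql_state == 'present'` would fail early with a clear message instead of at container start.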


@ -0,0 +1,10 @@
---
postgresql_user_system: true
postgresql_user_create_home: false
postgresql_user_groups: ~
postgresql_user_append: ~
postgresql_user_id: >-2
{{ postgresql_user_info.uid | default(postgresql_user, true) }}
postgresql_user_group_id: >-2
{{ postgresql_user_info.group | default(postgresql_user, true) }}


@ -0,0 +1,12 @@
---
- name: Restart postgresql container '{{ postgresql_container_name }}' (docker)
community.docker.docker_container:
name: "{{ postgresql_container_name }}"
state: "{{ postgresql_container_state }}"
restart: true
comparisons:
'*': "ignore"
when:
- postgresql_deployment_method == 'docker'
- postgresql_container_state not in ['absent', 'stopped']
listen: postgresql_restart


@ -0,0 +1,12 @@
---
allow_duplicates: true
dependencies: []
galaxy_info:
role_name: postgresql
description: >-2
PostgreSQL is the self-proclaimed 'worlds most advanced' open source relational database
galaxy_tags:
- postgresql
- postgres
- database
- docker


@ -0,0 +1,49 @@
---
- name: Ensure postgresql superuser is set
community.postgresql.postgresql_user:
name: "{{ postgresql_admin_role }}"
password: "{{ postgresql_superuser_password }}"
login_host: >-2
{{
(postgresql_config_unix_socket_directories | first)
if postgresql_config_connect_socket else
(postgresql_container_info.container.NetworkSettings.IPAddress)
}}
register: postgresql_superuser_password_result
until: "postgresql_superuser_password_result is succeeded"
retries: 10
delay: 2
- name: Ensure postgresql configuration is set
community.postgresql.postgresql_set:
name: "{{ option.key }}"
value: "{{ option.value }}"
login_host: >-2
{{
(postgresql_config_unix_socket_directories | first)
if postgresql_config_connect_socket else
(postgresql_container_info.container.NetworkSettings.IPAddress)
}}
login_port: "{{ postgresql_config_port }}"
login_password: #TODO
loop: "{{ postgresql_merged_options | dict2items }}"
loop_control:
loop_var: option
- name: Ensure postgresql configuration is reloaded
community.postgresql.postgresql_query:
query: "SELECT pg_reload_conf();"
login_host: #TODO
login_port: #TODO
login_password: #TODO
- name: Ensure restart handler is fired if required
debug:
msg: "{{ result.option.key }} changed! Restart required: {{ result.restart_required }}"
when: result.changed
changed_when: "{{ result.restart_required }}"
notify: postgresql_restart
loop: "{{ postgresql_config_results }}"
loop_control:
loop_var: result
label: "{{ result.option.name }}"
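Review bot: This task file is unfinished and should either be left out of the commit or completed: `login_password: #TODO` on three tasks is a bare null, `postgresql_merged_options` and `postgresql_config_results` are never defined or registered, and nothing in main.yml includes the file. When it is wired up, the `postgresql_set` task needs `register: postgresql_config_results` and the last two tasks need `login_password: "{{ postgresql_superuser_password }}"` (the reload task additionally `login_host`/`login_port` mirroring the tasks above). `changed_when: "{{ result.restart_required }}"` should be the bare expression `changed_when: result.restart_required`; Ansible warns about templated conditionals.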


@ -0,0 +1,85 @@
---
- name: Ensure postgresql container image '{{ postgresql_container_image }}' is {{ postgresql_state }}
community.docker.docker_image:
name: "{{ postgresql_container_image }}"
state: "{{ postgresql_state }}"
source: "{{ postgresql_container_image_source }}"
force_source: "{{ postgresql_container_image_force_source }}"
register: postgresql_container_image_info
until: postgresql_container_image_info is success
retries: 5
delay: 4
- name: Ensure /etc/passwd for container is {{ postgresql_state }}
ansible.builtin.template:
src: "postgresql-passwd.j2"
dest: "{{ postgresql_container_passwd_file }}"
owner: "{{ postgresql_user_id }}"
group: "{{ postgresql_user_group_id }}"
mode: "0640"
when: postgresql_state == 'present'
- name: Ensure systemd unit to correct path permissions is {{ postgresql_state }}
ansible.builtin.copy:
dest: "/etc/systemd/system/{{ postgresql_systemd_tmpfile_socket_correction_unit_name }}.service"
content: |+2
[Unit]
Description="Ensure permissions on {{ postgresql_container_unix_socket_path }}"
After=systemd-tmpfiles-setup.service
Before=docker.service
[Service]
Type=exec
RemainAfterExit=yes
ExecStart=/bin/bash -c 'mkdir {{ postgresql_container_unix_socket_path }} ||:; chown {{ postgresql_user }}:{{ postgresql_user }} {{ postgresql_container_unix_socket_path }}'
[Install]
WantedBy=multi-user.target
when:
- ansible_facts['service_mgr'] == 'systemd'
- postgresql_state == 'present'
- name: Ensure systemd is reloaded
ansible.builtin.systemd:
daemon_reload: true
when:
- postgresql_systemd_tmpfile_correction_unit.changed
- name: Ensure systemd unit {{ postgresql_systemd_tmpfile_socket_correction_unit_name }} is {{ postgresql_container_state }}
ansible.builtin.systemd:
name: "{{ postgresql_systemd_tmpfile_socket_correction_unit_name }}.service"
state: "{{ postgresql_container_state }}"
when: ansible_facts['service_mgr'] == 'systemd'
- name: Ensure systemd unit {{ postgresql_systemd_tmpfile_socket_correction_unit_name }} is {{ postgresql_container_state }}
ansible.builtin.systemd:
name: "{{ postgresql_systemd_tmpfile_socket_correction_unit_name }}.service"
enabled: "{{ postgresql_state == 'present' }}"
when: ansible_facts['service_mgr'] == 'systemd'
- name: Initialize database if empty
ansible.builtin.include_tasks:
file: "initialize-docker.yml"
when:
- postgresql_state == 'present'
- name: Ensure postgresql container '{{ postgresql_container_name }}' is {{ postgresql_container_state }}
community.docker.docker_container:
name: "{{ postgresql_container_name }}"
image: "{{ postgresql_container_image }}"
env: "{{ postgresql_container_env | default(omit, true) }}"
user: "{{ postgresql_container_user | default(omit, true) }}"
ports: "{{ postgresql_container_ports | default(omit, true) }}"
labels: "{{ postgresql_container_labels | default(omit, true) }}"
volumes: "{{ postgresql_container_merged_volumes }}"
recreate: "{{ postgresql_container_recreate | default(omit, true) }}"
networks: "{{ postgresql_container_networks | default(omit, true) }}"
etc_hosts: "{{ postgresql_container_etc_hosts | default(omit, true) }}"
memory: "{{ postgresql_container_memory | default(omit, true) }}"
memory_reservation: "{{ postgresql_container_memory_reservation | default(omit, true) }}"
oom_killer: "{{ postgresql_container_oom_killer | default(omit, true) }}"
oom_score_adj: "{{ postgresql_container_oom_score_adj | default(omit, true) }}"
shm_size: "{{ postgresql_container_shm_size | default(omit, true) }}"
ulimits: "{{ postgresql_container_ulimits | default(omit, true) }}"
restart_policy: "{{ postgresql_container_restart_policy | default(omit, true) }}"
state: "{{ postgresql_container_state }}"
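Review bot: The `Initialize database if empty` include is guarded only by `postgresql_state == 'present'`, not by whether a database exists, so on every run the init container (different env and volumes, carrying `POSTGRES_PASSWORD`) is created under the same name as the running container, which `docker_container` will recreate, and is then removed before the real container is brought back — a database restart per play and a recurring exposure of the superuser password to `docker inspect`. Add `- not postgresql_data_dir_version_info.stat.exists` to that `when`; main.yml already stats `PG_VERSION`. Two further blockers: the daemon-reload task conditions on `postgresql_systemd_tmpfile_correction_unit.changed` but the `ansible.builtin.copy` task above never has `register: postgresql_systemd_tmpfile_correction_unit`, and `state: "{{ postgresql_container_state }}"` hands `absent` to `ansible.builtin.systemd`, which does not accept that state, so `postgresql_state: absent` errors out instead of stopping the unit (`stopped` is the value wanted there).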


@ -0,0 +1,48 @@
---
- name: Ensure container '{{ postgresql_container_name }}' is {{ postgresql_container_state }} to initialise the database
community.docker.docker_container:
name: "{{ postgresql_container_name }}"
image: "{{ postgresql_container_image }}"
env: >-2
{{ postgresql_container_env | default({}, true)
| combine({'POSTGRES_PASSWORD': postgresql_superuser_password}) }}
user: "{{ postgresql_container_user | default(omit, true) }}"
ports: "{{ postgresql_container_ports | default(omit, true) }}"
labels: "{{ postgresql_container_labels | default(omit, true) }}"
volumes: "{{ postgresql_container_initdb_volumes }}"
recreate: "{{ postgresql_container_recreate | default(omit, true) }}"
networks: "{{ postgresql_container_networks | default(omit, true) }}"
etc_hosts: "{{ postgresql_container_etc_hosts | default(omit, true) }}"
memory: "{{ postgresql_container_memory | default(omit, true) }}"
memory_reservation: "{{ postgresql_container_memory_reservation | default(omit, true) }}"
oom_killer: "{{ postgresql_container_oom_killer | default(omit, true) }}"
oom_score_adj: "{{ postgresql_container_oom_score_adj | default(omit, true) }}"
shm_size: "{{ postgresql_container_shm_size | default(omit, true) }}"
ulimits: "{{ postgresql_container_ulimits | default(omit, true) }}"
restart_policy: "{{ postgresql_container_restart_policy | default(omit, true) }}"
state: "{{ postgresql_container_state }}"
register: postgresql_container_info
- name: Wait for container startup
block:
- name: Wait for container startup (socket)
ansible.builtin.wait_for:
path: "{{ postgresql_config_unix_socket_directories | first }}.s.PGSQL.{{ postgresql_config_port }}"
when: "postgresql_config_connect_socket | bool"
- name: Wait for container startup (port)
ansible.builtin.wait_for:
host: >-2
{{ (pg_addresses == '*') | ternary(
omit,
postgresql_config_listen_addresses | first
) }}
port: "{{ postgresql_config_port }}"
when: "not postgresql_config_connect_socket | bool"
vars:
pg_addresses: "{{ postgresql_config_listen_addresses | join(',') }}"
- name: Ensure init container '{{ postgresql_container_name }}' is removed
community.docker.docker_container:
name: "{{ postgresql_container_name }}"
state: absent
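Review bot: The `Wait for container startup (socket)` path concatenates `postgresql_config_unix_socket_directories | first` straight onto `.s.PGSQL.<port>`, which with the default directory yields `/var/run/postgresql.s.PGSQL.5432` — the `/` is missing, so this waits until `wait_for` times out and then fails. Use `path: "{{ postgresql_config_unix_socket_directories | first }}/.s.PGSQL.{{ postgresql_config_port }}"`. The init container task also places `POSTGRES_PASSWORD` in `env` without `no_log: true`, so the superuser password is printed in verbose or diff output of every run that initializes; add `no_log: true` to that task.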


@ -0,0 +1,67 @@
---
- name: Ensure state is valid
ansible.builtin.fail:
msg: >-2
Invalid state '{{ postgresql_state }}'! Supported
states are {{ postgresql_states | join(', ') }}.
when: postgresql_state not in postgresql_states
- name: Ensure deployment method is valid
ansible.builtin.fail:
msg: >-2
Unsupported deployment method '{{ postgresql_deployment_method }}!
Supported deployment methods are {{ postgresql_deployment_methods | join(', ') }}.
when: postgresql_deployment_method not in postgresql_deployment_methods
- name: Ensure postgresql user '{{ postgresql_user }}' is {{ postgresql_state }}
ansible.builtin.user:
name: "{{ postgresql_user }}"
state: "{{ postgresql_state }}"
system: "{{ postgresql_user_system | default(omit, true) }}"
create_home: "{{ postgresql_user_create_home | default(omit, true) }}"
groups: "{{ postgresql_user_groups | default(omit, true) }}"
append: "{{ postgresql_user_append | default(omit, true) }}"
register: postgresql_user_info
- name: Ensure directories are {{ postgresql_state }}
ansible.builtin.file:
path: "{{ path.name }}"
state: "{{ (postgresql_state == 'present') | ternary('directory', 'absent') }}"
owner: "{{ path.owner | default(postgresql_user_id, true) }}"
group: "{{ path.group | default(postgresql_user_group_id, true) }}"
mode: "{{ path.mode | default('0755', true) }}"
loop:
- name: "{{ postgresql_config_path }}"
- name: "{{ postgresql_data_path }}"
loop_control:
loop_var: path
label: "{{ path.name }}"
- name: Check for existing PG_VERSION file
ansible.builtin.stat:
path: "{{ postgresql_data_path }}/PG_VERSION"
register: postgresql_data_dir_version_info
- name: Read existing PG_VERSION file
ansible.builtin.slurp:
path: "{{ postgresql_data_path }}/PG_VERSION"
register: postgresql_data_dir_version_content
when:
- postgresql_data_dir_version_info.stat.exists
- name: Prevent major version changes
ansible.builtin.fail:
msg: >-2
Mismatched postgresql version for the data directory!
Aborting...
when:
- postgresql_data_dir_version_info.stat.exists
- "(postgresql_data_dir_version_content.content | b64decode | int) != (postgresql_major_version | int)"
- name: Prepare authentication and authorization for database admin role
ansible.builtin.include_tasks:
file: "prepare.yml"
- name: Deploy postgresql using {{ postgresql_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ postgresql_deployment_method }}.yml"
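Review bot: `postgresql_state: absent` deletes `postgresql_data_path` through the `Ensure directories are {{ postgresql_state }}` task, so a one-line inventory change wipes the database with no confirmation; I would gate data-directory removal behind an explicit `postgresql_remove_data: false` default and only remove the config path otherwise, and say so in the README. The same task also applies `mode: "0755"` to the data directory on every run, while PostgreSQL refuses a data directory more permissive than 0750 — the official image's entrypoint appears to re-tighten it at start, so this mostly surfaces as a perpetual `changed` plus a world-listable data directory between runs; give that loop entry `mode: "0700"` (the loop already supports a per-path `mode`).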


@ -0,0 +1,33 @@
---
- name: Ensure postgresql config files are {{ postgresql_state }}
ansible.builtin.lineinfile:
path: "{{ file.name }}"
insertafter: "{{ file.insert_after | default(omit) }}"
insertbefore: "{{ file.insert_before | default(omit) }}"
line: "{{ file.line }}"
owner: "{{ postgresql_user_id }}"
group: "{{ postgresql_user_group_id }}"
create: true
loop_control:
loop_var: file
label: "{{ file.name }}"
loop:
- name: "{{ postgresql_pg_hba_conf_file }}"
insert_before: "BOF"
line: "# Ansible managed"
- name: "{{ postgresql_pg_ident_conf_file }}"
insert_before: "BOF"
line: "# Ansible managed"
- name: "{{ postgresql_pg_ident_conf_file }}"
insert_after: "# Ansible managed"
line: "{{ ansible_user }}_{{ postgresql_admin_role }}\t{{ ansible_user }}\t{{ postgresql_admin_role }}"
when: postgresql_state == 'present'
- name: Configure permissions for postgresql admin role
community.postgresql.postgresql_pg_hba:
dest: "{{ postgresql_pg_hba_conf_file }}"
contype: "{{ postgresql_admin_role_contype }}"
users: "{{ postgresql_admin_role }}"
method: "{{ postgresql_admin_role_method }}"
options: "map={{ ansible_user }}_{{ postgresql_admin_role }}"
when: postgresql_state == 'present'
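Review bot: The pg_ident map line and the `options: map=...` value hard-code `ansible_user` rather than the `postgresql_admin_local_user` / `postgresql_admin_role_mapping_name` defaults declared for this purpose, so those defaults are dead and the play fails with an undefined variable whenever `ansible_user` is not set in inventory. More importantly, the playbook runs with `become: true`, so the `community.postgresql` modules connect over the socket as the become user (root by default), and peer authentication resolves that uid against the server's own /etc/passwd; a map entry for the SSH login user therefore only works when it happens to be root. `postgresql_admin_local_user` (`ansible_facts['user_id']`, the effective user) is the right source: `line: "{{ postgresql_admin_role_mapping_name }}\t{{ postgresql_admin_local_user }}\t{{ postgresql_admin_role }}"` and `options: "map={{ postgresql_admin_role_mapping_name }}"`. The `lineinfile` tasks with `create: true` also set no `mode`, so the created files take the caller's umask; `mode: "0640"` would match the passwd file in deploy-docker.yml.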


@ -0,0 +1,19 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
postgres:x:{{ postgresql_user_id }}:{{ postgresql_user_group_id }}::/var/lib/postgresql:/bin/bash
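Review bot: Since this file is bind-mounted over the container's /etc/passwd, it is what the server uses to resolve the uid of local-socket clients for peer authentication, and only `root` and `postgres` resolve here; any non-root host user that prepare.yml maps (it currently uses `ansible_user`) will fail the uid lookup rather than reach the mapped role. Either template an entry for the admin local user too, e.g. `{{ postgresql_admin_local_user }}:x:{{ ansible_facts['user_uid'] }}:{{ ansible_facts['user_gid'] }}::/nonexistent:/usr/sbin/nologin`, or document that the admin connection must be made as root. A header line such as `# Generated by Ansible: minimal passwd so the postgres uid and peer-auth client uids resolve inside the container` would make the file's role obvious to the next maintainer.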


@ -0,0 +1,6 @@
---
postgresql_states:
- present
- absent
postgresql_deployment_methods:
- docker