diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/pod-database.template/database.password.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/pod-database.template/database.password.j2
new file mode 100644
index 0000000..cc9d84a
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/pod-database.template/database.password.j2
@@ -0,0 +1 @@
+{{ services[service_name].password }}
diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/container-database-postgres.service.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/container-database-postgres.service.j2
new file mode 100644
index 0000000..c210d41
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/container-database-postgres.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Podman container-database-postgres.service
+Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+BindsTo=pod-database.service
+After=pod-database.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-database-postgres.pid %t/container-database-postgres.ctr-id
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-database-postgres.pid --cidfile %t/container-database-postgres.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-database.pod-id --replace --label "io.containers.autoupdate=image" -dt -v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-database/database.password:/run/secrets/database.password:ro -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password -v var_lib_postgresql-waldir:/var/lib/postgresql-waldir -e POSTGRES_INITDB_WALDIR=/var/lib/postgresql-waldir -v /var/lib/yggdrasil/data/pod-database-data:/var/lib/postgresql/data -e PGDATA=/var/lib/postgresql/data/pgdata --name=pod-database-postgres docker.io/library/postgres:15.0
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-postgres.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-postgres.ctr-id
+PIDFile=%t/container-database-postgres.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/pod-database.service.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/pod-database.service.j2
new file mode 100644
index 0000000..27ab433
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-database/.config/systemd/user/pod-database.service.j2
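Review bot: The `--label "io.containers.autoupdate=image"` on the ExecStart line is combined with the fully pinned tag `docker.io/library/postgres:15.0`, so `podman auto-update` can only ever re-pull that exact tag and the container will not pick up later 15.x security releases unless the publisher moves that tag; either track `postgres:15` if auto-update is the intended patching path, or drop the label, pin by digest (`postgres@sha256:…`) and roll updates deliberately through this playbook. The password is bind-mounted from the relative path `./.config/pod-database/database.password`, which silently depends on the user manager's working directory; `-v %h/.config/pod-database/database.password:/run/secrets/database.password:ro` (or an explicit `WorkingDirectory=%h`) removes that assumption. `-dt` also allocates a pseudo-TTY for a daemon that never uses one; `-d` alone is enough.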
@@ -0,0 +1,23 @@
+[Unit]
+Description=Podman pod-database.service
+Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+Requires=container-database-postgres.service
+Before=container-database-postgres.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/pod-database.pid %t/pod-database.pod-id
+ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-database.pid --pod-id-file %t/pod-database.pod-id --name=database --network=none --replace
+ExecStart=/usr/bin/podman pod start --pod-id-file %t/pod-database.pod-id
+ExecStartPost=/usr/bin/sh -c 'podman inspect --format "{% raw %}{{ .State.Pid }}{% endraw %}" $(podman inspect --format "{% raw %}{{ .InfraContainerID }}{% endraw %}" database) > /var/lib/{{ ansible_hostname }}/containers/pod-database/pidfile'
+ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/pod-database.pod-id -t 10
+ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/pod-database.pod-id
+PIDFile=%t/pod-database.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/data/_default.yml b/playbooks/tasks/services/deploy/service/01-user.d/data/_default.yml
new file mode 100644
index 0000000..339b30b
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/data/_default.yml
@@ -0,0 +1,7 @@
+- name: Create volume data directory for user {{ service_user_name }}
+ file:
+ path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
+ state: directory
+ owner: "{{ service_user_name }}"
+ group: "{{ service_user_name }}"
+ mode: 0755
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/data/database.yml b/playbooks/tasks/services/deploy/service/01-user.d/data/database.yml
new file mode 100644
index 0000000..393af60
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/data/database.yml
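Review bot: The ExecStartPost line writes the infra container's PID to `/var/lib/{{ ansible_hostname }}/containers/pod-database/pidfile`, but nothing removes that file when the pod stops, so after a stop or crash it keeps naming a PID the kernel may hand to an unrelated process; whatever reads it (presumably something that joins this `--network=none` pod's namespaces) would then act on the wrong process, so add `ExecStopPost=/bin/rm -f /var/lib/{{ ansible_hostname }}/containers/pod-database/pidfile`. The shell redirect also requires that directory to exist and be writable by the service user; if no other task in the playbook creates it (not visible here), ExecStartPost fails and takes the whole unit with it, so it should be created with the other per-service directories. `WantedBy=multi-user.target` is meaningless in a user manager and can be dropped, leaving `default.target`.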
@@ -0,0 +1,15 @@
+- name: Create volume data directory for user {{ service_user_name }}
+ file:
+ path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
+ state: directory
+ owner: "{{ service_user_name }}"
+ group: "{{ service_user_name }}"
+ mode: 0755
+
+- name: Create data directory for user {{ service_user_name }}
+ file:
+ path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}-data"
+ state: directory
+ owner: "{{ service_user_name }}"
+ group: "{{ service_user_name }}"
+ mode: 0755
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/shell/_default.yml b/playbooks/tasks/services/deploy/service/01-user.d/shell/_default.yml
new file mode 100644
index 0000000..8d51e13
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/shell/_default.yml
@@ -0,0 +1,4 @@
+- name: Set default shell for for {{ service_user_name }}
+ user:
+ name: "{{ service_user_name }}"
+ shell: "/usr/sbin/nologin"
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/shell/rproxy.yml b/playbooks/tasks/services/deploy/service/01-user.d/shell/rproxy.yml
new file mode 100644
index 0000000..a50624a
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/shell/rproxy.yml
@@ -0,0 +1,4 @@
+- name: Set default shell for for {{ service_user_name }}
+ user:
+ name: "{{ service_user_name }}"
+ shell: "/usr/bin/rbash"
diff --git a/playbooks/tasks/services/deploy/service/01-user.yml b/playbooks/tasks/services/deploy/service/01-user.yml
index f869612..e3d00fa 100644
--- a/playbooks/tasks/services/deploy/service/01-user.yml
+++ b/playbooks/tasks/services/deploy/service/01-user.yml
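Review bot: The second task creates the directory that the postgres unit in this commit bind-mounts as `/var/lib/postgresql/data`, and it does so with `mode: 0755`, so the root of the database store is readable and traversable by every local account; that is wider than a database data directory needs, and `mode: 0700` would match what PostgreSQL itself insists on for the `pgdata` subdirectory below it, without hindering a rootless container whose root user is mapped to this same service user. Quoting the mode (`mode: "0700"`) also keeps it immune to YAML integer parsing. The first task is a verbatim copy of `01-user.d/data/_default.yml`; including that file and only adding the second task would keep the two in step when the default changes.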
@@ -6,10 +6,11 @@
 system: yes
 register: user_create
-- name: Set default shell for for {{ service_user_name }}
- user:
- name: "{{ service_user_name }}"
- shell: "{{ '/usr/bin/rbash' if service_name=='rproxy' else '/usr/sbin/nologin' }}"
+- include_tasks: "{{ item }}"
+ with_first_found:
+ - files:
+ - "01-user.d/shell/{{ service_name }}.yml"
+ - "01-user.d/shell/_default.yml"
 - name: Ensure the home directory belongs to the user {{ service_user_name }}
 file:
@@ -49,13 +50,11 @@
 group: "{{ service_user_name }}"
 mode: 0755
-- name: Create volume data directory for user {{ service_user_name }}
- file:
- path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
- state: directory
- owner: "{{ service_user_name }}"
- group: "{{ service_user_name }}"
- mode: 0755
+- include_tasks: "{{ item }}"
+ with_first_found:
+ - files:
+ - "01-user.d/data/{{ service_name }}.yml"
+ - "01-user.d/data/_default.yml"
 - block:
 - name: Create configuration directory for user {{ service_user_name }}
diff --git a/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/_default.yml b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/_default.yml
new file mode 100644
index 0000000..85bc59a
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/_default.yml
@@ -0,0 +1,4 @@
+- name: Create volume data dataset for user {{ service_user_name }}
+ zfs:
+ name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}
+ state: present
diff --git a/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/database.yml b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/database.yml
new file mode 100644
index 0000000..eaddaf8
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/database.yml
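Review bot: Both new `with_first_found` lookups build an include path directly from `service_name` (`01-user.d/shell/{{ service_name }}.yml`, `01-user.d/data/{{ service_name }}.yml`), so a value containing `/` or `..` would select and run a task file outside the `01-user.d` tree; the variable presumably comes from this repository's own inventory, so this is a hardening note rather than a finding, but an `assert` near the start of the deploy flow such as `that: service_name is match('^[a-z0-9_-]+$')` makes the contract explicit and fails loudly on a typo instead of silently falling back to `_default.yml`. The task list these hunks belong to starts and ends outside the hunk, so the assertion's exact placement is left to the author.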
@@ -0,0 +1,14 @@
+- name: Create volume data dataset for user {{ service_user_name }}
+ zfs:
+ name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}
+ state: present
+ extra_zfs_properties:
+ recordsize: "8K"
+
+- name: Create data dataset for user {{ service_user_name }}
+ zfs:
+ name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}-data
+ state: present
+ extra_zfs_properties:
+ recordsize: "8K"
+ logbias: "throughput"
diff --git a/playbooks/tasks/services/deploy/service/01-zfs-datasets.yml b/playbooks/tasks/services/deploy/service/01-zfs-datasets.yml
index 6105f3f..95b1072 100644
--- a/playbooks/tasks/services/deploy/service/01-zfs-datasets.yml
+++ b/playbooks/tasks/services/deploy/service/01-zfs-datasets.yml
@@ -12,7 +12,8 @@
 when: user_zfs_home is changed
-- name: Create volume data dataset for user {{ service_user_name }}
- zfs:
- name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}
- state: present
+- include_tasks: "{{ item }}"
+ with_first_found:
+ - files:
+ - "01-zfs-datasets.d/{{ service_name }}.yml"
+ - "01-zfs-datasets.d/_default.yml"
diff --git a/playbooks/tasks/services/deploy/service/03-pod.d/database.yml b/playbooks/tasks/services/deploy/service/03-pod.d/database.yml
new file mode 100644
index 0000000..b54dd3e
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/03-pod.d/database.yml
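Review bot: The `{{ service_user_name }}-data` dataset is tuned for PostgreSQL heap files (`recordsize: "8K"`, `logbias: "throughput"`), but the postgres unit added in this commit sends the WAL to the podman named volume `var_lib_postgresql-waldir` via `POSTGRES_INITDB_WALDIR`, and that volume lives in the user's container storage, not on this dataset, so the WAL gets neither this tuning nor whatever snapshot or replication policy the dataset inherits from `rpool`. If separating WAL is deliberate, create a third dataset here (for example `rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}-wal` with `logbias: "latency"`) and bind-mount it in place of the named volume; if not, dropping the named volume keeps WAL and heap on one consistently snapshotted dataset. Either way a comment on the second task saying where WAL is expected to live would save the next reader the cross-file hunt.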
@@ -0,0 +1,21 @@
+- block:
+ - name: Create service configuration directory for {{ service_user_name }}
+ file:
+ path: "{{ service_home }}/.config/{{ service_user_name }}"
+ state: directory
+ mode: 0755
+
+ - name: Create database password
+ template:
+ src: "{{ local_service_home }}/.config/{{ service_user_name }}.template/database.password.j2"
+ dest: "{{ service_home }}/.config/{{ service_user_name }}/database.password"
+ mode: 0600
+ register: database_password_file
+
+ - name: Record changes
+ set_fact:
+ service_changed: true
+ when:
+ database_password_file is changed
+
+ become_user: "{{ service_user_name }}"
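Review bot: The `Create database password` task renders the secret with `template`, and Ansible prints the rendered content whenever the play runs with `--diff` (and the full task result at higher verbosity), so the database password would end up in controller output and any CI log that captures it; add `no_log: true` to that task. `become_user` on the block only has an effect if `become` is enabled for the play, which is not visible here; if it is not, the directory and password file are created as the connection user while the service user's unit still expects to read them. The on-host handling itself — `mode: 0600`, a file read by `POSTGRES_PASSWORD_FILE` rather than passed as an environment variable, and a read-only bind mount — is the right shape.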