Add pgadmin to pod-database

2023-08-17 17:09:30 +02:00 · 2023-08-17 17:09:30 +02:00 · d09b2ae893
commit d09b2ae893
parent 4b38982e46
22 changed files with 238 additions and 69 deletions
--- a/inventory/group_vars/asgard/vars.yml
+++ b/inventory/group_vars/asgard/vars.yml
@ -69,7 +69,11 @@ services:
      token: "{{ vault_services.www.repo.token }}"
  lrproxy: {}
  database:
-    password: "{{ vault_services.database.password }}"
+    pgadmin:
+      email: "{{ vault_services.database.pgadmin.email }}"
+      password: "{{ vault_services.database.pgadmin.password }}"
+    postgres:
+      password: "{{ vault_services.database.postgres.password }}"
  cloud:
    domain: "{{ vault_services.cloud.domain }}"
    database:
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name archive.music.thenineworlds.net;

    ssl_certificate         /etc/letsencrypt/live/archive.music.thenineworlds.net/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/archive.music.thenineworlds.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/archive.music.thenineworlds.net/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name cloud.wojciechkozlowski.eu;

    ssl_certificate         /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    # Values copied and adjusted from
    # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html.
    client_max_body_size 0;
@ -32,16 +40,16 @@ server {
    # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html.
    location ^~ /.well-known {
        location = /.well-known/webfinger {
-            return 301 /index.php$uri;
+            return 301 $scheme://$host:443/index.php$uri;
        }
        location = /.well-known/nodeinfo {
-            return 301 /index.php$uri;
+            return 301 $scheme://$host:443/index.php$uri;
        }
        location = /.well-known/carddav {
-            return 301 /remote.php/dav/;
+            return 301 $scheme://$host:443/remote.php/dav;
        }
        location = /.well-known/caldav {
-            return 301 /remote.php/dav/;
+            return 301 $scheme://$host:443/remote.php/dav;
        }
    }

--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf
@ -0,0 +1,49 @@
+server {
+    listen [::]:80;
+    listen 80;
+    server_name database.thenineworlds.net;
+
+    location ^~ /.well-known {
+        allow all;
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
+    server_name database.thenineworlds.net;
+
+    ssl_certificate         /etc/letsencrypt/live/database.thenineworlds.net/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/database.thenineworlds.net/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/database.thenineworlds.net/chain.pem;
+
+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
+    allow {{ local_inet_network }};
+    allow {{ local_inet6_network }};
+    deny  all;
+
+    location / {
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;
+        proxy_pass http://pod-database;
+    }
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+
+}
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name git.thenineworlds.net;

    ssl_certificate         /etc/letsencrypt/live/git.thenineworlds.net/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/git.thenineworlds.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/git.thenineworlds.net/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name music.thenineworlds.net;

    ssl_certificate         /etc/letsencrypt/live/music.thenineworlds.net/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/music.thenineworlds.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/music.thenineworlds.net/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen  8443 ssl proxy_protocol;
    server_name notes.thenineworlds.net;

    ssl_certificate         /etc/letsencrypt/live/notes.thenineworlds.net/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/notes.thenineworlds.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/notes.thenineworlds.net/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    # Values copied from
    # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html and adjusted to
    # 16G.
--- a/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf
+++ b/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name wojciechkozlowski.eu;

    ssl_certificate         /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
--- a/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf
+++ b/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf
@ -14,14 +14,22 @@ server {
 }

 server {
-    listen [::1]:443 ssl;
-    listen 127.0.0.1:443 ssl;
+    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
    server_name www.wojciechkozlowski.eu;

    ssl_certificate         /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;

+    set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+    set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+    set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+    real_ip_header proxy_protocol;
+
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
--- a/playbooks/files/services/deploy/rproxy/stream.conf
+++ b/playbooks/files/services/deploy/rproxy/stream.conf
@ -1,22 +0,0 @@
-stream {
-
-    map $ssl_preread_server_name $name {
-        wojciechkozlowski.eu rproxy;
-        www.wojciechkozlowski.eu rproxy;
-        default lrproxy;
-    }
-
-    upstream rproxy {
-        server localhost:443;
-    }
-
-    upstream lrproxy {
-        server pod-lrproxy:443;
-    }
-
-    server {
-        listen pod-rproxy:443;
-        proxy_pass $name;
-        ssl_preread on;
-    }
-}
--- a/playbooks/files/services/deploy/lrproxy/stream.conf
+++ b/playbooks/files/services/deploy/lrproxy/stream.conf
@ -7,15 +7,16 @@ stream {
    }

    upstream rproxy {
-        server pod-rproxy:443;
+        server pod-rproxy:8443;
    }

    upstream lrproxy {
-        server localhost:443;
+        server pod-lrproxy:8443;
    }

    server {
-        listen pod-lrproxy:443;
+        listen {{ services_service_user_name }}:443;
+        proxy_protocol on;
        proxy_pass $name;
        ssl_preread on;
    }
--- a/playbooks/roles/services/deploy/database/tasks/main.yml
+++ b/playbooks/roles/services/deploy/database/tasks/main.yml
@ -11,7 +11,14 @@
        src: "./postgres/database.password"
        dest: "{{ services_service_user_home }}/.config/service/database.password"
        mode: 0600
-      register: services_deploy_database_password_file
+      register: services_deploy_database_postgres_password_file
+
+    - name: "configure pgadmin password"
+      ansible.builtin.template:
+        src: "./pgadmin/pgadmin.password"
+        dest: "{{ services_service_user_home }}/.config/service/pgadmin.password"
+        mode: 0600
+      register: services_deploy_database_pgadmin_password_file

    - name: "configure systemd service"
      ansible.builtin.template:
@ -21,6 +28,8 @@
      loop:
        - "pod-database.service"
        - "container-database-postgres.service"
+        - "container-database-pgadmin-chown.service"
+        - "container-database-pgadmin.service"
      register: services_deploy_database_systemd_files

    - name: "systemd user daemon reload"
@ -50,7 +59,8 @@
        state: "restarted"
        scope: "user"
      when:
-        (services_deploy_database_password_file.changed or
+        (services_deploy_database_postgres_password_file.changed or
+        services_deploy_database_pgadmin_password_file.changed or
        services_deploy_database_systemd_files.changed) and
        services_deploy_database_service_active_state.stdout == "active"

--- a/playbooks/roles/services/deploy/database/templates/pgadmin/pgadmin.password
+++ b/playbooks/roles/services/deploy/database/templates/pgadmin/pgadmin.password
@ -0,0 +1 @@
+{{ services[services_service_name].pgadmin.password }}
--- a/playbooks/roles/services/deploy/database/templates/postgres/database.password
+++ b/playbooks/roles/services/deploy/database/templates/postgres/database.password
@ -1 +1 @@
-{{ services[services_service_name].password }}
+{{ services[services_service_name].postgres.password }}
--- a/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin-chown.service
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin-chown.service
@ -0,0 +1,29 @@
+[Unit]
+Description=Podman container-database-pgadmin-chown.service
+Documentation=man:podman-generate-systemd(1)
+After=pod-database.service
+Before=container-database-pgadmin.service
+OnFailure=status-mail@%n.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-database-pgadmin-chown.pid %t/container-database-pgadmin-chown.ctr-id
+ExecStart=/usr/bin/podman run \
+    --conmon-pidfile %t/container-database-pgadmin-chown.pid \
+    --cidfile %t/container-database-pgadmin-chown.ctr-id \
+    --cgroups=no-conmon \
+    --pod-id-file %t/pod-database.pod-id \
+    --replace \
+    -v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
+    -v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password \
+    --user=0 \
+    --entrypoint="/bin/sh" \
+    --name=pod-database-pgadmin-chown \
+    docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }} \
+    -c "chown -R 5050:5050 /var/lib/pgadmin /run/secrets/pgadmin.password"
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin-chown.ctr-id
+Type=oneshot
+
+[Install]
+WantedBy=container-database-pgadmin.service
--- a/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin.service
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin.service
@ -0,0 +1,38 @@
+[Unit]
+Description=Podman container-database-pgadmin.service
+Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+BindsTo=pod-database.service container-database-postgres.service
+Requires=container-database-pgadmin-chown.service
+After=pod-database.service container-database-postgres.service container-database-pgadmin-chown.service
+OnFailure=status-mail@%n.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-database-pgadmin.pid %t/container-database-pgadmin.ctr-id
+ExecStart=/usr/bin/podman run \
+    --conmon-pidfile %t/container-database-pgadmin.pid \
+    --cidfile %t/container-database-pgadmin.ctr-id \
+    --cgroups=no-conmon \
+    --pod-id-file %t/pod-database.pod-id \
+    --replace \
+    --label "io.containers.autoupdate=image" \
+    --log-driver=journald \
+    -dt \
+    -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
+    -v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
+    -v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password:ro \
+    -e PGADMIN_DEFAULT_EMAIL="{{ services[services_service_name].pgadmin.email }}" \
+    -e PGADMIN_DEFAULT_PASSWORD_FILE=/run/secrets/pgadmin.password \
+    --name=pod-database-pgadmin \
+    docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-pgadmin.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin.ctr-id
+PIDFile=%t/container-database-pgadmin.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target
--- a/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service
@ -13,22 +13,22 @@ Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-database-postgres.pid %t/container-database-postgres.ctr-id
 ExecStart=/usr/bin/podman run \
-                          --conmon-pidfile %t/container-database-postgres.pid \
-                          --cidfile %t/container-database-postgres.ctr-id \
-                          --cgroups=no-conmon \
-                          --pod-id-file %t/pod-database.pod-id \
-                          --replace \
-                          --label "io.containers.autoupdate=image" \
-                          --log-driver=journald \
-                          -dt \
-                          -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
-                          -v ./.config/service/database.password:/run/secrets/database.password:ro \
-                          -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \
-                          -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \
-                          -e POSTGRES_INITDB_WALDIR=/var/lib/postgresql-wal \
-                          -v {{ services_data_directory }}/pod-database/data/_data:/var/lib/postgresql/data \
-                          --name=pod-database-postgres \
-                          docker.io/library/postgres:{{ services_service_deploy_versions.postgres }}
+    --conmon-pidfile %t/container-database-postgres.pid \
+    --cidfile %t/container-database-postgres.ctr-id \
+    --cgroups=no-conmon \
+    --pod-id-file %t/pod-database.pod-id \
+    --replace \
+    --label "io.containers.autoupdate=image" \
+    --log-driver=journald \
+    -dt \
+    -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
+    -v ./.config/service/database.password:/run/secrets/database.password:ro \
+    -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \
+    -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \
+    -e POSTGRES_INITDB_WALDIR=/var/lib/postgresql-wal \
+    -v {{ services_data_directory }}/pod-database/data/_data:/var/lib/postgresql/data \
+    --name=pod-database-postgres \
+    docker.io/library/postgres:{{ services_service_deploy_versions.postgres }}
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-postgres.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-postgres.ctr-id
 PIDFile=%t/container-database-postgres.pid
--- a/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service
+++ b/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service
@ -3,8 +3,8 @@ Description=Podman pod-database.service
 Documentation=man:podman-generate-systemd(1)
 Wants=network.target
 After=network-online.target
-Requires=container-database-postgres.service
-Before=container-database-postgres.service
+Requires=container-database-postgres.service container-database-pgadmin.service
+Before=container-database-postgres.service container-database-pgadmin.service
 OnFailure=status-mail@%n.service

 [Service]
--- a/playbooks/roles/services/deploy/rproxy/tasks/main.yml
+++ b/playbooks/roles/services/deploy/rproxy/tasks/main.yml
@ -24,14 +24,14 @@
      register: services_deploy_rproxy_generic_config

    - name: "{{ services_service_name }} : stream nginx reverse proxy configuration"
-      ansible.builtin.copy:
+      ansible.builtin.template:
        src: "{{ services_deploy_rproxy_nginx_stream_config }}"
        dest: "{{ services_service_user_home }}/.config/service/stream.conf"
        mode: 0644
      register: services_deploy_rproxy_stream_config

    - name: "{{ services_service_name }} : subdomain nginx reverse proxy configuration"
-      ansible.builtin.copy:
+      ansible.builtin.template:
        src: "{{ item }}"
        dest: "{{ services_service_user_home }}/.config/service/nginx-conf.d/{{ item | basename }}"
        mode: 0644
--- a/playbooks/services.yml
+++ b/playbooks/services.yml
@ -63,7 +63,7 @@
            - "services:rproxy:deploy"
      vars:
        services_service_name: "rproxy"
-        services_deploy_rproxy_nginx_stream_config: "files/services/deploy/rproxy/stream.conf"
+        services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf"
        services_deploy_rproxy_nginx_subdomain_config_files:
          - "files/services/deploy/rproxy/nginx-conf.d/http-default.conf"
          - "files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf"
@ -83,10 +83,11 @@
            - "services:lrproxy:deploy"
      vars:
        services_service_name: "lrproxy"
-        services_deploy_rproxy_nginx_stream_config: "files/services/deploy/lrproxy/stream.conf"
+        services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf"
        services_deploy_rproxy_nginx_subdomain_config_files:
          - "files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf"
          - "files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
+          - "files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf"
          - "files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf"
          - "files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf"
          - "files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf"
--- a/playbooks/vars/services/deploy/versions.yml
+++ b/playbooks/vars/services/deploy/versions.yml
@ -8,6 +8,7 @@ services_deploy_versions:
    nginx: "stable"
  database:
    postgres: "15"
+    pgadmin4: "7"
  cloud:
    nginx: "stable"
    nextcloud: "27-fpm"
--- a/playbooks/vars/services/volumes.yml
+++ b/playbooks/vars/services/volumes.yml
@ -6,6 +6,7 @@ services_volumes:
  lrproxy:
    etc-letsencrypt:
  database:
+    pgadmin:
    wal:
      extra_zfs_properties:
        recordsize: "8192"      # 8K
				`@ -0,0 +1 @@`
				`{{ services[services_service_name].pgadmin.password }}`