diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml index a46c5d2..5a7c6b6 100644 --- a/inventory/group_vars/asgard/vars.yml +++ b/inventory/group_vars/asgard/vars.yml @@ -69,7 +69,11 @@ services: token: "{{ vault_services.www.repo.token }}" lrproxy: {} database: - password: "{{ vault_services.database.password }}" + pgadmin: + email: "{{ vault_services.database.pgadmin.email }}" + password: "{{ vault_services.database.pgadmin.password }}" + postgres: + password: "{{ vault_services.database.postgres.password }}" cloud: domain: "{{ vault_services.cloud.domain }}" database: diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf index b9d08e0..a7319eb 100644 --- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf +++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf @@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name archive.music.thenineworlds.net; ssl_certificate /etc/letsencrypt/live/archive.music.thenineworlds.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/archive.music.thenineworlds.net/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/archive.music.thenineworlds.net/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; 
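Review bot: The TLS server now binds `[::]:8443` and `8443` on every address where it previously bound only `[::1]` and `127.0.0.1`, so whether anything besides the stream proxy can reach 8443 is now decided by the pod's port publishing and firewall, which this diff does not show. A direct connection without a PROXY header is rejected by the `proxy_protocol` listen, and a forged header from an untrusted source does not replace `$remote_addr` because `set_real_ip_from` lists only the rproxy/lrproxy addresses, so the residual exposure is bypassing SNI routing; binding to the pod address instead of the wildcard, `listen {{ services_all_services.lrproxy.inet_address }}:8443 ssl proxy_protocol;`, would keep the old narrower surface. The same four `set_real_ip_from` lines plus `real_ip_header proxy_protocol;` are pasted into every vhost in this commit; an `include realip.conf;` snippet would keep them from drifting apart. The `location /` block continues outside the hunk.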
diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf index 1a79a30..a8f2a37 100644 --- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf +++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf @@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name cloud.wojciechkozlowski.eu; ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + # Values copied and adjusted from # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. client_max_body_size 0; @@ -32,16 +40,16 @@ server { # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. location ^~ /.well-known { location = /.well-known/webfinger { - return 301 /index.php$uri; + return 301 $scheme://$host:443/index.php$uri; } location = /.well-known/nodeinfo { - return 301 /index.php$uri; + return 301 $scheme://$host:443/index.php$uri; } location = /.well-known/carddav { - return 301 /remote.php/dav/; + return 301 $scheme://$host:443/remote.php/dav; } location = /.well-known/caldav { - return 301 /remote.php/dav/; + return 301 $scheme://$host:443/remote.php/dav; } } 
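Review bot: The four `.well-known` redirects now hard-code `:443` and build the target from `$host`, i.e. from the request's Host header, whereas the port-80 block of the sibling vhosts redirects with `https://$server_name$request_uri`. This block is only selected for a matching Host so it is not an open redirect today, but the hard-coded port exists only because nginx fills absolute redirects with its own listen port (8443); `port_in_redirect off;` at server level lets the original relative `return 301 /index.php$uri;` form stay correct, or at least use `return 301 https://$server_name/remote.php/dav;` so the target never follows the Host header. The removed lines had `/remote.php/dav/` with a trailing slash and the new ones drop it; confirm that is intended and not a copy-edit slip.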
diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf
new file mode 100644
index 0000000..f7c36d1
--- /dev/null
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf
@@ -0,0 +1,49 @@
+server {
+ listen [::]:80;
+ listen 80;
+ server_name database.thenineworlds.net;
+
+ location ^~ /.well-known {
+ allow all;
+ root /var/www/html;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:8443 ssl proxy_protocol;
+ listen 8443 ssl proxy_protocol;
+ server_name database.thenineworlds.net;
+
+ ssl_certificate /etc/letsencrypt/live/database.thenineworlds.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/database.thenineworlds.net/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/database.thenineworlds.net/chain.pem;
+
+ set_real_ip_from {{ services_all_services.rproxy.inet_address }};
+ set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
+
+ set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
+ set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
+
+ real_ip_header proxy_protocol;
+
+ allow {{ local_inet_network }};
+ allow {{ local_inet6_network }};
+ deny all;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass http://pod-database;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf
index 8d414b1..b479351 100644
--- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf
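Review bot: The `allow {{ local_inet_network }}` / `deny all` gate in front of pgAdmin is only as strong as the realip rewrite above it: `$remote_addr` is replaced from the PROXY header only when the connection's own source matches a `set_real_ip_from` entry, and if the stream proxy ever connects from an address not in that list (loopback inside the pod, a renumbered pod) `$remote_addr` stays the proxy's own address, which is presumably itself inside `local_inet_network`, so the ACL would fail open for every forwarded client. A negative check from outside the local range after each deploy would catch that, since nothing in the config itself can. Separately, pgAdmin is reached over plain HTTP and only sees Host/X-Real-IP/X-Forwarded-For, so it cannot tell the original request was HTTPS; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers (and enable pgAdmin's reverse-proxy header handling so it honours it).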
+++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf @@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name git.thenineworlds.net; ssl_certificate /etc/letsencrypt/live/git.thenineworlds.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/git.thenineworlds.net/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/git.thenineworlds.net/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf index 2f11277..11931b3 100644 --- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf +++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf 
@@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name music.thenineworlds.net; ssl_certificate /etc/letsencrypt/live/music.thenineworlds.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/music.thenineworlds.net/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/music.thenineworlds.net/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf index feb1fd3..36fe4c2 100644 --- a/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf +++ b/playbooks/files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf 
@@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name notes.thenineworlds.net; ssl_certificate /etc/letsencrypt/live/notes.thenineworlds.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/notes.thenineworlds.net/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/notes.thenineworlds.net/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + # Values copied from # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html and adjusted to # 16G. diff --git a/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf b/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf index 3e6023a..3f6feb1 100644 --- a/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf +++ b/playbooks/files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf 
@@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name wojciechkozlowski.eu; ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf b/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf index 5a36eb8..a60f0e5 100644 --- a/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf +++ b/playbooks/files/services/deploy/rproxy/nginx-conf.d/www.wojciechkozlowski.eu.conf 
@@ -14,14 +14,22 @@ server { } server { - listen [::1]:443 ssl; - listen 127.0.0.1:443 ssl; + listen [::]:8443 ssl proxy_protocol; + listen 8443 ssl proxy_protocol; server_name www.wojciechkozlowski.eu; ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem; + set_real_ip_from {{ services_all_services.rproxy.inet_address }}; + set_real_ip_from {{ services_all_services.rproxy.inet6_address }}; + + set_real_ip_from {{ services_all_services.lrproxy.inet_address }}; + set_real_ip_from {{ services_all_services.lrproxy.inet6_address }}; + + real_ip_header proxy_protocol; + location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/playbooks/files/services/deploy/rproxy/stream.conf b/playbooks/files/services/deploy/rproxy/stream.conf deleted file mode 100644 index 1a83ec6..0000000 --- a/playbooks/files/services/deploy/rproxy/stream.conf +++ /dev/null @@ -1,22 +0,0 @@ -stream { - - map $ssl_preread_server_name $name { - wojciechkozlowski.eu rproxy; - www.wojciechkozlowski.eu rproxy; - default lrproxy; - } - - upstream rproxy { - server localhost:443; - } - - upstream lrproxy { - server pod-lrproxy:443; - } - - server { - listen pod-rproxy:443; - proxy_pass $name; - ssl_preread on; - } -} diff --git a/playbooks/files/services/deploy/lrproxy/stream.conf b/playbooks/files/services/deploy/stream.conf similarity index 66% rename from playbooks/files/services/deploy/lrproxy/stream.conf rename to playbooks/files/services/deploy/stream.conf index 4c37ad3..b461682 100644 --- a/playbooks/files/services/deploy/lrproxy/stream.conf +++ b/playbooks/files/services/deploy/stream.conf 
@@ -7,15 +7,16 @@ stream { } upstream rproxy { - server pod-rproxy:443; + server pod-rproxy:8443; } upstream lrproxy { - server localhost:443; + server pod-lrproxy:8443; } server { - listen pod-lrproxy:443; + listen {{ services_service_user_name }}:443; + proxy_protocol on; proxy_pass $name; ssl_preread on; } diff --git a/playbooks/roles/services/deploy/database/tasks/main.yml b/playbooks/roles/services/deploy/database/tasks/main.yml index db1ab1e..8b2137d 100644 --- a/playbooks/roles/services/deploy/database/tasks/main.yml +++ b/playbooks/roles/services/deploy/database/tasks/main.yml @@ -11,7 +11,14 @@ src: "./postgres/database.password" dest: "{{ services_service_user_home }}/.config/service/database.password" mode: 0600 - register: services_deploy_database_password_file + register: services_deploy_database_postgres_password_file + + - name: "configure pgadmin password" + ansible.builtin.template: + src: "./pgadmin/pgadmin.password" + dest: "{{ services_service_user_home }}/.config/service/pgadmin.password" + mode: 0600 + register: services_deploy_database_pgadmin_password_file - name: "configure systemd service" ansible.builtin.template: @@ -21,6 +28,8 @@ loop: - "pod-database.service" - "container-database-postgres.service" + - "container-database-pgadmin-chown.service" + - "container-database-pgadmin.service" register: services_deploy_database_systemd_files - name: "systemd user daemon reload" @@ -50,7 +59,8 @@ state: "restarted" scope: "user" when: - (services_deploy_database_password_file.changed or + (services_deploy_database_postgres_password_file.changed or + services_deploy_database_pgadmin_password_file.changed or services_deploy_database_systemd_files.changed) and services_deploy_database_service_active_state.stdout == "active" diff --git a/playbooks/roles/services/deploy/database/templates/pgadmin/pgadmin.password b/playbooks/roles/services/deploy/database/templates/pgadmin/pgadmin.password new file mode 100644 index 0000000..2f79f8d --- /dev/null 
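Review bot: `listen {{ services_service_user_name }}:443;` binds by a host name that nginx resolves once at startup; if that name resolves to more than one address (an A and an AAAA record, or an answer that changes between deploys) confirm the stream server is bound where the pod actually publishes 443, since binding to the wrong address silently leaves every 8443 vhost unreachable through the proxy while nginx itself starts fine. Because `proxy_protocol on;` now prefixes every upstream connection, both the rproxy and lrproxy http listeners must keep the `proxy_protocol` listen parameter this commit adds, or TLS handshakes will fail with broken-header errors. The `map` on `$ssl_preread_server_name` that sets `$name` starts outside the hunk.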
+++ b/playbooks/roles/services/deploy/database/templates/pgadmin/pgadmin.password
@@ -0,0 +1 @@
+{{ services[services_service_name].pgadmin.password }}
diff --git a/playbooks/roles/services/deploy/database/templates/postgres/database.password b/playbooks/roles/services/deploy/database/templates/postgres/database.password
index c6b591a..9129f07 100644
--- a/playbooks/roles/services/deploy/database/templates/postgres/database.password
+++ b/playbooks/roles/services/deploy/database/templates/postgres/database.password
@@ -1 +1 @@
-{{ services[services_service_name].password }}
+{{ services[services_service_name].postgres.password }}
diff --git a/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin-chown.service b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin-chown.service
new file mode 100644
index 0000000..322c10d
--- /dev/null
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin-chown.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Podman container-database-pgadmin-chown.service
+Documentation=man:podman-generate-systemd(1)
+After=pod-database.service
+Before=container-database-pgadmin.service
+OnFailure=status-mail@%n.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-database-pgadmin-chown.pid %t/container-database-pgadmin-chown.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/container-database-pgadmin-chown.pid \
+ --cidfile %t/container-database-pgadmin-chown.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/pod-database.pod-id \
+ --replace \
+ -v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
+ -v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password \
+ --user=0 \
+ --entrypoint="/bin/sh" \
+ --name=pod-database-pgadmin-chown \
+ docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }} \
+ -c "chown -R 5050:5050 /var/lib/pgadmin /run/secrets/pgadmin.password"
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin-chown.ctr-id
+Type=oneshot
+
+[Install]
+WantedBy=container-database-pgadmin.service
diff --git a/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin.service b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin.service
new file mode 100644
index 0000000..861c1d5
--- /dev/null
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-pgadmin.service
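Review bot: `chown -R 5050:5050 ... /run/secrets/pgadmin.password` runs against a bind mount of `./.config/service/pgadmin.password`, so it changes the ownership of that file on the host: under rootless podman uid 5050 maps to a subordinate uid, which likely leaves the 0600 secret unreadable by the service user that Ansible's `configure pgadmin password` task later uses to re-template it. The secret is also mounted read-write here while the main pgAdmin unit mounts the same path `:ro`. Rather than re-chowning the data directory and the secret on every start, run the pgAdmin container with its user mapped onto the host user, `--userns=keep-id:uid=5050,gid=5050` (needs podman 4.3 or later), and drop this unit, or hand the password in through `podman secret` with `--secret source=pgadmin.password,type=mount,uid=5050,gid=5050,mode=0400`, which never touches the host file.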
@@ -0,0 +1,38 @@
+[Unit]
+Description=Podman container-database-pgadmin.service
+Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+BindsTo=pod-database.service container-database-postgres.service
+Requires=container-database-pgadmin-chown.service
+After=pod-database.service container-database-postgres.service container-database-pgadmin-chown.service
+OnFailure=status-mail@%n.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-database-pgadmin.pid %t/container-database-pgadmin.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/container-database-pgadmin.pid \
+ --cidfile %t/container-database-pgadmin.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/pod-database.pod-id \
+ --replace \
+ --label "io.containers.autoupdate=image" \
+ --log-driver=journald \
+ -dt \
+ -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
+ -v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
+ -v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password:ro \
+ -e PGADMIN_DEFAULT_EMAIL="{{ services[services_service_name].pgadmin.email }}" \
+ -e PGADMIN_DEFAULT_PASSWORD_FILE=/run/secrets/pgadmin.password \
+ --name=pod-database-pgadmin \
+ docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-pgadmin.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin.ctr-id
+PIDFile=%t/container-database-pgadmin.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service b/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service
index aeef512..8df6aa8 100644
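Review bot: Nothing in this unit tells pgAdmin that it sits behind a TLS-terminating reverse proxy; the only configuration passed is the default e-mail and password file, so it presumably treats requests as plain http for cookie flags and generated URLs unless its proxy-header counts are set. Consider adding `-e PGADMIN_CONFIG_PROXY_X_FOR_COUNT=1 \` and `-e PGADMIN_CONFIG_PROXY_X_PROTO_COUNT=1 \` next to the two existing `-e` lines, paired with the proxy forwarding `X-Forwarded-Proto`. The `io.containers.autoupdate=image` label on the floating `7` tag means each auto-update pulls whatever that tag currently points to; that matches the existing `postgres: "15"` convention, but it is worth a comment in versions.yml that the tag is intentionally unpinned.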
--- a/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service
+++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service
@@ -13,22 +13,22 @@ Restart=on-failure TimeoutStopSec=70 ExecStartPre=/bin/rm -f %t/container-database-postgres.pid %t/container-database-postgres.ctr-id ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/container-database-postgres.pid \ - --cidfile %t/container-database-postgres.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/pod-database.pod-id \ - --replace \ - --label "io.containers.autoupdate=image" \ - --log-driver=journald \ - -dt \ - -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \ - -v ./.config/service/database.password:/run/secrets/database.password:ro \ - -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \ - -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \ - -e POSTGRES_INITDB_WALDIR=/var/lib/postgresql-wal \ - -v {{ services_data_directory }}/pod-database/data/_data:/var/lib/postgresql/data \ - --name=pod-database-postgres \ - docker.io/library/postgres:{{ services_service_deploy_versions.postgres }} + --conmon-pidfile %t/container-database-postgres.pid \ + --cidfile %t/container-database-postgres.ctr-id \ + --cgroups=no-conmon \ + --pod-id-file %t/pod-database.pod-id \ + --replace \ + --label "io.containers.autoupdate=image" \ + --log-driver=journald \ + -dt \ + -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \ + -v ./.config/service/database.password:/run/secrets/database.password:ro \ + -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \ + -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \ + -e POSTGRES_INITDB_WALDIR=/var/lib/postgresql-wal \ + -v {{ services_data_directory }}/pod-database/data/_data:/var/lib/postgresql/data \ + --name=pod-database-postgres \ + docker.io/library/postgres:{{ services_service_deploy_versions.postgres }} ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-postgres.ctr-id -t 10 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-postgres.ctr-id 
PIDFile=%t/container-database-postgres.pid diff --git a/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service b/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service index 3e1fe0c..beffe76 100644 --- a/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service +++ b/playbooks/roles/services/deploy/database/templates/systemd/pod-database.service @@ -3,8 +3,8 @@ Description=Podman pod-database.service Documentation=man:podman-generate-systemd(1) Wants=network.target After=network-online.target -Requires=container-database-postgres.service -Before=container-database-postgres.service +Requires=container-database-postgres.service container-database-pgadmin.service +Before=container-database-postgres.service container-database-pgadmin.service OnFailure=status-mail@%n.service [Service] diff --git a/playbooks/roles/services/deploy/rproxy/tasks/main.yml b/playbooks/roles/services/deploy/rproxy/tasks/main.yml index d9e3b58..c4e6ab9 100644 --- a/playbooks/roles/services/deploy/rproxy/tasks/main.yml +++ b/playbooks/roles/services/deploy/rproxy/tasks/main.yml @@ -24,14 +24,14 @@ register: services_deploy_rproxy_generic_config - name: "{{ services_service_name }} : stream nginx reverse proxy configuration" - ansible.builtin.copy: + ansible.builtin.template: src: "{{ services_deploy_rproxy_nginx_stream_config }}" dest: "{{ services_service_user_home }}/.config/service/stream.conf" mode: 0644 register: services_deploy_rproxy_stream_config - name: "{{ services_service_name }} : subdomain nginx reverse proxy configuration" - ansible.builtin.copy: + ansible.builtin.template: src: "{{ item }}" dest: "{{ services_service_user_home }}/.config/service/nginx-conf.d/{{ item | basename }}" mode: 0644 diff --git a/playbooks/services.yml b/playbooks/services.yml index 258ea5f..07d0c07 100644 --- a/playbooks/services.yml +++ b/playbooks/services.yml 
@@ -63,7 +63,7 @@ - "services:rproxy:deploy" vars: services_service_name: "rproxy" - services_deploy_rproxy_nginx_stream_config: "files/services/deploy/rproxy/stream.conf" + services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf" services_deploy_rproxy_nginx_subdomain_config_files: - "files/services/deploy/rproxy/nginx-conf.d/http-default.conf" - "files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf" @@ -83,10 +83,11 @@ - "services:lrproxy:deploy" vars: services_service_name: "lrproxy" - services_deploy_rproxy_nginx_stream_config: "files/services/deploy/lrproxy/stream.conf" + services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf" services_deploy_rproxy_nginx_subdomain_config_files: - "files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf" - "files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf" + - "files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf" - "files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf" - "files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf" - "files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf" diff --git a/playbooks/vars/services/deploy/versions.yml b/playbooks/vars/services/deploy/versions.yml index e1fff87..3fb29bc 100644 --- a/playbooks/vars/services/deploy/versions.yml +++ b/playbooks/vars/services/deploy/versions.yml @@ -8,6 +8,7 @@ services_deploy_versions: nginx: "stable" database: postgres: "15" + pgadmin4: "7" cloud: nginx: "stable" nextcloud: "27-fpm" diff --git a/playbooks/vars/services/volumes.yml b/playbooks/vars/services/volumes.yml index 5fdac90..3d6e54e 100644 --- a/playbooks/vars/services/volumes.yml +++ b/playbooks/vars/services/volumes.yml @@ -6,6 +6,7 @@ services_volumes: lrproxy: etc-letsencrypt: database: + pgadmin: wal: extra_zfs_properties: recordsize: "8192" # 8K