Add pgadmin to pod-database

This commit is contained in:
Wojciech Kozlowski 2023-08-17 17:09:30 +02:00
parent 4b38982e46
commit d09b2ae893
22 changed files with 238 additions and 69 deletions

View File

@ -69,7 +69,11 @@ services:
token: "{{ vault_services.www.repo.token }}"
lrproxy: {}
database:
password: "{{ vault_services.database.password }}"
pgadmin:
email: "{{ vault_services.database.pgadmin.email }}"
password: "{{ vault_services.database.pgadmin.password }}"
postgres:
password: "{{ vault_services.database.postgres.password }}"
cloud:
domain: "{{ vault_services.cloud.domain }}"
database:

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name archive.music.thenineworlds.net;
ssl_certificate /etc/letsencrypt/live/archive.music.thenineworlds.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/archive.music.thenineworlds.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/archive.music.thenineworlds.net/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name cloud.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
# Values copied and adjusted from
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html.
client_max_body_size 0;
@ -32,16 +40,16 @@ server {
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html.
location ^~ /.well-known {
location = /.well-known/webfinger {
return 301 /index.php$uri;
return 301 $scheme://$host:443/index.php$uri;
}
location = /.well-known/nodeinfo {
return 301 /index.php$uri;
return 301 $scheme://$host:443/index.php$uri;
}
location = /.well-known/carddav {
return 301 /remote.php/dav/;
return 301 $scheme://$host:443/remote.php/dav;
}
location = /.well-known/caldav {
return 301 /remote.php/dav/;
return 301 $scheme://$host:443/remote.php/dav;
}
}

View File

@ -0,0 +1,49 @@
server {
listen [::]:80;
listen 80;
server_name database.thenineworlds.net;
location ^~ /.well-known {
allow all;
root /var/www/html;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name database.thenineworlds.net;
ssl_certificate /etc/letsencrypt/live/database.thenineworlds.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/database.thenineworlds.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/database.thenineworlds.net/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
allow {{ local_inet_network }};
allow {{ local_inet6_network }};
deny all;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://pod-database;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name git.thenineworlds.net;
ssl_certificate /etc/letsencrypt/live/git.thenineworlds.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.thenineworlds.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/git.thenineworlds.net/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name music.thenineworlds.net;
ssl_certificate /etc/letsencrypt/live/music.thenineworlds.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/music.thenineworlds.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/music.thenineworlds.net/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name notes.thenineworlds.net;
ssl_certificate /etc/letsencrypt/live/notes.thenineworlds.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notes.thenineworlds.net/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/notes.thenineworlds.net/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
# Values copied from
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html and adjusted to
# 16G.

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -14,14 +14,22 @@ server {
}
server {
listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;
listen [::]:8443 ssl proxy_protocol;
listen 8443 ssl proxy_protocol;
server_name www.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
set_real_ip_from {{ services_all_services.rproxy.inet_address }};
set_real_ip_from {{ services_all_services.rproxy.inet6_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet_address }};
set_real_ip_from {{ services_all_services.lrproxy.inet6_address }};
real_ip_header proxy_protocol;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -1,22 +0,0 @@
stream {
map $ssl_preread_server_name $name {
wojciechkozlowski.eu rproxy;
www.wojciechkozlowski.eu rproxy;
default lrproxy;
}
upstream rproxy {
server localhost:443;
}
upstream lrproxy {
server pod-lrproxy:443;
}
server {
listen pod-rproxy:443;
proxy_pass $name;
ssl_preread on;
}
}

View File

@ -7,15 +7,16 @@ stream {
}
upstream rproxy {
server pod-rproxy:443;
server pod-rproxy:8443;
}
upstream lrproxy {
server localhost:443;
server pod-lrproxy:8443;
}
server {
listen pod-lrproxy:443;
listen {{ services_service_user_name }}:443;
proxy_protocol on;
proxy_pass $name;
ssl_preread on;
}

View File

@ -11,7 +11,14 @@
src: "./postgres/database.password"
dest: "{{ services_service_user_home }}/.config/service/database.password"
mode: 0600
register: services_deploy_database_password_file
register: services_deploy_database_postgres_password_file
- name: "configure pgadmin password"
ansible.builtin.template:
src: "./pgadmin/pgadmin.password"
dest: "{{ services_service_user_home }}/.config/service/pgadmin.password"
mode: 0600
register: services_deploy_database_pgadmin_password_file
- name: "configure systemd service"
ansible.builtin.template:
@ -21,6 +28,8 @@
loop:
- "pod-database.service"
- "container-database-postgres.service"
- "container-database-pgadmin-chown.service"
- "container-database-pgadmin.service"
register: services_deploy_database_systemd_files
- name: "systemd user daemon reload"
@ -50,7 +59,8 @@
state: "restarted"
scope: "user"
when:
(services_deploy_database_password_file.changed or
(services_deploy_database_postgres_password_file.changed or
services_deploy_database_pgadmin_password_file.changed or
services_deploy_database_systemd_files.changed) and
services_deploy_database_service_active_state.stdout == "active"

View File

@ -0,0 +1 @@
{{ services[services_service_name].pgadmin.password }}

View File

@ -1 +1 @@
{{ services[services_service_name].password }}
{{ services[services_service_name].postgres.password }}

View File

@ -0,0 +1,29 @@
[Unit]
Description=Podman container-database-pgadmin-chown.service
Documentation=man:podman-generate-systemd(1)
After=pod-database.service
Before=container-database-pgadmin.service
OnFailure=status-mail@%n.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-database-pgadmin-chown.pid %t/container-database-pgadmin-chown.ctr-id
ExecStart=/usr/bin/podman run \
--conmon-pidfile %t/container-database-pgadmin-chown.pid \
--cidfile %t/container-database-pgadmin-chown.ctr-id \
--cgroups=no-conmon \
--pod-id-file %t/pod-database.pod-id \
--replace \
-v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
-v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password \
--user=0 \
--entrypoint="/bin/sh" \
--name=pod-database-pgadmin-chown \
docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }} \
-c "chown -R 5050:5050 /var/lib/pgadmin /run/secrets/pgadmin.password"
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin-chown.ctr-id
Type=oneshot
[Install]
WantedBy=container-database-pgadmin.service

View File

@ -0,0 +1,38 @@
[Unit]
Description=Podman container-database-pgadmin.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target
BindsTo=pod-database.service container-database-postgres.service
Requires=container-database-pgadmin-chown.service
After=pod-database.service container-database-postgres.service container-database-pgadmin-chown.service
OnFailure=status-mail@%n.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-database-pgadmin.pid %t/container-database-pgadmin.ctr-id
ExecStart=/usr/bin/podman run \
--conmon-pidfile %t/container-database-pgadmin.pid \
--cidfile %t/container-database-pgadmin.ctr-id \
--cgroups=no-conmon \
--pod-id-file %t/pod-database.pod-id \
--replace \
--label "io.containers.autoupdate=image" \
--log-driver=journald \
-dt \
-v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-database/pgadmin/_data:/var/lib/pgadmin \
-v ./.config/service/pgadmin.password:/run/secrets/pgadmin.password:ro \
-e PGADMIN_DEFAULT_EMAIL="{{ services[services_service_name].pgadmin.email }}" \
-e PGADMIN_DEFAULT_PASSWORD_FILE=/run/secrets/pgadmin.password \
--name=pod-database-pgadmin \
docker.io/dpage/pgadmin4:{{ services_service_deploy_versions.pgadmin4 }}
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-database-pgadmin.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-database-pgadmin.ctr-id
PIDFile=%t/container-database-pgadmin.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target

View File

@ -3,8 +3,8 @@ Description=Podman pod-database.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target
Requires=container-database-postgres.service
Before=container-database-postgres.service
Requires=container-database-postgres.service container-database-pgadmin.service
Before=container-database-postgres.service container-database-pgadmin.service
OnFailure=status-mail@%n.service
[Service]

View File

@ -24,14 +24,14 @@
register: services_deploy_rproxy_generic_config
- name: "{{ services_service_name }} : stream nginx reverse proxy configuration"
ansible.builtin.copy:
ansible.builtin.template:
src: "{{ services_deploy_rproxy_nginx_stream_config }}"
dest: "{{ services_service_user_home }}/.config/service/stream.conf"
mode: 0644
register: services_deploy_rproxy_stream_config
- name: "{{ services_service_name }} : subdomain nginx reverse proxy configuration"
ansible.builtin.copy:
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_service_user_home }}/.config/service/nginx-conf.d/{{ item | basename }}"
mode: 0644

View File

@ -63,7 +63,7 @@
- "services:rproxy:deploy"
vars:
services_service_name: "rproxy"
services_deploy_rproxy_nginx_stream_config: "files/services/deploy/rproxy/stream.conf"
services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf"
services_deploy_rproxy_nginx_subdomain_config_files:
- "files/services/deploy/rproxy/nginx-conf.d/http-default.conf"
- "files/services/deploy/rproxy/nginx-conf.d/wojciechkozlowski.eu.conf"
@ -83,10 +83,11 @@
- "services:lrproxy:deploy"
vars:
services_service_name: "lrproxy"
services_deploy_rproxy_nginx_stream_config: "files/services/deploy/lrproxy/stream.conf"
services_deploy_rproxy_nginx_stream_config: "files/services/deploy/stream.conf"
services_deploy_rproxy_nginx_subdomain_config_files:
- "files/services/deploy/lrproxy/nginx-conf.d/archive.music.thenineworlds.net.conf"
- "files/services/deploy/lrproxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
- "files/services/deploy/lrproxy/nginx-conf.d/database.thenineworlds.net.conf"
- "files/services/deploy/lrproxy/nginx-conf.d/git.thenineworlds.net.conf"
- "files/services/deploy/lrproxy/nginx-conf.d/music.thenineworlds.net.conf"
- "files/services/deploy/lrproxy/nginx-conf.d/notes.thenineworlds.net.conf"

View File

@ -8,6 +8,7 @@ services_deploy_versions:
nginx: "stable"
database:
postgres: "15"
pgadmin4: "7"
cloud:
nginx: "stable"
nextcloud: "27-fpm"

View File

@ -6,6 +6,7 @@ services_volumes:
lrproxy:
etc-letsencrypt:
database:
pgadmin:
wal:
extra_zfs_properties:
recordsize: "8192" # 8K