Add database creation steps
This commit is contained in:
parent
7a8ad1c418
commit
ecc56cf778
@ -1,7 +1,10 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
internal_subnet: 10.2.16.0/24
postgresql_version: 14
db_passwords:
nextcloud: "{{ vault_db_passwords.nextcloud }}"
databases:
nextcloud:
username: nextcloud
password: "{{ vault_db_passwords.nextcloud }}"
@ -1,5 +1,6 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
internal_subnet: 10.2.18.0/24
tls_email: "{{ vault_tls_email }}"
njalla_api_token: "{{ vault_njalla_api_token }}"
@ -1,7 +1,10 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
internal_subnet: 10.2.19.0/24
postgresql_version: 14
db_passwords:
nextcloud: "{{ vault_db_passwords.nextcloud }}"
databases:
nextcloud:
username: nextcloud
password: "{{ vault_db_passwords.nextcloud }}"
@ -24,8 +24,7 @@
state: directory
- name: Configure apps
ansible.builtin.include_tasks:
file: configure_app.yml
ansible.builtin.include_tasks: configure_app.yml
vars:
app_name: "{{ item }}"
app_vars: "{{ apps_vars[item] }}"
@ -15,8 +15,8 @@ services:
environment:
POSTGRES_HOST: "{{ db_host }}"
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: {{ db_passwords.nextcloud }}
POSTGRES_USER: "{{ databases.nextcloud.username }}"
POSTGRES_PASSWORD: {{ databases.nextcloud.password }}
REDIS_HOST: redis
REDIS_HOST_PASSWORD: {{ redis_passwords.nextcloud }}
MAIL_FROM_ADDRESS: noreply
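Review bot: `POSTGRES_PASSWORD: {{ databases.nextcloud.password }}` (and the `REDIS_HOST_PASSWORD` line two below it) drop the rendered secret into the compose file as a plain YAML scalar, so a password containing `: ` or ` #`, starting with a YAML indicator, or looking like a number or boolean will break parsing or change type, while `POSTGRES_USER` on the line above is quoted. The template engine does not apply YAML rules, and wrapping the expression in double quotes would still break on a `"` or `\` in the value; a JSON-encoded scalar is valid YAML in every case: `POSTGRES_PASSWORD: {{ databases.nextcloud.password | to_json }}`, and the same for `REDIS_HOST_PASSWORD`. The enclosing service definition starts before this hunk.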
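--- /dev/null
+++ b/roles/postgresql/tasks/database.yml
@@ -0,0 +1,35 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Create database user '{{ db_vars.username }}'
+  community.postgresql.postgresql_user:
+    name: "{{ db_vars.username }}"
+    password: "{{ db_vars.password }}"
+    state: present
+  environment:
+    PGOPTIONS: '-c password_encryption=scram-sha-256'
+
+- name: Create database '{{ db_name }}'
+  community.postgresql.postgresql_db:
+    name: "{{ db_name }}"
+    owner: "{{ db_vars.username }}"
+    template: template0
+    encoding: UTF-8
+    state: present
+
+- name: Grant all priviliges to owner on database '{{ db_name }}'
+  community.postgresql.postgresql_privs:
+    database: "{{ db_name }}"
+    roles: "{{ db_vars.username }}"
+    privs: ALL
+    state: present
+
+- name: Allow connections to database '{{ db_name }}'
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_pgdata }}/pg_hba.conf"
+    contype: host
+    users: "{{ db_vars.username }}"
+    databases: "{{ db_name }}"
+    source: "{{ internal_subnet }}"
+    method: scram-sha-256
+    state: present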
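Review bot: The "Grant all priviliges" task leaves `type` at the module's default (`table`) and sets no `objs`, so it does not perform the database-level grant its name describes; that needs `type: database` — and since the same role is already set as `owner` in the task above, the grant is likely redundant and could be dropped instead. The pg_hba entry uses `contype: host`, which admits both TLS and cleartext sessions from `internal_subnet`; if the server has ssl enabled, `contype: hostssl` limits the rule to encrypted connections, which is worth deciding explicitly here. The task name also misspells "privileges".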
@ -21,6 +21,7 @@
name:
- postgresql{{ postgresql_version }}-server
- python{{ ansible_python.version.major }}-psycopg2
- python{{ ansible_python.version.major }}-ipaddress
state: present
- name: Create PostgreSQL service override folder
@ -58,3 +59,10 @@
name: "{{ postgresql_service }}"
enabled: true
state: started
- name: Set up databases
ansible.builtin.include_tasks: database.yml
vars:
db_name: "{{ item.key }}"
db_vars: "{{ item.value }}"
loop: "{{ databases | dict2items }}"
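Review bot: The "Set up databases" include loops over `databases | dict2items`, and Ansible prints each loop item with the include result, so `item.value.password` — the vault-sourced value from `databases.*.password` — lands in plaintext in the play output and in any log that captures it. Limiting what is displayed keeps the secret out: add `loop_control:` with `label: "{{ item.key }}"` under the `loop:` line. The `postgresql_user` module in the included file presumably masks its own `password` argument, but that does not cover the include's item display.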
@ -68,29 +68,17 @@
# state: enabled
# loop: "{{ groups['control_infra'] }}"
- name: Firewall rules for DB servers
when: hostname in groups['production'] or hostname in groups['staging']
- name: Firewall rules for database servers
when: hostname in groups['dbservers']
notify: Reload firewalld
block:
- name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
- name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ hostvars[item].internal_ipv4 }}"
source: "{{ internal_subnet }}"
service: postgresql
permanent: true
state: enabled
loop: "{{ groups['app_prod'] }}"
when: hostname in groups['db_prod']
- name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ hostvars[item].internal_ipv4 }}"
service: postgresql
permanent: true
state: enabled
loop: "{{ groups['app_stage'] }}"
when: hostname in groups['db_stage']
- name: Firewall rules for proxy servers
when: hostname in group['proxyservers']
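Review bot: The rewritten rule admits the PostgreSQL service from all of `internal_subnet` instead of the individual app-server addresses the removed `hostvars[item].internal_ipv4` loops allowed, so every host on that /24 can reach the port and access control rests on pg_hba alone; if that widening is intended, a comment above the task stating it would help the next reader, e.g. `# Whole internal subnet rather than per-host sources; pg_hba.conf restricts user, database and auth method`. Note also that `internal_subnet` is defined per host or group in this commit's vars files (10.2.16, 10.2.18, 10.2.19 …/24), so the rule opens the database host's own subnet; app servers on a different subnet from their database would no longer match, which is worth confirming against the inventory. The context line `when: hostname in group['proxyservers']` reads `group` where the other conditions use `groups`, which is probably an undefined variable at runtime; it predates this commit but could be fixed in the same pass. The enclosing task list continues outside the hunk.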