eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

P4: Miniflux migration + PostgreSQL consolidation (#33)

Browse source 
## Summary
- Deploy miniflux in k8s via ArgoCD
- Expose via Tailscale Ingress at feed.tail8d86e.ts.net
- Retire brew PostgreSQL (no longer needed)
- Rename k8s-pg to pg (canonical hostname)
- Remove ansible miniflux and postgresql roles
- Update borgmatic to backup pg.tail8d86e.ts.net
- Update all zk documentation

## Deployment and Testing
- [x] Miniflux pod running in k8s
- [x] User login works at https://feed.tail8d86e.ts.net
- [x] Feeds and entries visible
- [x] brew miniflux and postgresql stopped
- [x] Tailscale services migrated (feed, pg)
- [x] zk documentation updated
- [x] Run ansible to apply role removals
- [ ] Verify borgmatic backup with new pg hostname

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/33
This commit is contained in:
Erich Blume 2026-01-20 09:04:47 -08:00
commit 735b643429
25 changed files with 336 additions and 518 deletions
Download patch file Download diff file Expand all files Collapse all files

67
ansible/playbooks/indri.yml
View file

@ -2,59 +2,10 @@
- name: Configure indri
hosts: indri
# Fetch all 1Password credentials upfront to minimize prompts
# Fetch 1Password credentials upfront to minimize prompts
# Each role also fetches its own credentials (with 'when: <var> is not defined')
# so they still work when running with --tags
# Tags ensure pre_tasks only run when relevant roles are included
pre_tasks:
- name: Fetch PostgreSQL superuser password
ansible.builtin.command:
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal
delegate_to: localhost
register: _pg_superuser_pw
changed_when: false
no_log: true
check_mode: false
tags: [postgresql]
- name: Set PostgreSQL superuser password fact
ansible.builtin.set_fact:
postgresql_superuser_password: "{{ _pg_superuser_pw.stdout }}"
no_log: true
tags: [postgresql]
- name: Fetch PostgreSQL alloy user password
ansible.builtin.command:
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get guxu3j7ajhjyey6xxl2ovsl2ui --fields alloy-user-pw --reveal
delegate_to: localhost
register: _pg_alloy_pw
changed_when: false
no_log: true
check_mode: false
tags: [alloy, postgresql]
- name: Set PostgreSQL alloy password fact
ansible.builtin.set_fact:
alloy_postgres_password: "{{ _pg_alloy_pw.stdout }}"
no_log: true
tags: [alloy, postgresql]
- name: Fetch miniflux database password
ansible.builtin.command:
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ns6wylqiuqgczpo7gq2akaxbti --fields password --reveal
delegate_to: localhost
register: _miniflux_db_pw
changed_when: false
no_log: true
check_mode: false
tags: [miniflux, postgresql]
- name: Set miniflux passwords fact
ansible.builtin.set_fact:
miniflux_db_password: "{{ _miniflux_db_pw.stdout }}"
no_log: true
tags: [miniflux, postgresql]
- name: Fetch borgmatic database password
ansible.builtin.command:
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mw2bv5we7woicjza7hc6s44yvy --fields db-password --reveal
@ -63,16 +14,13 @@
changed_when: false
no_log: true
check_mode: false
tags: [postgresql]
tags: [borgmatic]
- name: Build PostgreSQL user password lookup
- name: Set borgmatic database password fact
ansible.builtin.set_fact:
postgresql_user_passwords:
miniflux: "{{ _miniflux_db_pw.stdout }}"
borgmatic: "{{ _borgmatic_db_pw.stdout }}"
alloy: "{{ _pg_alloy_pw.stdout }}"
borgmatic_db_password: "{{ _borgmatic_db_pw.stdout }}"
no_log: true
tags: [postgresql]
tags: [borgmatic]
roles:
- role: loki
@ -110,9 +58,6 @@
tags: minikube_metrics
- role: plex_metrics
tags: plex_metrics
- role: postgresql
tags: postgresql
- role: miniflux
tags: miniflux
# NOTE: postgresql and miniflux roles removed - now hosted in k8s
- role: tailscale_serve
tags: tailscale-serve

12
ansible/roles/alloy/defaults/main.yml
View file

@ -40,12 +40,7 @@ alloy_brew_logs:
- path: /opt/homebrew/var/transmission/transmission-daemon.log
service: transmission
stream: stdout
- path: /opt/homebrew/var/log/postgresql@18.log
service: postgresql
stream: stdout
- path: /opt/homebrew/var/log/miniflux.log
service: miniflux
stream: stdout
# NOTE: postgresql and miniflux removed - now hosted in k8s
alloy_mcquack_logs:
- path: /Users/erichblume/Library/Logs/mcquack.devpi.out.log
@ -86,13 +81,14 @@ alloy_collect_zot: true
alloy_zot_metrics_url: "http://localhost:5050/metrics"
# PostgreSQL metrics collection
alloy_collect_postgres: true
# NOTE: Disabled - brew postgresql removed, k8s CNPG metrics TBD
alloy_collect_postgres: false
alloy_postgres_host: localhost
alloy_postgres_port: 5432
alloy_postgres_user: alloy
alloy_postgres_database: postgres
# 1Password settings for PostgreSQL metrics
# 1Password settings for PostgreSQL metrics (unused when alloy_collect_postgres is false)
alloy_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
alloy_op_postgres_item: guxu3j7ajhjyey6xxl2ovsl2ui
alloy_op_postgres_field: alloy-user-pw

11
ansible/roles/borgmatic/defaults/main.yml
View file

@ -41,17 +41,12 @@ borgmatic_keep_monthly: 12
borgmatic_keep_yearly: 1000
# PostgreSQL databases to backup (streamed via pg_dump)
# Password is read from ~/.pgpass (managed by postgresql role)
# Password is read from ~/.pgpass (managed by this role)
# pg_dump_command must be full path since LaunchAgent doesn't have homebrew in PATH
borgmatic_pg_dump_command: /opt/homebrew/opt/postgresql@18/bin/pg_dump
borgmatic_postgresql_databases:
# Brew PostgreSQL on indri (current production)
# k8s PostgreSQL (CloudNativePG)
- name: miniflux
hostname: localhost
port: 5432
username: borgmatic
# k8s PostgreSQL (CloudNativePG) - backup both during migration
- name: miniflux
hostname: k8s-pg.tail8d86e.ts.net
hostname: pg.tail8d86e.ts.net
port: 5432
username: borgmatic

11
ansible/roles/borgmatic/tasks/main.yml
View file

@ -8,6 +8,17 @@
state: directory
mode: '0700'
# .pgpass is used by pg_dump for database backups
# Password is fetched in playbook pre_tasks as borgmatic_db_password
- name: Write .pgpass file for borgmatic PostgreSQL backups
ansible.builtin.copy:
content: |
# Managed by ansible (borgmatic role) - k8s PostgreSQL backup credentials
pg.tail8d86e.ts.net:5432:*:borgmatic:{{ borgmatic_db_password }}
dest: ~/.pgpass
mode: '0600'
no_log: true
- name: Deploy borgmatic configuration
ansible.builtin.template:
src: config.yaml.j2

36
ansible/roles/miniflux/defaults/main.yml
View file

@ -1,36 +0,0 @@
---
# Miniflux configuration
# Network settings
miniflux_listen_addr: "127.0.0.1:8080"
miniflux_base_url: "https://feed.tail8d86e.ts.net/"
# Database connection (password fetched from 1Password)
miniflux_db_host: localhost
miniflux_db_port: 5432
miniflux_db_name: miniflux
miniflux_db_user: miniflux
# Config paths
miniflux_config_file: /opt/homebrew/etc/miniflux.conf
# 1Password settings for admin password
miniflux_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
miniflux_op_item: ns6wylqiuqgczpo7gq2akaxbti
# First run settings
# Set miniflux_create_admin to 1 for initial setup, then 0 after
miniflux_create_admin: 0
miniflux_admin_username: admin
# Always run migrations to keep schema updated
miniflux_run_migrations: 1
# Polling settings
miniflux_polling_frequency: 60
miniflux_batch_size: 100
miniflux_polling_scheduler: "entry_frequency"
# Cleanup settings (archive old entries)
miniflux_cleanup_archive_unread_days: 180
miniflux_cleanup_archive_read_days: 60

6
ansible/roles/miniflux/handlers/main.yml
View file

@ -1,6 +0,0 @@
---
- name: Restart miniflux
ansible.builtin.command: brew services restart miniflux
async: 120
poll: 0
changed_when: true

4
ansible/roles/miniflux/meta/main.yml
View file

@ -1,4 +0,0 @@
---
# Role ordering is controlled by indri.yml playbook - do not add dependencies here
# (Ansible's tag accumulation prevents proper deduplication when using meta dependencies)
dependencies: []

64
ansible/roles/miniflux/tasks/main.yml
View file

@ -1,64 +0,0 @@
---
# Miniflux installation and configuration
#
# Prerequisites:
# - PostgreSQL role has run (creates database, user, and ~/.miniflux-db-password)
# - 1Password CLI authenticated on control machine
#
# First run:
# mise run provision-indri -- --tags miniflux -e miniflux_create_admin=1
- name: Install miniflux via homebrew
community.general.homebrew:
name: miniflux
state: present
# === Fetch passwords from 1Password ===
# These are skipped when running full playbook (pre_tasks sets them)
# but run when using --tags miniflux
- name: Fetch miniflux database password from 1Password
ansible.builtin.command:
cmd: op --vault {{ miniflux_op_vault }} item get {{ miniflux_op_item }} --fields password --reveal
delegate_to: localhost
register: miniflux_db_password_result
changed_when: false
no_log: true
when: miniflux_db_password is not defined
- name: Set database password fact
ansible.builtin.set_fact:
miniflux_db_password: "{{ miniflux_db_password_result.stdout }}"
no_log: true
when: miniflux_db_password is not defined
- name: Fetch miniflux admin password from 1Password (for first run)
ansible.builtin.command:
cmd: op --vault {{ miniflux_op_vault }} item get {{ miniflux_op_item }} --fields admin-password --reveal
delegate_to: localhost
register: miniflux_admin_password_result
changed_when: false
no_log: true
when: miniflux_create_admin | int == 1
- name: Set admin password fact
ansible.builtin.set_fact:
miniflux_admin_password: "{{ miniflux_admin_password_result.stdout }}"
no_log: true
when: miniflux_create_admin | int == 1
# === Deploy configuration ===
- name: Deploy miniflux configuration
ansible.builtin.template:
src: miniflux.conf.j2
dest: "{{ miniflux_config_file }}"
mode: '0600'
notify: Restart miniflux
no_log: true
- name: Ensure miniflux service is started
ansible.builtin.command: brew services start miniflux
register: miniflux_brew_start
changed_when: "'Successfully started' in miniflux_brew_start.stdout"
failed_when: false

32
ansible/roles/miniflux/templates/miniflux.conf.j2
View file

@ -1,32 +0,0 @@
# {{ ansible_managed }}
# Miniflux configuration - KEY=VALUE format
# Passwords fetched from 1Password at deploy time.
# Server settings
LISTEN_ADDR={{ miniflux_listen_addr }}
BASE_URL={{ miniflux_base_url }}
# Database connection
DATABASE_URL=postgres://{{ miniflux_db_user }}:{{ miniflux_db_password }}@{{ miniflux_db_host }}:{{ miniflux_db_port }}/{{ miniflux_db_name }}?sslmode=disable
# Migrations (always run to keep schema updated)
RUN_MIGRATIONS={{ miniflux_run_migrations }}
{% if miniflux_create_admin | int == 1 and miniflux_admin_password is defined %}
# First run admin creation (remove these after initial setup)
CREATE_ADMIN=1
ADMIN_USERNAME={{ miniflux_admin_username }}
ADMIN_PASSWORD={{ miniflux_admin_password }}
{% endif %}
# Polling settings
POLLING_FREQUENCY={{ miniflux_polling_frequency }}
BATCH_SIZE={{ miniflux_batch_size }}
POLLING_SCHEDULER={{ miniflux_polling_scheduler }}
# Cleanup settings
CLEANUP_ARCHIVE_UNREAD_DAYS={{ miniflux_cleanup_archive_unread_days }}
CLEANUP_ARCHIVE_READ_DAYS={{ miniflux_cleanup_archive_read_days }}
# Logging
LOG_LEVEL=info

3
ansible/roles/podman/tasks/main.yml
View file

@ -24,6 +24,7 @@
cmd: podman machine list --format json
register: podman_machine_list
changed_when: false
check_mode: false # Safe to run in check mode - read-only
- name: Initialize podman machine (if not exists)
ansible.builtin.command:
@ -38,6 +39,7 @@
cmd: podman machine list --format "{{ '{{' }}.Running{{ '}}' }}"
register: podman_running
changed_when: false
check_mode: false # Safe to run in check mode - read-only
- name: Start podman machine (if stopped)
ansible.builtin.command:
@ -52,4 +54,5 @@
msg: "WARNING: podman machine may not have started. Run 'podman machine start' manually on indri if needed."
when:
- "'true' not in podman_running.stdout"
- podman_start is defined
- podman_start.rc != 0 or "'started successfully' not in podman_start.stdout"

44
ansible/roles/postgresql/defaults/main.yml
View file

@ -1,44 +0,0 @@
---
# PostgreSQL configuration
# Superuser name (explicit, not inherited from OS user)
postgresql_superuser: eblume
# Formula and version
postgresql_formula: postgresql@18
# Paths (keg-only formula on macOS)
postgresql_bin_dir: /opt/homebrew/opt/postgresql@18/bin
postgresql_data_dir: /opt/homebrew/var/postgresql@18
postgresql_config_dir: /opt/homebrew/var/postgresql@18
# Network settings
postgresql_port: 5432
postgresql_listen_addresses: "localhost"
# 1Password vault and item IDs for credentials
postgresql_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
postgresql_op_superuser_item: guxu3j7ajhjyey6xxl2ovsl2ui
postgresql_op_miniflux_item: ns6wylqiuqgczpo7gq2akaxbti
postgresql_op_borgmatic_item: mw2bv5we7woicjza7hc6s44yvy
# Databases to create
postgresql_databases:
- name: miniflux
owner: miniflux
# Users to create (passwords fetched from 1Password)
postgresql_users:
- name: miniflux
op_item: "{{ postgresql_op_miniflux_item }}"
op_field: password
- name: borgmatic
op_item: "{{ postgresql_op_borgmatic_item }}"
op_field: db-password
roles:
- pg_read_all_data
- name: alloy
op_item: "{{ postgresql_op_superuser_item }}"
op_field: alloy-user-pw
roles:
- pg_monitor

6
ansible/roles/postgresql/handlers/main.yml
View file

@ -1,6 +0,0 @@
---
- name: Restart postgresql
ansible.builtin.command: brew services restart {{ postgresql_formula }}
async: 120
poll: 0
changed_when: true

190
ansible/roles/postgresql/tasks/main.yml
View file

@ -1,190 +0,0 @@
---
# PostgreSQL installation and configuration
#
# Passwords are fetched from 1Password at runtime using the `op` CLI.
# Requires: `op` authenticated on the control machine (run `op signin` first).
- name: Install postgresql via homebrew
community.general.homebrew:
name: "{{ postgresql_formula }}"
state: present
# === Fetch passwords from 1Password (on control machine) ===
# These are skipped when running full playbook (pre_tasks sets them)
# but run when using --tags postgresql
- name: Fetch superuser password from 1Password
ansible.builtin.command:
cmd: op --vault {{ postgresql_op_vault }} item get {{ postgresql_op_superuser_item }} --fields password --reveal
delegate_to: localhost
register: postgresql_superuser_password_result
changed_when: false
no_log: true
check_mode: false
when: postgresql_superuser_password is not defined
- name: Set superuser password fact
ansible.builtin.set_fact:
postgresql_superuser_password: "{{ postgresql_superuser_password_result.stdout }}"
no_log: true
when: postgresql_superuser_password is not defined
- name: Fetch user passwords from 1Password
ansible.builtin.command:
cmd: op --vault {{ postgresql_op_vault }} item get {{ item.op_item }} --fields {{ item.op_field }} --reveal
delegate_to: localhost
loop: "{{ postgresql_users }}"
register: postgresql_user_passwords_result
changed_when: false
no_log: true
check_mode: false
when: postgresql_user_passwords is not defined
- name: Build user password lookup
ansible.builtin.set_fact:
postgresql_user_passwords: "{{ postgresql_user_passwords | default({}) | combine({item.item.name: item.stdout}) }}"
loop: "{{ postgresql_user_passwords_result.results }}"
no_log: true
when: postgresql_user_passwords is not defined
# === Initialize PostgreSQL cluster ===
- name: Check if postgresql data directory is initialized
ansible.builtin.stat:
path: "{{ postgresql_data_dir }}/PG_VERSION"
register: postgresql_data_check
- name: Create temporary password file for initdb
ansible.builtin.copy:
content: "{{ postgresql_superuser_password }}"
dest: /tmp/.pg_init_pwfile
mode: '0600'
when: not postgresql_data_check.stat.exists
no_log: true
- name: Initialize postgresql database cluster with superuser password
ansible.builtin.command: >
{{ postgresql_bin_dir }}/initdb
-U {{ postgresql_superuser }}
--locale=en_US.UTF-8 -E UTF-8
--pwfile=/tmp/.pg_init_pwfile
{{ postgresql_data_dir }}
when: not postgresql_data_check.stat.exists
changed_when: true
- name: Remove temporary password file
ansible.builtin.file:
path: /tmp/.pg_init_pwfile
state: absent
when: not postgresql_data_check.stat.exists
# === Configure and start PostgreSQL ===
- name: Deploy pg_hba.conf
ansible.builtin.template:
src: pg_hba.conf.j2
dest: "{{ postgresql_config_dir }}/pg_hba.conf"
mode: '0600'
notify: Restart postgresql
- name: Ensure postgresql service is started
ansible.builtin.command: brew services start {{ postgresql_formula }}
register: postgresql_brew_start
changed_when: "'Successfully started' in postgresql_brew_start.stdout"
failed_when: false
- name: Wait for postgresql to accept connections
ansible.builtin.command: >
{{ postgresql_bin_dir }}/pg_isready -h localhost -p {{ postgresql_port }}
register: postgresql_ready
until: postgresql_ready.rc == 0
retries: 10
delay: 2
changed_when: false
# === Create users with passwords ===
- name: Check if postgresql users exist
ansible.builtin.command: >
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
"SELECT 1 FROM pg_roles WHERE rolname = '{{ item.name }}';"
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_users }}"
register: postgresql_user_check
changed_when: false
failed_when: false
no_log: true
- name: Create postgresql users with passwords
ansible.builtin.command: >
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
"CREATE USER {{ item.item.name }} WITH PASSWORD '{{ postgresql_user_passwords[item.item.name] }}';"
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_user_check.results }}"
when: item.stdout != "1"
changed_when: true
no_log: true
- name: Update postgresql user passwords (idempotent)
ansible.builtin.command: >
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
"ALTER USER {{ item.name }} WITH PASSWORD '{{ postgresql_user_passwords[item.name] }}';"
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_users }}"
changed_when: false
no_log: true
# === Grant roles to users ===
- name: Grant roles to users
ansible.builtin.command: >
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }}
-d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_users | subelements('roles', skip_missing=True) }}"
changed_when: false
no_log: true
# === Create databases ===
- name: Check if postgresql databases exist
ansible.builtin.command: >
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
"SELECT 1 FROM pg_database WHERE datname = '{{ item.name }}';"
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_databases }}"
register: postgresql_db_check
changed_when: false
failed_when: false
no_log: true
- name: Create postgresql databases
ansible.builtin.command: >
{{ postgresql_bin_dir }}/createdb -h localhost -U {{ postgresql_superuser }}
--owner={{ item.item.owner }}
{{ item.item.name }}
environment:
PGPASSWORD: "{{ postgresql_superuser_password }}"
loop: "{{ postgresql_db_check.results }}"
when: item.stdout != "1"
changed_when: true
no_log: true
# === Write credential files for local access ===
# .pgpass is used by borgmatic for pg_dump backups
# Only includes read-only roles (borgmatic has pg_read_all_data)
- name: Write .pgpass file for borgmatic backups
ansible.builtin.copy:
content: |
# Managed by ansible - only read-only roles
localhost:{{ postgresql_port }}:*:borgmatic:{{ postgresql_user_passwords['borgmatic'] }}
k8s-pg.tail8d86e.ts.net:5432:*:borgmatic:{{ postgresql_user_passwords['borgmatic'] }}
dest: ~/.pgpass
mode: '0600'
no_log: true

16
ansible/roles/postgresql/templates/pg_hba.conf.j2
View file

@ -1,16 +0,0 @@
# {{ ansible_managed }}
# PostgreSQL Client Authentication Configuration File
#
# All connections require password authentication (scram-sha-256).
# Passwords are managed via 1Password and fetched by ansible at runtime.
# TYPE DATABASE USER ADDRESS METHOD
# Local connections (Unix socket)
local all all scram-sha-256
# IPv4 local connections (services connect via TCP)
host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections
host all all ::1/128 scram-sha-256

12
ansible/roles/tailscale_serve/defaults/main.yml
View file

@ -3,7 +3,7 @@
# Each service maps a Tailscale service name to local endpoints
tailscale_serve_services:
# NOTE: svc:grafana removed - now hosted in k8s (see argocd/apps/grafana.yaml)
# NOTE: svc:grafana, svc:pg, svc:feed removed - now hosted in k8s
- name: svc:forge
https:
@ -23,16 +23,6 @@ tailscale_serve_services:
port: 443
upstream: http://127.0.0.1:3141
- name: svc:pg
tcp:
port: 5432
upstream: tcp://localhost:5432
- name: svc:feed
https:
port: 443
upstream: http://localhost:8080
- name: svc:registry
https:
port: 443