P4: Miniflux migration + PostgreSQL consolidation (#33)

## Summary - Deploy miniflux in k8s via ArgoCD - Expose via Tailscale Ingress at feed.tail8d86e.ts.net - Retire brew PostgreSQL (no longer needed) - Rename k8s-pg to pg (canonical hostname) - Remove ansible miniflux and postgresql roles - Update borgmatic to backup pg.tail8d86e.ts.net - Update all zk documentation ## Deployment and Testing - [x] Miniflux pod running in k8s - [x] User login works at https://feed.tail8d86e.ts.net - [x] Feeds and entries visible - [x] brew miniflux and postgresql stopped - [x] Tailscale services migrated (feed, pg) - [x] zk documentation updated - [x] Run ansible to apply role removals - [ ] Verify borgmatic backup with new pg hostname 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/33
2026-01-20 09:04:47 -08:00 · 2026-01-20 09:04:47 -08:00 · 735b643429
commit 735b643429
parent 463f476374
25 changed files with 336 additions and 518 deletions
--- a/ansible/roles/alloy/defaults/main.yml
+++ b/ansible/roles/alloy/defaults/main.yml
@ -40,12 +40,7 @@ alloy_brew_logs:
  - path: /opt/homebrew/var/transmission/transmission-daemon.log
    service: transmission
    stream: stdout
-  - path: /opt/homebrew/var/log/postgresql@18.log
-    service: postgresql
-    stream: stdout
-  - path: /opt/homebrew/var/log/miniflux.log
-    service: miniflux
-    stream: stdout
+  # NOTE: postgresql and miniflux removed - now hosted in k8s

 alloy_mcquack_logs:
  - path: /Users/erichblume/Library/Logs/mcquack.devpi.out.log
@ -86,13 +81,14 @@ alloy_collect_zot: true
 alloy_zot_metrics_url: "http://localhost:5050/metrics"

 # PostgreSQL metrics collection
-alloy_collect_postgres: true
+# NOTE: Disabled - brew postgresql removed, k8s CNPG metrics TBD
+alloy_collect_postgres: false
 alloy_postgres_host: localhost
 alloy_postgres_port: 5432
 alloy_postgres_user: alloy
 alloy_postgres_database: postgres

-# 1Password settings for PostgreSQL metrics
+# 1Password settings for PostgreSQL metrics (unused when alloy_collect_postgres is false)
 alloy_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
 alloy_op_postgres_item: guxu3j7ajhjyey6xxl2ovsl2ui
 alloy_op_postgres_field: alloy-user-pw
--- a/ansible/roles/borgmatic/defaults/main.yml
+++ b/ansible/roles/borgmatic/defaults/main.yml
@ -41,17 +41,12 @@ borgmatic_keep_monthly: 12
 borgmatic_keep_yearly: 1000

 # PostgreSQL databases to backup (streamed via pg_dump)
-# Password is read from ~/.pgpass (managed by postgresql role)
+# Password is read from ~/.pgpass (managed by this role)
 # pg_dump_command must be full path since LaunchAgent doesn't have homebrew in PATH
 borgmatic_pg_dump_command: /opt/homebrew/opt/postgresql@18/bin/pg_dump
 borgmatic_postgresql_databases:
-  # Brew PostgreSQL on indri (current production)
+  # k8s PostgreSQL (CloudNativePG)
  - name: miniflux
-    hostname: localhost
-    port: 5432
-    username: borgmatic
-  # k8s PostgreSQL (CloudNativePG) - backup both during migration
-  - name: miniflux
-    hostname: k8s-pg.tail8d86e.ts.net
+    hostname: pg.tail8d86e.ts.net
    port: 5432
    username: borgmatic
--- a/ansible/roles/borgmatic/tasks/main.yml
+++ b/ansible/roles/borgmatic/tasks/main.yml
@ -8,6 +8,17 @@
    state: directory
    mode: '0700'

+# .pgpass is used by pg_dump for database backups
+# Password is fetched in playbook pre_tasks as borgmatic_db_password
+- name: Write .pgpass file for borgmatic PostgreSQL backups
+  ansible.builtin.copy:
+    content: |
+      # Managed by ansible (borgmatic role) - k8s PostgreSQL backup credentials
+      pg.tail8d86e.ts.net:5432:*:borgmatic:{{ borgmatic_db_password }}
+    dest: ~/.pgpass
+    mode: '0600'
+  no_log: true
+
 - name: Deploy borgmatic configuration
  ansible.builtin.template:
    src: config.yaml.j2
--- a/ansible/roles/miniflux/defaults/main.yml
+++ b/ansible/roles/miniflux/defaults/main.yml
@ -1,36 +0,0 @@
---
-# Miniflux configuration
-
-# Network settings
-miniflux_listen_addr: "127.0.0.1:8080"
-miniflux_base_url: "https://feed.tail8d86e.ts.net/"
-
-# Database connection (password fetched from 1Password)
-miniflux_db_host: localhost
-miniflux_db_port: 5432
-miniflux_db_name: miniflux
-miniflux_db_user: miniflux
-
-# Config paths
-miniflux_config_file: /opt/homebrew/etc/miniflux.conf
-
-# 1Password settings for admin password
-miniflux_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
-miniflux_op_item: ns6wylqiuqgczpo7gq2akaxbti
-
-# First run settings
-# Set miniflux_create_admin to 1 for initial setup, then 0 after
-miniflux_create_admin: 0
-miniflux_admin_username: admin
-
-# Always run migrations to keep schema updated
-miniflux_run_migrations: 1
-
-# Polling settings
-miniflux_polling_frequency: 60
-miniflux_batch_size: 100
-miniflux_polling_scheduler: "entry_frequency"
-
-# Cleanup settings (archive old entries)
-miniflux_cleanup_archive_unread_days: 180
-miniflux_cleanup_archive_read_days: 60
--- a/ansible/roles/miniflux/handlers/main.yml
+++ b/ansible/roles/miniflux/handlers/main.yml
@ -1,6 +0,0 @@
---
- name: Restart miniflux
-  ansible.builtin.command: brew services restart miniflux
-  async: 120
-  poll: 0
-  changed_when: true
--- a/ansible/roles/miniflux/meta/main.yml
+++ b/ansible/roles/miniflux/meta/main.yml
@ -1,4 +0,0 @@
---
-# Role ordering is controlled by indri.yml playbook - do not add dependencies here
-# (Ansible's tag accumulation prevents proper deduplication when using meta dependencies)
-dependencies: []
--- a/ansible/roles/miniflux/tasks/main.yml
+++ b/ansible/roles/miniflux/tasks/main.yml
@ -1,64 +0,0 @@
---
-# Miniflux installation and configuration
-#
-# Prerequisites:
-#   - PostgreSQL role has run (creates database, user, and ~/.miniflux-db-password)
-#   - 1Password CLI authenticated on control machine
-#
-# First run:
-#   mise run provision-indri -- --tags miniflux -e miniflux_create_admin=1
-
- name: Install miniflux via homebrew
-  community.general.homebrew:
-    name: miniflux
-    state: present
-
-# === Fetch passwords from 1Password ===
-# These are skipped when running full playbook (pre_tasks sets them)
-# but run when using --tags miniflux
-
- name: Fetch miniflux database password from 1Password
-  ansible.builtin.command:
-    cmd: op --vault {{ miniflux_op_vault }} item get {{ miniflux_op_item }} --fields password --reveal
-  delegate_to: localhost
-  register: miniflux_db_password_result
-  changed_when: false
-  no_log: true
-  when: miniflux_db_password is not defined
-
- name: Set database password fact
-  ansible.builtin.set_fact:
-    miniflux_db_password: "{{ miniflux_db_password_result.stdout }}"
-  no_log: true
-  when: miniflux_db_password is not defined
-
- name: Fetch miniflux admin password from 1Password (for first run)
-  ansible.builtin.command:
-    cmd: op --vault {{ miniflux_op_vault }} item get {{ miniflux_op_item }} --fields admin-password --reveal
-  delegate_to: localhost
-  register: miniflux_admin_password_result
-  changed_when: false
-  no_log: true
-  when: miniflux_create_admin | int == 1
-
- name: Set admin password fact
-  ansible.builtin.set_fact:
-    miniflux_admin_password: "{{ miniflux_admin_password_result.stdout }}"
-  no_log: true
-  when: miniflux_create_admin | int == 1
-
-# === Deploy configuration ===
-
- name: Deploy miniflux configuration
-  ansible.builtin.template:
-    src: miniflux.conf.j2
-    dest: "{{ miniflux_config_file }}"
-    mode: '0600'
-  notify: Restart miniflux
-  no_log: true
-
- name: Ensure miniflux service is started
-  ansible.builtin.command: brew services start miniflux
-  register: miniflux_brew_start
-  changed_when: "'Successfully started' in miniflux_brew_start.stdout"
-  failed_when: false
--- a/ansible/roles/miniflux/templates/miniflux.conf.j2
+++ b/ansible/roles/miniflux/templates/miniflux.conf.j2
@ -1,32 +0,0 @@
-# {{ ansible_managed }}
-# Miniflux configuration - KEY=VALUE format
-# Passwords fetched from 1Password at deploy time.
-
-# Server settings
-LISTEN_ADDR={{ miniflux_listen_addr }}
-BASE_URL={{ miniflux_base_url }}
-
-# Database connection
-DATABASE_URL=postgres://{{ miniflux_db_user }}:{{ miniflux_db_password }}@{{ miniflux_db_host }}:{{ miniflux_db_port }}/{{ miniflux_db_name }}?sslmode=disable
-
-# Migrations (always run to keep schema updated)
-RUN_MIGRATIONS={{ miniflux_run_migrations }}
-
-{% if miniflux_create_admin | int == 1 and miniflux_admin_password is defined %}
-# First run admin creation (remove these after initial setup)
-CREATE_ADMIN=1
-ADMIN_USERNAME={{ miniflux_admin_username }}
-ADMIN_PASSWORD={{ miniflux_admin_password }}
-{% endif %}
-
-# Polling settings
-POLLING_FREQUENCY={{ miniflux_polling_frequency }}
-BATCH_SIZE={{ miniflux_batch_size }}
-POLLING_SCHEDULER={{ miniflux_polling_scheduler }}
-
-# Cleanup settings
-CLEANUP_ARCHIVE_UNREAD_DAYS={{ miniflux_cleanup_archive_unread_days }}
-CLEANUP_ARCHIVE_READ_DAYS={{ miniflux_cleanup_archive_read_days }}
-
-# Logging
-LOG_LEVEL=info
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@ -24,6 +24,7 @@
    cmd: podman machine list --format json
  register: podman_machine_list
  changed_when: false
+  check_mode: false  # Safe to run in check mode - read-only

 - name: Initialize podman machine (if not exists)
  ansible.builtin.command:
@ -38,6 +39,7 @@
    cmd: podman machine list --format "{{ '{{' }}.Running{{ '}}' }}"
  register: podman_running
  changed_when: false
+  check_mode: false  # Safe to run in check mode - read-only

 - name: Start podman machine (if stopped)
  ansible.builtin.command:
@ -52,4 +54,5 @@
    msg: "WARNING: podman machine may not have started. Run 'podman machine start' manually on indri if needed."
  when:
    - "'true' not in podman_running.stdout"
+    - podman_start is defined
    - podman_start.rc != 0 or "'started successfully' not in podman_start.stdout"
--- a/ansible/roles/postgresql/defaults/main.yml
+++ b/ansible/roles/postgresql/defaults/main.yml
@ -1,44 +0,0 @@
---
-# PostgreSQL configuration
-
-# Superuser name (explicit, not inherited from OS user)
-postgresql_superuser: eblume
-
-# Formula and version
-postgresql_formula: postgresql@18
-
-# Paths (keg-only formula on macOS)
-postgresql_bin_dir: /opt/homebrew/opt/postgresql@18/bin
-postgresql_data_dir: /opt/homebrew/var/postgresql@18
-postgresql_config_dir: /opt/homebrew/var/postgresql@18
-
-# Network settings
-postgresql_port: 5432
-postgresql_listen_addresses: "localhost"
-
-# 1Password vault and item IDs for credentials
-postgresql_op_vault: vg6xf6vvfmoh5hqjjhlhbeoaie
-postgresql_op_superuser_item: guxu3j7ajhjyey6xxl2ovsl2ui
-postgresql_op_miniflux_item: ns6wylqiuqgczpo7gq2akaxbti
-postgresql_op_borgmatic_item: mw2bv5we7woicjza7hc6s44yvy
-
-# Databases to create
-postgresql_databases:
-  - name: miniflux
-    owner: miniflux
-
-# Users to create (passwords fetched from 1Password)
-postgresql_users:
-  - name: miniflux
-    op_item: "{{ postgresql_op_miniflux_item }}"
-    op_field: password
-  - name: borgmatic
-    op_item: "{{ postgresql_op_borgmatic_item }}"
-    op_field: db-password
-    roles:
-      - pg_read_all_data
-  - name: alloy
-    op_item: "{{ postgresql_op_superuser_item }}"
-    op_field: alloy-user-pw
-    roles:
-      - pg_monitor
--- a/ansible/roles/postgresql/handlers/main.yml
+++ b/ansible/roles/postgresql/handlers/main.yml
@ -1,6 +0,0 @@
---
- name: Restart postgresql
-  ansible.builtin.command: brew services restart {{ postgresql_formula }}
-  async: 120
-  poll: 0
-  changed_when: true
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@ -1,190 +0,0 @@
---
-# PostgreSQL installation and configuration
-#
-# Passwords are fetched from 1Password at runtime using the `op` CLI.
-# Requires: `op` authenticated on the control machine (run `op signin` first).
-
- name: Install postgresql via homebrew
-  community.general.homebrew:
-    name: "{{ postgresql_formula }}"
-    state: present
-
-# === Fetch passwords from 1Password (on control machine) ===
-# These are skipped when running full playbook (pre_tasks sets them)
-# but run when using --tags postgresql
-
- name: Fetch superuser password from 1Password
-  ansible.builtin.command:
-    cmd: op --vault {{ postgresql_op_vault }} item get {{ postgresql_op_superuser_item }} --fields password --reveal
-  delegate_to: localhost
-  register: postgresql_superuser_password_result
-  changed_when: false
-  no_log: true
-  check_mode: false
-  when: postgresql_superuser_password is not defined
-
- name: Set superuser password fact
-  ansible.builtin.set_fact:
-    postgresql_superuser_password: "{{ postgresql_superuser_password_result.stdout }}"
-  no_log: true
-  when: postgresql_superuser_password is not defined
-
- name: Fetch user passwords from 1Password
-  ansible.builtin.command:
-    cmd: op --vault {{ postgresql_op_vault }} item get {{ item.op_item }} --fields {{ item.op_field }} --reveal
-  delegate_to: localhost
-  loop: "{{ postgresql_users }}"
-  register: postgresql_user_passwords_result
-  changed_when: false
-  no_log: true
-  check_mode: false
-  when: postgresql_user_passwords is not defined
-
- name: Build user password lookup
-  ansible.builtin.set_fact:
-    postgresql_user_passwords: "{{ postgresql_user_passwords | default({}) | combine({item.item.name: item.stdout}) }}"
-  loop: "{{ postgresql_user_passwords_result.results }}"
-  no_log: true
-  when: postgresql_user_passwords is not defined
-
-# === Initialize PostgreSQL cluster ===
-
- name: Check if postgresql data directory is initialized
-  ansible.builtin.stat:
-    path: "{{ postgresql_data_dir }}/PG_VERSION"
-  register: postgresql_data_check
-
- name: Create temporary password file for initdb
-  ansible.builtin.copy:
-    content: "{{ postgresql_superuser_password }}"
-    dest: /tmp/.pg_init_pwfile
-    mode: '0600'
-  when: not postgresql_data_check.stat.exists
-  no_log: true
-
- name: Initialize postgresql database cluster with superuser password
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/initdb
-    -U {{ postgresql_superuser }}
-    --locale=en_US.UTF-8 -E UTF-8
-    --pwfile=/tmp/.pg_init_pwfile
-    {{ postgresql_data_dir }}
-  when: not postgresql_data_check.stat.exists
-  changed_when: true
-
- name: Remove temporary password file
-  ansible.builtin.file:
-    path: /tmp/.pg_init_pwfile
-    state: absent
-  when: not postgresql_data_check.stat.exists
-
-# === Configure and start PostgreSQL ===
-
- name: Deploy pg_hba.conf
-  ansible.builtin.template:
-    src: pg_hba.conf.j2
-    dest: "{{ postgresql_config_dir }}/pg_hba.conf"
-    mode: '0600'
-  notify: Restart postgresql
-
- name: Ensure postgresql service is started
-  ansible.builtin.command: brew services start {{ postgresql_formula }}
-  register: postgresql_brew_start
-  changed_when: "'Successfully started' in postgresql_brew_start.stdout"
-  failed_when: false
-
- name: Wait for postgresql to accept connections
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/pg_isready -h localhost -p {{ postgresql_port }}
-  register: postgresql_ready
-  until: postgresql_ready.rc == 0
-  retries: 10
-  delay: 2
-  changed_when: false
-
-# === Create users with passwords ===
-
- name: Check if postgresql users exist
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
-    "SELECT 1 FROM pg_roles WHERE rolname = '{{ item.name }}';"
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_users }}"
-  register: postgresql_user_check
-  changed_when: false
-  failed_when: false
-  no_log: true
-
- name: Create postgresql users with passwords
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
-    "CREATE USER {{ item.item.name }} WITH PASSWORD '{{ postgresql_user_passwords[item.item.name] }}';"
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_user_check.results }}"
-  when: item.stdout != "1"
-  changed_when: true
-  no_log: true
-
- name: Update postgresql user passwords (idempotent)
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
-    "ALTER USER {{ item.name }} WITH PASSWORD '{{ postgresql_user_passwords[item.name] }}';"
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_users }}"
-  changed_when: false
-  no_log: true
-
-# === Grant roles to users ===
-
- name: Grant roles to users
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }}
-    -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_users | subelements('roles', skip_missing=True) }}"
-  changed_when: false
-  no_log: true
-
-# === Create databases ===
-
- name: Check if postgresql databases exist
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
-    "SELECT 1 FROM pg_database WHERE datname = '{{ item.name }}';"
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_databases }}"
-  register: postgresql_db_check
-  changed_when: false
-  failed_when: false
-  no_log: true
-
- name: Create postgresql databases
-  ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/createdb -h localhost -U {{ postgresql_superuser }}
-    --owner={{ item.item.owner }}
-    {{ item.item.name }}
-  environment:
-    PGPASSWORD: "{{ postgresql_superuser_password }}"
-  loop: "{{ postgresql_db_check.results }}"
-  when: item.stdout != "1"
-  changed_when: true
-  no_log: true
-
-# === Write credential files for local access ===
-
-# .pgpass is used by borgmatic for pg_dump backups
-# Only includes read-only roles (borgmatic has pg_read_all_data)
- name: Write .pgpass file for borgmatic backups
-  ansible.builtin.copy:
-    content: |
-      # Managed by ansible - only read-only roles
-      localhost:{{ postgresql_port }}:*:borgmatic:{{ postgresql_user_passwords['borgmatic'] }}
-      k8s-pg.tail8d86e.ts.net:5432:*:borgmatic:{{ postgresql_user_passwords['borgmatic'] }}
-    dest: ~/.pgpass
-    mode: '0600'
-  no_log: true
--- a/ansible/roles/postgresql/templates/pg_hba.conf.j2
+++ b/ansible/roles/postgresql/templates/pg_hba.conf.j2
@ -1,16 +0,0 @@
-# {{ ansible_managed }}
-# PostgreSQL Client Authentication Configuration File
-#
-# All connections require password authentication (scram-sha-256).
-# Passwords are managed via 1Password and fetched by ansible at runtime.
-
-# TYPE  DATABASE        USER            ADDRESS                 METHOD
-
-# Local connections (Unix socket)
-local   all             all                                     scram-sha-256
-
-# IPv4 local connections (services connect via TCP)
-host    all             all             127.0.0.1/32            scram-sha-256
-
-# IPv6 local connections
-host    all             all             ::1/128                 scram-sha-256
--- a/ansible/roles/tailscale_serve/defaults/main.yml
+++ b/ansible/roles/tailscale_serve/defaults/main.yml
@ -3,7 +3,7 @@
 # Each service maps a Tailscale service name to local endpoints

 tailscale_serve_services:
-  # NOTE: svc:grafana removed - now hosted in k8s (see argocd/apps/grafana.yaml)
+  # NOTE: svc:grafana, svc:pg, svc:feed removed - now hosted in k8s

  - name: svc:forge
    https:
@ -23,16 +23,6 @@ tailscale_serve_services:
      port: 443
      upstream: http://127.0.0.1:3141

-  - name: svc:pg
-    tcp:
-      port: 5432
-      upstream: tcp://localhost:5432
-
-  - name: svc:feed
-    https:
-      port: 443
-      upstream: http://localhost:8080
-
  - name: svc:registry
    https:
      port: 443