Use explicit PostgreSQL superuser name and fix check mode

- Add postgresql_superuser variable (eblume) to prevent inheriting OS username
- Update initdb to use -U flag for explicit superuser creation
- Update all psql/createdb commands to use explicit -U flag
- Add check_mode: false to op commands so 1Password fetches run in --check mode
- Add PostgreSQL and Miniflux to indri-services-check

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/playbooks/indri.yml

@@ -14,6 +14,7 @@
       register: _pg_superuser_pw
       changed_when: false
       no_log: true
+      check_mode: false
       tags: [postgresql]
 
     - name: Set PostgreSQL superuser password fact
@@ -29,6 +30,7 @@
       register: _pg_alloy_pw
       changed_when: false
       no_log: true
+      check_mode: false
       tags: [alloy, postgresql]
 
     - name: Set PostgreSQL alloy password fact
@@ -44,6 +46,7 @@
       register: _miniflux_db_pw
       changed_when: false
       no_log: true
+      check_mode: false
       tags: [miniflux, postgresql]
 
     - name: Set miniflux passwords fact
@@ -59,6 +62,7 @@
       register: _borgmatic_db_pw
       changed_when: false
       no_log: true
+      check_mode: false
       tags: [postgresql]
 
     - name: Build PostgreSQL user password lookup

ansible/roles/postgresql/defaults/main.yml

@@ -1,6 +1,9 @@
 ---
 # PostgreSQL configuration
 
+# Superuser name (explicit, not inherited from OS user)
+postgresql_superuser: eblume
+
 # Formula and version
 postgresql_formula: postgresql@18
 

ansible/roles/postgresql/tasks/main.yml

@@ -20,6 +20,7 @@
   register: pg_superuser_password_result
   changed_when: false
   no_log: true
+  check_mode: false
   when: pg_superuser_password is not defined
 
 - name: Set superuser password fact
@@ -36,6 +37,7 @@
   register: pg_user_passwords_result
   changed_when: false
   no_log: true
+  check_mode: false
   when: pg_user_passwords is not defined
 
 - name: Build user password lookup
@@ -63,6 +65,7 @@
 - name: Initialize postgresql database cluster with superuser password
   ansible.builtin.command: >
     {{ postgresql_bin_dir }}/initdb
+    -U {{ postgresql_superuser }}
     --locale=en_US.UTF-8 -E UTF-8
     --pwfile=/tmp/.pg_init_pwfile
     {{ postgresql_data_dir }}
@@ -102,7 +105,7 @@
 
 - name: Check if postgresql users exist
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
+    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
     "SELECT 1 FROM pg_roles WHERE rolname = '{{ item.name }}';"
   environment:
     PGPASSWORD: "{{ pg_superuser_password }}"
@@ -114,7 +117,7 @@
 
 - name: Create postgresql users with passwords
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
+    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
     "CREATE USER {{ item.item.name }} WITH PASSWORD '{{ pg_user_passwords[item.item.name] }}';"
   environment:
     PGPASSWORD: "{{ pg_superuser_password }}"
@@ -125,7 +128,7 @@
 
 - name: Update postgresql user passwords (idempotent)
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
+    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
     "ALTER USER {{ item.name }} WITH PASSWORD '{{ pg_user_passwords[item.name] }}';"
   environment:
     PGPASSWORD: "{{ pg_superuser_password }}"
@@ -137,7 +140,7 @@
 
 - name: Grant roles to users
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
+    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
   environment:
     PGPASSWORD: "{{ pg_superuser_password }}"
   loop: "{{ postgresql_users | subelements('roles', skip_missing=True) }}"
@@ -148,7 +151,7 @@
 
 - name: Check if postgresql databases exist
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
+    {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
     "SELECT 1 FROM pg_database WHERE datname = '{{ item.name }}';"
   environment:
     PGPASSWORD: "{{ pg_superuser_password }}"
@@ -160,7 +163,7 @@
 
 - name: Create postgresql databases
   ansible.builtin.command: >
-    {{ postgresql_bin_dir }}/createdb -h localhost
+    {{ postgresql_bin_dir }}/createdb -h localhost -U {{ postgresql_superuser }}
     --owner={{ item.item.owner }}
     {{ item.item.name }}
   environment:

mise-tasks/indri-services-check

@@ -52,6 +52,8 @@ check_service "transmission-metrics" "ssh indri 'launchctl list | grep transmiss
 check_service "kiwix-serve" "ssh indri 'launchctl list | grep kiwix | grep -v \"^-\"'"
 check_service "forgejo" "ssh indri 'brew services list | grep forgejo | grep started'"
 check_service "devpi" "ssh indri 'launchctl list | grep devpi | grep -v \"^-\"'"
+check_service "postgresql" "ssh indri 'brew services list | grep postgresql | grep started'"
+check_service "miniflux" "ssh indri 'brew services list | grep miniflux | grep started'"
 
 echo ""
 echo "HTTP endpoints (via Tailscale):"
@@ -61,10 +63,13 @@ check_http "Grafana" "http://indri:3000/api/health"
 check_http "Kiwix" "http://indri:5501/"
 check_http "Forgejo" "http://indri:3001/"
 check_http "Devpi" "http://indri:3141/+api"
+check_http "Miniflux" "https://feed.tail8d86e.ts.net/healthcheck"
 # Transmission RPC is localhost-only by design, check via SSH
 check_service "Transmission RPC" "ssh indri 'curl -sf http://127.0.0.1:9091/transmission/rpc'"
 # Check that transmission metrics are being collected
 check_service "Transmission metrics" "ssh indri 'test -f /opt/homebrew/var/node_exporter/textfile/transmission.prom'"
+# PostgreSQL uses TCP not HTTP, check via pg_isready
+check_service "PostgreSQL" "ssh indri '/opt/homebrew/opt/postgresql@18/bin/pg_isready -h localhost'"
 
 echo ""
 if [ $FAILED -eq 0 ]; then