Use explicit PostgreSQL superuser name and fix check mode (#17)
## Summary - Add `postgresql_superuser` variable (`eblume`) to prevent PostgreSQL from inheriting OS username during initdb - Update all psql/createdb commands to use explicit `-U` flag - Add `check_mode: false` to op commands so 1Password fetches run during `--check` mode - Add PostgreSQL and Miniflux health checks to indri-services-check ## Test plan - [x] Renamed existing superuser from `erichblume` to `eblume` - [x] Ran `mise run provision-indri -- --tags postgresql --check --diff` successfully - [x] Verified connection as `eblume` superuser via Tailscale - [x] Ran `mise run indri-services-check` - all services healthy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/17
This commit is contained in:
parent
adf6f4fbe9
commit
812b78bf61
4 changed files with 21 additions and 6 deletions
|
|
@ -14,6 +14,7 @@
|
|||
register: _pg_superuser_pw
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
tags: [postgresql]
|
||||
|
||||
- name: Set PostgreSQL superuser password fact
|
||||
|
|
@ -29,6 +30,7 @@
|
|||
register: _pg_alloy_pw
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
tags: [alloy, postgresql]
|
||||
|
||||
- name: Set PostgreSQL alloy password fact
|
||||
|
|
@ -44,6 +46,7 @@
|
|||
register: _miniflux_db_pw
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
tags: [miniflux, postgresql]
|
||||
|
||||
- name: Set miniflux passwords fact
|
||||
|
|
@ -59,6 +62,7 @@
|
|||
register: _borgmatic_db_pw
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
tags: [postgresql]
|
||||
|
||||
- name: Build PostgreSQL user password lookup
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
---
|
||||
# PostgreSQL configuration
|
||||
|
||||
# Superuser name (explicit, not inherited from OS user)
|
||||
postgresql_superuser: eblume
|
||||
|
||||
# Formula and version
|
||||
postgresql_formula: postgresql@18
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@
|
|||
register: pg_superuser_password_result
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
when: pg_superuser_password is not defined
|
||||
|
||||
- name: Set superuser password fact
|
||||
|
|
@ -36,6 +37,7 @@
|
|||
register: pg_user_passwords_result
|
||||
changed_when: false
|
||||
no_log: true
|
||||
check_mode: false
|
||||
when: pg_user_passwords is not defined
|
||||
|
||||
- name: Build user password lookup
|
||||
|
|
@ -63,6 +65,7 @@
|
|||
- name: Initialize postgresql database cluster with superuser password
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/initdb
|
||||
-U {{ postgresql_superuser }}
|
||||
--locale=en_US.UTF-8 -E UTF-8
|
||||
--pwfile=/tmp/.pg_init_pwfile
|
||||
{{ postgresql_data_dir }}
|
||||
|
|
@ -102,7 +105,7 @@
|
|||
|
||||
- name: Check if postgresql users exist
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
|
||||
"SELECT 1 FROM pg_roles WHERE rolname = '{{ item.name }}';"
|
||||
environment:
|
||||
PGPASSWORD: "{{ pg_superuser_password }}"
|
||||
|
|
@ -114,7 +117,7 @@
|
|||
|
||||
- name: Create postgresql users with passwords
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
|
||||
"CREATE USER {{ item.item.name }} WITH PASSWORD '{{ pg_user_passwords[item.item.name] }}';"
|
||||
environment:
|
||||
PGPASSWORD: "{{ pg_superuser_password }}"
|
||||
|
|
@ -125,7 +128,7 @@
|
|||
|
||||
- name: Update postgresql user passwords (idempotent)
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
|
||||
"ALTER USER {{ item.name }} WITH PASSWORD '{{ pg_user_passwords[item.name] }}';"
|
||||
environment:
|
||||
PGPASSWORD: "{{ pg_superuser_password }}"
|
||||
|
|
@ -137,7 +140,7 @@
|
|||
|
||||
- name: Grant roles to users
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
|
||||
environment:
|
||||
PGPASSWORD: "{{ pg_superuser_password }}"
|
||||
loop: "{{ postgresql_users | subelements('roles', skip_missing=True) }}"
|
||||
|
|
@ -148,7 +151,7 @@
|
|||
|
||||
- name: Check if postgresql databases exist
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
|
||||
{{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
|
||||
"SELECT 1 FROM pg_database WHERE datname = '{{ item.name }}';"
|
||||
environment:
|
||||
PGPASSWORD: "{{ pg_superuser_password }}"
|
||||
|
|
@ -160,7 +163,7 @@
|
|||
|
||||
- name: Create postgresql databases
|
||||
ansible.builtin.command: >
|
||||
{{ postgresql_bin_dir }}/createdb -h localhost
|
||||
{{ postgresql_bin_dir }}/createdb -h localhost -U {{ postgresql_superuser }}
|
||||
--owner={{ item.item.owner }}
|
||||
{{ item.item.name }}
|
||||
environment:
|
||||
|
|
|
|||
|
|
@ -52,6 +52,8 @@ check_service "transmission-metrics" "ssh indri 'launchctl list | grep transmiss
|
|||
check_service "kiwix-serve" "ssh indri 'launchctl list | grep kiwix | grep -v \"^-\"'"
|
||||
check_service "forgejo" "ssh indri 'brew services list | grep forgejo | grep started'"
|
||||
check_service "devpi" "ssh indri 'launchctl list | grep devpi | grep -v \"^-\"'"
|
||||
check_service "postgresql" "ssh indri 'brew services list | grep postgresql | grep started'"
|
||||
check_service "miniflux" "ssh indri 'brew services list | grep miniflux | grep started'"
|
||||
|
||||
echo ""
|
||||
echo "HTTP endpoints (via Tailscale):"
|
||||
|
|
@ -61,10 +63,13 @@ check_http "Grafana" "http://indri:3000/api/health"
|
|||
check_http "Kiwix" "http://indri:5501/"
|
||||
check_http "Forgejo" "http://indri:3001/"
|
||||
check_http "Devpi" "http://indri:3141/+api"
|
||||
check_http "Miniflux" "https://feed.tail8d86e.ts.net/healthcheck"
|
||||
# Transmission RPC is localhost-only by design, check via SSH
|
||||
check_service "Transmission RPC" "ssh indri 'curl -sf http://127.0.0.1:9091/transmission/rpc'"
|
||||
# Check that transmission metrics are being collected
|
||||
check_service "Transmission metrics" "ssh indri 'test -f /opt/homebrew/var/node_exporter/textfile/transmission.prom'"
|
||||
# PostgreSQL uses TCP not HTTP, check via pg_isready
|
||||
check_service "PostgreSQL" "ssh indri '/opt/homebrew/opt/postgresql@18/bin/pg_isready -h localhost'"
|
||||
|
||||
echo ""
|
||||
if [ $FAILED -eq 0 ]; then
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue