From 812b78bf61f4de8cf612ff5d7ebd13560ff57bb3 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 16 Jan 2026 14:41:36 -0800
Subject: [PATCH] Use explicit PostgreSQL superuser name and fix check mode (#17)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary
- Add `postgresql_superuser` variable (`eblume`) to prevent PostgreSQL from inheriting OS username during initdb
- Update all psql/createdb commands to use explicit `-U` flag
- Add `check_mode: false` to op commands so 1Password fetches run during `--check` mode
- Add PostgreSQL and Miniflux health checks to indri-services-check

## Test plan
- [x] Renamed existing superuser from `erichblume` to `eblume`
- [x] Ran `mise run provision-indri -- --tags postgresql --check --diff` successfully
- [x] Verified connection as `eblume` superuser via Tailscale
- [x] Ran `mise run indri-services-check` - all services healthy

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/17
---
 ansible/playbooks/indri.yml | 4 ++++
 ansible/roles/postgresql/defaults/main.yml | 3 +++
 ansible/roles/postgresql/tasks/main.yml | 15 +++++++++------
 mise-tasks/indri-services-check | 5 +++++
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 40ca301..c198ac8 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -14,6 +14,7 @@
 register: _pg_superuser_pw
 changed_when: false
 no_log: true
+ check_mode: false
 tags: [postgresql]
 
 - name: Set PostgreSQL superuser password fact
@@ -29,6 +30,7 @@
 register: _pg_alloy_pw
 changed_when: false
 no_log: true
+ check_mode: false
 tags: [alloy, postgresql]
 
 - name: Set PostgreSQL alloy password fact
@@ -44,6 +46,7 @@
 register: _miniflux_db_pw
 changed_when: false
 no_log: true
+ check_mode: false
 tags: [miniflux, postgresql]
 
 - name: Set miniflux passwords fact
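Review bot: The added `check_mode: false` on the `op` fetch tasks at -14, -29, -44 and -59 (and the same pair at -20 and -36 in ansible/roles/postgresql/tasks/main.yml) carries no explanation in the file, and sitting next to `changed_when: false` and `no_log: true` it is likely to be read as redundant and removed by a later cleanup. The reason is visible from the context: the registered result feeds the `Set ... password fact` task that follows, which only works under `--check` if the fetch really runs. I would record that inline once per task, `check_mode: false  # still run under --check: the registered value feeds the set_fact below`. Each enclosing task begins outside its hunk.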
@@ -59,6 +62,7 @@
 register: _borgmatic_db_pw
 changed_when: false
 no_log: true
+ check_mode: false
 tags: [postgresql]
 
 - name: Build PostgreSQL user password lookup
diff --git a/ansible/roles/postgresql/defaults/main.yml b/ansible/roles/postgresql/defaults/main.yml
index 5e145bf..29aa850 100644
--- a/ansible/roles/postgresql/defaults/main.yml
+++ b/ansible/roles/postgresql/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 # PostgreSQL configuration
 
+# Superuser name (explicit, not inherited from OS user)
+postgresql_superuser: eblume
+
 # Formula and version
 postgresql_formula: postgresql@18
 
diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
index 65a98f6..d4c604b 100644
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@@ -20,6 +20,7 @@
 register: pg_superuser_password_result
 changed_when: false
 no_log: true
+ check_mode: false
 when: pg_superuser_password is not defined
 
 - name: Set superuser password fact
@@ -36,6 +37,7 @@
 register: pg_user_passwords_result
 changed_when: false
 no_log: true
+ check_mode: false
 when: pg_user_passwords is not defined
 
 - name: Build user password lookup
@@ -63,6 +65,7 @@
 - name: Initialize postgresql database cluster with superuser password
 ansible.builtin.command: >
 {{ postgresql_bin_dir }}/initdb
+ -U {{ postgresql_superuser }}
 --locale=en_US.UTF-8 -E UTF-8
 --pwfile=/tmp/.pg_init_pwfile
 {{ postgresql_data_dir }}
@@ -102,7 +105,7 @@
 
 - name: Check if postgresql users exist
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
+ {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
 "SELECT 1 FROM pg_roles WHERE rolname = '{{ item.name }}';"
 environment:
 PGPASSWORD: "{{ pg_superuser_password }}"
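Review bot: `postgresql_superuser` is only applied by `initdb` (hunk -63 of tasks/main.yml) and then assumed by every `-U` flag, so on a cluster that was initialized before this change nothing in the role renames the existing superuser and the psql/createdb tasks would presumably fail to authenticate as a role that does not exist; the test plan confirms the rename was done by hand. The new comment should carry that caveat so the next host is not provisioned blind, e.g. `# Superuser name (explicit, not inherited from OS user).` followed by `# Only honoured by initdb: an existing cluster's superuser must be renamed by hand to match.`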
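Review bot: The `-U {{ postgresql_superuser }}` added to the psql line here is repeated verbatim in the five sibling hunks (-114, -125, -137, -148 and -160), each next to an `environment:` block that already carries `PGPASSWORD`. libpq reads the connecting role from `PGUSER` exactly as it reads the password from `PGPASSWORD`, so `PGUSER: "{{ postgresql_superuser }}"` beside the existing `PGPASSWORD` line would keep the connection identity in the environment block and leave the command strings as they were. This is a style point only; both forms behave the same. Each enclosing task continues past its hunk.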
@@ -114,7 +117,7 @@
 
 - name: Create postgresql users with passwords
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
+ {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
 "CREATE USER {{ item.item.name }} WITH PASSWORD '{{ pg_user_passwords[item.item.name] }}';"
 environment:
 PGPASSWORD: "{{ pg_superuser_password }}"
@@ -125,7 +128,7 @@
 
 - name: Update postgresql user passwords (idempotent)
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c
+ {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c
 "ALTER USER {{ item.name }} WITH PASSWORD '{{ pg_user_passwords[item.name] }}';"
 environment:
 PGPASSWORD: "{{ pg_superuser_password }}"
@@ -137,7 +140,7 @@
 
 - name: Grant roles to users
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/psql -h localhost -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
+ {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -c "GRANT {{ item.1 }} TO {{ item.0.name }};"
 environment:
 PGPASSWORD: "{{ pg_superuser_password }}"
 loop: "{{ postgresql_users | subelements('roles', skip_missing=True) }}"
@@ -148,7 +151,7 @@
 
 - name: Check if postgresql databases exist
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/psql -h localhost -d postgres -tAc
+ {{ postgresql_bin_dir }}/psql -h localhost -U {{ postgresql_superuser }} -d postgres -tAc
 "SELECT 1 FROM pg_database WHERE datname = '{{ item.name }}';"
 environment:
 PGPASSWORD: "{{ pg_superuser_password }}"
@@ -160,7 +163,7 @@
 
 - name: Create postgresql databases
 ansible.builtin.command: >
- {{ postgresql_bin_dir }}/createdb -h localhost
+ {{ postgresql_bin_dir }}/createdb -h localhost -U {{ postgresql_superuser }}
 --owner={{ item.item.owner }}
 {{ item.item.name }}
 environment:
diff --git a/mise-tasks/indri-services-check b/mise-tasks/indri-services-check
index 6aa9edf..a7b7593 100755
--- a/mise-tasks/indri-services-check
+++ b/mise-tasks/indri-services-check
@@ -52,6 +52,8 @@ check_service "transmission-metrics" "ssh indri 'launchctl list | grep transmiss
 check_service "kiwix-serve" "ssh indri 'launchctl list | grep kiwix | grep -v \"^-\"'"
 check_service "forgejo" "ssh indri 'brew services list | grep forgejo | grep started'"
 check_service "devpi" "ssh indri 'launchctl list | grep devpi | grep -v \"^-\"'"
+check_service "postgresql" "ssh indri 'brew services list | grep postgresql | grep started'"
+check_service "miniflux" "ssh indri 'brew services list | grep miniflux | grep started'"
 
 echo ""
 echo "HTTP endpoints (via Tailscale):"
@@ -61,10 +63,13 @@ check_http "Grafana" "http://indri:3000/api/health"
 check_http "Kiwix" "http://indri:5501/"
 check_http "Forgejo" "http://indri:3001/"
 check_http "Devpi" "http://indri:3141/+api"
+check_http "Miniflux" "https://feed.tail8d86e.ts.net/healthcheck"
 # Transmission RPC is localhost-only by design, check via SSH
 check_service "Transmission RPC" "ssh indri 'curl -sf http://127.0.0.1:9091/transmission/rpc'"
 # Check that transmission metrics are being collected
 check_service "Transmission metrics" "ssh indri 'test -f /opt/homebrew/var/node_exporter/textfile/transmission.prom'"
+# PostgreSQL uses TCP not HTTP, check via pg_isready
+check_service "PostgreSQL" "ssh indri '/opt/homebrew/opt/postgresql@18/bin/pg_isready -h localhost'"
 
 echo ""
 if [ $FAILED -eq 0 ]; then
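Review bot: `grep postgresql` in the new postgresql service check matches any formula name containing that string, so if an older versioned keg were still listed as `started` the check would pass while the `postgresql@18` service this repo pins is down; the neighbouring forgejo check uses the same pattern, but that name is not versioned. Anchoring on the pinned formula, `grep 'postgresql@18' | grep started`, closes that gap at the cost of tracking the version bump, which the pg_isready path added in the next hunk already has to do.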
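Review bot: The new pg_isready check hard-codes `/opt/homebrew/opt/postgresql@18/bin/pg_isready`, pinning the formula version a second time independently of `postgresql_formula: postgresql@18` in ansible/roles/postgresql/defaults/main.yml; after a formula bump this line keeps probing the old keg and the check fails (or passes against a stale install) with no hint as to why. At minimum the two should be tied together with a comment above the line, `# Keep the formula version here in sync with postgresql_formula in ansible/roles/postgresql/defaults/main.yml`. The Miniflux check is also the only HTTP probe that goes through a `*.ts.net` hostname rather than `indri:<port>` like its neighbours; if that is deliberate (e.g. to exercise the TLS front end), a one-line comment saying so would stop it being "normalised" later.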