Commit graph

2 commits

Author SHA1 Message Date
b7ccca87f3 Secure password management via 1Password CLI in ansible
- All passwords fetched from 1Password at runtime using `op` CLI
- pg_hba.conf uses scram-sha-256 everywhere (no trust mode)
- initdb uses --pwfile for secure superuser password bootstrap
- All password-handling tasks use no_log: true
- Add borgmatic user with pg_read_all_data for backup dumps
- Remove pg-setup mise task (no longer needed)
- Miniflux fetches password directly from 1Password

Requires: `op signin` before running ansible

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 08:06:29 -08:00
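The runtime password flow described in the commit above (fetch from 1Password with `op`, bootstrap the superuser with `initdb --pwfile`, SCRAM-only `pg_hba.conf`, `no_log` on every password-handling task), written out as an added Ansible example; this is not the repository's own role code. The vault/item path, the host name, the Homebrew binary and data-directory paths, and the assumption that `op` is available (and already signed in) where the task runs are all assumptions made for the example.

```yaml
# Added example, not the repository's role. Assumptions: Homebrew paths for
# postgresql@18, a 1Password item at op://Infra/postgres-superuser, and that
# `op signin` has been completed where this task runs.
- name: Bootstrap PostgreSQL superuser password from 1Password
  hosts: indri
  vars:
    pg_bin: /opt/homebrew/opt/postgresql@18/bin          # assumption
    pg_data: /opt/homebrew/var/postgresql@18             # assumption
    op_pg_superuser: "op://Infra/postgres-superuser/password"  # assumption
  tasks:
    - name: Read superuser password from 1Password at runtime
      ansible.builtin.command:
        argv: ["op", "read", "{{ op_pg_superuser }}"]
      register: pg_superuser_pw
      changed_when: false
      no_log: true            # keeps the secret out of play output and logs

    - name: Bootstrap the cluster without putting the password on a command line
      block:
        - name: Create a 0600 temp file for initdb --pwfile
          ansible.builtin.tempfile:
            state: file
            suffix: .pgpw
          register: pwfile

        - name: Write the password into the pwfile (never into argv)
          ansible.builtin.copy:
            dest: "{{ pwfile.path }}"
            content: "{{ pg_superuser_pw.stdout }}\n"
            mode: "0600"
          no_log: true

        - name: Run initdb with scram-sha-256 as the default auth method
          ansible.builtin.command:
            argv:
              - "{{ pg_bin }}/initdb"
              - "--pgdata={{ pg_data }}"
              - "--username=postgres"
              - "--auth=scram-sha-256"
              - "--pwfile={{ pwfile.path }}"
            creates: "{{ pg_data }}/PG_VERSION"   # idempotent: skip if cluster exists
      always:
        - name: Remove the pwfile even if initdb failed
          ansible.builtin.file:
            path: "{{ pwfile.path }}"
            state: absent
          when: pwfile.path is defined

    - name: Require SCRAM everywhere in pg_hba.conf (no trust entries)
      ansible.builtin.copy:
        dest: "{{ pg_data }}/pg_hba.conf"
        mode: "0600"
        content: |
          # TYPE  DATABASE  USER  ADDRESS        METHOD
          local   all       all                  scram-sha-256
          host    all       all   127.0.0.1/32   scram-sha-256
          host    all       all   ::1/128        scram-sha-256
      # A running server needs `pg_ctl reload -D {{ pg_data }}` to pick this up.

    - name: Fail the play if any trust entry slipped into pg_hba.conf
      ansible.builtin.command:
        argv:
          - grep
          - -E
          - "^[^#].*[[:space:]]trust([[:space:]]|$)"
          - "{{ pg_data }}/pg_hba.conf"
      register: hba_trust
      changed_when: false
      failed_when: hba_trust.rc != 1   # grep rc 1 means no match, which is what we want
```

Two details matter for the threat model the commit describes: the password reaches `initdb` only through a 0600 file that the `always` branch deletes on every code path, and `no_log: true` sits on the `op read` task and the `copy` task rather than on `initdb`, whose argv contains only the file path. The final `grep` task turns "no trust mode" from a comment into a check that fails the run.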
248e118102 Add PostgreSQL and Miniflux services to tailnet
- Add postgresql ansible role (postgresql@18 via homebrew)
  - Creates miniflux database and user
  - Configures pg_hba.conf for local scram-sha-256 auth
  - Exposed via Tailscale at pg.tail8d86e.ts.net:5432

- Add miniflux ansible role (RSS/Atom feed reader)
  - Depends on postgresql role
  - Configures via /opt/homebrew/etc/miniflux.conf
  - Reads DB password from ~/.miniflux-db-password
  - Supports first-run admin creation via miniflux_create_admin flag
  - Exposed via Tailscale at feed.tail8d86e.ts.net

- Update Pulumi ACL tags (tag:pg, tag:feed)
- Update tailscale_serve role with new service definitions
- Update Alloy log collection for both services
- Update indri.yml playbook with new roles

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 07:26:59 -08:00