- Add custom query for pg_database XID age monitoring
- Add gauge showing XID age with threshold warnings (yellow at 150M, red at 180M)
- Add time series chart for XID age trends
- URL-encode postgres password in alloy connection string
XID (transaction ID) exhaustion can cause PostgreSQL to shut down to prevent
wraparound. Default autovacuum_freeze_max_age is 200M, so warnings start well
before that threshold.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

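The pg_database XID-age check described in the message above, as an added example rather than the repository's own custom query: the 150M/180M thresholds and the 200M autovacuum_freeze_max_age default come from the commit; the headroom column and the per-table follow-up query are additions to show where the age actually comes from.

```sql
-- Added example, not the repository's query. Per-database transaction ID age,
-- classified with the same thresholds the Grafana gauge uses.
-- age(datfrozenxid) is how many transactions old the database's oldest
-- unfrozen XID is; autovacuum forces a freeze at autovacuum_freeze_max_age
-- (200M by default), and the server refuses new XIDs well before 2^31.
SELECT datname,
       age(datfrozenxid) AS xid_age,
       CASE
         WHEN age(datfrozenxid) >= 180000000 THEN 'critical'   -- red
         WHEN age(datfrozenxid) >= 150000000 THEN 'warning'    -- yellow
         ELSE 'ok'
       END AS status,
       -- headroom before a forced (anti-wraparound) autovacuum kicks in
       current_setting('autovacuum_freeze_max_age')::bigint
         - age(datfrozenxid) AS xid_headroom
FROM pg_database
WHERE datallowconn          -- skip template0, which cannot be connected to
ORDER BY xid_age DESC;

-- Follow-up inside the worst database: the database's datfrozenxid is the
-- minimum of its tables' relfrozenxid, so this shows which tables hold it back
-- (addition beyond the commit; run it connected to the database in question).
SELECT c.oid::regclass AS relation,
       age(c.relfrozenxid) AS xid_age
FROM pg_class c
WHERE c.relkind IN ('r', 'm', 't')   -- tables, materialized views, TOAST
ORDER BY xid_age DESC
LIMIT 10;
```

The first query is the shape a postgres_exporter-style custom query needs (one label column, one gauge value); the second is for manual investigation when the gauge turns yellow.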
The password contained special characters (@, !, *) that broke the
connection string URL parsing. Added urlencode filter to the template.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add tags to pre_tasks so they only run when relevant roles are included
- Make tailscale_serve idempotent by checking serve status JSON before
configuring services (skips if already configured)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Move borgmatic config.yaml from manual to ansible-managed template
- Add postgresql_databases backup for miniflux database
- Consolidate 1Password credential fetching to playbook pre_tasks
to reduce auth prompts during full playbook runs
- Roles now check if credentials are already defined before fetching,
so they still work when running with --tags
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Without specifying a database, psql defaults to connecting to a
database named after the current user, which doesn't exist on a
fresh install.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The OAuth client acts as tag:blumeops, so it needs to own all tags
it manages on devices. This enables Pulumi to set device tags
automatically instead of requiring manual Tailscale admin console
changes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Remove superuser from .pgpass since it's not needed for automated
operations. Only borgmatic (with pg_read_all_data role) needs
passwordless access for pg_dump backups.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Instead of manually applying tags to indri in Tailscale admin,
use tailscale.DeviceTags resource to manage them declaratively.
This includes all service tags (grafana, forge, kiwix, devpi, loki,
pg, feed) plus homelab and blumeops tags.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- All passwords fetched from 1Password at runtime using `op` CLI
- pg_hba.conf uses scram-sha-256 everywhere (no trust mode)
- initdb uses --pwfile for secure superuser password bootstrap
- All password-handling tasks use no_log: true
- Add borgmatic user with pg_read_all_data for backup dumps
- Remove pg-setup mise task (no longer needed)
- Miniflux fetches password directly from 1Password
Requires: `op signin` before running ansible
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add postgresql ansible role (postgresql@18 via homebrew)
- Creates miniflux database and user
- Configures pg_hba.conf for local scram-sha-256 auth
- Exposed via Tailscale at pg.tail8d86e.ts.net:5432
- Add miniflux ansible role (RSS/Atom feed reader)
- Depends on postgresql role
- Configures via /opt/homebrew/etc/miniflux.conf
- Reads DB password from ~/.miniflux-db-password
- Supports first-run admin creation via miniflux_create_admin flag
- Exposed via Tailscale at feed.tail8d86e.ts.net
- Update Pulumi ACL tags (tag:pg, tag:feed)
- Update tailscale_serve role with new service definitions
- Update Alloy log collection for both services
- Update indri.yml playbook with new roles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>