Joakim
3506e55016
Major architectural change from rootless user services to system-level (rootful) containers to enable group-based Unix socket access for containerized applications. Infrastructure Changes: - PostgreSQL: Export postgres-clients group GID as Ansible fact - Valkey: Export valkey-clients group GID as Ansible fact - Valkey: Add socket-fix service to maintain correct socket group ownership - Both: Set socket directories to 770 with client group ownership Authentik Role Refactoring: - Remove rootless container configuration (subuid/subgid, lingering, user systemd) - Deploy Quadlet files to /etc/containers/systemd/ (system-level) - Use dynamic GID facts in container PodmanArgs (--group-add) - Simplify user creation to system user with infrastructure group membership - Update handlers for system scope service management - Remove unnecessary container security options (no user namespace isolation) Container Template Changes: - Pod: Remove --userns args, change WantedBy to multi-user.target - Containers: Replace Annotation with PodmanArgs using dynamic GIDs - Remove /dev/shm mounts and SecurityLabelDisable (not needed for rootful) - Change WantedBy to multi-user.target for system services Documentation Updates: - Add ADR-005: Rootful Containers with Infrastructure Fact Pattern - Update ADR-003: Podman + systemd for system-level deployment - Update authentik-deployment-guide.md for system scope commands - Update service-integration-guide.md with rootful pattern examples - Document discarded rootless approach and rationale Why Rootful Succeeds: - Direct UID/GID mapping preserves supplementary groups - Container process groups match host socket group ownership - No user namespace remapping breaking permissions Why Rootless Failed (Discarded): - User namespace UID/GID remapping broke group-based socket access - Supplementary groups remapped into subgid range didn't match socket ownership - Even with --userns=host and keep_original_groups, permissions failed Pattern Established: - Infrastructure roles create client groups and export GID facts - Application roles validate facts and consume in container templates - Rootful containers run as dedicated users with --group-add for socket access - System-level deployment provides standard systemd service management Deployment Validated: - Services in /system.slice/ ✓ - Process groups: 961 (valkey-clients), 962 (postgres-clients), 966 (authentik) ✓ - Socket permissions: 770 with client groups ✓ - HTTP endpoint responding ✓
61 lines
1.9 KiB
YAML
61 lines
1.9 KiB
YAML
---
|
|
# =================================================================
|
|
# PostgreSQL Infrastructure Role - Simplified Configuration
|
|
# =================================================================
|
|
# Provides PostgreSQL database server as shared infrastructure
|
|
# Applications manage their own databases/users
|
|
|
|
# =================================================================
|
|
# Essential Configuration
|
|
# =================================================================
|
|
|
|
# Service Management
|
|
postgresql_service_enabled: true
|
|
postgresql_service_state: "started"
|
|
|
|
# Network Security
|
|
postgresql_listen_addresses: "localhost"
|
|
postgresql_port: 5432
|
|
|
|
# Unix Socket Configuration
|
|
postgresql_unix_socket_enabled: true
|
|
postgresql_unix_socket_directories: "/var/run/postgresql"
|
|
postgresql_unix_socket_permissions: "0770"
|
|
|
|
# Group-Based Access Control
|
|
postgresql_client_group: "postgres-clients"
|
|
postgresql_client_group_create: true
|
|
|
|
# Authentication
|
|
postgresql_auth_method: "scram-sha-256"
|
|
|
|
# Database Cluster Setup
|
|
postgresql_encoding: "UTF8"
|
|
postgresql_locale: "C.UTF-8"
|
|
postgresql_data_checksums: true
|
|
|
|
# Security
|
|
postgresql_systemd_security: true
|
|
|
|
# =================================================================
|
|
# Optional Performance (Conservative Defaults)
|
|
# =================================================================
|
|
|
|
# Basic performance settings - PostgreSQL defaults are excellent
|
|
postgresql_max_connections: 100
|
|
postgresql_shared_buffers: "128MB"
|
|
|
|
# =================================================================
|
|
# Infrastructure Notes
|
|
# =================================================================
|
|
# This role provides minimal PostgreSQL infrastructure
|
|
# Applications should create their own databases/users:
|
|
#
|
|
# - postgresql_user:
|
|
# name: myapp
|
|
# password: "{{ vault_myapp_password }}"
|
|
# - postgresql_db:
|
|
# name: myapp
|
|
# owner: myapp
|
|
#
|
|
# PostgreSQL's built-in defaults are used for everything else |