joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8e8aabd5e7c0c2809b2d38fc4cf37209f63557ae
rick-infra/roles/postgresql/tasks/main.yml
Joakim 3506e55016 Migrate to rootful container architecture with infrastructure fact pattern 
Major architectural change from rootless user services to system-level (rootful)
containers to enable group-based Unix socket access for containerized applications.

Infrastructure Changes:
- PostgreSQL: Export postgres-clients group GID as Ansible fact
- Valkey: Export valkey-clients group GID as Ansible fact
- Valkey: Add socket-fix service to maintain correct socket group ownership
- Both: Set socket directories to 770 with client group ownership

Authentik Role Refactoring:
- Remove rootless container configuration (subuid/subgid, lingering, user systemd)
- Deploy Quadlet files to /etc/containers/systemd/ (system-level)
- Use dynamic GID facts in container PodmanArgs (--group-add)
- Simplify user creation to system user with infrastructure group membership
- Update handlers for system scope service management
- Remove unnecessary container security options (no user namespace isolation)

Container Template Changes:
- Pod: Remove --userns args, change WantedBy to multi-user.target
- Containers: Replace Annotation with PodmanArgs using dynamic GIDs
- Remove /dev/shm mounts and SecurityLabelDisable (not needed for rootful)
- Change WantedBy to multi-user.target for system services

Documentation Updates:
- Add ADR-005: Rootful Containers with Infrastructure Fact Pattern
- Update ADR-003: Podman + systemd for system-level deployment
- Update authentik-deployment-guide.md for system scope commands
- Update service-integration-guide.md with rootful pattern examples
- Document discarded rootless approach and rationale

Why Rootful Succeeds:
- Direct UID/GID mapping preserves supplementary groups
- Container process groups match host socket group ownership
- No user namespace remapping breaking permissions

Why Rootless Failed (Discarded):
- User namespace UID/GID remapping broke group-based socket access
- Supplementary groups remapped into subgid range didn't match socket ownership
- Even with --userns=host and keep_original_groups, permissions failed

Pattern Established:
- Infrastructure roles create client groups and export GID facts
- Application roles validate facts and consume in container templates
- Rootful containers run as dedicated users with --group-add for socket access
- System-level deployment provides standard systemd service management

Deployment Validated:
- Services in /system.slice/ ✓
- Process groups: 961 (valkey-clients), 962 (postgres-clients), 966 (authentik) ✓
- Socket permissions: 770 with client groups ✓
- HTTP endpoint responding ✓
2025-12-14 16:56:50 +01:00

139 lines
4.3 KiB
YAML
Raw Blame History

---
# PostgreSQL Infrastructure Role - Simplified Tasks
- name: Install PostgreSQL
pacman:
name: postgresql
state: present
- name: Install PostgreSQL Python library (for Ansible modules)
pacman:
name: python-psycopg2
state: present
- name: Create PostgreSQL client access group
group:
name: "{{ postgresql_client_group }}"
system: true
when: postgresql_client_group_create
- name: Ensure postgres user is in client group
user:
name: postgres
groups: "{{ postgresql_client_group }}"
append: true
when: postgresql_client_group_create
- name: Check if PostgreSQL data directory exists and is initialized
stat:
path: "/var/lib/postgres/data/PG_VERSION"
register: postgresql_initialized
- name: Initialize PostgreSQL database cluster
command: >
initdb
-D /var/lib/postgres/data
--locale={{ postgresql_locale }}
--encoding={{ postgresql_encoding }}
--auth-local=peer
--auth-host={{ postgresql_auth_method }}
{{ '--data-checksums' if postgresql_data_checksums else '' }}
become: true
become_user: postgres
when: not postgresql_initialized.stat.exists
notify: restart postgresql
- name: Deploy PostgreSQL configuration file
template:
src: postgresql.conf.j2
dest: /var/lib/postgres/data/postgresql.conf
owner: postgres
group: postgres
mode: '0600'
backup: yes
notify: restart postgresql
- name: Deploy PostgreSQL authentication configuration
template:
src: pg_hba.conf.j2
dest: /var/lib/postgres/data/pg_hba.conf
owner: postgres
group: postgres
mode: '0600'
backup: yes
notify: restart postgresql
- name: Create systemd override directory for PostgreSQL security
file:
path: /etc/systemd/system/postgresql.service.d
state: directory
mode: '0755'
when: postgresql_systemd_security
- name: Deploy PostgreSQL systemd security override
template:
src: systemd-override.conf.j2
dest: /etc/systemd/system/postgresql.service.d/override.conf
mode: '0644'
when: postgresql_systemd_security
notify:
- reload systemd
- restart postgresql
- name: Create PostgreSQL Unix socket directory
file:
path: "{{ postgresql_unix_socket_directories }}"
state: directory
owner: postgres
group: "{{ postgresql_client_group }}"
mode: '0770'
when: postgresql_unix_socket_enabled
- name: Get PostgreSQL client group GID for containerized applications
shell: "getent group {{ postgresql_client_group }} | cut -d: -f3"
register: postgresql_client_group_lookup
changed_when: false
when: postgresql_client_group_create
- name: Set PostgreSQL client group GID as fact
set_fact:
postgresql_client_group_gid: "{{ postgresql_client_group_lookup.stdout }}"
when: postgresql_client_group_create and postgresql_client_group_lookup.stdout is defined
- name: Enable and start PostgreSQL service
systemd:
name: postgresql
enabled: "{{ postgresql_service_enabled }}"
state: "{{ postgresql_service_state }}"
daemon_reload: true
- name: Wait for PostgreSQL to be ready (TCP)
wait_for:
port: "{{ postgresql_port }}"
host: "{{ postgresql_listen_addresses }}"
timeout: 30
when: postgresql_service_state == "started" and postgresql_listen_addresses != ""
- name: Wait for PostgreSQL to be ready (Unix Socket)
postgresql_ping:
login_unix_socket: "{{ postgresql_unix_socket_directories }}"
login_user: postgres
become: true
become_user: postgres
register: postgresql_socket_ready
until: postgresql_socket_ready is succeeded
retries: 10
delay: 3
when: postgresql_service_state == "started" and postgresql_unix_socket_enabled and postgresql_listen_addresses == ""
- name: Display PostgreSQL infrastructure status
debug:
msg: |
✅ PostgreSQL infrastructure ready!
📡 Service: {% if postgresql_unix_socket_enabled and postgresql_listen_addresses == "" %}Unix Socket ({{ postgresql_unix_socket_directories }}){% else %}{{ postgresql_listen_addresses }}:{{ postgresql_port }}{% endif %}
🔒 Auth: {{ postgresql_auth_method }}
📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
{% if postgresql_unix_socket_enabled %}🔌 Socket: {{ postgresql_unix_socket_directories }} (mode {{ postgresql_unix_socket_permissions }}){% endif %}
🏗️ Ready for applications to create databases/users
Reference in New Issue View Git Blame Copy Permalink