This template allows deploying a Forgejo instance on either Scaleway or Hetzner (Hetzner untested) without much knowledge about those providers. It DOES require knowledge of Terragrunt and Ansible. A wizard of sorts is provided, but it will not guarantee success without some knowledge of the underlying technology.
---
# PostgreSQL setup tasks
- name: Install PostgreSQL
  # The two postgresql-* packages pin the major version given by
  # postgres_version (the same value that builds the /etc/postgresql/<ver>
  # paths later in this file). python3-psycopg2 is the driver the
  # community.postgresql modules need on the managed host.
  become: true
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      - "postgresql-{{ postgres_version }}"
      - "postgresql-contrib-{{ postgres_version }}"
      - python3-psycopg2
- name: Ensure PostgreSQL is started and enabled
  # Start the service now and have it come back on reboot. Configuration
  # changes made further down are applied by the "Restart PostgreSQL"
  # handler, not here.
  become: true
  ansible.builtin.systemd:
    name: postgresql
    enabled: true
    state: started
- name: Create PostgreSQL data directory
  # Only when the cluster is meant to live on an attached volume. 0700 owned
  # by postgres is the permission set PostgreSQL expects on a data directory.
  # NOTE(review): nothing in this file points the cluster's data_directory at
  # this path — presumably done elsewhere in the role; confirm before relying
  # on the volume actually holding the data.
  when: forgejo_use_external_volume | bool
  become: true
  ansible.builtin.file:
    state: directory
    path: "{{ postgres_data_dir }}"
    mode: "0700"
    owner: postgres
    group: postgres
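- name: Check if PostgreSQL database exists
  # One database name per line, no headers or footers (-A unaligned, -t
  # tuples only), so the membership test on the next task is an exact name
  # match. The previous `psql -lqt` + substring check would treat an
  # unrelated database such as "forgejo_old" as a match for "forgejo" and
  # silently skip creation.
  ansible.builtin.command:
    cmd: 'psql -U postgres -Atc "SELECT datname FROM pg_database"'
  register: postgres_db_list
  changed_when: false
  become: true
  become_user: postgres

- name: Create Forgejo PostgreSQL database
  # template0 is required when forcing an encoding/collation that may differ
  # from the cluster default. Creation is skipped when a database of that
  # name already exists — presumably so a pre-existing Forgejo database with
  # a different collation is left alone rather than reported as a mismatch
  # by postgresql_db.
  community.postgresql.postgresql_db:
    name: "{{ forgejo_db_name }}"
    encoding: UTF8
    lc_collate: en_US.UTF-8
    lc_ctype: en_US.UTF-8
    template: template0
    state: present
  become: true
  become_user: postgres
  when: forgejo_db_name not in postgres_db_list.stdout_lines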
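- name: Create Forgejo PostgreSQL user
  # Application role only: it gets privileges on the Forgejo database in the
  # tasks below and must never be a superuser or able to create roles or
  # databases. Listing the attribute flags explicitly also strips any
  # elevated attribute a pre-existing role of the same name may carry.
  # The password is stored hashed according to the server's
  # password_encryption setting; no_log keeps it out of Ansible output.
  community.postgresql.postgresql_user:
    name: "{{ forgejo_db_user }}"
    password: "{{ forgejo_db_password }}"
    role_attr_flags: LOGIN,NOSUPERUSER,NOCREATEDB,NOCREATEROLE
    state: present
  become: true
  become_user: postgres
  no_log: true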
- name: Grant database privileges to Forgejo user
  # ALL at database level is CONNECT, CREATE and TEMPORARY on the Forgejo
  # database only; it grants nothing on other databases or on the cluster.
  become: true
  become_user: postgres
  community.postgresql.postgresql_privs:
    type: database
    database: "{{ forgejo_db_name }}"
    roles: "{{ forgejo_db_user }}"
    privs: ALL
- name: Grant schema privileges to Forgejo user
  # USAGE and CREATE on the public schema of the Forgejo database. This
  # becomes redundant once the role owns the schema (next task) but is
  # harmless and keeps working if that ownership change is ever dropped.
  become: true
  become_user: postgres
  community.postgresql.postgresql_privs:
    type: schema
    objs: public
    database: "{{ forgejo_db_name }}"
    roles: "{{ forgejo_db_user }}"
    privs: ALL
- name: Set Forgejo user as owner of public schema
  # Owning the schema gives the role every privilege on it without further
  # grants, and is the expected setup on PostgreSQL 15+, where the public
  # schema no longer grants CREATE to every role by default.
  become: true
  become_user: postgres
  community.postgresql.postgresql_owner:
    obj_type: schema
    obj_name: public
    db: "{{ forgejo_db_name }}"
    new_owner: "{{ forgejo_db_user }}"
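- name: Configure PostgreSQL for optimal performance
  # Each regexp also matches the commented-out default ("#work_mem = 4MB")
  # that the stock postgresql.conf ships for most of these settings, so the
  # value replaces that line in place instead of being appended as a second,
  # trailing definition at the end of the file. The "\s*=" suffix anchors
  # the match on the full setting name.
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  become: true
  loop:
    - regexp: '^#?max_connections\s*='
      line: "max_connections = {{ postgres_max_connections }}"
    - regexp: '^#?shared_buffers\s*='
      line: "shared_buffers = {{ postgres_shared_buffers }}"
    - regexp: '^#?effective_cache_size\s*='
      line: "effective_cache_size = {{ postgres_effective_cache_size }}"
    - regexp: '^#?maintenance_work_mem\s*='
      line: "maintenance_work_mem = 128MB"
    - regexp: '^#?checkpoint_completion_target\s*='
      line: "checkpoint_completion_target = 0.9"
    - regexp: '^#?wal_buffers\s*='
      line: "wal_buffers = 16MB"
    - regexp: '^#?default_statistics_target\s*='
      line: "default_statistics_target = 100"
    - regexp: '^#?random_page_cost\s*='
      line: "random_page_cost = 1.1"
    - regexp: '^#?effective_io_concurrency\s*='
      line: "effective_io_concurrency = 200"
    - regexp: '^#?work_mem\s*='
      line: "work_mem = 8MB"
    - regexp: '^#?min_wal_size\s*='
      line: "min_wal_size = 1GB"
    - regexp: '^#?max_wal_size\s*='
      line: "max_wal_size = 4GB"
  notify: Restart PostgreSQL

- name: Store PostgreSQL passwords as SCRAM-SHA-256
  # pg_hba.conf in this file authenticates TCP clients with scram-sha-256,
  # which can only verify SCRAM-hashed passwords. Pin the hashing method so
  # the Forgejo role's password is not stored as md5 on clusters whose
  # default is still md5 (PostgreSQL 13 and older); with an md5 hash, the
  # scram-sha-256 rule rejects the login.
  # NOTE(review): this runs after the role is created above, so on such a
  # cluster the first run still leaves an md5 hash and the password has to
  # be set once more after the restart.
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
    regexp: '^#?password_encryption\s*='
    line: "password_encryption = scram-sha-256"
    state: present
  become: true
  notify: Restart PostgreSQL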
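- name: Configure PostgreSQL listen addresses
  # The default '*' keeps the previous behaviour: it binds every interface,
  # including the VM's public address on Scaleway/Hetzner. pg_hba.conf
  # (loopback plus the Docker range, set below) is then the only thing
  # between the internet and the server's pre-authentication code path and
  # its connection slots. Prefer setting postgres_listen_addresses to
  # 'localhost' plus the bridge gateway address the Forgejo container
  # connects through, and/or filter TCP 5432 at the host or cloud firewall.
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
    regexp: "^#?listen_addresses"
    line: "listen_addresses = '{{ postgres_listen_addresses | default('*') }}'"
    state: present
  become: true
  notify: Restart PostgreSQL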
- name: Configure PostgreSQL authentication
  # Unix-socket connections use peer auth (OS user must equal the role
  # name), which is what lets the `become_user: postgres` tasks in this file
  # run without a password. Loopback TCP clients must present a password,
  # verified with SCRAM; that only works for passwords that were hashed with
  # password_encryption = scram-sha-256. pg_hba.conf is evaluated first-match,
  # so these rules are rewritten in place rather than appended.
  become: true
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
    state: present
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    - line: 'local all postgres peer'
      regexp: '^local\s+all\s+postgres'
    - line: 'local all all peer'
      regexp: '^local\s+all\s+all'
    - line: 'host all all 127.0.0.1/32 scram-sha-256'
      regexp: '^host\s+all\s+all\s+127\.0\.0\.1'
    - line: 'host all all ::1/128 scram-sha-256'
      regexp: '^host\s+all\s+all\s+::1'
  notify: Restart PostgreSQL
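- name: Remove broad Docker-network rule left by earlier runs
  # The rule this task used to write, "host all all 172.16.0.0/12", let any
  # role reach any database from the whole private range. lineinfile without
  # a regexp never removes a differing line, so the old entry must be
  # dropped explicitly or it keeps matching ahead of the narrow rule.
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
    regexp: '^host\s+all\s+all\s+172\.16\.0\.0/12\s'
    state: absent
  become: true
  notify: Restart PostgreSQL

- name: Allow Docker network to connect to PostgreSQL
  # Least privilege: only the Forgejo role, only its database, only from the
  # container address range. 172.16.0.0/12 is the range Docker's default
  # address pool falls in; narrow it with postgres_docker_cidr when the
  # bridge network is known. Every other role — postgres included — stays
  # unreachable over TCP from containers. pg_hba.conf is first-match, so the
  # rule is placed right after the loopback entries.
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
    line: "host {{ forgejo_db_name }} {{ forgejo_db_user }} {{ postgres_docker_cidr | default('172.16.0.0/12') }} scram-sha-256"
    insertafter: '^host\s+all\s+all\s+127'
    state: present
  become: true
  notify: Restart PostgreSQL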
- name: Enable PostgreSQL extensions
  # pg_trgm (trigram indexes) and btree_gin come from the postgresql-contrib
  # package installed at the top of this file. CREATE EXTENSION is issued in
  # the Forgejo database by the postgres superuser.
  become: true
  become_user: postgres
  community.postgresql.postgresql_ext:
    db: "{{ forgejo_db_name }}"
    name: "{{ item }}"
    state: present
  loop:
    - pg_trgm
    - btree_gin
- name: Create PostgreSQL backup script
  # Rendered only when backups are enabled; scheduling the script is not
  # done in this task.
  # NOTE(review): 0755 makes the script world-readable. The template is not
  # visible here — keep forgejo_db_password out of it (run the dump as the
  # postgres OS user over peer auth instead), or tighten the mode to 0750.
  when: forgejo_enable_backups | bool
  become: true
  ansible.builtin.template:
    dest: /usr/local/bin/postgres_backup.sh
    src: postgres_backup.sh.j2
    mode: "0755"