♻️ migrate postgresql to truenas jail
Showing
97 changed files
with
632 additions
and
253 deletions.
@@ -0,0 +1 @@ | ||
postgresql_version: 15 |
@@ -0,0 +1 @@ | ||
postgresql_version: 16 |
@@ -1,4 +1,3 @@ | ||
main_nas: false | ||
pool_name: vol1 | ||
snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3" | ||
uptime_kuma_id_truenas_cert: Oxu1GVb5tl |
@@ -1,5 +1,6 @@ | ||
main_nas: true | ||
pool_name: storage | ||
service_s3: true | ||
iocage_pool_name: storage | ||
postgresql_pool_name: storage | ||
minio_pool_name: storage | ||
snapshots_interval: "daily:14,weekly:12,monthly:3" | ||
uptime_kuma_id_truenas_cert: f8nAZOHoQb |
@@ -1,21 +1,21 @@ | ||
--- | ||
all: | ||
hosts: | ||
localhost: | ||
ansible_connection: local | ||
ansible_python_interpreter: /usr/bin/python3 | ||
coreelec: | ||
ansible_host: coreelec.{{ secret_domain }} | ||
ansible_user: root | ||
minio: | ||
ansible_host: 192.168.9.14 | ||
ansible_user: minio | ||
children: | ||
truenas-instances: | ||
hosts: | ||
truenas: | ||
ansible_host: truenas.{{ secret_domain }} | ||
truenas-remote: | ||
ansible_port: 35875 | ||
# truenas-remote: | ||
# ansible_host: truenas-remote.{{ secret_domain }} | ||
# ansible_port: 35875 | ||
vars: | ||
ansible_user: homelab | ||
truenas-jails: | ||
hosts: | ||
minio_v2: | ||
postgresql_v15: | ||
postgresql_v16: |
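Review bot: The members of `truenas-jails` (`minio_v2`, `postgresql_v15`, `postgresql_v16`) carry no `ansible_host` or connection vars, so any play that targets `all` will try to SSH to those bare names and fail; if they exist only to be read via `groups['truenas-jails']` from the jail tasks, say so above the group, e.g. `# pseudo-hosts: jail names only, looked up via groups['truenas-jails'], never targeted directly`. The `truenas-remote` entry now has only `ansible_port` while its `ansible_host` sits in the commented block right below, so it resolves to the bare inventory name; this looks like a leftover of the commenting-out, so either drop the entry or restore the host line. Note too that `minio` is the only host with a literal LAN address (`192.168.9.14`) while every other host uses `{{ secret_domain }}`; if the VM is being retired in favour of the `minio_v2` jail, a comment saying it is transitional would help.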
@@ -0,0 +1,36 @@ | ||
--- | ||
- name: jail-init | minio | start jail | ||
ansible.builtin.shell: | ||
cmd: iocage start minio | ||
become: true | ||
|
||
- name: jail-init | minio | create .ssh directory | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys' | ||
become: true | ||
|
||
- name: jail-init | minio | deploy ssh keys | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'echo "{{ item }}" >> /root/.ssh/authorized_keys' | ||
loop: "{{ public_ssh_keys }}" | ||
become: true | ||
|
||
- name: jail-init | minio | activate sshd | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'sysrc sshd_enable="YES"' | ||
become: true | ||
|
||
- name: jail-init | minio | sshd permit root login | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config' | ||
become: true | ||
|
||
- name: jail-init | minio | start sshd | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'service sshd start' | ||
become: true | ||
|
||
- name: jail-init | minio | install packages | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio 'pkg install -y python39 bash sudo; ln -s /usr/local/bin/bash /bin/bash' | ||
become: true |
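Review bot: `PermitRootLogin yes` in the "sshd permit root login" task also allows root to authenticate with a password or keyboard-interactive auth, while this play only provisions keys; `prohibit-password` gives the same key-based root access without that exposure: `cmd: iocage exec minio 'echo "PermitRootLogin prohibit-password" >> /etc/ssh/sshd_config'`. The `>>` appends (keys and the sshd directive) are not idempotent, so a second run of this file duplicates them — acceptable if it only runs on a freshly created jail, as the per-jail include elsewhere in the commit suggests, but worth a comment at the top stating that assumption. Every task here also hard-codes the jail name `minio`, whereas the jail group that drives creation contains `minio_v2`; if this is the `init.yml` included per jail with `outside_item`, the name should come from `{{ outside_item.item }}` rather than a literal.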
@@ -0,0 +1,41 @@ | ||
--- | ||
- name: jails | check if jail exist | ||
ansible.builtin.shell: | ||
cmd: iocage list --header | awk '{print $2}' | grep --word-regexp {{ item }} | ||
loop: "{{ groups['truenas-jails'] }}" | ||
register: jails_check | ||
changed_when: false | ||
failed_when: jails_check.rc != 0 and jails_check.rc != 1 | ||
|
||
- name: jails | is iocage fetch required | ||
ansible.builtin.set_fact: | ||
jail_missing: true | ||
loop: "{{ jails_check.results }}" | ||
when: item.rc == 1 | ||
|
||
- block: | ||
- name: jails | get current FreeBSD release | ||
ansible.builtin.shell: | ||
cmd: freebsd-version | cut -d '-' -f 1-2 | ||
register: release | ||
failed_when: release.rc != 0 | ||
|
||
- name: jails | fetch iocage template {{ release.stdout }} | ||
ansible.builtin.shell: | ||
cmd: iocage fetch -r {{ release.stdout }} | ||
become: true | ||
|
||
- name: jails | create jail | ||
ansible.builtin.shell: | ||
cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on | ||
loop: "{{ jails_check.results }}" | ||
when: item.rc == 1 | ||
become: true | ||
when: jail_missing | ||
|
||
- name: jails | init jails | ||
ansible.builtin.include_tasks: init.yml | ||
loop: "{{ jails_check.results }}" | ||
loop_control: | ||
loop_var: outside_item | ||
when: outside_item.rc == 1 |
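Review bot: `jail_missing` is only assigned when some jail is absent, so on a run where every jail already exists the block's `when: jail_missing` evaluates an undefined variable and the play errors out instead of skipping. Either seed it before the check with a `set_fact` of `jail_missing: false`, or write the condition as `when: jail_missing | default(false)`. The fetch and create tasks also carry no `changed_when`, so `iocage fetch` reports a change every time the block runs even when the release is already present.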
@@ -0,0 +1,70 @@ | ||
--- | ||
- name: jail-minio | get jail ip | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio_v2 ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }' | ||
changed_when: false | ||
register: minio_jail_ip | ||
become: true | ||
|
||
- name: jail-minio_v2 | copy letsencrypt certificate | ||
ansible.builtin.copy: | ||
src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }} | ||
remote_src: true | ||
dest: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs/{{ item.dest }} | ||
owner: 1002 | ||
group: 1002 | ||
mode: 0600 | ||
loop: | ||
- { src: "fullchain.pem", dest: "public.crt" } | ||
- { src: "key.pem", dest: "private.key" } | ||
register: certificates | ||
become: true | ||
|
||
- block: | ||
- name: jail-minio | install minio | ||
ansible.builtin.pkgng: | ||
name: | ||
- minio | ||
- curl | ||
state: present | ||
register: installation | ||
|
||
- name: jail-minio | create minio configuration in /etc/rc.conf | ||
ansible.builtin.blockinfile: | ||
path: /etc/rc.conf | ||
state: present | ||
block: | | ||
# MINIO | ||
minio_enable="YES" | ||
minio_address=":9000" | ||
minio_console_address=":9001" | ||
minio_disks="/mnt/data" | ||
minio_certs="/home/minio/certs" | ||
minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }}" | ||
no_log: false | ||
register: configuration | ||
|
||
- name: jail-minio | restart minio service | ||
ansible.builtin.service: | ||
name: minio | ||
state: restarted | ||
enabled: true | ||
when: configuration.changed == true or installation.changed == true or certificates.changed == true | ||
|
||
- name: jail-minio | wait for 5 seconds | ||
ansible.builtin.pause: | ||
seconds: 5 | ||
|
||
- name: jail-minio | check minio service | ||
ansible.builtin.command: curl -s localhost:9000/minio/health/live | ||
register: curl_result | ||
ignore_errors: true | ||
changed_when: false | ||
|
||
- name: jail-minio | fail if curl command failed | ||
ansible.builtin.fail: | ||
msg: 'Curl command failed' | ||
when: curl_result.rc != 0 | ||
|
||
delegate_to: "{{ minio_jail_ip.stdout }}" | ||
remote_user: root |
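Review bot: The rc.conf task writes `MINIO_SECRET_KEY={{ minio_secret_key }}` with `no_log: false` set explicitly, so the secret is printed in the Ansible output (and any CI log that captures it) and then lands in `/etc/rc.conf`, which is world-readable by default on FreeBSD; change it to `no_log: true` and consider keeping `minio_env` in a root-only 0600 file rather than rc.conf. The health check `curl -s localhost:9000/minio/health/live` does not fail on an HTTP error status because `-f` is missing, and it speaks plain HTTP although `minio_certs` is configured, so if MinIO picks up those certs the TLS listener is never actually exercised; `curl -sf https://localhost:9000/minio/health/live` (with `-k` if the certificate does not cover localhost) would test what clients see. The certificate source path hard-codes the `xpander.ovh` domain while the inventory goes through `{{ secret_domain }}`; using the variable here keeps the domain out of the repo and the two in sync.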
@@ -0,0 +1,32 @@ | ||
--- | ||
- block: | ||
- name: jail-minio_v2_v2 | create zfs pools | ||
community.general.zfs: | ||
name: "{{ minio_pool_name }}/minio_v2" | ||
state: present | ||
extra_zfs_properties: | ||
atime: off | ||
setuid: off | ||
|
||
- name: jail-minio_v2 | create empty data dir | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio_v2 mkdir -p /mnt/data | ||
|
||
- name: jail-minio_v2 | mount data | ||
ansible.builtin.shell: | ||
cmd: iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0 | ||
|
||
- name: jail-minio_v2 | change create minio user | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio_v2 'pw useradd minio -u 1002 -g 1002 -d /home/minio -m' | ||
|
||
- name: jail-minio_v2 | change owner on data dir | ||
ansible.builtin.shell: | ||
cmd: iocage exec minio_v2 'chown 1002:1002 /mnt/data' | ||
|
||
- name: jail-minio_v2 | create certificates folder | ||
ansible.builtin.file: | ||
path: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs | ||
owner: 1002 | ||
group: 1002 | ||
become: true |
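Review bot: The "mount data" task mounts `/mnt/{{ minio_pool_name }}/minio` into jail `minio`, but the dataset created two tasks earlier is `{{ minio_pool_name }}/minio_v2` and every other task in the block targets `minio_v2`, so the data directory is nullfs-mounted from a different (possibly non-existent) dataset into a different jail: `cmd: iocage fstab -a minio_v2 /mnt/{{ minio_pool_name }}/minio_v2 /mnt/data nullfs rw 0 0`. None of the shell tasks here are idempotent — `pw useradd` fails once the user exists and `fstab -a` appends a duplicate entry on every run — so they need `creates`/`failed_when`/`changed_when` guards or a one-shot condition. Since the dataset only holds object data, `exec: off` next to the existing `setuid: off` is a cheap extra hardening, and the first task name (`jail-minio_v2_v2`) looks like a typo.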
@@ -0,0 +1,64 @@ | ||
--- | ||
- name: jail-{{ outside_item.item }} | get jail ip | ||
ansible.builtin.shell: | ||
cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }' | ||
changed_when: false | ||
register: postgresql_jail_ip | ||
become: true | ||
|
||
- name: jail-{{ outside_item.item }} | copy letsencrypt certificate | ||
ansible.builtin.copy: | ||
src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }} | ||
remote_src: true | ||
dest: /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item.dest }} | ||
owner: 770 | ||
group: 770 | ||
mode: 0600 | ||
loop: | ||
- { src: "fullchain.pem", dest: "server.crt" } | ||
- { src: "key.pem", dest: "server.key" } | ||
register: certificates | ||
become: true | ||
tags: | ||
- certificates | ||
|
||
- block: | ||
- name: jail-{{ outside_item.item }} | configure pg_hba | ||
ansible.builtin.template: | ||
src: postgresql/pg_hba.conf | ||
dest: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_hba.conf | ||
owner: postgres | ||
group: postgres | ||
register: pg_hba | ||
|
||
- name: jail-{{ outside_item.item }} | postgresql configuration | ||
community.postgresql.postgresql_set: | ||
name: "{{ item.name }}" | ||
value: "{{ item.value }}" | ||
loop: | ||
# listen to all addresses | ||
- { name: 'listen_addresses', value: '*' } | ||
# disable full page writes because of ZFS | ||
- { name: 'full_page_writes', value: 'off' } | ||
# SSL configuration | ||
- { name: 'ssl', value: 'on' } | ||
- { name: 'ssl_cert_file', value: 'server.crt' } | ||
- { name: 'ssl_key_file', value: 'server.key' } | ||
- { name: 'ssl_prefer_server_ciphers', value: 'on' } | ||
loop_control: | ||
loop_var: item | ||
become: true | ||
vars: | ||
ansible_become_user: postgres | ||
register: pg_conf | ||
|
||
- name: restart postgresql | ||
ansible.builtin.service: | ||
name: postgresql | ||
state: reloaded | ||
when: certificates.changed or pg_hba.changed or pg_conf.changed | ||
tags: | ||
- certificates | ||
|
||
delegate_to: "{{ postgresql_jail_ip.stdout }}" | ||
remote_user: root |
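Review bot: The task named "restart postgresql" runs `state: reloaded`, but `listen_addresses` is a postmaster-context setting that only takes effect on a full restart, so on the first run the server keeps listening on localhost until someone restarts it by hand; `postgresql_set` reports this in `restart_required`, so gate on it: `state: "{{ 'restarted' if pg_conf.results | selectattr('restart_required') | list else 'reloaded' }}"`. The cert and key are copied on the NAS into `/mnt/{{ postgresql_pool_name }}/postgresql/dataNN` while pg_hba.conf is written to `/var/db/postgres/dataNN` inside the jail — presumably that dataset is nullfs-mounted at that path, but the mount is not in this hunk, so a comment on the copy task stating the mapping would save the next reader a search. Because `ssl` is on and `listen_addresses` is `*`, the templated pg_hba.conf (not shown) should use `hostssl` rather than `host` rows so cleartext connections from the LAN are refused.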