♻️ migrate postgresql to truenas jail

ansible/ansible.cfg

@@ -18,6 +18,7 @@ fact_caching_connection     = ~/.ansible/facts_cache
 remote_port                 = 22
 timeout                     = 60
 host_key_checking           = False
+privatekeyfile              = ~/.ssh/id_ed25519
 # Plugin settings
 vars_plugins_enabled        = host_group_vars,community.sops.sops
 

ansible/inventory/group_vars/all/all.sops.yml

@@ -1,5 +1,9 @@
 kind: Secret
 secret_domain: ENC[AES256_GCM,data:SjdnR9pDjveodvo=,iv:GKvdD7c3bmaQN+CAYoKwAy78em9vYljGyl6VfGmJk9E=,tag:hz92J7d1NokEeyB6vxr3Uw==,type:str]
+public_ssh_keys:
+    - ENC[AES256_GCM,data:/J9ejzvJHV5wdz9Dj0jUmAaVtIkgVpEoIRJocNGhszY2bmu5mruwWSz6E+XkcAGE0zQMo/9N8imIZoXfq0UQSyfCCitrA09x1z0Hf0s3iSA=,iv:jzA3bIQw+pL4tjNASNMwMcdHW+vSxgVo4Czo/ja0AO8=,tag:iTEDjARfH96oXATQu8VR8Q==,type:str]
+    - ENC[AES256_GCM,data:c105qLvE6iHoBQl4X0qEFDPXOsiA+YGUVK4gl7O0pqHZ6IIs3m1Z28PKl84GuaPL1pV7I55KccQdAnqjQw0XSZ/lWI+IC2BXj3dJ6paLZNU=,iv:lQod/AwDquA22zJLmvpiuQvaPXo1JFSOV+9yybVjMZc=,tag:Z2eArvfrP8YN3irG45wMRw==,type:str]
+    - ENC[AES256_GCM,data:pMYg+hNpYCl5fwvNbz0bjm0KaEuIGMeBXXblTGpbur17Nxulnn5DQ5H3k8Wash1F9BJeBfQOTGXDx1XEfp2CDlymuLHdjP6xU7+daD0/JbA=,iv:49Mh9zGN5AJgTXGb8lF38jyme46nd7RqKil3PI13ww8=,tag:2c6jSEZImNEWvM3Asc2jhw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +19,8 @@ sops:
             c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy
             v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-11T15:03:36Z"
-    mac: ENC[AES256_GCM,data:PYjJ/WxF8UXZPnccFdjtwsS+W2N1TQmNFtTIHazFLFiSxC4b6li7TcOEpQL2HClWeXwJXkUnWGUfH9YLEPVxlAqBygaDBdghPN0uTrKaV4ZaiAQ1EhtKfGDkIGvb+aDpbRuNH77nXzDv4ws3ObSdTCsHp2LOepi4NVSuEw6MlOY=,iv:Bk+VTEsAyeRQkf9wbcBpANeXvIvGn6JzOuHRM0ilF/s=,tag:6MT3xUDX/o3e1zu8WrGm/A==,type:str]
+    lastmodified: "2024-01-13T09:43:41Z"
+    mac: ENC[AES256_GCM,data:R7gzINLxiaqSh4JgP9jhMTG1GaM5WnUA24Uv5OMVB3cHIjgE65o3ybjbmPGpAejpfQ+lKSKKXxeWRpissn9h6DVr1RLi5jnXlngMt5REDiNSsxRI7j3aktTvd2wJQUcGObrhngp+lhFPsufZuOg7hFdvcgCP3SM7sDwrxBaOjgk=,iv:XqaEQtFhBkm1qV7khzhftE2Sxy5xUH/I4/CBqKW9R+w=,tag:FRbncSBOFqVrFTEXmZf+uw==,type:str]
     pgp: []
     unencrypted_regex: ^(kind)$
     version: 3.8.1

ansible/inventory/host_vars/postgresql_v15.yml

@@ -0,0 +1 @@
+postgresql_version: 15

ansible/inventory/host_vars/postgresql_v16.yml

@@ -0,0 +1 @@
+postgresql_version: 16

ansible/inventory/host_vars/truenas-remote.yaml

@@ -1,4 +1,3 @@
 main_nas: false
 pool_name: vol1
 snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3"
-uptime_kuma_id_truenas_cert: Oxu1GVb5tl

ansible/inventory/host_vars/truenas.sops.yaml

@@ -2,6 +2,9 @@ kind: Secret
 root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str]
 ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str]
 ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str]
+minio_access_key: ENC[AES256_GCM,data:S4jElnraMiUip89QcF9VjQ==,iv:gSgUnDPTgIyXvmXt/ocIB3v6Dcq+c8ADrmQXVwgXVAM=,tag:ykHGBcHbZ431gvkxp6q+iA==,type:str]
+minio_secret_key: ENC[AES256_GCM,data:kfeIRjsEGFAsQmVw9QsyoA==,iv:milmhE0Y2mdW6Yx910IsRRwNO7JxsYhUL5wBDTOUBLU=,tag:Ghy68+5i4m/0+IIve23YJQ==,type:str]
+postgresql_password: ENC[AES256_GCM,data:Fm/TW9zb36GzPOstV2kt96WJPAJ/0ylsSKDzzJdLmmsUQINSsXag5g==,iv:KkdOsbTN8i6taJXpavBTXCcJhRyMzmwf3gjh/nubu5M=,tag:0wWqT3ij2mudjT/vZT9OjA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -17,8 +20,8 @@ sops:
             aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj
             VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-21T19:48:18Z"
-    mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str]
+    lastmodified: "2024-01-14T10:19:17Z"
+    mac: ENC[AES256_GCM,data:51zO9hPDmKOQN3ui9+/4tHVg+xYIoNw0y/BQ/f0QSW968ZhotHftQqLS7i9h14871zWPI8/J7m7hWb4X8LIS4Hn8Bf6PsBt6efm0QSsNvvaiUUwisn/WgbQXp7fF6NyN3f1beHJAm5a/qmVbuCYwySwDlZfAbrHnyY3ogq3dKjs=,iv:V2F4Dc7VxodM6d6ioD8tROjwPcU671a8IZzm8GWpihc=,tag:5JU0/QzcGjn2xJLbSB/tJA==,type:str]
     pgp: []
     unencrypted_regex: ^(kind)$
-    version: 3.7.3
+    version: 3.8.1

ansible/inventory/host_vars/truenas.yaml

@@ -1,5 +1,6 @@
 main_nas: true
 pool_name: storage
-service_s3: true
+iocage_pool_name: storage
+postgresql_pool_name: storage
+minio_pool_name: storage
 snapshots_interval: "daily:14,weekly:12,monthly:3"
-uptime_kuma_id_truenas_cert: f8nAZOHoQb

ansible/inventory/hosts.yml

@@ -1,21 +1,21 @@
 ---
 all:
   hosts:
-    localhost:
-      ansible_connection: local
-      ansible_python_interpreter: /usr/bin/python3
     coreelec:
       ansible_host: coreelec.{{ secret_domain }}
       ansible_user: root
-    minio:
-      ansible_host: 192.168.9.14
-      ansible_user: minio
   children:
     truenas-instances:
       hosts:
         truenas:
           ansible_host: truenas.{{ secret_domain }}
-        truenas-remote:
-          ansible_port: 35875
+        # truenas-remote:
+        #   ansible_host: truenas-remote.{{ secret_domain }}
+        #   ansible_port: 35875
       vars:
         ansible_user: homelab
+    truenas-jails:
+      hosts:
+        minio_v2:
+        postgresql_v15:
+        postgresql_v16:

ansible/roles/truenas/tasks/jails/init.yml

@@ -0,0 +1,36 @@
+---
+- name: jail-init | minio | start jail
+  ansible.builtin.shell:
+    cmd: iocage start minio
+  become: true
+
+- name: jail-init | minio | create .ssh directory
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
+  become: true
+
+- name: jail-init | minio | deploy ssh keys
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
+  loop: "{{ public_ssh_keys }}"
+  become: true
+
+- name: jail-init | minio | activate sshd
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'sysrc sshd_enable="YES"'
+  become: true
+
+- name: jail-init | minio | sshd permit root login
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
+  become: true
+
+- name: jail-init | minio | start sshd
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'service sshd start'
+  become: true
+
+- name: jail-init | minio | install packages
+  ansible.builtin.shell:
+    cmd: iocage exec minio 'pkg install -y python39 bash sudo; ln -s /usr/local/bin/bash /bin/bash'
+  become: true

ansible/roles/truenas/tasks/jails/main.yml

@@ -0,0 +1,41 @@
+---
+- name: jails | check if jail exist
+  ansible.builtin.shell:
+    cmd: iocage list --header | awk '{print $2}' | grep --word-regexp {{ item }}
+  loop: "{{ groups['truenas-jails'] }}"
+  register: jails_check
+  changed_when: false
+  failed_when: jails_check.rc != 0 and jails_check.rc != 1
+
+- name: jails | is iocage fetch required
+  ansible.builtin.set_fact:
+    jail_missing: true
+  loop: "{{ jails_check.results }}"
+  when: item.rc == 1
+
+- block:
+    - name: jails | get current FreeBSD release
+      ansible.builtin.shell:
+        cmd: freebsd-version | cut -d '-' -f 1-2
+      register: release
+      failed_when: release.rc != 0
+
+    - name: jails | fetch iocage template {{ release.stdout }}
+      ansible.builtin.shell:
+        cmd: iocage fetch -r {{ release.stdout }}
+      become: true
+
+    - name: jails | create jail
+      ansible.builtin.shell:
+        cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on
+      loop: "{{ jails_check.results }}"
+      when: item.rc == 1
+      become: true
+  when: jail_missing
+
+- name: jails | init jails
+  ansible.builtin.include_tasks: init.yml
+  loop: "{{ jails_check.results }}"
+  loop_control:
+    loop_var: outside_item
+  when: outside_item.rc == 1

ansible/roles/truenas/tasks/jails/minio-conf.yml

@@ -0,0 +1,70 @@
+---
+- name: jail-minio | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec minio_v2 ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: minio_jail_ip
+  become: true
+
+- name: jail-minio_v2 | copy letsencrypt certificate
+  ansible.builtin.copy:
+    src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+    remote_src: true
+    dest: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs/{{ item.dest }}
+    owner: 1002
+    group: 1002
+    mode: 0600
+  loop:
+    - { src: "fullchain.pem", dest: "public.crt" }
+    - { src: "key.pem", dest: "private.key" }
+  register: certificates
+  become: true
+
+- block:
+  - name: jail-minio | install minio
+    ansible.builtin.pkgng:
+      name:
+        - minio
+        - curl
+      state: present
+    register: installation
+
+  - name: jail-minio | create minio configuration in /etc/rc.conf
+    ansible.builtin.blockinfile:
+      path: /etc/rc.conf
+      state: present
+      block: |
+        # MINIO
+        minio_enable="YES"
+        minio_address=":9000"
+        minio_console_address=":9001"
+        minio_disks="/mnt/data"
+        minio_certs="/home/minio/certs"
+        minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }}"
+    no_log: false
+    register: configuration
+
+  - name: jail-minio | restart minio service
+    ansible.builtin.service:
+      name: minio
+      state: restarted
+      enabled: true
+    when: configuration.changed == true or installation.changed == true or certificates.changed == true
+
+  - name: jail-minio | wait for 5 seconds
+    ansible.builtin.pause:
+      seconds: 5
+
+  - name: jail-minio | check minio service
+    ansible.builtin.command: curl -s localhost:9000/minio/health/live
+    register: curl_result
+    ignore_errors: true
+    changed_when: false
+
+  - name: jail-minio | fail if curl command failed
+    ansible.builtin.fail:
+      msg: 'Curl command failed'
+    when: curl_result.rc != 0
+
+  delegate_to: "{{ minio_jail_ip.stdout }}"
+  remote_user: root

ansible/roles/truenas/tasks/jails/minio-init.yml

@@ -0,0 +1,32 @@
+---
+- block:
+    - name: jail-minio_v2_v2 | create zfs pools
+      community.general.zfs:
+        name: "{{ minio_pool_name }}/minio_v2"
+        state: present
+        extra_zfs_properties:
+          atime: off
+          setuid: off
+
+    - name: jail-minio_v2 | create empty data dir
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 mkdir -p /mnt/data
+
+    - name: jail-minio_v2 | mount data
+      ansible.builtin.shell:
+        cmd: iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0
+
+    - name: jail-minio_v2 | change create minio user
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 'pw useradd minio -u 1002 -g 1002 -d /home/minio -m'
+
+    - name: jail-minio_v2 | change owner on data dir
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 'chown 1002:1002 /mnt/data'
+
+    - name: jail-minio_v2 | create certificates folder
+      ansible.builtin.file:
+        path: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs
+        owner: 1002
+        group: 1002
+  become: true

ansible/roles/truenas/tasks/jails/postgresql-conf.yml

@@ -0,0 +1,64 @@
+---
+- name: jail-{{ outside_item.item }} | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: postgresql_jail_ip
+  become: true
+
+- name: jail-{{ outside_item.item }} | copy letsencrypt certificate
+  ansible.builtin.copy:
+    src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+    remote_src: true
+    dest: /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item.dest }}
+    owner: 770
+    group: 770
+    mode: 0600
+  loop:
+    - { src: "fullchain.pem", dest: "server.crt" }
+    - { src: "key.pem", dest: "server.key" }
+  register: certificates
+  become: true
+  tags:
+    - certificates
+
+- block:
+  - name: jail-{{ outside_item.item }} | configure pg_hba
+    ansible.builtin.template:
+      src: postgresql/pg_hba.conf
+      dest: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_hba.conf
+      owner: postgres
+      group: postgres
+    register: pg_hba
+
+  - name: jail-{{ outside_item.item }} | postgresql configuration
+    community.postgresql.postgresql_set:
+      name: "{{ item.name }}"
+      value: "{{ item.value }}"
+    loop:
+      # listen to all addresses
+      - { name: 'listen_addresses', value: '*' }
+      # disable full page writes because of ZFS
+      - { name: 'full_page_writes', value: 'off' }
+      # SSL configuration
+      - { name: 'ssl', value: 'on' }
+      - { name: 'ssl_cert_file', value: 'server.crt' }
+      - { name: 'ssl_key_file', value: 'server.key' }
+      - { name: 'ssl_prefer_server_ciphers', value: 'on' }
+    loop_control:
+      loop_var: item
+    become: true
+    vars:
+      ansible_become_user: postgres
+    register: pg_conf
+
+  - name: restart postgresql
+    ansible.builtin.service:
+      name: postgresql
+      state: reloaded
+    when: certificates.changed or pg_hba.changed or pg_conf.changed
+    tags:
+      - certificates
+
+  delegate_to: "{{ postgresql_jail_ip.stdout }}"
+  remote_user: root