postgres/variables.yml

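---
# Variables for the postgres pack. Values in [[ ... ]] are template
# variables resolved at render time; {{ ... }} are consul-template / vault
# expressions evaluated by the agent when the job runs.
pg:
  # Name of the job to generate
  # Also used to control service names
  instance: postgres

  # Postgres server settings
  server:
    # The image to use
    image: danielberteaud/patroni:15.23.10-7
    # Number of postgres instances. Patroni will handle leader election and replication
    count: 1
    # Optional env vars to pass to the container
    # You should set PGBACKREST_XXX variables if you intend to use the backup service
    # Eg
    # env:
    #   PGBACKREST_PROCESS_MAX: 4
    #   PGBACKREST_REPO1_RETENTION_FULL_TYPE: time
    #   PGBACKREST_REPO1_RETENTION_FULL: 30
    #   PGBACKREST_REPO1_RETENTION_DIFF: 7
    #   PGBACKREST_REPO1_TYPE: sftp
    #   PGBACKREST_REPO1_SFTP_HOST: pbs.lapiole.org
    #   PGBACKREST_REPO1_SFTP_HOST_USER: pitr
    #   PGBACKREST_REPO1_PATH: /postgres/pgbackrest
    #   PGBACKREST_REPO1_SFTP_HOST_KEY_HASH_TYPE: sha256
    #   # awk '{print $2}' ssh_host_ecdsa_key.pub | base64 -d | sha256sum
    #   PGBACKREST_REPO1_SFTP_HOST_FINGERPRINT: ce6eb1c79ce6596d7580f3b08021b48e39e5a30f2fd751a7fa82b480d821eb99
    #   PGBACKREST_REPO1_SFTP_HOST_KEY_CHECK_TYPE: fingerprint
    # When using an sftp repository, keep the host key check (fingerprint, as in the
    # example above): it is what prevents backups being sent to a spoofed repository host
    env: {}
    # In recovery mode, neither patroni nor postgres will be started. The container will start and wait for manual recovery
    recovery: false
    # Recovery configuration to pass to patroni config
    recovery_conf: {}
    # How many nodes should use synchronous replication. No effect unless count > 1
    synchronous_node_count: 0
    # Postgres parameters
    # The following memory related settings can be expressed as a percentage, and will be computed based on the memory allocation of the container
    # shared_buffers effective_cache_size maintenance_work_mem wal_buffers work_mem
    parameters:
      log_line_prefix: "'[%l-1] user=%u,db=%d,app=%a,client=%h '"
      wal_compression: zstd
      # Log statements running longer than this many milliseconds
      log_min_duration_statement: 2000
      log_timezone: '{{ env "TZ" }}'
      timezone: '{{ env "TZ" }}'
      log_destination: stderr
      # log_directory + log_filename resolve to /proc/1/fd/1, i.e. the stdout of
      # PID 1, so postgres logs end up in the container's own log stream
      log_directory: /proc/1/fd
      log_filename: 1
      datestyle: 'ISO, DMY'
      autovacuum_vacuum_threshold: 500
      autovacuum_analyze_threshold: 500
      autovacuum_vacuum_scale_factor: 0.1
      autovacuum_analyze_scale_factor: 0.05
      # Percentages of the container memory allocation (see note above)
      shared_buffers: 25%
      maintenance_work_mem: 5%
      work_mem: 1%
      # Seconds after which a partially filled WAL segment is archived anyway
      archive_timeout: 900
      # Amount of WAL (MB) kept for replicas to catch up
      wal_keep_size: 512

    # You can configure ldap auth for postgres
    # users needing ldap auth should be members of the ldap_roles role in postgres
    ldap_auth:
      # Is the auth enabled
      enabled: false
      # List of servers to try to connect to
      servers:
        - localhost
      # Port
      port: 389
      # Should StartTLS be used to connect
      # Keep it enabled: without TLS the bind password and user passwords cross the network in clear text
      starttls: true
      # The base DN where postgres will start looking for users
      base_dn: OU=People,DC=example,DC=org
      # Search filter to find matching users ($username is replaced by postgres with the login name)
      search_filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_DBA,OU=Roles,DC=example,DC=org)(sAMAccountName=$username))"
      # Optional bind DN and password to do the search operation
      # If undefined, the search will be done anonymously
      # The password is read from Vault at render time, so it never has to be committed in this file
      # bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
      bind_password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'

    # Resource allocation for the container
    resources:
      cpu: 500
      memory: 1024

    # URL of the service as seen from the outside
    # This is used to initialize connection from vault to handle database secrets
    # public_url: postgres://postgres.example.org:5432

    traefik:
      # If the postgres service (the master) should be exposed by Traefik
      # Exposed by default: set to false if clients only reach postgres through the service mesh
      enabled: true
      # List of entrypoints the service will listen to
      entrypoints:
        - postgres
      # List of Traefik middlewares to apply
      middlewares: []

    prometheus:
      # NOTE(review): nesting of this key was reconstructed from a flattened listing — confirm against the template
      metrics_url: http://localhost:9187

  # Backup service uses pgbackrest to perform
  # WAL archive, and regular full/incr/diff backups
  backup:
    # Additional env vars.
    # Note that pg.server.env will be inherited so PGBACKREST config only needs to be set there
    env: {}
    # pgbackrest based backups
    pgbackrest:
      enabled: false
      # Schedules for backups (cron syntax). Empty string to disable
      cron:
        full: '15 02 1 * *'
        diff: '15 02 2-31 * 0'
        incr: '15 02 2-31 * 1-6'
    # pg_dump based backups
    dumps:
      enabled: false
      format: custom
      compression: 6
      cron: '39 03 * * *'
    # Resource allocations
    resources:
      cpu: 100
      memory: 50
      memory_max: 256

  # Postgres exporter for prometheus
  # Only used if prometheus.enabled is true
  exporter:
    # Image to use
    # A floating tag (latest) is not reproducible and may pull an unexpected image;
    # pin a version or a digest before relying on it in production
    image: quay.io/prometheuscommunity/postgres-exporter:latest
    # Additional env vars
    env: {}
    # Resources
    resources:
      cpu: 20
      memory: 32

  # manage can create databases, users and sync permissions from LDAP (using ldap2pg)
  manage:
    # Image to use
    image: danielberteaud/ldap2pg:6.0-2
    # Resource allocation
    resources:
      cpu: 20
      memory: 32
    # Services to wait for before running
    wait_for:
      - service: 'master.[[ .pg.instance ]]'
    # Additional env vars
    env: {}
    # Connection to postgres through the service mesh
    consul:
      connect:
        upstreams:
          - destination_name: "[[ .pg.instance ]]"
            local_bind_port: 5432
    # List of databases to create (so permissions can be applied)
    # For each database, a role with the same name (and NOLOGIN) will be created and be owner of the database
    # databases:
    #   - name: vaultwarden
    #   - name: odoo
    #     owner: erp
    #     encoding: UTF-8
    #     locale: fr_FR.utf8
    databases: []
    # Schedule to run ldap2pg regularly, to ensure permissions are up to date
    # This is especially useful when syncing roles from LDAP
    # An empty string disables running the job as a cron
    cron: ""
    # mode can be dry (no change will be made) or real
    mode: dry
    # Default config for ldap2pg (except for rules which are handled separately)
    default_config:
      version: 6
      postgres:
        # Only roles returned here are touched by ldap2pg; anything outside the
        # managed_roles tree is left alone
        managed_roles_query: |
          VALUES
            ('public'),
            ('managed_roles')
          UNION
          SELECT DISTINCT role.rolname
          FROM pg_roles AS role
          JOIN pg_auth_members AS ms ON ms.member = role.oid
          JOIN pg_roles AS parent
            ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
          ORDER BY 1;
      # Privilege profiles, each one building on the previous
      privileges:
        reader:
          - __connect__
          - __usage_on_schemas__
          - __select_on_tables__
          - __select_on_sequences__
          - __usage_on_sequences__
        writer:
          - reader
          - __temporary__
          - __insert_on_tables__
          - __update_on_tables__
          - __delete_on_tables__
          - __update_on_sequences__
          - __execute_on_functions__
          - __trigger_on_tables__
        owner:
          - writer
          - __create_on_schemas__
          - __truncate_on_tables__
        rewinder:
          - __connect__
          - __execute_on_functions__
    # Custom config: will be merged on top of default_config
    config: {}
    # A set of default rules to apply
    default_rules:
      - roles:
          - name: managed_roles
            comment: Parent role for all ldap2pg managed roles
          - name: ldap_roles
            comment: "Parent role for LDAP synced roles"
            options: NOLOGIN
            parents:
              - managed_roles
          # Presumably used by the backup service: REPLICATION for WAL/basebackup
          # style backups, pg_read_all_data for dumps
          - name: backup
            comment: "DB backup"
            options: LOGIN REPLICATION
            parents:
              - pg_read_all_data
              - managed_roles
          # SUPERUSER is a role attribute and is not inherited through membership:
          # members of dba must SET ROLE dba to use it, which keeps day-to-day sessions unprivileged
          - name: dba
            comment: "Databases admins"
            options: SUPERUSER NOLOGIN
            parents:
              - managed_roles
          - name: rewind
            comment: "Databases rewinder"
            options: LOGIN
            parents:
              - managed_roles
          # CREATEROLE lets Vault create and revoke the dynamic database
          # credentials it manages (see server.public_url)
          - name: vault
            comment: "Hashicorp Vault"
            options: CREATEROLE LOGIN
            parents:
              - managed_roles
      - grant:
          role: vault
          privileges: reader
          databases: postgres
      - grant:
          role: rewind
          privileges: rewinder
          databases: postgres
      # No databases key: ldap2pg's default database selection applies (presumably all managed databases)
      - grant:
          role: dba
          privileges: owner
    # Additional custom rules to apply (will be appended to default_rules)
    rules: []

  # Volumes
  # NOTE(review): placement under pg reconstructed from a flattened listing — confirm against the template
  volumes:
    # The data volume is used to store postgres data
    # It'll be opened as single-node-writer, and it's recommended to be a block based volume (eg, iSCSI)
    # The volumes are connected using per_alloc, so the alloc ID will be appended. Eg postgres-data[0], postgres-data[1] etc.
    data:
      type: csi
      source: '[[ .pg.instance ]]-data'
    # Backup volume (can be used for pgbackrest and dumps)
    # Will be opened as multi-node-multi-writer. Can be NFS
    backup:
      type: csi
      source: '[[ .pg.instance ]]-backup'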