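# Patroni configuration template for a Nomad-scheduled PostgreSQL cluster.
#
# Two template layers are visible here:
#   [[ ... ]]  outer job-render layer (.instance, .pg.*, .vault.*, .consul.*)
#   {{ ... }}  left for Nomad's template stanza, which resolves env, secret
#              and sockaddr when the allocation starts
#
# The rendered file holds live credentials (Consul token, superuser and REST
# API passwords, optionally the LDAP bind password), so it must only be
# readable by the patroni task.
name: [[ .instance ]]-{{ env "NOMAD_ALLOC_INDEX" }}
scope: [[ .instance ]]

consul:
  # Plain HTTP to the agent on the host's "nomad" interface; the ACL token
  # travels unencrypted on that hop, so this assumes a local/trusted agent.
  url: http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500
  # Quoted like the other secrets below so the value is always a string.
  token: '{{ with secret "[[ .vault.root ]]consul/creds/[[ .instance ]]" }}{{ .Data.token }}{{ end }}'

bootstrap:
  dcs:
    # Synchronous replication is only enabled with more than one server and
    # a non-zero synchronous_node_count; otherwise it is explicitly off.
[[- if and (gt .pg.server.count 1) (gt .pg.server.synchronous_node_count 0) ]]
    synchronous_mode: true
    synchronous_node_count: [[ .pg.server.synchronous_node_count ]]
    # synchronous_mode_strict: true
[[- else ]]
    synchronous_mode: false
[[- end ]]

  # Each entry is emitted verbatim, so give every initdb option as a string.
  initdb:
[[- range $idx, $opt := .initdb ]]
    - [[ $opt ]]
[[- end ]]

  # Runs once after the initial bootstrap (presumably creates the roles used
  # by the pg_hba/pg_ident rules below -- see the script itself).
  post_bootstrap: /local/create_users.sh

postgresql:
  # Patroni tries the replica creation methods in list order; pgbackrest is
  # preferred when backups are enabled, basebackup is always the fallback.
  create_replica_methods:
[[- if .pg.backup.pgbackrest.enabled ]]
    - pgbackrest
[[- end ]]
    - basebackup

[[- if .pg.backup.pgbackrest.enabled ]]
  pgbackrest:
    command: pgbackrest --delta restore
    keep_data: true
    no_params: true
[[- end ]]

  callbacks:
    on_role_change: /local/update_tags.sh
    on_start: /local/update_tags.sh

  connect_address: {{ env "NOMAD_HOST_ADDR_postgres" }}
  bin_dir: /usr/pgsql-[[ .pg.server.pg_version ]]/bin
  data_dir: /data/db/[[ .pg.server.pg_version ]]
  listen: 0.0.0.0:{{ env "NOMAD_ALLOC_PORT_postgres" }}
  use_pg_rewind: true
  # remove_data_directory_on_rewind_failure: true

  # Entries are copied verbatim into pg_hba.conf; the first matching line
  # wins, so the local/loopback rules are listed before the wildcard ones.
  pg_hba:
    - local all postgres peer
    - local replication postgres peer
    - local all postgres scram-sha-256
[[- if .pg.server.ldap_auth.enabled ]]
    # The three template lines below render as ONE pg_hba line. The optional
    # bind credentials carry a leading space; the space before
    # ldapsearchfilter lives outside the conditional so the options stay
    # separated whichever branch is taken. The bind password ends up in
    # clear text in pg_hba.conf. Without starttls the bind uses plain LDAP.
    - host all +ldap_roles 127.0.0.0/8 ldap ldapserver="[[ join .pg.server.ldap_auth.servers " " ]]" ldapport=[[ .pg.server.ldap_auth.port ]] [[ if .pg.server.ldap_auth.starttls ]]ldaptls=1 [[ end ]]ldapbasedn="[[ .pg.server.ldap_auth.base_dn ]]"
[[- if and (has .pg.server.ldap_auth "bind_dn") (has .pg.server.ldap_auth "bind_password") ]] ldapbinddn="[[ .pg.server.ldap_auth.bind_dn ]]" ldapbindpasswd="[[ .pg.server.ldap_auth.bind_password ]]"
[[- end ]] ldapsearchfilter="[[ .pg.server.ldap_auth.search_filter ]]"
[[- end ]]
    - host all all 127.0.0.0/8 scram-sha-256
    - host replication backup 127.0.0.0/8 scram-sha-256
    # Remote access is client-certificate only. The mapped rules accept the
    # service certificate's CN via patroni-map; the last rule has no map, so
    # the certificate CN must equal the database user name.
    - hostssl replication replicator 0.0.0.0/0 cert clientcert=verify-full map=patroni-map
    - hostssl postgres rewind 0.0.0.0/0 cert clientcert=verify-full map=patroni-map
    - hostssl all all 0.0.0.0/0 cert clientcert=verify-full

  # One service certificate is accepted for all three internal roles, so
  # /secrets/postgres.bundle.pem is the trust boundary for the cluster.
  pg_ident:
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] postgres
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] replicator
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] rewind

  parameters:
    ssl: on
    ssl_cert_file: /secrets/postgres.bundle.pem
    ssl_key_file: /secrets/postgres.bundle.pem
    ssl_ca_file: /local/postgres.ca.pem
    # ssl_crl_file: /local/postgres.crl.pem
[[- if not (has .pg.server.parameters "unix_socket_directories") ]]
    # Add a socket in /alloc/data/postgres
    # so other tasks in the same group can reach it
    unix_socket_directories: /run/postgresql, /alloc/data/postgres
[[- end ]]
    # Memory-sized settings given as a percentage (e.g. "25%") become an
    # absolute MB value computed from the task's memory reservation (assumed
    # to be in MB, as Nomad's resources.memory is). Every other parameter is
    # copied through verbatim and unquoted -- a value that looks like a
    # boolean or number is typed by YAML accordingly.
[[- range $k, $v := .pg.server.parameters ]]
[[- if and (regexp.Match "^(shared_buffers|effective_cache_size|maintenance_work_mem|wal_buffers|work_mem)$" $k) (regexp.Match "^\\d+%$" $v) ]]
[[- $v = regexp.Find "\\d+" $v ]]
[[- $v = printf "%dMB" (conv.ToInt64 (div (mul (conv.ToInt64 $v) (conv.ToInt64 $.pg.server.resources.memory)) 100)) ]]
[[- end ]]
    [[ $k ]]: [[ $v ]]
[[- end ]]
    # WAL archiving defaults are only filled in when backups are enabled and
    # the operator did not set them explicitly.
[[- if .pg.backup.pgbackrest.enabled ]]
[[- if not (has .pg.server.parameters "archive_command") ]]
    archive_command: pgbackrest archive-push "%p"
[[- end ]]
[[- if not (has .pg.server.parameters "archive_mode") ]]
    archive_mode: true
[[- end ]]
[[- end ]]

  recovery_conf:
[[- range $k, $v := .pg.server.recovery_conf ]]
    [[ $k ]]: [[ $v ]]
[[- end ]]
[[- if .pg.backup.pgbackrest.enabled ]]
[[- if not (has .pg.server.recovery_conf "restore_command") ]]
    restore_command: pgbackrest archive-get %f "%p"
[[- end ]]
[[- end ]]

  authentication:
    superuser:
      username: postgres
      # Rendered from Vault KV at allocation time. The value is single-quoted,
      # so a password containing a single quote would break this file -- keep
      # such characters out of the KV entry or render through an escaping
      # function.
      password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}'
      # verify-ca checks the certificate chain but not the server name;
      # acceptable while the CA is private to this cluster.
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem

    # Replication and rewind connections authenticate with the service
    # certificate (cert rules in pg_hba above), not with a password.
    replication:
      username: replicator
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem
      sslcert: /secrets/postgres.bundle.pem
      sslkey: /secrets/postgres.bundle.pem

    rewind:
      username: rewind
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem
      sslcert: /secrets/postgres.bundle.pem
      sslkey: /secrets/postgres.bundle.pem

restapi:
  connect_address: {{ env "NOMAD_HOST_ADDR_patroni" }}
  listen: 0.0.0.0:{{ env "NOMAD_ALLOC_PORT_patroni" }}
  keyfile: /secrets/postgres.bundle.pem
  certfile: /secrets/postgres.bundle.pem
  cafile: /local/postgres.ca.pem
  # "optional" asks for a client certificate on the unsafe (state-changing)
  # endpoints only, on top of the basic-auth credentials below; read-only
  # endpoints stay reachable without one -- confirm against the Patroni
  # version in use.
  verify_client: optional
  authentication:
    username: patroni
    # Same quoting caveat as the superuser password above.
    password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.api_pwd }}{{ end }}'

ctl:
  # patronictl uses the same bundle against the REST API; keep server
  # certificate verification on.
  insecure: false
  keyfile: /secrets/postgres.bundle.pem
  certfile: /secrets/postgres.bundle.pem
  cafile: /local/postgres.ca.pem

watchdog:
  # Quoted so the parser keeps the literal string Patroni documents rather
  # than a YAML-1.1 boolean.
  mode: 'off'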