nomad
/
postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
postgres/variables.yml

413 lines
11 KiB
YAML
Raw Permalink Blame History

---
# Name of the job to generate
# Also used to controler service names
instance: postgres
pg:
nomad:
# Set higher priority for the postgres job
priority: 80
vault:
pki:
ou: Postgres
# List of vault policies to attach to the task
policies:
- '[[ .instance ]][[ .consul.suffix ]]'
database:
role: '[[ .instance ]]-admin'
pgrole: dba
# Random secrets to generate if missing, and store in vault KV
rand_secrets:
fields:
- pg_pwd
- api_pwd
- monitor_pwd
- replicator_pwd
- rewind_pwd
- vault_initial_pwd
# Postgres server settings
server:
# Major version of postgres to use
pg_version: 15
# Version of patroni
patroni_version: 3.3.0
# The image to use
image: '[[ .docker.repo ]]patroni:[[ .pg.server.pg_version ]]-[[ .pg.server.patroni_version ]]-2'
# Number of postgres instance. Patroni will handle leader election and replication
count: 1
# Optional en vars to pass to the container
# You should set PGBACKREST_XXX variable if you intend to use the back service
# Eg
# env:
# PGBACKREST_PROCESS_MAX: 4
# PGBACKREST_REPO1_RETENTION_FULL: 1
# PGBACKREST_REPO1_RETENTION_DIFF: 7
# PGBACKREST_REPO1_TYPE: sftp
# PGBACKREST_REPO1_SFTP_HOST: pbs.lapiole.org
# PGBACKREST_REPO1_SFTP_HOST_USER: pitr
# PGBACKREST_REPO1_PATH: /postgres/pgbackrest
# PGBACKREST_REPO1_SFTP_HOST_KEY_HASH_TYPE: sha256
# # awk '{print $2}' ssh_host_ecdsa_key.pub | base64 -d | sha256sum
# PGBACKREST_REPO1_SFTP_HOST_FINGERPRINT: ce6eb1c79ce6596d7580f3b08021b48e39e5a30f2fd751a7fa82b480d821eb99
# PGBACKREST_REPO1_SFTP_HOST_KEY_CHECK_TYPE: fingerprint
env:
PGBACKREST_STANZA: '[[ .instance ]]'
nomad:
# Enforce running on distinct hosts
constraints:
- operator: distinct_hosts
value: true
update:
# When running in recovery mode, use huge deadlines as it can take a lot of time
healthy_deadline: '[[ .pg.server.recovery | ternary "48h" "2h" ]]'
progress_deadline: '[[ .pg.server.recovery | ternary "72h" "3h" ]]'
# In recovery mode, neither patroni nor postgres will be started. The container will start and wait for manual recovery
recovery: false
# Recovery configuration to pass to patroni config
recovery_conf: {}
# How many nodes should use synchronous replication. No effect unless count > 1
synchronous_node_count: 0
# Options to pass to initdb when initializing the cluster
initdb:
- "data-checksum"
- "encoding: UTF-8"
# Postgres parameters
# The following memory related settings can be expressed as a percentage, and wil be computed based on the memory allocation of the container
# shared_buffers effective_cache_size maintenance_work_mem wal_buffers work_mem
parameters:
log_line_prefix: "'[%m] u=%u,d=%d,a=%a,c=%h,xid=%x '"
wal_compression: zstd
log_min_duration_statement: 2000
log_timezone: '{{ env "TZ" }}'
timezone: '{{ env "TZ" }}'
log_destination: stderr
log_directory: /proc/1/fd
log_filename: 1
#logging_collector: on
#log_truncate_on_rotation: on
#log_rotation_size: 0
#log_rotation_age: 1440
log_statement: ddl
log_connections: on
log_disconnections: on
datestyle: 'ISO, DMY'
autovacuum_vacuum_threshold: 500
autovacuum_analyze_threshold: 500
autovacuum_vacuum_scale_factor: 0.1
autovacuum_analyze_scale_factor: 0.05
shared_buffers: 50%
maintenance_work_mem: 5%
work_mem: 1%
wal_keep_size: 512
# You can configure ldap auth for postgres
# users needing ldap auth should be members of the ldap_roles role in postgres
ldap_auth:
# Is the auth enabled
enabled: false
# List of servers to try to connect to
servers:
- localhost
# Port
port: 389
# Should StartTLS be used to connect
starttls: true
# The base DN where postgres will start looking for users
base_dn: OU=People,DC=example,DC=org
# Search filter to find matching users
search_filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_DBA,OU=Roles,DC=example,DC=org)(sAMAccountName=$username))"
# Optional bind DN and password to do the search operation
# If undefined, the search will be done anonymously
#bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
bind_password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
# Resource allocation for the container
resources:
cpu: 1000
memory: 1024
# URL of the service as seen from the outside
# This is used to initialize connection from vault to handle database secrets
# public_url: postgres://postgres.example.org:5432
traefik:
proto: tcp
# List of entrypoint the service will listen to
entrypoints:
- postgres
prometheus:
enabled: '[[ .prometheus.available ]]'
metrics_url: http://localhost:9187
# Backup service uses pgbackrest to perform
# WAL archive, and regular full/incr/diff backups
backup:
# Additional env var.
# Note that pg.server.env will be inherited so PGBACKREST config only needs to be set there
env: {}
# pgbackrest based backups
pgbackrest:
enabled: false
# Schedules for backups. Empty string to disable
cron:
full: 15 02 * * sun
diff: 15 02 * * mon,tue,wed,thu,fri,sat
incr: ''
# pg_dump based backups
dumps:
enabled: false
format: custom
compression: 6
cron: 39 03 * * *
# Resource allocations
resources:
cpu: 300
memory: 50
memory_max: 256
# Postgres exporter for prometheus
# Only used if prometheus.enabled is true
exporter:
version: 0.15.0
# Image to use
image: '[[ .docker.repo ]]postgres-exporter:[[ .pg.exporter.version ]]-1'
# Additional env var
env: {}
# Resources
resources:
cpu: 50
memory: 32
# manage can create database, users and sync permissions from LDAP (using ldap2pg)
manage:
# Image to use
image: '[[ .docker.repo ]]ldap2pg:6.0-10'
# Resource allocation
resources:
cpu: 50
memory: 32
# Services to wait before running
wait_for:
- service: 'master.[[ .instance ]]'
# Additional env var
env:
WAIT_FOR_TARGETS: localhost:5432
# Connection to postgres through the service mesg
consul:
connect:
upstreams:
- destination_name: "[[ .instance ]]"
local_bind_port: 5432
# List of databases to create (so permissions can be applied)
# For each database, a role with the same name (and NOLOGIN) will be created and be owner of the database
# databases:
# - name: vaultwarden
# - name: odoo
# owner: erp
# encoding: UTF-8
# locale: fr_FR.utf8
# template: template1
# extensions:
# - uuid-ossp
databases: []
# Schedule to run ldap2pg regularily, to ensure permissions are up to date
# This is especially useful when syncing roles from LDAP
# An empty string disable running the job as a cron
cron: ""
# mode can be dry (no change will be made) or real
#
mode: dry
# Default config for ldap2pg (except for rules which are handled separately)
default_config:
version: 6
postgres:
managed_roles_query: |
VALUES
('public'),
('managed_roles')
UNION
SELECT DISTINCT role.rolname
FROM pg_roles AS role
JOIN pg_auth_members AS ms ON ms.member = role.oid
JOIN pg_roles AS parent
ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
ORDER BY 1;
privileges:
user:
- __connect__
- __usage_on_schema__
reader:
- user
- __select_on_tables__
- __select_on_sequences__
- __usage_on_sequences__
writer:
- reader
- __temporary__
- __insert_on_tables__
- __update_on_tables__
- __delete_on_tables__
- __update_on_sequences__
- __execute_on_functions__
- __trigger_on_tables__
owner:
- writer
- __create_on_schemas__
- __truncate_on_tables__
rewinder:
- __connect__
- __execute_on_functions__
# Custom config : will be merged on top of default_config
config: {}
# A set of default rules to apply
default_rules:
- roles:
- name: managed_roles
comment: Parent role for all ldap2pg managed roles
- name: ldap_roles
comment: "Parent role for LDAP synced roles"
options: NOLOGIN
parents:
- managed_roles
- name: backup
comment: "DB backup"
options: LOGIN REPLICATION
parents:
- pg_read_all_data
- managed_roles
- name: dba
comment: "Databases admins"
options: SUPERUSER NOLOGIN
parents:
- managed_roles
- name: rewind
comment: "Databases rewinder"
options: LOGIN
parents:
- managed_roles
- name: monitor
comment: "Databases monitor"
options: LOGIN
parents:
- managed_roles
- pg_monitor
- name: vault
comment: "Hashicorp Vault"
options: SUPERUSER LOGIN
parents:
- managed_roles
- grant:
role: vault
privileges: reader
databases: postgres
- grant:
role: monitor
privileges: user
- grant:
role: rewind
privileges: rewinder
databases: postgres
- grant:
role: dba
privileges: owner
# Additional custom rules to apply (will be appended to default_rules)
rules: []
# Settings for major upgrades
upgrade:
# Set to true to run the upgrade
enabled: false
# Docker image to use
image: '[[ .docker.repo ]]postgres-major-upgrade:latest'
# Custom env var to set in the container
env: {}
# Options to pass to pg_upgrade
options:
# Will only work if using XFS, ZFS or btrfs. Else, replace with link
- clone
# Major postgres versions, eg
# from: 15
# to: 16
from: ""
to: ""
# Resource allocation
resources:
cpu: '[[ .pg.server.resources.cpu ]]'
memory: '[[ .pg.server.resources.memory ]]'
# Volumes
volumes:
# The data volume is used to store postgres data
# It'll be opened as single-node-writer, and it's recommended to be a block based volume (eg, iSCSI)
# The volumes are connected using per_alloc, so the alloc ID will be appended. Eg postgres-data[0], postgres-data[1] etc.
data:
type: csi
source: '[[ .instance ]]-data'
per_alloc: true
# Backup volume (can be used for pgbackrest and dumps)
# Will be opened as multi-node-multi-writer. Can be NFS
backup:
type: csi
source: '[[ .instance ]]-backup'
access_mode: multi-node-multi-writer
Reference in New Issue View Git Blame Copy Permalink