postgres/templates/patroni.yml.tpl


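# Patroni member configuration, rendered in two passes: `[[ ]]` directives are
# expanded first by the job-level templating (gomplate-style helpers such as
# `has`, `join`, `regexp.*`, `conv.*`), then Nomad's consul-template expands
# `{{ }}` (env, sockaddr, secret) when the allocation starts.
# `[[-` / `-]]` trim the surrounding whitespace, so directive-only lines may be
# indented freely; lines that emit YAML must carry their real indentation.
---
# One Patroni member per allocation, all members sharing the instance's scope.
name: [[ .instance ]]-{{ env "NOMAD_ALLOC_INDEX" }}
scope: [[ .instance ]]

consul:
  # Plain HTTP to the agent on the `nomad` interface; the ACL token below is
  # sent unencrypted, so this must remain a host-local hop.
  url: http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500
  # Per-instance Consul ACL token issued through Vault. Quoted so a token that
  # starts with a YAML indicator cannot break the document.
  token: '{{ with secret "[[ .consul.kv.root ]]consul/creds/[[ .instance ]]" }}{{ .Data.token }}{{ end }}'

bootstrap:
  dcs:
    [[- if and (gt .pg.server.count 1) (gt .pg.server.synchronous_node_count 0) ]]
    # Synchronous replication only makes sense with more than one server and
    # at least one synchronous standby requested.
    synchronous_mode: true
    synchronous_node_count: [[ .pg.server.synchronous_node_count ]]
    # synchronous_mode_strict: true
    [[- else ]]
    synchronous_mode: false
    [[- end ]]
  initdb:
    # initdb's long option is `--data-checksums`; the exact spelling avoids
    # relying on getopt prefix matching.
    - data-checksums
    - encoding: UTF-8
    # - locale-provider: icu
    # - icu-locale: [[ .locale.lang ]]
  post_bootstrap: /local/create_users.sh

postgresql:
  create_replica_methods:
    [[- if .pg.backup.pgbackrest.enabled ]]
    - pgbackrest
    [[- end ]]
    - basebackup
  [[- if .pg.backup.pgbackrest.enabled ]]
  # Build replicas from the pgBackRest repository before falling back to a
  # full basebackup; no_params keeps Patroni from appending connection
  # options to the command line.
  pgbackrest:
    command: pgbackrest --delta restore
    keep_data: true
    no_params: true
  [[- end ]]
  callbacks:
    on_role_change: /local/update_tags.sh
    on_start: /local/update_tags.sh
  connect_address: {{ env "NOMAD_HOST_ADDR_postgres" }}
  bin_dir: /usr/pgsql-15/bin
  data_dir: /data/db/15
  listen: 0.0.0.0:{{ env "NOMAD_ALLOC_PORT_postgres" }}
  use_pg_rewind: true
  # remove_data_directory_on_rewind_failure: true
  pg_hba:
    # Entries are matched top-down and the first match decides; a failed
    # authentication never falls through to a later entry.
    - local all postgres peer
    - local replication postgres peer
    # NOTE(review): shadowed by `local all postgres peer` above (same
    # type/database/user), so this entry can never match — kept as found.
    - local all postgres scram-sha-256
    [[- if .pg.server.ldap_auth.enabled ]]
    # One physical line: a pg_hba entry cannot wrap. The bind credentials are
    # appended only when both are configured, and the separator before
    # ldapsearchfilter is emitted in either case. The bind password lands in
    # clear text in the rendered pg_hba.conf.
    - host all +ldap_roles 127.0.0.0/8 ldap ldapserver="[[ join .pg.server.ldap_auth.servers " " ]]" ldapport=[[ .pg.server.ldap_auth.port ]] [[ if .pg.server.ldap_auth.starttls ]]ldaptls=1 [[ end ]]ldapbasedn="[[ .pg.server.ldap_auth.base_dn ]]"[[ if and (has .pg.server.ldap_auth "bind_dn") (has .pg.server.ldap_auth "bind_password") ]] ldapbinddn="[[ .pg.server.ldap_auth.bind_dn ]]" ldapbindpasswd="[[ .pg.server.ldap_auth.bind_password ]]"[[ end ]] ldapsearchfilter="[[ .pg.server.ldap_auth.search_filter ]]"
    [[- end ]]
    - host all all 127.0.0.0/8 scram-sha-256
    - host replication backup 127.0.0.0/8 scram-sha-256
    # Remote access is client-certificate only. The mapped entries accept the
    # cluster's service certificate for the replication/rewind roles; the
    # unmapped entry requires the certificate CN to equal the database user.
    - hostssl replication replicator 0.0.0.0/0 cert clientcert=verify-full map=patroni-map
    - hostssl postgres rewind 0.0.0.0/0 cert clientcert=verify-full map=patroni-map
    - hostssl all all 0.0.0.0/0 cert clientcert=verify-full
  pg_ident:
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] postgres
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] replicator
    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] rewind
  parameters:
    # Quoted so the YAML loader keeps the literal `on` instead of turning it
    # into a boolean (bare on/off are YAML 1.1 booleans).
    ssl: 'on'
    # Server certificate and key share one bundle. PostgreSQL refuses a key
    # file readable by group/others — TODO confirm the task's template stanza
    # writes the bundle with mode 0600.
    ssl_cert_file: /secrets/postgres.bundle.pem
    ssl_key_file: /secrets/postgres.bundle.pem
    ssl_ca_file: /local/postgres.ca.pem
    # No CRL is configured: a revoked client certificate stays accepted until
    # the CA itself is rotated.
    # ssl_crl_file: /local/postgres.crl.pem
    [[- if not (has .pg.server.parameters "unix_socket_directories") ]]
    # Add a socket in /alloc/data/postgres
    # so other tasks in the same group can reach it
    unix_socket_directories: /run/postgresql, /alloc/data/postgres
    [[- end ]]
    # User-supplied parameters. For the memory-sizing parameters listed
    # below, a value such as "25%" is converted into an absolute size from
    # the task's memory (assumed to be in MB, hence the MB suffix — TODO
    # confirm against the resources block).
    [[- range $k, $v := .pg.server.parameters ]]
    [[- if and (regexp.Match "^(shared_buffers|effective_cache_size|maintenance_work_mem|wal_buffers|work_mem)$" $k) (regexp.Match "^\\d+%$" $v) ]]
    [[- $v = regexp.Find "\\d+" $v ]]
    [[- $v = printf "%dMB" (conv.ToInt64 (div (mul (conv.ToInt64 $v) (conv.ToInt64 $.pg.server.resources.memory)) 100)) ]]
    [[- end ]]
    [[ $k ]]: [[ $v ]]
    [[- end ]]
    [[- if .pg.backup.pgbackrest.enabled ]]
    # WAL archiving defaults for pgBackRest, unless explicitly overridden.
    [[- if not (has .pg.server.parameters "archive_command") ]]
    archive_command: pgbackrest archive-push "%p"
    [[- end ]]
    [[- if not (has .pg.server.parameters "archive_mode") ]]
    archive_mode: true
    [[- end ]]
    [[- end ]]
  # Renders as an empty (null) mapping when nothing is configured and
  # pgBackRest is disabled — presumably tolerated by Patroni; TODO confirm.
  recovery_conf:
    [[- range $k, $v := .pg.server.recovery_conf ]]
    [[ $k ]]: [[ $v ]]
    [[- end ]]
    [[- if .pg.backup.pgbackrest.enabled ]]
    [[- if not (has .pg.server.recovery_conf "restore_command") ]]
    restore_command: pgbackrest archive-get %f "%p"
    [[- end ]]
    [[- end ]]
  authentication:
    # Credentials Patroni itself uses. sslmode verify-ca checks the chain
    # only; presumably chosen because connect_address is an IP while the
    # certificate names the Consul service — verify against the CA setup.
    superuser:
      username: postgres
      # Single-quoted: only a password containing `'` would break the
      # document; the rendered file sits under /secrets.
      password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}'
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem
    replication:
      username: replicator
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem
      sslcert: /secrets/postgres.bundle.pem
      sslkey: /secrets/postgres.bundle.pem
    rewind:
      username: rewind
      sslmode: verify-ca
      sslrootcert: /local/postgres.ca.pem
      sslcert: /secrets/postgres.bundle.pem
      sslkey: /secrets/postgres.bundle.pem

restapi:
  connect_address: {{ env "NOMAD_HOST_ADDR_patroni" }}
  listen: 0.0.0.0:{{ env "NOMAD_ALLOC_PORT_patroni" }}
  keyfile: /secrets/postgres.bundle.pem
  certfile: /secrets/postgres.bundle.pem
  cafile: /local/postgres.ca.pem
  # A presented client certificate is verified against cafile; Patroni is
  # understood to require one for its state-changing endpoints under
  # `optional` — confirm against the deployed Patroni version.
  verify_client: optional
  authentication:
    username: patroni
    password: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.api_pwd }}{{ end }}'

ctl:
  insecure: false
  keyfile: /secrets/postgres.bundle.pem
  certfile: /secrets/postgres.bundle.pem
  cafile: /local/postgres.ca.pem

watchdog:
  # Quoted so the loader keeps the string `off` rather than the boolean false.
  mode: 'off'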