|
1 | | -- name: Create pgbouncer user |
2 | | - user: |
3 | | - name: pgbouncer |
4 | | - shell: /bin/false |
5 | | - comment: PgBouncer user |
6 | | - groups: postgres,ssl-cert |
7 | | - when: nixpkg_mode |
| 1 | +# PgBouncer |
| 2 | +- name: PgBouncer - download & install dependencies |
| 3 | + ansible.builtin.apt: |
| 4 | + pkg: |
| 5 | + - build-essential |
| 6 | + - libevent-dev |
| 7 | + - libssl-dev |
| 8 | + - libsystemd-dev |
| 9 | + - pkg-config |
| 10 | + update_cache: true |
| 11 | + cache_valid_time: 3600 |
8 | 12 |
|
9 | | -- name: PgBouncer - create a directory if it does not exist |
10 | | - file: |
11 | | - path: /etc/pgbouncer |
12 | | - state: directory |
13 | | - owner: pgbouncer |
14 | | - group: pgbouncer |
15 | | - mode: '0700' |
16 | | - when: nixpkg_mode |
| 13 | +- name: PgBouncer - download latest release |
| 14 | + ansible.builtin.get_url: |
| 15 | + checksum: "{{ pgbouncer_release_checksum }}" |
| 16 | + dest: "/tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz" |
| 17 | + timeout: 60 |
| 18 | + url: "https://www.pgbouncer.org/downloads/files/{{ pgbouncer_release }}/pgbouncer-{{ pgbouncer_release }}.tar.gz" |
| 19 | + |
| 20 | +- name: PgBouncer - unpack archive |
| 21 | + ansible.builtin.unarchive: |
| 22 | + dest: '/tmp' |
| 23 | + remote_src: true |
| 24 | + src: "/tmp/pgbouncer-{{ pgbouncer_release }}.tar.gz" |
| 25 | + become: true |
| 26 | + |
| 27 | +- name: PgBouncer - configure |
| 28 | + ansible.builtin.command: |
| 29 | + cmd: './configure --prefix=/usr/local --with-systemd' |
| 30 | + args: |
| 31 | + chdir: "/tmp/pgbouncer-{{ pgbouncer_release }}" |
| 32 | + become: true |
17 | 33 |
|
18 | | -- name: PgBouncer - create a directory if it does not exist |
19 | | - file: |
20 | | - state: directory |
21 | | - owner: pgbouncer |
22 | | - group: pgbouncer |
23 | | - path: '{{ item }}' |
24 | | - mode: '0775' |
| 34 | +- name: PgBouncer - build and install |
| 35 | + community.general.make: |
| 36 | + chdir: "/tmp/pgbouncer-{{ pgbouncer_release }}" |
| 37 | + target: "{{ pgbouncer_make_item }}" |
| 38 | + become: true |
| 39 | + loop: |
| 40 | + - 'all' |
| 41 | + - 'install' |
| 42 | + loop_control: |
| 43 | + loop_var: 'pgbouncer_make_item' |
| 44 | + |
| 45 | +- name: Create pgbouncer user |
| 46 | + ansible.builtin.user: |
| 47 | + comment: 'PgBouncer user' |
| 48 | + groups: 'postgres,ssl-cert' |
| 49 | + name: 'pgbouncer' |
| 50 | + shell: '/usr/sbin/nolign' |
| 51 | + state: 'present' |
| 52 | + |
| 53 | +- name: Create PgBouncer directories if they do not exist |
| 54 | + ansible.builtin.file: |
| 55 | + group: 'pgbouncer' |
| 56 | + mode: "{{ pgbouncer_dir_item['mode'] }}" |
| 57 | + owner: 'pgbouncer' |
| 58 | + path: "{{ pgbouncer_dir_item['dir'] }}" |
| 59 | + state: 'directory' |
| 60 | + loop_control: |
| 61 | + loop_var: 'pgbouncer_dir_item' |
25 | 62 | with_items: |
26 | | - - '/etc/pgbouncer-custom' |
27 | | - when: nixpkg_mode |
| 63 | + - { mode: '0700', dir: '/etc/pgbouncer' } |
| 64 | + - { mode: '0775', dir: '/etc/pgbouncer-custom' } |
28 | 65 |
|
29 | | -- name: create placeholder config files |
30 | | - file: |
31 | | - path: '/etc/pgbouncer-custom/{{ item }}' |
32 | | - state: touch |
33 | | - owner: pgbouncer |
34 | | - group: pgbouncer |
35 | | - mode: 0664 |
| 66 | +- name: create PgBouncer placeholder config files |
| 67 | + ansible.builtin.file: |
| 68 | + group: 'pgbouncer' |
| 69 | + mode: '0664' |
| 70 | + owner: 'pgbouncer' |
| 71 | + path: "/etc/pgbouncer-custom/{{ pgbouncer_config_item }}" |
| 72 | + state: 'touch' |
| 73 | + loop_control: |
| 74 | + loop_var: 'pgbouncer_config_item' |
36 | 75 | with_items: |
37 | | - - 'generated-optimizations.ini' |
38 | 76 | - 'custom-overrides.ini' |
| 77 | + - 'generated-optimizations.ini' |
39 | 78 | - 'ssl-config.ini' |
40 | 79 | when: nixpkg_mode |
41 | 80 |
|
42 | 81 | - name: PgBouncer - adjust pgbouncer.ini |
43 | | - copy: |
44 | | - src: files/pgbouncer_config/pgbouncer.ini.j2 |
45 | | - dest: /etc/pgbouncer/pgbouncer.ini |
46 | | - owner: pgbouncer |
| 82 | + ansible.builtin.copy: |
| 83 | + dest: '/etc/pgbouncer/pgbouncer.ini' |
47 | 84 | mode: '0700' |
48 | | - when: nixpkg_mode |
| 85 | + owner: 'pgbouncer' |
| 86 | + src: 'files/pgbouncer_config/pgbouncer.ini.j2' |
49 | 87 |
|
50 | | -- name: PgBouncer - create a directory if it does not exist |
51 | | - file: |
52 | | - path: /etc/pgbouncer/userlist.txt |
53 | | - state: touch |
54 | | - owner: pgbouncer |
| 88 | +- name: PgBouncer - create a userlist file if it does not exist |
| 89 | + ansible.builtin.file: |
55 | 90 | mode: '0700' |
56 | | - when: nixpkg_mode |
57 | | - |
| 91 | + owner: 'pgbouncer' |
| 92 | + path: '/etc/pgbouncer/userlist.txt' |
| 93 | + state: 'touch' |
| 94 | + |
58 | 95 | - name: import /etc/tmpfiles.d/pgbouncer.conf |
59 | | - template: |
60 | | - src: files/pgbouncer_config/tmpfiles.d-pgbouncer.conf.j2 |
61 | | - dest: /etc/tmpfiles.d/pgbouncer.conf |
62 | | - become: yes |
63 | | - when: nixpkg_mode |
| 96 | + ansible.builtin.template: |
| 97 | + dest: '/etc/tmpfiles.d/pgbouncer.conf' |
| 98 | + src: 'files/pgbouncer_config/tmpfiles.d-pgbouncer.conf.j2' |
| 99 | + become: true |
64 | 100 |
|
65 | 101 | - name: PgBouncer - By default allow ssl connections. |
66 | | - become: yes |
67 | | - copy: |
68 | | - dest: /etc/pgbouncer-custom/ssl-config.ini |
69 | | - content: | |
70 | | - client_tls_sslmode = allow |
71 | | - when: nixpkg_mode |
| 102 | + ansible.builtin.lineinfile: |
| 103 | + line: 'client_tls_sslmode = allow' |
| 104 | + path: '/etc/pgbouncer-custom/ssl-config.ini' |
| 105 | + become: true |
72 | 106 |
|
73 | 107 | - name: Grant pg_hba and pgbouncer grp perm for adminapi updates |
74 | | - shell: | |
75 | | - chmod g+w /etc/postgresql/pg_hba.conf |
76 | | - chmod g+w /etc/pgbouncer-custom/ssl-config.ini |
77 | | - when: nixpkg_mode |
| 108 | + ansible.builtin.file: |
| 109 | + mode: '0664' |
| 110 | + path: "{{ pgbouncer_group_item }}" |
| 111 | + loop: |
| 112 | + - /etc/pgbouncer-custom/ssl-config.ini |
| 113 | + - /etc/postgresql/pg_hba.conf |
| 114 | + loop_control: |
| 115 | + loop_var: 'pgbouncer_group_item' |
78 | 116 |
|
79 | 117 | # Add fail2ban filter |
80 | 118 | - name: import jail.d/pgbouncer.conf |
81 | | - template: |
82 | | - src: files/fail2ban_config/jail-pgbouncer.conf.j2 |
83 | | - dest: /etc/fail2ban/jail.d/pgbouncer.conf |
84 | | - become: yes |
85 | | - when: nixpkg_mode |
| 119 | + ansible.builtin.template: |
| 120 | + dest: '/etc/fail2ban/jail.d/pgbouncer.conf' |
| 121 | + src: 'files/fail2ban_config/jail-pgbouncer.conf.j2' |
| 122 | + become: true |
86 | 123 |
|
87 | 124 | - name: import filter.d/pgbouncer.conf |
88 | | - template: |
89 | | - src: files/fail2ban_config/filter-pgbouncer.conf.j2 |
90 | | - dest: /etc/fail2ban/filter.d/pgbouncer.conf |
91 | | - become: yes |
92 | | - when: nixpkg_mode |
| 125 | + ansible.builtin.template: |
| 126 | + dest: '/etc/fail2ban/filter.d/pgbouncer.conf' |
| 127 | + src: 'files/fail2ban_config/filter-pgbouncer.conf.j2' |
| 128 | + become: true |
93 | 129 |
|
94 | 130 | # Add systemd file for PgBouncer |
95 | | -- name: PgBouncer - import postgresql.service |
96 | | - template: |
97 | | - src: files/pgbouncer_config/pgbouncer.service.j2 |
98 | | - dest: /etc/systemd/system/pgbouncer.service |
99 | | - become: yes |
100 | | - when: nixpkg_mode |
101 | | - |
102 | | -- name: install pgbouncer from supabase nix binary cache |
103 | | - become: yes |
104 | | - shell: | |
105 | | - sudo -u pgbouncer bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile add github:supabase/postgres/{{ git_commit_sha }}#pgbouncer" |
106 | | - when: stage2_nix |
| 131 | +- name: PgBouncer - import pgbouncer.service |
| 132 | + ansible.builtin.template: |
| 133 | + dest: '/etc/systemd/system/pgbouncer.service' |
| 134 | + src: 'files/pgbouncer_config/pgbouncer.service.j2' |
| 135 | + become: true |
107 | 136 |
|
108 | 137 | - name: PgBouncer - reload systemd |
109 | | - systemd: |
110 | | - daemon_reload: yes |
111 | | - when: stage2_nix |
| 138 | + ansible.builtin.systemd_service: |
| 139 | + daemon_reload: true |
0 commit comments