diff --git a/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml b/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
index a0b807b..c889889 100644
--- a/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml
@@ -35,7 +35,6 @@ gitea:
 GITEA__mailer__PASSWD: '{{ gitea_vault.GITEA__mailer__PASSWD }}'
 GITEA__server__SSH_PORT: 2222
 GITEA__server__SSH_DOMAIN: "{{ hostvars[groups.gitea[0]]['preferred_ip'] }}"
- # GITEA__server__SSH_DOMAIN: "{{ lookup('dig', groups.gitea[0]) }}" # might work again if deactivate rpi wifi
 GITEA__server__SSH_LISTEN_PORT: 22
 GITEA_server__DOMAIN: localhost
 GITEA_server__HTTP_PORT: 3000
diff --git a/ansible/arcodange/factory/playbooks/backup/gitea.yml b/ansible/arcodange/factory/playbooks/backup/gitea.yml
index df92eca..75db5a8 100644
--- a/ansible/arcodange/factory/playbooks/backup/gitea.yml
+++ b/ansible/arcodange/factory/playbooks/backup/gitea.yml
@@ -9,7 +9,7 @@
 gitea_user: "git"
 backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
 scripts_dir: "/home/pi/arcodange/docker_composes/gitea/scripts"
- keep_days: 15
+ keep_days: 3
 tasks:
 - name: S'assurer que le répertoire de backup existe
diff --git a/ansible/arcodange/factory/playbooks/backup/k3s_pvc.yml b/ansible/arcodange/factory/playbooks/backup/k3s_pvc.yml
index 1954765..c347956 100644
--- a/ansible/arcodange/factory/playbooks/backup/k3s_pvc.yml
+++ b/ansible/arcodange/factory/playbooks/backup/k3s_pvc.yml
@@ -7,7 +7,7 @@
 vars:
 backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
 scripts_dir: "/opt/k3s_volumes"
- keep_days: 15
+ keep_days: 3
 tasks:
 - name: S'assurer que le répertoire de backup existe
diff --git a/ansible/arcodange/factory/playbooks/backup/postgres.yml b/ansible/arcodange/factory/playbooks/backup/postgres.yml
index d31daa1..223a010 100644
--- a/ansible/arcodange/factory/playbooks/backup/postgres.yml
+++ b/ansible/arcodange/factory/playbooks/backup/postgres.yml
@@ -9,7 +9,7 @@
 postgres_user: "{{ postgres.dockercompose.services.postgres.environment.POSTGRES_USER }}"
 backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
 scripts_dir: "/home/pi/arcodange/docker_composes/postgres/scripts"
- keep_days: 15
+ keep_days: 3
 tasks:
 - name: S'assurer que le répertoire de backup existe
diff --git a/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml b/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
index 3657318..a0544b4 100644
--- a/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
+++ b/ansible/arcodange/factory/playbooks/setup/backup_nfs.yml
@@ -60,7 +60,7 @@
 name: "{{ recurring_job }}"
 groups: []
 task: backup
- cron: "0 5 1,10,20 * *"
+ cron: "0 5 */2 * *"
 retain: 2
 concurrency: 1
diff --git a/ansible/arcodange/factory/playbooks/setup/postgres.yml b/ansible/arcodange/factory/playbooks/setup/postgres.yml
index b236156..a066c63 100644
--- a/ansible/arcodange/factory/playbooks/setup/postgres.yml
+++ b/ansible/arcodange/factory/playbooks/setup/postgres.yml
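Review bot: With `retain: 2` on the new `0 5 */2 * *` schedule, plus the `keep_days: 3` reductions in the three backup playbooks, the oldest recoverable copy appears to be only about four days old, which is a short window for noticing a compromise or silent data corruption before every clean copy has rotated out. `*/2` in the day-of-month field also expands to 1,3,…,31 rather than a fixed 48h cadence, so a 31-day month is followed by a run on the 1st and the spacing drifts; if that is acceptable, say so with a comment such as `# odd days of the month, not exactly every 48h`. The meaning of `retain` is not visible in this hunk; if it is a count of kept runs, consider keeping one longer-lived tier, e.g. `retain: 7`, or documenting why a few days of history is enough for this data.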
@@ -55,3 +55,123 @@ loop_var: database__pg_instruction loop: "{{ ['postgres', 'gitea'] | product(pg_instructions) }}" + +# --- + +- name: Change table owner (CronJob with dynamic roles and auto DB naming) + hosts: localhost + connection: local + gather_facts: false + + collections: + - kubernetes.core + + vars: + + namespace: kube-system + cronjob_name: pg-fix-table-ownership + + pg_conf: >- + {{ hostvars[groups.postgres[0]].postgres.dockercompose.services.postgres.environment }} + postgres_admin_credentials: + username: '{{ pg_conf.POSTGRES_USER }}' + password: '{{ pg_conf.POSTGRES_PASSWORD }}' + pg_host: "{{ hostvars[groups.postgres[0]]['preferred_ip'] }}" + + tasks: + + - name: Create Kubernetes Secret for PostgreSQL admin credentials + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: postgres-admin-credentials + namespace: "{{ namespace }}" + type: Opaque + data: + username: "{{ postgres_admin_credentials.username | b64encode }}" + password: "{{ postgres_admin_credentials.password | b64encode }}" + + - name: Create cronjob to change table owners (dynamic roles, auto DB) + kubernetes.core.k8s: + state: present + definition: + apiVersion: batch/v1 + kind: CronJob + metadata: + name: "{{ cronjob_name }}" + namespace: "{{ namespace }}" + spec: + schedule: "0 3 * * *" # Exécution quotidienne à 3h du matin + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + containers: + - name: psql + image: postgres:16.3 + envFrom: + - secretRef: + name: postgres-admin-credentials + env: + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: postgres-admin-credentials + key: password + command: + - /bin/sh + - -c + args: + - | + set -eu + + # Récupérer dynamiquement les rôles PostgreSQL + echo "Fetching roles from PostgreSQL..." 
+ ROLES=$(psql \ + -h {{ pg_host }} \ + -U $username \ + -d postgres \ + -t -A \ + -c "SELECT rolname FROM pg_roles WHERE rolname LIKE '%_role';") + + echo "Roles found: $ROLES" + + # Pour chaque rôle, changer le propriétaire des tables dans sa base associée + for role in $ROLES; do + # Déduire le nom de la base en retirant "_role" + DB_NAME="${role%_role}" + echo "Database for $role: $DB_NAME" + + # Vérifier si la base existe + if psql -h {{ pg_host }} -U $username -d postgres -t -A -c "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1; then + echo "Changing owner to $role for all tables in $DB_NAME..." + psql \ + -h {{ pg_host }} \ + -U $username \ + -d "$DB_NAME" \ + -c " + DO \$\$ + DECLARE + r RECORD; + BEGIN + FOR r IN + SELECT tablename + FROM pg_tables + WHERE schemaname = 'public' + LOOP + EXECUTE format('ALTER TABLE public.%I OWNER TO %I', r.tablename, '$role'); + END LOOP; + END \$\$; + " + echo "Owner changed for $role in $DB_NAME" + else + echo "Database $DB_NAME does not exist, skipping..." + fi + done diff --git a/ansible/arcodange/factory/playbooks/system/k3s_config.yml b/ansible/arcodange/factory/playbooks/system/k3s_config.yml index 3c3aec2..ddcc98a 100644 --- a/ansible/arcodange/factory/playbooks/system/k3s_config.yml +++ b/ansible/arcodange/factory/playbooks/system/k3s_config.yml @@ -121,7 +121,6 @@ loadBalancer: servers: - url: "http://{{ hostvars[groups.gitea[0]]['preferred_ip'] }}:3000" - # - url: "http://{{ lookup('dig', groups.gitea[0]) }}:3000" # might work again if deactivate rpi wifi routers: dashboard: # rule: Host(`traefik.arcodange.duckdns.org`)
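Review bot: The new script splices shell values straight into SQL text — `'$DB_NAME'` in the `pg_database` check and `'$role'` inside the `DO` block — and the role query `LIKE '%_role'` treats `_` as a single-character wildcard, so any role whose name merely ends in `role` is selected and its `DB_NAME` is then not stripped of a suffix it never had. Role names come from `pg_roles`, so the splice is only abusable by someone who can already create roles, but the fix is cheap: pass the names as psql variables and expand them with `:'var'`, feeding the SQL on stdin because `-c` sends its string to the server without psql interpolation, and use `\gexec` instead of the `DO` block since psql does not interpolate inside dollar-quoted strings — sketched below together with `LIKE '%\_role'` for a literal underscore and `-v ON_ERROR_STOP=1` so a failing statement still fails the job. Separately, the Secret holding the PostgreSQL admin password is created in `kube-system`, where cluster add-ons commonly hold broad secret-read rights; a dedicated namespace (`namespace: postgres-maintenance`, or the namespace of the consumer) with RBAC scoped to this CronJob's ServiceAccount would be tighter. The container also receives the password twice, as `password` via `envFrom` and as `PGPASSWORD`; dropping `envFrom` and exporting the user as `PGUSER` (`valueFrom.secretKeyRef.key: username`) instead removes the duplicate exposure and lets the `-U` flags go. `for role in $ROLES` word-splits, so a role name containing whitespace would be mishandled — presumably none exist, but worth confirming.
```yaml
                  - |
                    set -eu

                    # … unchanged: "Fetching roles" echo …
                    # '\_' matches a literal underscore; '%_role' would also match any role merely ending in "role"
                    ROLES=$(psql -h {{ pg_host }} -U "$username" -d postgres -t -A -v ON_ERROR_STOP=1 \
                      -c "SELECT rolname FROM pg_roles WHERE rolname LIKE '%\_role';")

                    # … unchanged: echo, for-loop header, DB_NAME derivation …
                      # Names are passed as psql variables and expanded with :'var', so they are
                      # quoted server-side instead of being spliced into the SQL text. The SQL is
                      # fed on stdin because -c sends its string verbatim, without interpolation.
                      if psql -h {{ pg_host }} -U "$username" -d postgres -t -A -v ON_ERROR_STOP=1 -v db="$DB_NAME" <<'EOF' | grep -q 1; then
                    SELECT 1 FROM pg_database WHERE datname = :'db';
                    EOF
                        echo "Changing owner to $role for all tables in $DB_NAME..."
                        # \gexec runs each generated ALTER as its own statement; no DO block is needed,
                        # which also keeps :'role' outside any quoted region so psql expands it.
                        psql -h {{ pg_host }} -U "$username" -d "$DB_NAME" -v ON_ERROR_STOP=1 -v role="$role" <<'EOF'
                    SELECT format('ALTER TABLE public.%I OWNER TO %I', tablename, :'role')
                      FROM pg_tables
                     WHERE schemaname = 'public' \gexec
                    EOF
                    # … unchanged: success echo, else/skip branch, done …
```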