tweack backup and setup cronjob to fix pg table ownership

ansible/arcodange/factory/inventory/group_vars/gitea/gitea.yml

@@ -35,7 +35,6 @@ gitea:
           GITEA__mailer__PASSWD: '{{ gitea_vault.GITEA__mailer__PASSWD }}'
           GITEA__server__SSH_PORT: 2222
           GITEA__server__SSH_DOMAIN: "{{ hostvars[groups.gitea[0]]['preferred_ip'] }}"
-          # GITEA__server__SSH_DOMAIN: "{{ lookup('dig', groups.gitea[0]) }}" # might work again if deactivate rpi wifi
           GITEA__server__SSH_LISTEN_PORT: 22
           GITEA_server__DOMAIN: localhost
           GITEA_server__HTTP_PORT: 3000

ansible/arcodange/factory/playbooks/backup/gitea.yml

@@ -9,7 +9,7 @@
     gitea_user: "git"
     backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
     scripts_dir: "/home/pi/arcodange/docker_composes/gitea/scripts"
-    keep_days: 15
+    keep_days: 3
 
   tasks:
     - name: S'assurer que le répertoire de backup existe

ansible/arcodange/factory/playbooks/backup/k3s_pvc.yml

@@ -7,7 +7,7 @@
   vars:
     backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
     scripts_dir: "/opt/k3s_volumes"
-    keep_days: 15
+    keep_days: 3
 
   tasks:
     - name: S'assurer que le répertoire de backup existe

ansible/arcodange/factory/playbooks/backup/postgres.yml

@@ -9,7 +9,7 @@
     postgres_user: "{{ postgres.dockercompose.services.postgres.environment.POSTGRES_USER }}"
     backup_dir: "{{ backup_root_dir }}/{{ backup_dirname }}"
     scripts_dir: "/home/pi/arcodange/docker_composes/postgres/scripts"
-    keep_days: 15
+    keep_days: 3
 
   tasks:
     - name: S'assurer que le répertoire de backup existe

ansible/arcodange/factory/playbooks/setup/backup_nfs.yml

@@ -60,7 +60,7 @@
             name: "{{ recurring_job }}"
             groups: []
             task: backup
-            cron: "0 5 1,10,20 * *"
+            cron: "0 5 */2 * *"
             retain: 2
             concurrency: 1
 

ansible/arcodange/factory/playbooks/setup/postgres.yml

@@ -55,3 +55,123 @@
         loop_var: database__pg_instruction
       loop:
         "{{ ['postgres', 'gitea'] | product(pg_instructions) }}"
+
+# ---
+
+- name: Change table owner (CronJob with dynamic roles and auto DB naming)
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  collections:
+    - kubernetes.core
+
+  vars:
+
+    namespace: kube-system
+    cronjob_name: pg-fix-table-ownership
+
+    pg_conf: >-
+        {{ hostvars[groups.postgres[0]].postgres.dockercompose.services.postgres.environment }}
+    postgres_admin_credentials:
+      username: '{{ pg_conf.POSTGRES_USER }}'
+      password: '{{ pg_conf.POSTGRES_PASSWORD }}'
+    pg_host: "{{ hostvars[groups.postgres[0]]['preferred_ip'] }}"
+
+  tasks:
+
+    - name: Create Kubernetes Secret for PostgreSQL admin credentials
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: postgres-admin-credentials
+            namespace: "{{ namespace }}"
+          type: Opaque
+          data:
+            username: "{{ postgres_admin_credentials.username | b64encode }}"
+            password: "{{ postgres_admin_credentials.password | b64encode }}"
+
+    - name: Create cronjob to change table owners (dynamic roles, auto DB)
+      kubernetes.core.k8s:
+        state: present
+        definition:
+          apiVersion: batch/v1
+          kind: CronJob
+          metadata:
+            name: "{{ cronjob_name }}"
+            namespace: "{{ namespace }}"
+          spec:
+            schedule: "0 3 * * *"  # Exécution quotidienne à 3h du matin
+            successfulJobsHistoryLimit: 1
+            failedJobsHistoryLimit: 3
+            jobTemplate:
+              spec:
+                backoffLimit: 0
+                template:
+                  spec:
+                    restartPolicy: Never
+                    containers:
+                      - name: psql
+                        image: postgres:16.3
+                        envFrom:
+                          - secretRef:
+                              name: postgres-admin-credentials
+                        env:
+                          - name: PGPASSWORD
+                            valueFrom:
+                              secretKeyRef:
+                                name: postgres-admin-credentials
+                                key: password
+                        command:
+                          - /bin/sh
+                          - -c
+                        args:
+                          - |
+                            set -eu
+
+                            # Récupérer dynamiquement les rôles PostgreSQL
+                            echo "Fetching roles from PostgreSQL..."
+                            ROLES=$(psql \
+                              -h {{ pg_host }} \
+                              -U $username \
+                              -d postgres \
+                              -t -A \
+                              -c "SELECT rolname FROM pg_roles WHERE rolname LIKE '%_role';")
+
+                            echo "Roles found: $ROLES"
+
+                            # Pour chaque rôle, changer le propriétaire des tables dans sa base associée
+                            for role in $ROLES; do
+                              # Déduire le nom de la base en retirant "_role"
+                              DB_NAME="${role%_role}"
+                              echo "Database for $role: $DB_NAME"
+
+                              # Vérifier si la base existe
+                              if psql -h {{ pg_host }} -U $username -d postgres -t -A -c "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME';" | grep -q 1; then
+                                echo "Changing owner to $role for all tables in $DB_NAME..."
+                                psql \
+                                  -h {{ pg_host }} \
+                                  -U $username \
+                                  -d "$DB_NAME" \
+                                  -c "
+                                    DO \$\$
+                                    DECLARE
+                                        r RECORD;
+                                    BEGIN
+                                        FOR r IN
+                                            SELECT tablename
+                                            FROM pg_tables
+                                            WHERE schemaname = 'public'
+                                        LOOP
+                                            EXECUTE format('ALTER TABLE public.%I OWNER TO %I', r.tablename, '$role');
+                                        END LOOP;
+                                    END \$\$;
+                                  "
+                                echo "Owner changed for $role in $DB_NAME"
+                              else
+                                echo "Database $DB_NAME does not exist, skipping..."
+                              fi
+                            done

ansible/arcodange/factory/playbooks/system/k3s_config.yml

@@ -121,7 +121,6 @@
                     loadBalancer:
                       servers:
                         - url: "http://{{ hostvars[groups.gitea[0]]['preferred_ip'] }}:3000"
-                        # - url: "http://{{ lookup('dig', groups.gitea[0]) }}:3000" # might work again if deactivate rpi wifi
                 routers:
                   dashboard:
                     # rule: Host(`traefik.arcodange.duckdns.org`)