setup pgbouncer role and pg function

2024-09-02 11:29:15 +02:00
parent aa127b53ec
commit 1332def067
3 changed files with 40 additions and 4 deletions
--- a/ansible/arcodange/factory/inventory/group_vars/hard_disk/postgres.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/hard_disk/postgres.yml
@@ -23,6 +23,10 @@ postgres:
        networks:
          - gitea
        ports:
-          - "5432"
+          - "5432:5432"
        volumes:
-          - /arcodange/{{postgres_partition}}/postgres/data:/var/lib/postgresql/data
+          - /arcodange/{{postgres_partition}}/postgres/data:/var/lib/postgresql/data
+
+pgbouncer:
+  auth_user: &pgbouncer_auth pgbouncer_auth
+  auth_user_password: *pgbouncer_auth
--- a/ansible/arcodange/factory/playbooks/setup/postgres.yml
+++ b/ansible/arcodange/factory/playbooks/setup/postgres.yml
@@ -31,4 +31,36 @@
        app_name: postgres
        partition: "{{ applications.postgres.partition }}"
        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
-        # applications_databases: "{{ applications_databases }}" # kept for documentation purposes
+        # applications_databases: "{{ applications_databases }}" # kept for documentation purposes
+    
+    - name: Create auth_user for pgbouncer (connection pool component)
+      ansible.builtin.shell: |
+        docker exec -it {{ postgres_container_name }} psql -U postgres -d {{ database }} -tc "{{ pg_instruction.replace('$','\$') }}"
+      vars:
+        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
+        pg_instructions:
+          - >-
+            DO $$
+            BEGIN
+            CREATE ROLE {{ pgbouncer.auth_user }}
+            WITH LOGIN PASSWORD '{{ pgbouncer.auth_user_password }}';
+            EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
+            END
+            $$;
+          - >-
+            CREATE OR REPLACE FUNCTION user_lookup(in i_username text, out uname text, out phash text)
+            RETURNS record AS $$
+            BEGIN
+                SELECT usename, passwd FROM pg_catalog.pg_shadow
+                WHERE usename = i_username INTO uname, phash;
+                RETURN;
+            END;
+            $$ LANGUAGE plpgsql SECURITY DEFINER;
+            REVOKE ALL ON FUNCTION user_lookup FROM public;
+            GRANT EXECUTE ON FUNCTION user_lookup TO {{ pgbouncer.auth_user }};
+        database: "{{ database__pg_instruction[0] }}"
+        pg_instruction: "{{ database__pg_instruction[1] }}"
+      loop_control:
+        loop_var: database__pg_instruction
+      loop:
+        "{{ applications_databases.values() | map(attribute='db_name') | product(pg_instructions) }}"
--- a/ansible/arcodange/factory/playbooks/setup/roles/deploy_postgresql/defaults/main.yml
+++ b/ansible/arcodange/factory/playbooks/setup/roles/deploy_postgresql/defaults/main.yml
@@ -1,4 +1,4 @@
 partition: pg_data
 app_name: postgres
 postgres_container_name: postgres
-applications_databases: {}
+applications_databases: {} #{app_name: {db_name; db_user; db_password}}