feat: finish up new postgres setup

2026-01-13 13:01:03 +00:00 · 2023-10-15 13:52:57 +02:00 · 2023-10-15 13:52:57 +02:00 · 33733de02c
commit 33733de02c
parent eb72e031d4
4 changed files with 217 additions and 48 deletions
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -1,6 +1,28 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

+provider "registry.terraform.io/cyrilgdn/postgresql" {
+  version     = "1.21.0"
+  constraints = ">= 1.21.0"
+  hashes = [
+    "h1:v7X6z6j8Uo07+QJPuO3EVM8N1uy6t2k+1GiRGioOPGc=",
+    "zh:17e3d204dabc116276c763bb0cd159aa315789d3b0bcd3b8aede935509960ab6",
+    "zh:1a7e5ac1921afdb3b12a49714c5f446a7604bfa1eb7bd9c123d607f8cbda45e4",
+    "zh:24a880623e30928ee866c84016b1db4e0458764c7a547b808e2d398e90456d42",
+    "zh:255c6162d35ace6a313a50c4ceb5452bd5582d7bb097a44e75ac4901e635ca13",
+    "zh:281ab48b69d0852b5138fe5ea2301ff7fdff30748f1f7878ac837c71622d3f7b",
+    "zh:3d4e0ae2809e743272e5d2640b64354c48140e225c2ba6f1a211700ea70e0754",
+    "zh:4f4df290e3ff626d8b274c624852d21d194a397a7f580ebe0cbf0ff64dd8fa31",
+    "zh:5997ce8f7cbcd7ff5a443d037b83857b17b64be928e9d9338dd494466733df60",
+    "zh:a05f0b65b0abf4488cdaf7b239206940940be77fd51f458f2a0986c6a17436aa",
+    "zh:aeb6c6da639abb6126f38be90a7bc428f925461bf599388ff092e059e0bb1a94",
+    "zh:d30bb053b6000c32cc8d03da231c30eaecddd926200adf2e9ad9c0186c2ad1ad",
+    "zh:d978827683b324c75141fa80ebc28dcaf181acd0be0a47b1e5f9579a72a08151",
+    "zh:f51fae9206361cbe865e30b06d106270d6acf7ece0550953b0d6b55afe6be9ba",
+    "zh:fa49a2702c529865c20f57185d6dd41072fdd9a13ac1a49e30eb88605c31af7a",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/http" {
  version     = "3.4.0"
  constraints = ">= 3.3.0"
@ -77,24 +99,24 @@ provider "registry.terraform.io/hashicorp/tls" {
 }

 provider "registry.terraform.io/hetznercloud/hcloud" {
-  version     = "1.39.0"
-  constraints = ">= 1.36.2"
+  version     = "1.43.0"
+  constraints = ">= 1.36.2, >= 1.38.2"
  hashes = [
-    "h1:CSo1Bl3eKS0Fl3ORGr9M0VqNSJ0NYAQ/CxZEzc5HevU=",
-    "zh:0b1cef3a2bf213c8c0df0973c21d494ce5e554db3d8d33bd9b1727b50f4a245c",
-    "zh:41c4fed19cb42fd8b56c13a4114faa8fd0bdfd9b1343d2ae663e80da44ccfee7",
-    "zh:482c4291807579fc45f77a6ae8833f6fcda7074c4f2244b51bada9407cdf896d",
-    "zh:5001fac99e3afc76cea257821a980906bf9d40bc3b9a61684b7fd4ad4665479a",
-    "zh:519829f197aeaeda60dc638aa7b91d0c1e5b04665a0c5c7f6d472db2fe5872f2",
-    "zh:583289f8cf59278371ce92055331b0243fd82a7d14a6bfbddfe3d7eac02d0af0",
-    "zh:5ea84f53b801b19be790eb74310553ac5d683ce51d4c43ae3e874e2b8814b6d2",
-    "zh:951b5a71e1556e9e4bc184e3d58146aa5b751653f5574df92e64f9d2e2ea4865",
-    "zh:a80f4d28ce471e8e324c774f68c590909ca182c4840b2b2500ff490de30f6fd1",
-    "zh:e0dd8dde8b5bdb49c04f934523fa445d3603891f8f7e840fd31dca18ac765b74",
-    "zh:e1b83cf2dd0070589007355598b6688309a181f724761fa58ff644fa355e06a3",
-    "zh:e839f34ebf03dda4c38a33f129f22320cba05e180fbfc31c79c2bd1ea90962b8",
-    "zh:f76b925d11df719fbe439bd5f6a5cfb62f3b490ccc9a8361d6aa8540436aeda5",
-    "zh:faa204076bc2f82270b0b0563cc921fb66046ed6a7885fa26d619117ed1b9e01",
+    "h1:sz3EJDy3a27acP59b5s0qUzonXTPxrPWi/LzPh7m2Do=",
+    "zh:0286b6af01849a2661cd6d9d54ee23a0840191681121e2fffb8ec44c96c54aae",
+    "zh:03b1bc5e9c30b1a0d2d5233053e129c49b84bbc9a223820a6cd70207088c2991",
+    "zh:0a34a2b9841551b73427ea1c9f53df2754698825b31ebdeb4d0e7923a9e4c20a",
+    "zh:13a1b17a4e01275e0cfcc0fc5df72a25b2cc739f4b8b0d4eac7f8b0256f974cb",
+    "zh:29e2d646f6b9870176c5b7f5adda98409b87129c96b37d0ed77882f1b8b083fc",
+    "zh:5188e8ce66d0f183c9f341ca86c1b61b58518df93592d4923d871eaab7304824",
+    "zh:870516460cbc7216e3f0c76df6d7ac3e06c1fb6378b8938378da8376eb371224",
+    "zh:8c360eb7af5bc9151d2c31042b76433bc674c219955a2f698ee52b9b3446069d",
+    "zh:a7b7c6779c8a49e9487cc7d6c91251e11d9d4f261c53dfa3ffaf4c85ac5d3218",
+    "zh:b4ce6a41ae156f57d61ea55c7634f33cb11118bdb1b5a911d91ba7246ae5c8d2",
+    "zh:c2273075a6e40962aa695afdbb394b5e0914356cc9aa43b6171991f2218aa21e",
+    "zh:eb31c3fe3224d45365b6328a902928a67eb3e0db3b1e4820b4f3f6f601409b0d",
+    "zh:f7db8627ab00ca5ba2696eb05c7f84a6ef3ac425c402432d0acb2b6992813515",
+    "zh:ff4a8ae9dd668b0b6624b476b2ee0906e125e06a526110f1de7179f3fbdf311d",
  ]
 }

@ -115,24 +137,24 @@ provider "registry.terraform.io/timohirt/hetznerdns" {
 }

 provider "registry.terraform.io/vercel/vercel" {
-  version     = "0.13.0"
+  version     = "0.15.1"
  constraints = ">= 0.11.4"
  hashes = [
-    "h1:l9vuiR6lpYwWp2Xp7A9P9jzYkOcWXere6U0coeOoHZI=",
-    "zh:04b66adecd88f6bb35f3f05ac4221d8b5b6275de63572ecf30736fec79b5e159",
-    "zh:0ca88a52504eeb003bcf9e26f0db52f612117617d0dfeac40fad1f027d4fb835",
-    "zh:32b42efb1377f9754e7c81e638e38ba523fa2e2f81ad250ceb86743fb3bd0717",
-    "zh:69ad1d115bfb04e7cd710d0fed6322fdfe54ec3124555da3c5b64a35563285fa",
-    "zh:6e5fad3f937157c93e53014931872934ba00b798ffe815ee984a404fc4ac7181",
-    "zh:7728b3b7bda927a02f42d137458363c700d05837c27f582c947e32ca8bf52f76",
-    "zh:8072a43ef60715ca9018181a98cf15d00dd2ca9fc685334eaa8af7c72c6160d4",
-    "zh:96dfc99c3a8773bb1f53c9e69c0cfb9beefa6517dbfdb624ced1efe1b9791173",
-    "zh:a4abf50db68dfbc1ffec6f60701af72b79d9b2644015864c06910b45e054f194",
-    "zh:aa5a0dbdde01d181372b14ed2a2a4145d1407842ae4b100857bad76d093fac8f",
-    "zh:aea16fca85a18b5f042819a337c5f8a42152585842eb8dc68ae599922a7f6317",
-    "zh:d9dc30660212085e3592b529dff7128c024e9bd5fd029673b7706c505070235b",
-    "zh:e16b50b8d538c1177e5e399784420b3fccb836f4fd186606379b06b52a18b901",
+    "h1:d42ttLGR3WnrXGAkySaC4kZyC4uyYCuOkMind866VrQ=",
+    "zh:08c2c7efe98d789cb56d8553dc87fd05ac116a338c969a3d310725a3108ef948",
+    "zh:239d542da442a359d8e0a64aec0607abf4d62be04f99d48897dd218fdd381c04",
+    "zh:349537ff170064cd8eda8c9bba45ea62b9dc9832659f94b8b42151c4f76a9b2d",
+    "zh:4bbb592c8c5af8133afa03a9855a0c81fb85726cc486422924a6cf2a3224ca6e",
+    "zh:58125ae7f9f71427f302c7f6073123ad758e32b797a6dadcfef7d602b92a33f0",
+    "zh:608f9eb6f68ae250a262ca5b88c40e880ca11ddea0edd350df1020daeaa56a3b",
+    "zh:7276dfb564cc0e1f4919083bbfaab1971b91bba23c29286b66ddb4c87c91461e",
+    "zh:73a43ca95f41ff6964147ce7d78d38ae837de31a6c29c9d4bf7e30607cffdbd9",
+    "zh:76446f3c58e65775095ccae8eb3f466d2b221011afe4cf091da12f91142c0fe5",
+    "zh:8157990ba8000704423de44eddfd915de617467d1ee24215fd1eca8e5b0f931f",
+    "zh:92df7ff0795954c943996dccc0f1f17cc89f477b057ad0d6a7e80479f8b158b1",
+    "zh:9ebbd201853aa646f823398e0837e45c572ea2a748174edf8a744591f2ee2c4d",
+    "zh:a4709e8ae34c4f6a42f7c23f0034dd44aa71882edc88faaaaf63eb4f74dcfbfc",
+    "zh:e63b0c3ef1a08b07f14fa769100892a5063eb4fd3e5852b198a847ea389a587c",
    "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
-    "zh:fc52e444f327a45d80a26f85e1146d5563b322196291bc13d53b45f314dacfff",
  ]
 }
--- a/postgres.tf
+++ b/postgres.tf
@ -1,27 +1,30 @@
+locals {
+  postgres_dns = "pg.apricote.de"
+}
+
 resource "hcloud_volume" "postgres_data" {
-  name      = "postgres-data"
-  location  = "fsn1"
-  format    = "ext4"
-  automount = true
-  size      = 10
+  name     = "postgres-data"
+  location = "fsn1"
+  format   = "ext4"
+  size     = 10
 }

 resource "hcloud_volume" "postgres_backup" {
-  name      = "postgres-backup"
-  location  = "fsn1"
-  format    = "ext4"
-  automount = true
-  size      = 10
+  name     = "postgres-backup"
+  location = "fsn1"
+  format   = "ext4"
+  size     = 10
 }

 module "postgres" {
-  source  = "pellepelster/solidblocks-rds-postgresql/hcloud"
-  version = "0.1.19"
+  source = "../solidblocks/solidblocks-hetzner/modules/rds-postgresql"
+  # version = "0.1.19"

  data_volume   = hcloud_volume.postgres_data.id
  backup_volume = hcloud_volume.postgres_backup.id

-  databases = var.postgres_databases
+  databases         = var.postgres_databases
+  db_admin_password = var.postgres_password_admin

  location = "fsn1"

@ -31,10 +34,45 @@ module "postgres" {
  ssh_keys               = [data.hcloud_ssh_key.default.id]

  ssl_enable              = true
-  ssl_domains             = ["pg.apricote.de"]
+  ssl_domains             = [local.postgres_dns]
  ssl_email               = "certs@apricote.de"
  ssl_dns_provider        = "hetzner"
  ssl_dns_provider_config = { HETZNER_API_KEY : var.hetzner_dns_token }
+
+  postgres_extra_config = replace(<<-EOT
+# DB Version: 15
+# OS Type: linux
+# DB Type: mixed
+# Total Memory (RAM): 4 GB
+# CPUs num: 2
+# Connections num: 50
+# Data Storage: san
+
+max_connections = 100
+shared_buffers = 1GB
+effective_cache_size = 3GB
+maintenance_work_mem = 256MB
+checkpoint_completion_target = 0.9
+wal_buffers = 16MB
+default_statistics_target = 100
+random_page_cost = 1.1
+effective_io_concurrency = 300
+work_mem = 5242kB
+huge_pages = off
+min_wal_size = 1GB
+max_wal_size = 4GB
+
+# pg_stats_statements
+# https://www.postgresql.org/docs/current/pgstatstatements.html
+shared_preload_libraries = 'pg_stat_statements'
+compute_query_id = 'on'
+EOT
+    , "\n", "\\n")
+  # password_encryption = 'scram-sha-256'
+
+  post_script = <<-EOT
+apt-get install --no-install-recommends -qq -y postgresql-client
+EOT
 }

 resource "hetznerdns_record" "pg_apricote_de_a" {
@ -45,3 +83,83 @@ resource "hetznerdns_record" "pg_apricote_de_a" {
  type  = "A"
  ttl   = 60
 }
+
+resource "hetznerdns_record" "pg_apricote_de_aaaa" {
+  zone_id = hetznerdns_zone.apricote_de.id
+
+  name  = "pg"
+  value = module.postgres.ipv6_address
+  type  = "AAAA"
+  ttl   = 60
+}
+
+provider "postgresql" {
+  host            = local.postgres_dns
+  port            = 5432
+  database        = "postgres"
+  username        = "rds"
+  password        = var.postgres_password_admin
+  sslmode         = "verify-full"
+  connect_timeout = 15
+}
+
+# Listory
+resource "postgresql_role" "listory" {
+  name     = "listory"
+  login    = true
+  password = var.postgres_password_listory
+}
+
+resource "postgresql_database" "listory" {
+  name              = "listory"
+  owner             = postgresql_role.listory.name
+  lc_collate        = "de-DE.UTF-8"
+  lc_ctype          = "de-DE.UTF-8"
+  connection_limit  = -1
+  allow_connections = true
+}
+
+resource "postgresql_extension" "listory_pgcrypto" {
+  name     = "pgcrypto"
+  database = postgresql_database.listory.name
+}
+
+resource "postgresql_extension" "listory_uuid" {
+  name     = "uuid-ossp"
+  database = postgresql_database.listory.name
+}
+
+# Gitea
+resource "postgresql_role" "gitea" {
+  name     = "gitea"
+  login    = true
+  password = var.postgres_password_gitea
+}
+
+resource "postgresql_database" "gitea" {
+  name              = "gitea"
+  owner             = postgresql_role.gitea.name
+  lc_collate        = "de-DE.UTF-8"
+  lc_ctype          = "de-DE.UTF-8"
+  connection_limit  = -1
+  allow_connections = true
+}
+
+# pghero + postgres_exporter
+resource "postgresql_extension" "pg_stat_statements" {
+  for_each = toset([
+    postgresql_database.listory.name,
+    postgresql_database.gitea.name
+  ])
+  name     = "pg_stat_statements"
+  database = each.value
+}
+
+# postgres_exporter
+resource "postgresql_role" "exporter" {
+  name     = "exporter"
+  login    = true
+  password = var.postgres_password_exporter
+
+  roles = ["pg_monitor"]
+}
--- a/variables.tf
+++ b/variables.tf
@ -12,4 +12,28 @@ variable "postgres_databases" {
    password = string
  }))
  sensitive = true
-}
+}
+
+variable "postgres_password_admin" {
+  description = "Postgres admin password"
+  type        = string
+  sensitive   = true
+}
+
+variable "postgres_password_listory" {
+  description = "Postgres listory password"
+  type        = string
+  sensitive   = true
+}
+
+variable "postgres_password_gitea" {
+  description = "Postgres gitea password"
+  type        = string
+  sensitive   = true
+}
+
+variable "postgres_password_exporter" {
+  description = "Postgres exporter password"
+  type        = string
+  sensitive   = true
+}
--- a/versions.tf
+++ b/versions.tf
@ -15,6 +15,11 @@ terraform {
      version = ">= 0.11.4"
    }

+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = ">= 1.21.0"
+    }
+
    random = {
      source = "hashicorp/random"
    }