Update to 2022-02-18 16:00

2025-10-31 02:41:36 +01:00 · 2022-02-18 16:00:06 +01:00
parent 67e32c9d59
commit 767adc1e83
19 changed files with 282 additions and 2 deletions
--- a/roles/pgweb/defaults/main.yml
+++ b/roles/pgweb/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+
+# Version of pgweb to install
+pgweb_version: 0.11.10
+# URL of the archive
+pgweb_archive_url: https://github.com/sosedoff/pgweb/releases/download/v{{ pgweb_version }}/pgweb_linux_amd64.zip
+# Expected sha256 of the archive
+pgweb_archive_sha256: 9aa0ae44a2512fc8960fccb96003bec169abce5dc92aaf285bf73b48e3022558
+# Where will pgweb be installed
+pgweb_root_dir: /opt/pgweb
+# SHould ansible handle upgrades or just initial install
+pgweb_manage_upgrade: True
+
+# User under which pgweb will run (will be created)
+pgweb_user: pgweb
+
+# Port on which pgweb will listen
+pgweb_port: 8086
+# List of IP adddresses/CIDR for which the port will be opened (if iptables_manage == True)
+pgweb_src_ip: []
+
+# pgweb_bookmarks:
+#   - name: my_db
+#     url: postgres://user:url_encoded_pass@server.example.org:5432/db_name?sslmode=disabled
+#   - name: other_db
+#     host: postgres.example.org # mandatory (if url isn't given)
+#     database: db_name          # mandatory (if url isn't given)
+#     port: 5433
+#     user: sqladmin
+#     pass: S3cr3t.
+pgweb_bookmarks: []
+# Set it to another location if you want to manage bookmarks independently
+pg_web_bookmark_dir: "{{ pgweb_root_dir }}/bookmarks"
+
+# If connections with SSH tunnels is allowed
+pgweb_ssh_tunnels: False
+
--- a/roles/pgweb/handlers/main.yml
+++ b/roles/pgweb/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart pgweb
+  service: name=pgweb state=restarted
--- a/roles/pgweb/tasks/archive_post.yml
+++ b/roles/pgweb/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ pgweb_root_dir }}/archives/{{ pgweb_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ pgweb_root_dir }}/archives/{{ pgweb_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+  tags: pgweb
--- a/roles/pgweb/tasks/archive_pre.yml
+++ b/roles/pgweb/tasks/archive_pre.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Create archive directory
+  file: path={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} state=directory mode=700
+  tags: pgweb,pg
+
+- name: Archive previous version
+  copy: src={{ pgweb_root_dir }}/bin/pgweb dest={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} remote_src=True
+  tags: pgweb,pg
+
--- a/roles/pgweb/tasks/cleanup.yml
+++ b/roles/pgweb/tasks/cleanup.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64"
+    - "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64.zip"
+  tags: pgweb,pg
+
+- name: Remove temp previous version dir
+  file: path={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} state=absent
+  when: pgweb_install_mode == 'upgrade'
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/conf.yml
+++ b/roles/pgweb/tasks/conf.yml
@@ -0,0 +1,20 @@
+---
+
+- name: List existing bookmarks
+  shell: ls -1 {{ pgweb_root_dir }}/bookmarks/ | perl -pe 's/\.toml$//'
+  register: pgweb_current_bookmarks
+  changed_when: False
+  tags: pgweb,pg
+
+- name: Remove unmanaged bookmarks
+  file: path={{ pgweb_root_dir }}/bookmarks/{{ item }}.toml state=absent
+  loop: "{{ pgweb_current_bookmarks.stdout_lines }}"
+  when: not item in pgweb_bookmarks | map(attribute='name') | list
+  notify: restart pgweb
+  tags: pgweb,pg
+
+- name: Configure bookmarks
+  template: src=bookmark.toml.j2 dest={{ pgweb_root_dir }}/bookmarks/{{ item.name }}.toml owner=root group={{ pgweb_user }} mode=640
+  loop: "{{ pgweb_bookmarks }}"
+  notify: restart pgweb
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/directories.yml
+++ b/roles/pgweb/tasks/directories.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ pgweb_root_dir }}"
+    - dir: "{{ pgweb_root_dir }}/bin"
+    - dir: "{{ pgweb_root_dir }}/bookmarks"
+    - dir: "{{ pgweb_root_dir }}/archives"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ pgweb_root_dir }}/backup"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ pgweb_root_dir }}/meta"
+      owner: root
+      group: root
+      mode: 700
+    - dir: "{{ pgweb_root_dir }}/tmp"
+      owner: "{{ pgweb_user }}"
+      group: "{{ pgweb_user }}"
+      mode: 700
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/facts.yml
+++ b/roles/pgweb/tasks/facts.yml
@@ -0,0 +1,20 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: pgweb,pg
+
+# Detect installed version (if any) and detect if it's an install / upgrade / nothing
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ pgweb_root_dir }}"
+        - version: "{{ pgweb_version }}"
+    - set_fact: pgweb_install_mode={{ (install_mode == 'upgrade' and not pgweb_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: pgweb_current_version={{ current_version | default('') }}
+  tags: pgweb,pg
+
--- a/roles/pgweb/tasks/install.yml
+++ b/roles/pgweb/tasks/install.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Install dependencies
+  package: name={{ pgweb_packages }}
+  tags: pgweb,pg
+
+- when: pgweb_install_mode != 'none'
+  block:
+    - name: Download pgweb
+      get_url:
+        url: "{{ pgweb_archive_url }}"
+        dest: "{{ pgweb_root_dir }}/tmp/"
+        checksum: sha256:{{ pgweb_archive_sha256 }}
+
+    - name: Extract archive
+      unarchive:
+        src: "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64.zip"
+        dest: "{{ pgweb_root_dir }}/tmp/"
+        remote_src: True
+
+    - name: Install pgweb binary
+      copy:
+        src: "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64"
+        dest: "{{ pgweb_root_dir }}/bin/pgweb"
+        remote_src: True
+        mode: 755
+      notify: restart pgweb
+
+  tags: pgweb,pg
+
+- name: Install systemd unit
+  template: src=pgweb.service.j2 dest=/etc/systemd/system/pgweb.service
+  register: pgweb_unit
+  notify: restart pgweb
+  tags: pgweb,pg
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: pgweb_unit.changed
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/iptables.yml
+++ b/roles/pgweb/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name:  Handle pgweb ports in the firewall
+  iptables_raw:
+    name: pgweb_port
+    state: "{{ (pgweb_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ pgweb_port }} -s {{ pgweb_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,pgweb,pg
--- a/roles/pgweb/tasks/main.yml
+++ b/roles/pgweb/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: pgweb_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: archive_post.yml
+  when: pgweb_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml
+
--- a/roles/pgweb/tasks/services.yml
+++ b/roles/pgweb/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable service
+  service: name=pgweb state=started enabled=True
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/user.yml
+++ b/roles/pgweb/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create user account
+  user:
+    name: "{{ pgweb_user }}"
+    system: True
+    home: "{{ pgweb_root_dir }}"
+    shell: /sbin/nologin
+  tags: pgweb,pg
--- a/roles/pgweb/tasks/write_version.yml
+++ b/roles/pgweb/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+  copy: content={{ pgweb_version }} dest={{ pgweb_root_dir }}/meta/ansible_version
+  tags: pgweb,pg
--- a/roles/pgweb/templates/bookmark.toml.j2
+++ b/roles/pgweb/templates/bookmark.toml.j2
@@ -0,0 +1,18 @@
+{% if item.url is defined %}
+url = "{{ item.url }}"
+{% else %}
+host = "{{ item.host }}"
+database = "{{ item.database }}"
+{% if item.port is defined %}
+port = {{ item.port }}
+{% endif %}
+{% if item.user is defined %}
+user = "{{ item.user }}"
+{% endif %}
+{% if item.pass is defined %}
+password = "{{ item.pass }}"
+{% endif %}
+{% if item.ssl is defined %}
+ssl = "{{ item.ssl }}"
+{% endif %}
+{% endif %}
--- a/roles/pgweb/templates/pgweb.service.j2
+++ b/roles/pgweb/templates/pgweb.service.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=PgWeb Postgres Browser
+After=network.target
+
+[Service]
+Type=simple
+User={{ pgweb_user }}
+Group={{ pgweb_user }}
+ExecStart={{ pgweb_root_dir }}/bin/pgweb \
+             --listen {{ pgweb_port }} \
+             --bind {{ (pgweb_src_ip | length > 0) | ternary('0.0.0.0','127.0.0.1') }} \
+             --bookmarks-dir={{ pgweb_bookmarks_dir }} \
+{% if not pgweb_ssh_tunnels %}
+             --no-ssh \
+{% endif %}
+             --sessions
+RuntimeDirectory=pgweb
+RestartSec=30
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+RestrictNamespaces=yes
+ReadWritePaths=/run
+PrivateTmp=true
+MemoryDenyWriteExecute=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/pgweb/vars/RedHat-8.yml
+++ b/roles/pgweb/vars/RedHat-8.yml
@@ -0,0 +1,5 @@
+---
+
+pgweb_packages:
+  - tar
+  - zstd