[Nomad/DPUL-C] Add configuration and read-only user to figgy prod db

pulibrary · Oct 23, 2024 · 6522285 · 6522285
1 parent a223a45
commit 6522285
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 25 deletions.
diff --git a/group_vars/nomad/dpulc/staging.yml b/group_vars/nomad/dpulc/staging.yml
@@ -8,11 +8,14 @@ dpul_c_postgres_admin_user: "postgres"
 dpul_c_staging_figgy_db_host: "figgy-db-staging1.princeton.edu"
 dpul_c_staging_figgy_db_name: "figgy_staging"
 dpul_c_staging_figgy_db_password: "{{ vault_dpul_c_staging_figgy_db_password }}"
+dpul_c_production_figgy_db_host: "figgy-db-prod1.princeton.edu"
+dpul_c_production_figgy_db_name: "figgy_production"
+dpul_c_production_figgy_db_password: "{{ vault_dpul_c_production_figgy_db_password }}"
 dpul_c_nomad_env_vars:
   DB_NAME: '{{ dpul_c_db_name }}'
   DB_USER: '{{ dpul_c_db_user }}'
   DB_PASSWORD: '{{ dpul_c_db_password }}'
   POSTGRES_HOST: '{{ dpul_c_postgres_host }}'
   SECRET_KEY_BASE: '{{ vault_dpul_c_secret_key_base }}'
   SOLR_URL: 'http://lib-solr8d-staging.princeton.edu:8983/solr/dpulc-staging'
-  FIGGY_DATABASE_URL: 'ecto://dpulc_staging:{{ dpul_c_staging_figgy_db_password }}@{{ dpul_c_staging_figgy_db_host }}/{{ dpul_c_staging_figgy_db_name }}'
+  FIGGY_DATABASE_URL: 'ecto://dpulc_staging:{{ dpul_c_production_figgy_db_password }}@{{ dpul_c_production_figgy_db_host }}/{{ dpul_c_production_figgy_db_name }}'
diff --git a/group_vars/nomad/dpulc/vault.yml b/group_vars/nomad/dpulc/vault.yml
@@ -1,17 +1,21 @@
 $ANSIBLE_VAULT;1.1;AES256
-63636438363930626363653233343036616165326137643766666434353866366364353534393063
-6434383035643037393439353537356438393337316465630a346539343536373065316362353433
-38656261316139623364373064366439643937616466616230303538333235303562303035373364
-3461663163663461360a366134363531656234633663396235643962343530333964653733646136
-62373532356534643264336538386335346239343035666535646638333739316639316466633164
-62663761333136306463623861346665316165343561363461316664356233313630333630333433
-62626234623938663934643239653733366234636236386637396463663635386666643938313263
-37643038653238646363313537386162383634336365363066646432386134303630393563303765
-64636337653433393130343035373861396165623463333837333734356331323432346330663564
-35376362363338613862366561653233636661323662353036346165353732323635396364373065
-65333737313934346165336661633035666564306336626563643035633434333361336131333133
-35633631393236666236353033333439613335653562383766646334366337653430616538306633
-32373636636361316233336433326331663335323734363364376533353866363363333436363462
-35373539303333633936386162633336363330393032653733656233303630636665356664663834
-35333235383865323531303962653961356661373233353731303232363437633436376364646538
-39663432346562343637
+33366231336536626433396436666233376138363135333133376332383538613837343330393031
+3764373330613038623135393661323131316639363333330a383630396365393762663033313138
+61396238353364653339343166656139363166646365383633623932353334623230663866623231
+6363663530336435320a636331656530623138613835306239626636396261326531313661393466
+37326334323332656430326561626134346434343032363632386637633466636130396261373333
+65633838383037353432343337653835383333383637373965616464613263323733613066363661
+36326163343263633939356132633636326438316266303262383837653034373539386266323730
+64323034643466393565316135386630346135373763373037346338383439353765336439376262
+62636562386430346364353563646166353835616165373237383539633230336530326165383131
+31623766363133666333636538396363623930323666353166616535306435353265353661356633
+62363534333234353030316663306464393963313362316663323362316564373933613862643735
+66636433633663313033353763663833633433626436333037323831356339626131303738383961
+61653835333839303463363538386632323536336138356338316537633033653832383165333262
+31373935373633663732633934303237636533353365373236336261363135666466383830643566
+61626536326139646435303764316565343161323835663839383136666132333161363666663562
+66303361653161633533306132366263316264353531353038373865373933383166376336383865
+31626335376431363363396432613137316132386534653763326566366664353234633139633066
+61326565373762636633333738326539323063633431343038613839646238333533396465626161
+30663838383362646235373532363865356630333334646538383939656363313738636336396233
+32313830373264653164
diff --git a/roles/pul_nomad/tasks/dpul_c.yml b/roles/pul_nomad/tasks/dpul_c.yml
@@ -21,7 +21,17 @@
   become_user: '{{ dpul_c_postgres_admin_user }}'
   run_once: true
 
-- name: 'pul_nomad_dpulc | create figgy postgresql db user'
+- name: 'pul_nomad_dpulc | ensure access to postgres server for client connections'
+  ansible.builtin.lineinfile:
+    path: '/etc/postgresql/{{ dpul_c_postgres_version }}/main/pg_hba.conf'
+    line: 'host  all      all {{ ansible_default_ipv4.address }}/32       md5'
+  delegate_to: '{{ dpul_c_postgres_host }}'
+  register: remote_postgres_configured
+  throttle: 1 # have this task run one machine at a time to avoid race condition
+  when:
+    - "nomad_node_role == 'client'"
+
+- name: 'pul_nomad_dpulc | create figgy staging postgresql db user'
   community.postgresql.postgresql_user:
     name: 'dpulc_staging'
     password: '{{ dpul_c_staging_figgy_db_password }}'
@@ -32,7 +42,7 @@
   become_user: '{{ dpul_c_postgres_admin_user }}'
   run_once: true
 
-- name: 'pul_nomad_dpulc | grant read privileges for read-only user'
+- name: 'pul_nomad_dpulc | grant read privileges for figgy staging read-only user'
   delegate_to: '{{ dpul_c_staging_figgy_db_host }}'
   become: true
   become_user: '{{ dpul_c_postgres_admin_user }}'
@@ -46,21 +56,46 @@
     roles: 'dpulc_staging'
     grant_option: true
 
-- name: 'pul_nomad_dpulc | ensure access to postgres server for client connections'
+- name: 'pul_nomad_dpulc | ensure access to figgy staging postgres server for client connections'
   ansible.builtin.lineinfile:
     path: '/etc/postgresql/{{ dpul_c_postgres_version }}/main/pg_hba.conf'
     line: 'host  all      all {{ ansible_default_ipv4.address }}/32       md5'
-  delegate_to: '{{ dpul_c_postgres_host }}'
-  register: remote_postgres_configured
+  delegate_to: '{{ dpul_c_staging_figgy_db_host }}'
+  register: remote_figgy_postgres_configured
   throttle: 1 # have this task run one machine at a time to avoid race condition
   when:
     - "nomad_node_role == 'client'"
 
-- name: 'pul_nomad_dpulc | ensure access to figgy postgres server for client connections'
+- name: 'pul_nomad_dpulc | create figgy production postgresql db user'
+  community.postgresql.postgresql_user:
+    name: 'dpulc_staging'
+    password: '{{ dpul_c_production_figgy_db_password }}'
+    encrypted: true
+    state: 'present'
+  delegate_to: '{{ dpul_c_production_figgy_db_host }}'
+  become: true
+  become_user: '{{ dpul_c_postgres_admin_user }}'
+  run_once: true
+
+- name: 'pul_nomad_dpulc | grant read privileges for figgy production read-only user'
+  delegate_to: '{{ dpul_c_production_figgy_db_host }}'
+  become: true
+  become_user: '{{ dpul_c_postgres_admin_user }}'
+  run_once: true
+  community.postgresql.postgresql_privs:
+    database: '{{ dpul_c_production_figgy_db_name }}'
+    state: present
+    privs: SELECT
+    type: table
+    objs: ALL_IN_SCHEMA
+    roles: 'dpulc_staging'
+    grant_option: true
+
+- name: 'pul_nomad_dpulc | ensure access to figgy production postgres server for client connections'
   ansible.builtin.lineinfile:
     path: '/etc/postgresql/{{ dpul_c_postgres_version }}/main/pg_hba.conf'
     line: 'host  all      all {{ ansible_default_ipv4.address }}/32       md5'
-  delegate_to: '{{ dpul_c_staging_figgy_db_host }}'
+  delegate_to: '{{ dpul_c_production_figgy_db_host }}'
   register: remote_figgy_postgres_configured
   throttle: 1 # have this task run one machine at a time to avoid race condition
   when:
@@ -74,14 +109,22 @@
     - remote_postgres_configured.changed
   delegate_to: '{{ dpul_c_postgres_host }}'
 
-- name: 'pul_nomad_dpulc | reload figgy postgresql'
+- name: 'pul_nomad_dpulc | reload figgy staging postgresql'
   ansible.builtin.service:
     name: postgresql
     state: reloaded
   when:
     - remote_postgres_configured.changed
   delegate_to: '{{ dpul_c_staging_figgy_db_host }}'
 
+- name: 'pul_nomad_dpulc | reload production figgy postgresql'
+  ansible.builtin.service:
+    name: postgresql
+    state: reloaded
+  when:
+    - remote_postgres_configured.changed
+  delegate_to: '{{ dpul_c_production_figgy_db_host }}'
+
 - name: 'pul_nomad_dpulc | add the application environment variables'
   ansible.builtin.shell:
     cmd: '/usr/local/bin/nomad var put -force nomad/jobs/dpulc-staging {{ dpul_c_nomad_env_vars.keys() | zip(dpul_c_nomad_env_vars.values()) | map("join", "=") | join(" ") }}'