alo-cluster/services/postgres.hcl

# Nomad job that runs three Docker tasks in one group: a PostGIS/PostgreSQL
# server, a Prometheus postgres-exporter, and a pgAdmin web UI with
# OAuth2 (Authentik) login.
job "postgres" {
  datacenters = ["alo"]
  meta {
    # uuidv4() is evaluated when the job file is parsed, so this value differs
    # on every submission. Presumably used to force a new job version each
    # time; confirm that is the intent.
    uuid = uuidv4()
  }
  group "db" {
    network {
      # Static port: PostgreSQL is bound to port 5432 on the client node itself.
      # NOTE(review): nothing in this file limits which hosts may connect;
      # confirm host firewalling / pg_hba.conf restrict access as intended.
      port "db" {
        static = 5432
      }
      # Dynamic host port mapped to 9187 inside the exporter container.
      port "exporter" {
        to = 9187
      }
      # Dynamic host port; pgAdmin is told to listen on it via
      # PGADMIN_LISTEN_PORT below.
      port "admin" { }
    }
    task "postgres" {
      driver = "docker"
      config {
        # Pinned by tag, not by digest, so the content behind the tag can change
        # between pulls.
        image = "postgis/postgis:15-3.4-alpine"
        ports = ["db"]
        # Database files live on a host path bind-mounted into the container.
        volumes = [ "/data/compute/appdata/postgres:/var/lib/postgresql/data" ]
      }
      env {
        # NOTE(review): this value uses `{{ nomadVar }}` template syntax inside
        # an `env` block. To my knowledge Nomad renders that syntax only in
        # `template` blocks, while `env` values get `${...}` interpolation only.
        # If so, the superuser password is the literal template text that is
        # committed here. Verify, and if confirmed render it from a `template`
        # block with `env = true`. Also check how the existing data directory
        # was initialized before changing it: presumably the image applies
        # POSTGRES_PASSWORD only when it creates a new data directory.
        POSTGRES_PASSWORD = "{{ with nomadVar \"secrets/postgresql\" }}{{ .postgres_password }}{{ end }}"
      }
      service {
        name = "postgres"
        port = "db"
        # TCP check: succeeds when the port accepts a connection; it does not
        # run a query or authenticate.
        check {
          type = "tcp"
          port = "db"
          interval = "30s"
          timeout = "2s"
        }
      }
      resources {
        cpu = 1000
        memory = 1024
      }
    }
    # No `resources` block on this task or on pgadmin, so Nomad's default
    # allocations apply.
    task "exporter" {
      driver = "docker"
      config {
        # No tag given, so Docker resolves this to `latest`; the running version
        # is not reproducible. Consider pinning a tag or digest.
        image = "quay.io/prometheuscommunity/postgres-exporter"
        ports = ["exporter"]
      }
      env {
        # Connects as the `postgres` superuser with the password embedded in a
        # connection URL.
        # NOTE(review): the `{{ nomadVar }}` concern described on
        # POSTGRES_PASSWORD in the postgres task applies here as well. A URL
        # also requires percent-encoding of any reserved characters in the
        # password.
        # `sslmode=disable` turns TLS off for this connection, and the target is
        # the `db` port's address (NOMAD_ADDR_db), so credentials and query
        # traffic are unencrypted on that path.
        # A dedicated low-privilege monitoring role would limit the impact of a
        # leaked exporter credential.
        DATA_SOURCE_NAME = "postgresql://postgres:{{ with nomadVar \"secrets/postgresql\" }}{{ .postgres_password }}{{ end }}@${NOMAD_ADDR_db}/postgres?sslmode=disable"
      }
      service {
        name = "postgres-exporter"
        port = "exporter"
        tags = ["metrics"]
      }
    }
    task "pgadmin" {
      driver = "docker"
      config {
        # `latest` is a moving tag: a restart may pull a different pgAdmin
        # release. Consider pinning a version or digest.
        image = "dpage/pgadmin4:latest"
        ports = ["admin"]
        volumes = [ "/data/compute/appdata/pgadmin:/var/lib/pgadmin" ]
      }
      env {
        PGADMIN_LISTEN_PORT = "${NOMAD_PORT_admin}"
        # Initial local admin account. Both values come from job variables whose
        # defaults are committed in this file.
        PGADMIN_DEFAULT_EMAIL = "${var.default_email}"
        PGADMIN_DEFAULT_PASSWORD = "${var.default_password}"
        PGADMIN_DISABLE_POSTFIX = "True"
        PGADMIN_CONFIG_MAIL_SERVER = "'192.168.1.1'"
        # 'internal' stays enabled next to 'oauth2', so the local
        # email/password login above remains usable alongside SSO.
        PGADMIN_CONFIG_AUTHENTICATION_SOURCES = "['oauth2', 'internal']"
        # A pgAdmin account is created automatically on first OAuth2 login.
        # NOTE(review): who can obtain an account is then decided by the
        # identity provider; confirm the Authentik application is restricted
        # to the intended users or groups.
        PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER = "True"
        # SECURITY: OAUTH2_CLIENT_SECRET below is stored in plain text in this
        # file. Anyone who can read the repository, or the job definition in
        # Nomad, can read it. Treat it as exposed: rotate it in the identity
        # provider and supply the new value from a secret store rather than
        # from the job file.
        # The heredoc body is passed through verbatim as the value of this
        # environment variable.
        PGADMIN_CONFIG_OAUTH2_CONFIG = <<EOH
[{
'OAUTH2_NAME' : 'authentik',
'OAUTH2_DISPLAY_NAME' : 'SSO',
'OAUTH2_CLIENT_ID' : 'o4p3B03ayTQ2kpwmM7GswbcfO78JHCTdoZqKJEut',
'OAUTH2_CLIENT_SECRET' : '7UYHONOCVdjpRMK9Ojwds0qPPpxCiztbIRhK7FJ2IFBpUgN6tnmpEjlkPYimiGKfaHLhy4XE7kQm7Et1Jm0hgyia0iB1VIlp623ckppbwkM6IfpTE1LfEmTMtPrxSngx',
'OAUTH2_TOKEN_URL' : 'https://authentik.v.paler.net/application/o/token/',
'OAUTH2_AUTHORIZATION_URL' : 'https://authentik.v.paler.net/application/o/authorize/',
'OAUTH2_API_BASE_URL' : 'https://authentik.v.paler.net/',
'OAUTH2_USERINFO_ENDPOINT' : 'https://authentik.v.paler.net/application/o/userinfo/',
'OAUTH2_SERVER_METADATA_URL' : 'https://authentik.v.paler.net/application/o/pgadmin/.well-known/openid-configuration',
'OAUTH2_SCOPE' : 'openid email profile',
'OAUTH2_ICON' : 'fa-database',
'OAUTH2_BUTTON_COLOR' : '#00ff00'
}]
EOH
      }
      service {
        name = "pgadmin"
        port = "admin"
        # Publishes pgAdmin through Traefik on the `websecure` entry point.
        # NOTE(review): no router rule or auth middleware is set here;
        # presumably Traefik defaults decide the hostname and who can reach
        # it. Confirm this admin UI is not exposed more widely than intended.
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.pgadmin.entryPoints=websecure",
        ]
      }
    }
  }
}
# Login e-mail for pgAdmin's initial local account (read by
# PGADMIN_DEFAULT_EMAIL). The default is a personal address committed to the
# repository.
variable "default_email" {
  type = string
  default = "petru@paler.net"
}
# Password for pgAdmin's initial local account (read by
# PGADMIN_DEFAULT_PASSWORD).
# SECURITY: the default below is a credential stored in plain text in version
# control. Treat it as exposed and change the account's password. Dropping the
# default and supplying the value at submit time (`-var` or the
# NOMAD_VAR_default_password environment variable) keeps it out of the
# repository.
# NOTE(review): variable values are substituted into the job definition, so
# presumably the password stays readable to anyone allowed to read the job
# in Nomad; confirm.
variable "default_password" {
  type = string
  default = "ahheina6aeki3Hu0aht3"
}