dbaas+vault: provision tasks CNPG database, role and rotating password

The new tasks PWA (Reminders-style front-end over Nextcloud CalDAV, per
tasks/docs/2026-07-03-tasks-pwa-design.md) needs its own Postgres database
for Connected Accounts and sync state. Follows the tripit/job_hunter
pattern exactly: idempotent null_resource creates role+db on the CNPG
primary with a placeholder password, and the Vault database engine static
role pg-tasks (added to the postgresql connection allowed_roles) rotates
the real password every 7 days, consumed by the tasks stack via a
vault-database ExternalSecret.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-03 19:53:13 +00:00
parent 9dcd3b0d5d
commit e0db1054e7
2 changed files with 40 additions and 0 deletions


@ -1511,6 +1511,34 @@ resource "null_resource" "pg_instagram_poster_db" {
}
}
# Create tasks database for the tasks PWA (Reminders-style front-end over
# Nextcloud CalDAV; FastAPI + SvelteKit SPA see ~/code/tasks). Stores
# Connected Accounts (Fernet-encrypted Nextcloud app passwords) + sync state.
# Role password is managed by Vault Database Secrets Engine (static role
# `pg-tasks`, 7d rotation). Tables are created by alembic on app startup.
resource "null_resource" "pg_tasks_db" {
depends_on = [null_resource.pg_cluster]
triggers = {
db_name = "tasks"
username = "tasks"
}
provisioner "local-exec" {
command = <<-EOT
PRIMARY=$(kubectl --kubeconfig ${var.kube_config_path} get cluster -n dbaas pg-cluster -o jsonpath='{.status.currentPrimary}')
kubectl --kubeconfig ${var.kube_config_path} exec -n dbaas $PRIMARY -c postgres -- \
bash -c '
psql -U postgres -tc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = '"'"'tasks'"'"'" | grep -q 1 || \
psql -U postgres -c "CREATE ROLE tasks WITH LOGIN PASSWORD '"'"'changeme-vault-will-rotate'"'"'"
psql -U postgres -tc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '"'"'tasks'"'"'" | grep -q 1 || \
psql -U postgres -c "CREATE DATABASE tasks OWNER tasks"
psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE tasks TO tasks"
'
EOT
}
}
# Old PostgreSQL deployment kept commented for rollback reference
# resource "kubernetes_deployment" "postgres" {
# metadata {
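Review bot: The `CREATE ROLE tasks WITH LOGIN PASSWORD 'changeme-vault-will-rotate'` line creates a login-capable role whose initial password is a fixed string committed to the repository, so the role is reachable with a known credential from the moment this provisioner runs until the Vault static role's first rotation lands (Vault does rotate on static-role creation, but the two resources are not ordered against each other here, and the other changed file is outside this hunk). Since Vault sets the real password itself via ALTER ROLE using its own connection, nothing needs the placeholder to be usable; creating the role with no password closes the window: `psql -U postgres -c "CREATE ROLE tasks WITH LOGIN PASSWORD NULL"`. Separately, the inner `bash -c '…'` script has no `set -euo pipefail`, so a transient failure of the first `psql -tc` probe is read as "role missing" and only the exit status of the final GRANT decides whether the provisioner succeeds; adding `set -euo pipefail` as the first line of the script would surface such failures instead of masking them. The `GRANT ALL PRIVILEGES ON DATABASE tasks TO tasks` line is redundant with `OWNER tasks` but harmless.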