dbaas+vault: provision tasks CNPG database, role and rotating password

The new tasks PWA (Reminders-style front-end over Nextcloud CalDAV, per
tasks/docs/2026-07-03-tasks-pwa-design.md) needs its own Postgres database
for Connected Accounts and sync state. Follows the tripit/job_hunter
pattern exactly: idempotent null_resource creates role+db on the CNPG
primary with a placeholder password, and the Vault database engine static
role pg-tasks (added to the postgresql connection allowed_roles) rotates
the real password every 7 days, consumed by the tasks stack via a
vault-database ExternalSecret.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-03 19:53:13 +00:00
parent 9dcd3b0d5d
commit e0db1054e7
2 changed files with 40 additions and 0 deletions


@ -675,6 +675,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
"pg-nextcloud-todos",
"pg-technitium",
"pg-goldmane-edges",
"pg-tasks",
]
postgresql {
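Review bot: the "pg-tasks" entry added to `allowed_roles` is the allow-list Vault consults when the static role is created, so it has to match the `name` of the new `vault_database_secret_backend_static_role` exactly (it does: both read `pg-tasks`), and it has to be applied before that role; Terraform orders this implicitly because the static role references `vault_database_secret_backend_connection.postgresql.name`, but a one-line comment next to the list entry pointing at the `pg_tasks` static role would make the pairing obvious to whoever later prunes this list.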
@ -903,6 +904,17 @@ resource "vault_database_secret_backend_static_role" "pg_goldmane_edges" {
rotation_period = 604800
}
# tasks PWA (Reminders-style front-end over Nextcloud CalDAV) 7-day rotation
# for the `tasks` CNPG role. Consumed by stacks/tasks via a vault-database
# ExternalSecret -> TASKS_DB_DSN (remoteRef static-creds/pg-tasks).
resource "vault_database_secret_backend_static_role" "pg_tasks" {
backend = vault_mount.database.path
db_name = vault_database_secret_backend_connection.postgresql.name
name = "pg-tasks"
username = "tasks"
rotation_period = 604800
}
# =============================================================================
# Kubernetes Secrets Engine Dynamic K8s Credentials
# =============================================================================
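Review bot: the static role `pg_tasks` assumes the Postgres role `tasks` (username on the `username = "tasks"` line) already exists on the CNPG primary with a password Vault can rotate, but the `null_resource` that the commit message says creates that role with a placeholder password is not in this file and nothing here declares a dependency on it; on a fresh apply Vault's initial rotation for `pg-tasks` can fail with a "role does not exist" error if the static role is created first, so add a `depends_on` to that `null_resource` (as the tripit/job_hunter roles presumably do) or document why the ordering is already guaranteed. Also, `rotation_period = 604800` is repeated verbatim across the neighbouring roles (`pg_goldmane_edges` above uses the same literal); a shared `local` such as `seven_days = 604800` would keep the 7-day policy in one place and make the comment's "7-day rotation" claim self-evident.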