postgresql: Configure for dedicated DB servers

I am going to use the *postgresql* group for the dedicated database
servers.  The configuration for those machines will be quite a bit
different than for the one existing machine that is a member of that
group already: the Nextcloud server.  Rather than undefine/override all
the group-level settings at the host level, I have removed the Nextcloud
server from the *postgresql* group, and updated the `nextcloud.yml`
playbook to apply the *postgresql-server* role itself.

Eventually, I want to move the Nextcloud database to the central
database servers.  At that point, I will remove the *postgresql-server*
role from the `nextcloud.yml` playbook.

group_vars/nextcloud.yml

@@ -19,3 +19,6 @@ nextcloud_smtp:
   host: mail.pyrocufflink.blue
   port: 25
 dnf_automatic_exclude: nextcloud
+
+postgresql_config_dir: /var/lib/pgsql/data
+postgresql_allow_remote: false

group_vars/postgresql.yml

@@ -0,0 +1,51 @@
+data_volumes:
+- dev: /dev/vdb
+  fstype: ext4
+  mountpoint: /var/lib/pgsql
+
+postgresql_cert_domain: postgresql.{{ ansible_domain }}
+postgresql_cert_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+postgresql_cert_acme_server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
+postgresql_allow_remote: true
+postgresql_allow_sameuser_peer: false
+
+postgresql_config:
+  listen_addresses: '''*'''
+  ssl: 'on'
+  ssl_cert_file: '''{{ postgresql_config_dir }}/server.cer'''
+  ssl_key_file: '''{{ postgresql_config_dir }}/server.key'''
+  ssl_ca_file: '''{{ postgresql_config_dir }}/ca.crt'''
+
+  archive_mode: '''on'''
+  archive_timeout: 5min
+  archive_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-push %p'''
+  restore_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-fetch %f %p'''
+  hot_standby: 'on'
+
+pg_hba_extra:
+- type: hostssl
+  database: sameuser
+  user: all
+  address: 0.0.0.0/0
+  method: cert
+
+postgresql_restore_command: >-
+  runuser -u postgres --
+  wal-g-pg --config /etc/postgresql/wal-g.yml backup-fetch {{ pgdata_dir }} LATEST
+
+wal_g_aws_access_key_id: Ps0tjAlLFxnQkelX
+wal_g_aws_secret_access_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31313034633265346365356533623137323835386434313738353362386338666531656635306663
+  3032636433343062366537306663383739633838383633350a353030316534356239363962333164
+  30663565333566616563333766323163643466363639613733323262363135333362663364356533
+  3161646331336265640a333639393463376538343466373362353133626562623562316539356464
+  38613465326234346465336261306336623065613962363362383534346435633637626132613364
+  3062396235663433623535373065626238643663623831306464
+
+wal_g_pg_config:
+  AWS_ACCESS_KEY_ID: '{{ wal_g_aws_access_key_id }}'
+  AWS_SECRET_ACCESS_KEY: '{{ wal_g_aws_secret_access_key }}'
+  WALG_S3_PREFIX: s3://pgbackup/spilo/postgresql-default/wal/15
+  AWS_S3_FORCE_PATH_STYLE: true
+  AWS_ENDPOINT: https://burp.pyrocufflink.blue:9000

hosts

@@ -90,7 +90,6 @@ cloud0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 
 [postgresql]
-cloud0.pyrocufflink.blue
 
 [public-web]
 web0.pyrocufflink.blue

nextcloud.yml

@@ -2,5 +2,6 @@
   vars_files:
   - vault/nextcloud
   roles:
+  - postgresql-server
   - apache
   - nextcloud

postgresql.yml

@@ -1,3 +1,11 @@
 - hosts: postgresql
   roles:
+  - role: trustca
+    ca: dch-root-ca-r2
+  - role: postgresql-cert
+    tags:
+    - postgresql-cert
+  - role: wal-g-pg
+    tags:
+    - wal-g
   - postgresql-server