From de945add752d6cee508b65cc6d0d6724e7146ab4 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 20 Mar 2026 14:07:16 +0100
Subject: [PATCH] Fix PgBouncer auth: template pgbouncer.ini and userlist.txt with vault db_password

- Create pgbouncer.ini.j2 with auth_type plain (no MD5 hash needed)
- Create userlist.txt.j2 with vault db_password
- Add Ansible tasks to deploy both files before docker-compose
- Mount pgbouncer files as read-only in compose template
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ansible/deploy.yml | 16 ++++++++++++++++
 ansible/docker-compose-prod.yml.j2 | 4 ++--
 ansible/pgbouncer.ini.j2 | 19 +++++++++++++++++++
 ansible/userlist.txt.j2 | 1 +
 4 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 ansible/pgbouncer.ini.j2
 create mode 100644 ansible/userlist.txt.j2

diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index 5b7bcf7..5004b5a 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -45,6 +45,22 @@ chdir: /var/www/e-ticket become_user: bot + - name: Deploy PgBouncer config + template: + src: pgbouncer.ini.j2 + dest: /var/www/e-ticket/docker/pgsql/pgbouncer.ini + owner: bot + group: bot + mode: "0600" + + - name: Deploy PgBouncer userlist + template: + src: userlist.txt.j2 + dest: /var/www/e-ticket/docker/pgsql/userlist.txt + owner: bot + group: bot + mode: "0600" + - name: Deploy docker-compose-prod.yml template: src: docker-compose-prod.yml.j2
diff --git a/ansible/docker-compose-prod.yml.j2 b/ansible/docker-compose-prod.yml.j2
index 1ab0991..72469df 100644
--- a/ansible/docker-compose-prod.yml.j2
+++ b/ansible/docker-compose-prod.yml.j2
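Review bot: The "Deploy PgBouncer userlist" task renders the vault `db_password` into a file, and Ansible's template module prints the rendered content when the play runs with `--diff` (or high verbosity), so the secret would land in console and CI logs; add `no_log: true` to that task (or at least `diff: false`). Separately, `mode: "0600"` with `owner: bot` on a file that the compose template bind-mounts read-only into the pgbouncer container presumably means the process inside the container can only open it if it runs with the same uid as `bot` — worth confirming against the image's runtime user, since a read-only mount cannot be chmod'ed from inside. The enclosing play and its task list begin outside this hunk.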
@@ -70,8 +70,8 @@ services: image: edoburu/pgbouncer restart: unless-stopped volumes: - - ./docker/pgsql/pgbouncer.ini:/etc/pgbouncer/pgbouncer.ini - - ./docker/pgsql/userlist.txt:/etc/pgbouncer/userlist.txt + - ./docker/pgsql/pgbouncer.ini:/etc/pgbouncer/pgbouncer.ini:ro + - ./docker/pgsql/userlist.txt:/etc/pgbouncer/userlist.txt:ro depends_on: db-master: condition: service_healthy
diff --git a/ansible/pgbouncer.ini.j2 b/ansible/pgbouncer.ini.j2
new file mode 100644
index 0000000..bbd53a4
--- /dev/null
+++ b/ansible/pgbouncer.ini.j2
@@ -0,0 +1,19 @@
+[databases]
+e-ticket = host=db-master port=5432 dbname=e-ticket
+e-ticket_readonly = host=db-slave port=5432 dbname=e-ticket
+
+[pgbouncer]
+listen_addr = 0.0.0.0
+listen_port = 6432
+auth_type = plain
+auth_file = /etc/pgbouncer/userlist.txt
+pool_mode = transaction
+max_client_conn = 200
+default_pool_size = 20
+min_pool_size = 5
+reserve_pool_size = 5
+reserve_pool_timeout = 3
+server_lifetime = 3600
+server_idle_timeout = 600
+log_connections = 0
+log_disconnections = 0
diff --git a/ansible/userlist.txt.j2 b/ansible/userlist.txt.j2
new file mode 100644
index 0000000..c564af5
--- /dev/null
+++ b/ansible/userlist.txt.j2
@@ -0,0 +1 @@
+"e-ticket" "{{ db_password }}"
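Review bot: `auth_type = plain` is deprecated in PgBouncer and makes every client connection send the database password in clear text on the wire; the commit message's goal of avoiding a pre-computed MD5 hash does not require it, because `auth_type = scram-sha-256` accepts a plain-text password in the auth_file and lets PgBouncer complete the SCRAM exchange from it. Suggested change: `auth_type = scram-sha-256`. The new file also sets `listen_addr = 0.0.0.0` without `admin_users`/`stats_users`; whether that listener is reachable beyond the compose network depends on port mappings not shown in this patch, so worth a check.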
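Review bot: `db_password` is interpolated raw inside the double-quoted field, so a password containing a `"` (or a newline) silently produces a malformed userlist entry and authentication fails; PgBouncer's auth_file format escapes an embedded double quote by doubling it. A minimal fix is `"e-ticket" "{{ db_password | replace('"', '""') }}"`, and it is worth documenting in the template header that the rendered file is a plain-text copy of the vault secret and must keep the 0600 mode set by the deploy task.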