directlx
/
dlx-ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: directlx:0281f7d80626905e57ef45ddd790835f84598980
Branches Tags
directlx:main
...
compare: directlx:5859751c66446b39c4ba69c6730dedc4eb3ef5c4
Branches Tags
directlx:main

3 Commits
0281f7d806 ... 5859751c66

Author SHA1 Message Date
directlx 5859751c66 Add HTTPS support for registry.directlx.dev via NPM 
Configure registry.directlx.dev to route through Nginx Proxy Manager
(192.168.200.71) for SSL/TLS termination, instead of direct access to
Docker registry at 192.168.200.200:5000.

Changes:
- Updated Pi-hole DNS to route registry.directlx.dev → NPM (192.168.200.71)
- Added gitea.directlx.dev to DNS records (previously missing)
- Created comprehensive NPM configuration guide with Docker-specific Nginx config
- Created Docker registry usage documentation with HTTPS examples
- Added local DNS configuration playbooks and documentation

Benefits:
- HTTPS encryption for Docker registry traffic
- Consistent SSL certificate management via Let's Encrypt
- No insecure-registry configuration needed on Docker clients
- Centralized proxy management through NPM

Next step: Configure NPM proxy host following docs/NPM-REGISTRY-SETUP.md

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-14 14:58:30 -05:00
directlx 9be34947b2 Fix www.directlx.dev accessibility with nginx firewall and DNS config 
This commit resolves connectivity issues for www.directlx.dev by:

1. Add nginx firewall configuration (host_vars/nginx.yml)
   - Allow ports 80/tcp (HTTP) and 443/tcp (HTTPS)
   - Enables NPM to proxy traffic to nginx backend

2. Add www.directlx.dev DNS record via Pi-hole
   - Configure playbooks/configure-directlx-dev-dns.yml
   - Route www.directlx.dev → NPM (192.168.200.71)
   - NPM then proxies to nginx (192.168.200.65)

Problem: After firewall changes, nginx server only allowed SSH (port 22),
blocking HTTP/HTTPS from NPM. Additionally, Pi-hole had no DNS record for
www.directlx.dev subdomain.

Solution: Applied firewall rules and DNS configuration to complete the
proxy chain: Browser → Pi-hole DNS → NPM → nginx.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-14 09:14:59 -05:00
directlx 015c708644 Add PostgreSQL user management playbook and documentation 
Created reusable Ansible playbook for creating PostgreSQL users with
flexible privilege options (superuser, createdb, createrole). Features
include auto-generated secure passwords, credential file export, and
comprehensive documentation with examples.

Files added:
- playbooks/create-postgres-user.yml - Automated user creation
- docs/POSTGRES-USER-MANAGEMENT.md - Usage guide and examples

Initial use case: Created hiveops superuser for HiveOps application.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-14 07:44:35 -05:00
9 changed files with 1397 additions and 0 deletions
Show Stats Expand all files Collapse all files

245
docs/DOCKER-REGISTRY-DNS.md Normal file
View File

@ -0,0 +1,245 @@
# Docker Registry DNS Configuration
## Overview
The Docker registry at `192.168.200.200:5000` is now accessible via the domain name `registry.directlx.dev` using HTTPS through Nginx Proxy Manager.
## DNS Resolution
- **Domain**: registry.directlx.dev
- **DNS Resolution**: 192.168.200.71 (NPM - Nginx Proxy Manager)
- **Backend**: 192.168.200.200:5000 (Docker Registry)
- **Protocol**: HTTPS (SSL terminated at NPM)
- **DNS Server**: Pi-hole (192.168.200.100)
## Usage
### Docker Push
```bash
# Tag your image
docker tag my-image:latest registry.directlx.dev/my-image:latest
# Push to registry
docker push registry.directlx.dev/my-image:latest
```
### Docker Pull
```bash
docker pull registry.directlx.dev/my-image:latest
```
### Docker Compose
Update your `.env` files to use the domain name:
```env
DOCKER_REGISTRY=registry.directlx.dev
```
Then in `docker-compose.yml`:
```yaml
services:
app:
image: ${DOCKER_REGISTRY}/my-image:latest
```
## Verification
### Test DNS Resolution
```bash
# Query Pi-hole directly
nslookup registry.directlx.dev 192.168.200.100
# Check local resolution
getent hosts registry.directlx.dev
```
Expected output: `192.168.200.71 registry.directlx.dev`
### Test Registry Connectivity
```bash
# Health check (via HTTPS)
curl -I https://registry.directlx.dev/v2/
# List repositories
curl https://registry.directlx.dev/v2/_catalog
```
### Test Docker Integration
```bash
# List tags for a repository
curl https://registry.directlx.dev/v2/hiveops-incident/tags/list
```
## Current Repositories
As of 2026-02-14, the registry contains:
- atm-incident-backend
- atm-incident-frontend
- hiveops-agent
- hiveops-auth
- hiveops-config
- hiveops-incident
- hiveops-incident-backend
- hiveops-incident-frontend
- hiveops-mgmt
- hiveops-release
- hiveops-remote
- smart-client
## Configuration Files
### Pi-hole DNS Record
Managed by: `playbooks/configure-directlx-dev-dns.yml`
```yaml
dns_records:
- { ip: "192.168.200.71", hostname: "registry" }
```
### NPM Proxy Host Configuration
Configure in NPM web UI (http://192.168.200.71:81):
**Domain Names:**
- registry.directlx.dev
**Forward Hostname/IP:** 192.168.200.200
**Forward Port:** 5000
**Scheme:** http
**SSL:**
- ✅ Force SSL
- ✅ HTTP/2 Support
- ✅ HSTS Enabled
- SSL Certificate: Let's Encrypt or custom
### Local /etc/hosts (Optional)
For local workstation access without Pi-hole DNS:
```bash
sudo tee -a /etc/hosts <<EOF
192.168.200.71 registry.directlx.dev
EOF
```
Or use the Ansible playbook:
```bash
ansible-playbook playbooks/configure-local-dns-localhost.yml --ask-become-pass
```
## Troubleshooting
### Registry Not Resolving
**Check DNS:**
```bash
nslookup registry.directlx.dev 192.168.200.100
```
If no result, re-run the DNS configuration playbook:
```bash
ansible-playbook playbooks/configure-directlx-dev-dns.yml
```
### Connection Refused
**Check registry is running:**
```bash
ansible docker -m shell -a "docker ps | grep registry"
```
**Check firewall:**
```bash
ansible docker -m shell -a "ufw status" -b
```
### Docker Daemon Configuration
With HTTPS enabled via NPM, no insecure registry configuration is needed. Docker will trust the SSL certificate.
If you encounter certificate issues, ensure the CA certificate is trusted on your system.
## Security Notes
- ✅ HTTPS enabled via NPM (SSL/TLS encryption)
- ✅ Registry accessible only on local network (192.168.200.0/24)
- ✅ SSL certificate from Let's Encrypt (valid and trusted)
- ⚠️ No authentication configured (suitable for internal use)
- For production, consider:
- Adding Docker registry authentication
- Implementing access controls
- Rate limiting at NPM level
## Quick Setup Guide
**Complete setup in 2 steps:**
1. **DNS Configuration** (✅ DONE)
```bash
ansible-playbook playbooks/configure-directlx-dev-dns.yml
```
2. **NPM Proxy Configuration** (⚠️ REQUIRED)
See: [NPM Registry Setup Guide](NPM-REGISTRY-SETUP.md)
Quick summary:
- Navigate to NPM Admin (http://192.168.200.71:81)
- Add Proxy Host for registry.directlx.dev
- Forward to: 192.168.200.200:5000
- Enable SSL with Let's Encrypt
- Add custom Nginx config (see guide)
## Related Documentation
- **[NPM Registry Setup Guide](NPM-REGISTRY-SETUP.md)** - Step-by-step NPM configuration ⭐
- [Local DNS Configuration](LOCAL-DNS-CONFIGURATION.md) - General DNS setup
- [SSL Offloading Fix](SSL-OFFLOADING-FIX.md) - HTTPS configuration
- Global CLAUDE.md - Docker registry URL reference
## Maintenance
### Update DNS Record
Edit `playbooks/configure-directlx-dev-dns.yml` and add/modify:
```yaml
dns_records:
- { ip: "NEW_IP", hostname: "registry" }
```
Then apply:
```bash
ansible-playbook playbooks/configure-directlx-dev-dns.yml
```
### Clear DNS Cache
On Pi-hole:
```bash
ansible pihole -m shell -a "pihole restartdns" -b
```
On local workstation:
```bash
sudo systemd-resolve --flush-caches
resolvectl flush-caches
```
---
**Created**: 2026-02-14
**Last Updated**: 2026-02-14
**Author**: DirectLX Infrastructure Team

247
docs/LOCAL-DNS-CONFIGURATION.md Normal file
View File

@ -0,0 +1,247 @@
# Local DNS Configuration for DirectLX Services
## Problem
DirectLX services (incident.directlx.dev, hiveops.directlx.dev, etc.) resolve to public IP `45.16.76.42`, which has unreliable connectivity:
- Connection timeouts (2+ minutes)
- Only ~33% success rate
- Intermittent failures
## Solution
Configure local DNS resolution to use the internal NPM server (`192.168.200.71`) instead of going through the public IP.
### Benefits
- ✅ Fast local network access (2-4ms vs 2+ minute timeouts)
- ✅ 100% reliability on local network
- ✅ No dependency on public IP routing
- ✅ Seamless HTTPS with valid certificates
## Playbooks
### 1. `configure-local-dns-localhost.yml`
Configure DNS on your local workstation **right now**.
**Usage:**
```bash
cd /source/dlx-src/dlx-ansible
ansible-playbook playbooks/configure-local-dns-localhost.yml --ask-become-pass
```
**What it does:**
- Adds directlx.dev entries to `/etc/hosts`
- Points all domains to `192.168.200.71` (NPM server)
- Tests connectivity automatically
- Shows before/after results
**Duration:** ~5 seconds
---
### 2. `configure-local-dns.yml`
Deploy local DNS configuration across **all infrastructure hosts**.
**Usage:**
```bash
cd /source/dlx-src/dlx-ansible
# Apply to all hosts except NPM server
ansible-playbook -i inventory/hosts.yml playbooks/configure-local-dns.yml
# Apply to specific group
ansible-playbook -i inventory/hosts.yml playbooks/configure-local-dns.yml --limit application
# Apply to specific host
ansible-playbook -i inventory/hosts.yml playbooks/configure-local-dns.yml --limit hiveops
```
**What it does:**
- Configures all hosts to use local NPM server
- Creates backup of `/etc/hosts` before changes
- Uses blockinfile for idempotent updates
- Verifies DNS resolution after configuration
- Tests HTTPS connectivity (optional)
**Target hosts:** All hosts except NPM server itself
**Duration:** ~10-20 seconds per host
---
## Manual Configuration
If you prefer to configure manually:
```bash
sudo tee -a /etc/hosts <<'EOF'
# DirectLX Local DNS Entries
192.168.200.71 incident.directlx.dev
192.168.200.71 hiveops.directlx.dev
192.168.200.71 mgmt.directlx.dev
192.168.200.71 release.directlx.dev
192.168.200.71 gitea.directlx.dev
192.168.200.71 smartjournal.directlx.dev
192.168.200.71 directlx.dev
192.168.200.71 www.directlx.dev
192.168.200.71 registry.directlx.dev
EOF
```
## Verification
### Test DNS Resolution
```bash
getent hosts incident.directlx.dev
# Expected: 192.168.200.71 incident.directlx.dev
```
### Test HTTPS Connectivity
```bash
curl -I https://incident.directlx.dev
# Expected: HTTP/1.1 200 OK (within 1 second)
```
### Test All Domains
```bash
for domain in incident.directlx.dev hiveops.directlx.dev mgmt.directlx.dev; do
echo "Testing $domain..."
time curl -I --max-time 5 https://$domain | head -1
done
```
## Rollback
If you need to remove the configuration:
```bash
# Restore from backup
sudo cp /etc/hosts.backup-<timestamp> /etc/hosts
# Or remove the Ansible-managed block
sudo sed -i '/# DirectLX Local DNS/,/# END DirectLX Local DNS/d' /etc/hosts
```
## Production Considerations
### Option 1: /etc/hosts (Current Solution)
- ✅ Simple and immediate
- ✅ No additional dependencies
- ❌ Must be applied to each host
- ❌ Manual management required
### Option 2: Pi-hole Split-Horizon DNS (Recommended Long-term)
Configure Pi-hole at `192.168.200.100` with local DNS records:
**Benefits:**
- ✅ Centralized management
- ✅ Automatic for all network clients
- ✅ No per-host configuration
- ✅ Easy to update
**Implementation:**
1. Log in to Pi-hole admin (`http://192.168.200.100/admin`)
2. Navigate to **Local DNS** → **DNS Records**
3. Add A records for each domain:
- Domain: `incident.directlx.dev` → IP: `192.168.200.71`
- Domain: `hiveops.directlx.dev` → IP: `192.168.200.71`
- Domain: `mgmt.directlx.dev` → IP: `192.168.200.71`
- Domain: `registry.directlx.dev` → IP: `192.168.200.71`
- etc.
### Option 3: Internal DNS Server (Enterprise)
Set up authoritative DNS for `directlx.dev` zone with split-horizon configuration.
## How It Works
### Before
```
Client → DNS Query → 45.16.76.42 (public IP)
Client → HTTPS Request → 45.16.76.42 → [timeout/unreliable]
```
### After
```
Client → /etc/hosts → 192.168.200.71 (local NPM)
Client → HTTPS Request → 192.168.200.71 (NPM) → 192.168.200.112 (backend)
```
## Network Architecture
```
┌─────────────────┐
│ Your Workstation│
│ 10.10.10.119 │
└────────┬────────┘
│ Local Network Route
┌────▼─────────────────┐
│ NPM (Nginx Proxy) │
│ 192.168.200.71 │
│ Port 443 (HTTPS) │
└────┬─────────────────┘
│ Proxy Pass
┌────▼──────────────────┐
│ HiveOps Backend │
│ 192.168.200.112:8080 │
└───────────────────────┘
```
## Troubleshooting
### Issue: Still getting timeouts
**Check DNS resolution:**
```bash
getent hosts incident.directlx.dev
```
Should show `192.168.200.71`, not `45.16.76.42`.
**Check /etc/hosts:**
```bash
grep directlx /etc/hosts
```
Should show entries with `192.168.200.71`.
### Issue: DNS resolving to wrong IP
**Check systemd-resolved cache:**
```bash
sudo systemd-resolve --flush-caches
resolvectl flush-caches
```
**Check NSS resolution order:**
```bash
grep hosts /etc/nsswitch.conf
```
Should show `files` before `dns`: `hosts: files dns`
### Issue: Certificate warnings
If you get SSL certificate warnings, it means you're connecting via IP instead of hostname.
**Solution:** Ensure you're using the domain name, not the IP:
```bash
# Wrong
curl https://192.168.200.71
# Correct
curl https://incident.directlx.dev
```
## Related Documentation
- [SSL Offloading Fix](SSL-OFFLOADING-FIX.md) - Spring Boot SSL configuration
- [Express Proxy Config](EXPRESS-PROXY-CONFIG.md) - Express.js proxy settings
- NPM Configuration - Located in `/data/nginx/proxy_host/` on 192.168.200.71
## Author
- **Created:** 2026-02-06
- **Purpose:** Fix unreliable public IP connectivity to DirectLX services
- **Repository:** dlx-src/dlx-ansible

360
docs/NPM-REGISTRY-SETUP.md Normal file
View File

@ -0,0 +1,360 @@
# NPM Configuration for Docker Registry (registry.directlx.dev)
## Overview
This guide configures Nginx Proxy Manager to proxy `registry.directlx.dev` to the backend Docker registry at `192.168.200.200:5000` with HTTPS/SSL termination.
## Prerequisites
- ✅ DNS configured: registry.directlx.dev → 192.168.200.71
- ✅ NPM running at 192.168.200.71
- ✅ Docker registry running at 192.168.200.200:5000
- ⚠️ NPM admin access required
## Step-by-Step Configuration
### 1. Access NPM Admin Panel
```bash
# Open in browser
http://192.168.200.71:81/
# Default credentials (if first time):
# Email: admin@example.com
# Password: changeme
```
### 2. Create Proxy Host
Navigate to: **Hosts****Proxy Hosts** → **Add Proxy Host**
#### Details Tab
**Domain Names:**
```
registry.directlx.dev
```
**Scheme:** `http`
**Forward Hostname / IP:** `192.168.200.200`
**Forward Port:** `5000`
**Options:**
- ☐ Cache Assets
- ☑ Block Common Exploits
- ☑ Websockets Support (for Docker registry v2 API)
- ☐ Access List
#### SSL Tab
**SSL Certificate:**
- Select existing Let's Encrypt certificate for `*.directlx.dev`, OR
- Request New SSL Certificate:
- ☑ Force SSL
- ☑ HTTP/2 Support
- ☑ HSTS Enabled
- ☑ HSTS Subdomains
- Email: `your-email@example.com`
- ☑ I Agree to the Let's Encrypt Terms of Service
**Note:** If using wildcard certificate, ensure DNS challenge is configured.
#### Advanced Tab (IMPORTANT for Docker Registry)
Add the following custom Nginx configuration:
```nginx
# Docker Registry v2 API requires specific headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Increase timeouts for large image pushes
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
# Disable buffering for chunked uploads
proxy_request_buffering off;
# Allow large body sizes for Docker images (5GB max)
client_max_body_size 5120M;
# Disable access log for registry (too verbose)
access_log off;
```
### 3. Save and Test
Click **Save** to create the proxy host.
### 4. Verify Configuration
#### Test DNS Resolution
```bash
nslookup registry.directlx.dev
# Should return: 192.168.200.71
```
#### Test HTTPS Access
```bash
curl -I https://registry.directlx.dev/v2/
# Expected: HTTP/2 200
```
#### Test Docker Registry API
```bash
# List repositories
curl -s https://registry.directlx.dev/v2/_catalog | jq '.'
# Expected output:
# {
# "repositories": [
# "atm-incident-backend",
# "hiveops-incident",
# ...
# ]
# }
```
#### Test Docker Pull
```bash
docker pull registry.directlx.dev/hiveops-incident:latest
```
## Troubleshooting
### 502 Bad Gateway
**Cause:** NPM can't reach backend registry
**Check backend is running:**
```bash
ansible docker -m shell -a "docker ps | grep registry"
ansible docker -m shell -a "curl -I http://localhost:5000/v2/"
```
**Check firewall:**
```bash
ansible docker -m shell -a "ufw status" -b
```
### SSL Certificate Error
**Cause:** Let's Encrypt can't verify domain
**Solution:**
1. Ensure port 80/443 are open on NPM server
2. Verify DNS propagation: `nslookup registry.directlx.dev`
3. Check NPM logs: **Tools** → **Error Logs**
### 413 Request Entity Too Large
**Cause:** `client_max_body_size` too small
**Solution:** Add to Advanced tab:
```nginx
client_max_body_size 5120M;
```
### Connection Timeout on Large Pushes
**Cause:** Timeout values too low
**Solution:** Add to Advanced tab:
```nginx
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
```
### Docker Push Hangs
**Cause:** Request buffering enabled
**Solution:** Add to Advanced tab:
```nginx
proxy_request_buffering off;
```
## Docker Client Configuration
### No Additional Configuration Required
With HTTPS enabled, Docker will work without insecure registry configuration:
```bash
# Just works!
docker pull registry.directlx.dev/my-image:latest
docker push registry.directlx.dev/my-image:latest
```
### Legacy HTTP Configuration (NOT RECOMMENDED)
If you need HTTP-only access (not recommended):
Edit `/etc/docker/daemon.json`:
```json
{
"insecure-registries": ["registry.directlx.dev"]
}
```
Restart Docker:
```bash
sudo systemctl restart docker
```
## Testing the Complete Setup
### 1. Tag and Push Test Image
```bash
# Pull a small test image
docker pull alpine:latest
# Tag for your registry
docker tag alpine:latest registry.directlx.dev/test-alpine:latest
# Push to registry
docker push registry.directlx.dev/test-alpine:latest
```
### 2. Verify Upload
```bash
# Check repository exists
curl -s https://registry.directlx.dev/v2/_catalog | jq '.repositories[] | select(. == "test-alpine")'
# Check tags
curl -s https://registry.directlx.dev/v2/test-alpine/tags/list | jq '.'
```
### 3. Pull from Another Machine
```bash
# Remove local image
docker rmi registry.directlx.dev/test-alpine:latest
# Pull from registry
docker pull registry.directlx.dev/test-alpine:latest
# Verify
docker images | grep test-alpine
```
### 4. Cleanup
```bash
# Remove test image from local
docker rmi alpine:latest registry.directlx.dev/test-alpine:latest
```
## NPM Configuration Summary
| Setting | Value |
|---------|-------|
| Domain | registry.directlx.dev |
| Scheme | http |
| Forward Host | 192.168.200.200 |
| Forward Port | 5000 |
| SSL | Enabled (Let's Encrypt) |
| Force SSL | Yes |
| HTTP/2 | Yes |
| HSTS | Yes |
| Max Body Size | 5120M |
| Timeouts | 300s |
## Security Considerations
### ✅ Implemented
- HTTPS/TLS encryption (via Let's Encrypt)
- SSL certificate validation
- Block common exploits enabled
- Large body size limits (prevents DoS)
- Access logging disabled (prevents log spam)
### ⚠️ Not Implemented (Consider for Production)
- Authentication (Docker registry supports basic auth, tokens, OAuth)
- Access lists (NPM can restrict by IP/network)
- Rate limiting (prevent abuse)
- Image scanning (vulnerability detection)
- Content trust (signed images)
### Authentication Setup (Optional)
To add basic authentication to the registry:
1. Generate htpasswd file on docker server:
```bash
ansible docker -m shell -a "docker run --rm --entrypoint htpasswd httpd:alpine -Bbn username password > /opt/docker-registry/auth/htpasswd"
```
2. Update registry configuration to use auth:
```yaml
auth:
htpasswd:
realm: Registry Realm
path: /auth/htpasswd
```
3. Restart registry container
4. Docker login:
```bash
docker login registry.directlx.dev
```
## Related Documentation
- [Docker Registry DNS Configuration](DOCKER-REGISTRY-DNS.md)
- [Local DNS Configuration](LOCAL-DNS-CONFIGURATION.md)
- [SSL Offloading Fix](SSL-OFFLOADING-FIX.md)
## Maintenance
### Update SSL Certificate
Certificates auto-renew via Let's Encrypt. To force renewal:
1. NPM Admin → **SSL Certificates**
2. Find `registry.directlx.dev` certificate
3. Click **...** → **Renew Certificate**
### Monitor Logs
```bash
# NPM access logs (if enabled)
ansible npm -m shell -a "tail -f /data/logs/proxy-host-*.log"
# NPM error logs
ansible npm -m shell -a "tail -f /data/logs/error.log"
# Registry logs
ansible docker -m shell -a "docker logs -f registry" -b
```
### Backup Configuration
```bash
# Backup NPM database
ansible npm -m shell -a "sqlite3 /data/database.sqlite .dump > /tmp/npm-backup.sql"
# Download backup
ansible npm -m fetch -a "src=/tmp/npm-backup.sql dest=./backups/"
```
---
**Created**: 2026-02-14
**Last Updated**: 2026-02-14
**Author**: DirectLX Infrastructure Team

244
docs/POSTGRES-USER-MANAGEMENT.md Normal file
View File

@ -0,0 +1,244 @@
# PostgreSQL User Management
This guide covers creating and managing PostgreSQL users on the postgres server (192.168.200.103).
## Quick Reference
### Create Superuser with Random Password
```bash
ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=hiveops pg_superuser=true"
```
### Create User with Specific Password
```bash
ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=myapp pg_password=SecurePass123"
```
### Create Database Creator User
```bash
ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=dbadmin pg_createdb=true"
```
### Create Basic User (No Special Privileges)
```bash
ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=readonly"
```
## Playbook Variables
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `pg_username` | Yes | - | PostgreSQL username to create |
| `pg_password` | No | Auto-generated | Password (random 32-char base64 if not provided) |
| `pg_superuser` | No | `false` | Grant SUPERUSER privilege |
| `pg_createdb` | No | `false` | Grant CREATEDB privilege |
| `pg_createrole` | No | `false` | Grant CREATEROLE privilege |
| `pg_login` | No | `true` | Allow user to login |
| `pg_save_credentials` | No | `false` | Save credentials to `/tmp/postgres-user-*.txt` |
## Examples
### Example 1: HiveOps Application User (Superuser)
```bash
ansible-playbook playbooks/create-postgres-user.yml \
-e "pg_username=hiveops" \
-e "pg_superuser=true" \
-e "pg_save_credentials=true"
```
**Output:**
- Random password generated
- Superuser privileges
- Credentials saved to `/tmp/postgres-user-hiveops-*.txt`
### Example 2: Application User with Database Creation
```bash
ansible-playbook playbooks/create-postgres-user.yml \
-e "pg_username=smartjournal" \
-e "pg_createdb=true" \
-e "pg_password=MySecurePassword123"
```
**Output:**
- Specific password used
- Can create databases
- Cannot create other users
### Example 3: Read-Only Application User
```bash
# First create the user
ansible-playbook playbooks/create-postgres-user.yml \
-e "pg_username=reporting"
# Then grant SELECT permissions manually
ansible postgres -m shell \
-a "psql -d mydb -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO reporting;'" \
--become-user=postgres -b
```
### Example 4: Multiple Users at Once
```bash
# Create a variables file
cat > /tmp/users.yml <<EOF
---
users:
- username: hiveops
superuser: true
- username: smartjournal
createdb: true
- username: readonly
superuser: false
EOF
# Run for each user
for user in hiveops smartjournal readonly; do
ansible-playbook playbooks/create-postgres-user.yml \
-e "pg_username=$user" \
-e "@/tmp/users.yml"
done
```
## Ad-Hoc User Management
### Change User Password
```bash
ansible postgres -m shell \
-a "psql -c \"ALTER USER hiveops WITH PASSWORD 'new_password';\"" \
--become-user=postgres -b
```
### Grant Superuser to Existing User
```bash
ansible postgres -m shell \
-a "psql -c 'ALTER USER myuser WITH SUPERUSER;'" \
--become-user=postgres -b
```
### Revoke Superuser from User
```bash
ansible postgres -m shell \
-a "psql -c 'ALTER USER myuser WITH NOSUPERUSER;'" \
--become-user=postgres -b
```
### List All Users
```bash
ansible postgres -m shell \
-a "psql -c '\du'" \
--become-user=postgres -b
```
### Drop User
```bash
ansible postgres -m shell \
-a "psql -c 'DROP USER myuser;'" \
--become-user=postgres -b
```
## Database Permissions
### Grant All Privileges on Database
```bash
ansible postgres -m shell \
-a "psql -c 'GRANT ALL PRIVILEGES ON DATABASE mydb TO hiveops;'" \
--become-user=postgres -b
```
### Grant SELECT on All Tables
```bash
ansible postgres -m shell \
-a "psql -d mydb -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;'" \
--become-user=postgres -b
```
### Grant CREATE on Schema
```bash
ansible postgres -m shell \
-a "psql -d mydb -c 'GRANT CREATE ON SCHEMA public TO myuser;'" \
--become-user=postgres -b
```
## Security Best Practices
1. **Use Strong Passwords**: Always use the auto-generated passwords or strong passwords (32+ characters)
2. **Principle of Least Privilege**: Only grant necessary permissions
3. **Superuser Sparingly**: Only create superusers when absolutely necessary
4. **Save Credentials Securely**: Use `pg_save_credentials=true` and move to vault
5. **Rotate Passwords**: Change passwords periodically for sensitive accounts
## Connection Examples
### psql Command Line
```bash
psql -h 192.168.200.103 -U hiveops -d mydatabase
```
### Spring Boot (application.properties)
```properties
spring.datasource.url=jdbc:postgresql://192.168.200.103:5432/hiveops
spring.datasource.username=hiveops
spring.datasource.password=j2ONAsFC6xPHk/VhktBE1qDKwUFsZQwjZvxf/rpViaE=
```
### Python (psycopg2)
```python
import psycopg2
conn = psycopg2.connect(
host="192.168.200.103",
port=5432,
database="hiveops",
user="hiveops",
password="j2ONAsFC6xPHk/VhktBE1qDKwUFsZQwjZvxf/rpViaE="
)
```
### Node.js (pg)
```javascript
const { Pool } = require('pg');
const pool = new Pool({
host: '192.168.200.103',
port: 5432,
database: 'hiveops',
user: 'hiveops',
password: 'j2ONAsFC6xPHk/VhktBE1qDKwUFsZQwjZvxf/rpViaE='
});
```
## Troubleshooting
### User Already Exists
The playbook will update the existing user with new privileges/password if it already exists.
### Permission Denied
Ensure you're using `-b` (become) flag and the postgres user exists on the server.
### Connection Refused
Check that PostgreSQL is listening on the network interface:
```bash
ansible postgres -m shell \
-a "grep listen_addresses /etc/postgresql/*/main/postgresql.conf" -b
```
Should be: `listen_addresses = '*'`
### Authentication Failed
Check `pg_hba.conf` for connection rules:
```bash
ansible postgres -m shell \
-a "cat /etc/postgresql/*/main/pg_hba.conf" -b
```
## History
### 2026-02-14
- Created playbook for automated PostgreSQL user creation
- Initial user created: `hiveops` (superuser)
- Password: `j2ONAsFC6xPHk/VhktBE1qDKwUFsZQwjZvxf/rpViaE=`
## Related Documentation
- [PostgreSQL Official Documentation](https://www.postgresql.org/docs/)
- [Security Best Practices](https://www.postgresql.org/docs/current/auth-methods.html)
- Ansible Project: `/source/dlx-src/dlx-ansible/`
- Playbook: `playbooks/create-postgres-user.yml`

7
host_vars/nginx.yml Normal file
View File

@ -0,0 +1,7 @@
---
# Nginx web server specific variables
common_firewall_allowed_ports:
- "22/tcp" # SSH
- "80/tcp" # HTTP
- "443/tcp" # HTTPS

40
playbooks/configure-directlx-dev-dns.yml Normal file
View File

@ -0,0 +1,40 @@
---
- name: Configure Pi-hole DNS for directlx.dev services (via NPM)
hosts: pihole
vars:
dns_domain: directlx.dev
# All services routed through NPM (192.168.200.71)
dns_records:
- { ip: "192.168.200.71", hostname: "www" }
- { ip: "192.168.200.71", hostname: "gitea" }
- { ip: "192.168.200.71", hostname: "mgmt" }
- { ip: "192.168.200.71", hostname: "hiveops" }
- { ip: "192.168.200.71", hostname: "browser" }
- { ip: "192.168.200.71", hostname: "smartjournal" }
- { ip: "192.168.200.71", hostname: "incidents" }
- { ip: "192.168.200.71", hostname: "remote" }
- { ip: "192.168.200.71", hostname: "registry" }
tasks:
- name: Copy DNS update script
ansible.builtin.template:
src: ../templates/pihole-hosts.py.j2
dest: /tmp/update_pihole_hosts_directlx.py
mode: '0755'
- name: Update Pi-hole DNS hosts for directlx.dev
ansible.builtin.command: python3 /tmp/update_pihole_hosts_directlx.py
register: update_result
changed_when: "'updated' in update_result.stdout.lower()"
notify: Restart pihole-FTL
- name: Cleanup script
ansible.builtin.file:
path: /tmp/update_pihole_hosts_directlx.py
state: absent
handlers:
- name: Restart pihole-FTL
ansible.builtin.systemd:
name: pihole-FTL
state: restarted

70
playbooks/configure-local-dns-localhost.yml Normal file
View File

@ -0,0 +1,70 @@
---
- name: Configure Local DNS Resolution on This Workstation
hosts: localhost
connection: local
become: true
vars:
npm_server_ip: "192.168.200.71"
directlx_domains:
- incident.directlx.dev
- hiveops.directlx.dev
- mgmt.directlx.dev
- release.directlx.dev
- gitea.directlx.dev
- smartjournal.directlx.dev
- directlx.dev
- www.directlx.dev
- registry.directlx.dev
tasks:
- name: Backup /etc/hosts
ansible.builtin.copy:
src: /etc/hosts
dest: "/etc/hosts.backup-{{ ansible_date_time.epoch }}"
remote_src: true
mode: '0644'
changed_when: false
- name: Add DirectLX local DNS entries
ansible.builtin.blockinfile:
path: /etc/hosts
marker: "# {mark} DirectLX Local DNS"
block: |
# DirectLX services - use local NPM server
{% for domain in directlx_domains %}
{{ npm_server_ip }} {{ domain }}
{% endfor %}
create: false
backup: false
- name: Test DNS resolution
ansible.builtin.shell: |
echo "Testing DNS resolution..."
getent hosts incident.directlx.dev
echo ""
echo "Testing HTTPS connectivity..."
curl -I --max-time 5 https://incident.directlx.dev 2>&1 | head -3
register: test_results
changed_when: false
failed_when: false
- name: Display results
ansible.builtin.debug:
msg: |
============================================================
✅ Local DNS Configuration Complete!
============================================================
{{ test_results.stdout }}
You can now access DirectLX services reliably:
- https://incident.directlx.dev
- https://hiveops.directlx.dev
- https://mgmt.directlx.dev
- https://release.directlx.dev
- https://gitea.directlx.dev
- https://smartjournal.directlx.dev
- https://registry.directlx.dev (Docker Registry)
All domains resolve to NPM: {{ npm_server_ip }}
============================================================

35
playbooks/configure-local-dns.yml Normal file
View File

@ -0,0 +1,35 @@
---
- name: Configure local machine to use Pi-hole DNS
hosts: localhost
connection: local
become: true
vars:
pihole_ip: 192.168.200.100
tasks:
- name: Create systemd-resolved drop-in directory
ansible.builtin.file:
path: /etc/systemd/resolved.conf.d
state: directory
mode: '0755'
- name: Configure systemd-resolved to use Pi-hole
ansible.builtin.copy:
dest: /etc/systemd/resolved.conf.d/pihole.conf
content: |
[Resolve]
DNS={{ pihole_ip }}
FallbackDNS=8.8.8.8 8.8.4.4
Domains=~.
mode: '0644'
notify: Restart systemd-resolved
- name: Flush DNS cache
ansible.builtin.command: resolvectl flush-caches
changed_when: false
handlers:
- name: Restart systemd-resolved
ansible.builtin.systemd:
name: systemd-resolved
state: restarted

149
playbooks/create-postgres-user.yml Normal file
View File

@ -0,0 +1,149 @@
---
# Playbook: Create PostgreSQL User
# Description: Creates a PostgreSQL user with specified privileges
# Usage:
# Basic user:
# ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=myuser"
#
# With specific password:
# ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=myuser pg_password=mypassword"
#
# With specific privileges:
# ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=myuser pg_superuser=true"
# ansible-playbook playbooks/create-postgres-user.yml -e "pg_username=myuser pg_createdb=true"
#
# Variables:
# pg_username: Username to create (required)
# pg_password: Password for user (optional, will generate random if not provided)
# pg_superuser: Grant SUPERUSER privilege (default: false)
# pg_createdb: Grant CREATEDB privilege (default: false)
# pg_createrole: Grant CREATEROLE privilege (default: false)
# pg_login: Allow user to login (default: true)
- name: Create PostgreSQL User
hosts: postgres
become: true
gather_facts: false
vars:
pg_superuser: false
pg_createdb: false
pg_createrole: false
pg_login: true
pg_generate_password: "{{ pg_password is not defined }}"
tasks:
- name: Validate required variables
ansible.builtin.assert:
that:
- pg_username is defined
- pg_username | length > 0
fail_msg: "pg_username is required. Usage: ansible-playbook playbooks/create-postgres-user.yml -e 'pg_username=myuser'"
- name: Generate random password if not provided
ansible.builtin.shell: openssl rand -base64 32
register: generated_password
delegate_to: localhost
become: false
when: pg_generate_password | bool
changed_when: false
- name: Set password variable
ansible.builtin.set_fact:
pg_password: "{{ generated_password.stdout if pg_generate_password | bool else pg_password }}"
- name: Build role attributes
ansible.builtin.set_fact:
role_attrs: >-
{{
(pg_superuser | bool) | ternary('SUPERUSER', 'NOSUPERUSER')
}}
{{
(pg_createdb | bool) | ternary('CREATEDB', 'NOCREATEDB')
}}
{{
(pg_createrole | bool) | ternary('CREATEROLE', 'NOCREATEROLE')
}}
{{
(pg_login | bool) | ternary('LOGIN', 'NOLOGIN')
}}
- name: Check if user already exists
ansible.builtin.shell: |
psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='{{ pg_username }}'"
become_user: postgres
register: user_exists
changed_when: false
failed_when: false
- name: Create PostgreSQL user
ansible.builtin.shell: |
psql -c "CREATE USER {{ pg_username }} WITH {{ role_attrs }} PASSWORD '{{ pg_password }}';"
become_user: postgres
when: user_exists.stdout != "1"
register: user_created
- name: Update existing user
ansible.builtin.shell: |
psql -c "ALTER USER {{ pg_username }} WITH {{ role_attrs }} PASSWORD '{{ pg_password }}';"
become_user: postgres
when: user_exists.stdout == "1"
register: user_updated
- name: Verify user creation
ansible.builtin.shell: |
psql -c '\du {{ pg_username }}'
become_user: postgres
register: user_details
changed_when: false
- name: Display user information
ansible.builtin.debug:
msg:
- "=========================================="
- "PostgreSQL User Created Successfully"
- "=========================================="
- "Username: {{ pg_username }}"
- "Password: {{ pg_password }}"
- "Server: {{ ansible_host }}"
- "Port: 5432"
- ""
- "Connection String:"
- "postgresql://{{ pg_username }}:{{ pg_password }}@{{ ansible_host }}:5432/database_name"
- ""
- "Privileges:"
- " Superuser: {{ pg_superuser }}"
- " Create DB: {{ pg_createdb }}"
- " Create Role: {{ pg_createrole }}"
- " Login: {{ pg_login }}"
- ""
- "User Details:"
- "{{ user_details.stdout_lines }}"
- ""
- "⚠️ IMPORTANT: Save this password securely!"
- "=========================================="
- name: Save credentials to file (optional)
ansible.builtin.copy:
content: |
# PostgreSQL User Credentials
# Created: {{ ansible_date_time.iso8601 }}
Username: {{ pg_username }}
Password: {{ pg_password }}
Server: {{ ansible_host }}
Port: 5432
Connection String:
postgresql://{{ pg_username }}:{{ pg_password }}@{{ ansible_host }}:5432/database_name
Privileges:
- Superuser: {{ pg_superuser }}
- Create DB: {{ pg_createdb }}
- Create Role: {{ pg_createrole }}
- Login: {{ pg_login }}
dest: "/tmp/postgres-user-{{ pg_username }}-{{ ansible_date_time.epoch }}.txt"
mode: '0600'
delegate_to: localhost
become: false
when: pg_save_credentials | default(false) | bool