Add postgres stunnel and service bootstrap

databases/postgres.nomad

@@ -17,9 +17,10 @@ job "postgres-server" {
       mode = "bridge"
 
       port "db" {
-        to = 5432
-        host_network = "wesher"
+        static = 5432
       }
+
+      port "tls" {}
     }
 
     volume "postgres-data" {
@@ -34,6 +35,12 @@ job "postgres-server" {
       port = "db"
     }
 
+    service {
+      name = "postgres-tls"
+      provider = "nomad"
+      port = "tls"
+    }
+
     task "postgres-server" {
       driver = "docker"
 
@@ -69,5 +76,53 @@ POSTGRES_PASSWORD={{ .superuser_pass }}
         memory = 256
       }
     }
+
+    task "stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        ports = ["tls"]
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[postgres_server]
+accept = {{ env "NOMAD_PORT_tls" }}
+connect = 127.0.0.1:5432
+ciphers = PSK
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/postgres-server/postgres-server/stunnel" -}}
+{{ .allowed_psks }}
+{{- end }}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
   }
 }

services/service/main.tf

@@ -28,10 +28,12 @@ resource "nomad_job" "service" {
     templates    = var.templates
     host_volumes = var.host_volumes
 
-    use_mysql = var.use_mysql || var.mysql_bootstrap != null
-    use_redis = var.use_redis
-    use_ldap  = var.use_ldap
+    use_mysql    = var.use_mysql || var.mysql_bootstrap != null
+    use_redis    = var.use_redis
+    use_ldap     = var.use_ldap
+    use_postgres = var.use_postgres || var.postgres_bootstrap != null
 
-    mysql_bootstrap = var.mysql_bootstrap
+    mysql_bootstrap    = var.mysql_bootstrap
+    postgres_bootstrap = var.postgres_bootstrap
   })
 }

services/service/service_template.nomad

@@ -179,7 +179,7 @@ EOF
     }
 
     %{ if mysql_bootstrap != null ~}
-    task "${name}-bootstrap" {
+    task "mysql-bootstrap" {
       driver = "docker"
 
       lifecycle {
@@ -243,7 +243,73 @@ SELECT 'NOOP';
     }
     %{ endif }
 
-    %{ if use_mysql || use_redis || use_ldap ~}
+    %{ if postgres_bootstrap != null ~}
+    task "postgres-bootstrap" {
+      driver = "docker"
+
+      lifecycle {
+        hook = "prestart"
+        sidecar = false
+      }
+
+      config {
+        image = "postgres:14"
+        args = [
+          "/usr/bin/timeout",
+          "2m",
+          "/bin/bash",
+          "-c",
+          "until /bin/bash $${NOMAD_TASK_DIR}/bootstrap.sh; do sleep 10; done",
+        ]
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/${name}" -}}
+/usr/bin/createdb {{ .${postgres_bootstrap.db_name_key} }}
+{{ end }}
+/usr/bin/psql -X -f $${NOMAD_SECRETS_DIR/bootstrap.sql
+EOF
+        destination = "$${NOMAD_TASK_DIR}/boostrap.sh"
+      }
+
+      template {
+        data = <<EOF
+PGHOSTADDR=127.0.0.1
+PGPORT=5432
+{{ with nomadVar "nomad/jobs/${name}/${name}/bootstrap" }}
+PGUSER={{ .superuser }}
+# TODO: Passfile?
+PGPASSWORD={{ .superuser_pass }}
+{{ end }}
+        EOF
+        destination = "$${NOMAD_SECRETS_DIR}/db.env"
+        env = true
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/${name}" -}}
+DO $$
+BEGIN
+CREATE ROLE {{ .${postgres_bootstrap.db_user_key} }} LOGIN PASSWORD '{{ .${postgres_bootstrap.db_pass_key} }}';
+GRANT ALL ON DATABASE "{{ .${postgres_bootstrap.db_name_key} }}" TO {{ .${postgres_bootstrap.db_user_key} }};
+EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
+END
+$$;
+{{ end }}
+        EOF
+        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
+      }
+
+      resources {
+        cpu = 50
+        memory = 50
+      }
+    }
+    %{ endif }
+
+    %{ if use_mysql || use_redis || use_ldap || use_postgres ~}
     task "stunnel" {
       driver = "docker"
 
@@ -305,6 +371,16 @@ accept = 127.0.0.1:389
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt
+%{~ endif }
+
+%{~ if use_postgres }
+[postgres_client]
+client = yes
+accept = 127.0.0.1:5432
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "postgres-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/postgres_stunnel_psk.txt
 %{~ endif }
         EOF
         destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
@@ -334,6 +410,14 @@ EOF
         destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
       }
       %{~ endif }
+      %{~ if use_postgres }
+      template {
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/${name}/${name}/stunnel" }}{{ .postgres_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/postgres_stunnel_psk.txt"
+      }
+      %{~ endif }
     }
     %{~ endif }
   }

services/service/vars.tf

@@ -165,6 +165,11 @@ variable "use_ldap" {
   default = false
 }
 
+variable "use_postgres" {
+  type    = bool
+  default = false
+}
+
 variable "mysql_bootstrap" {
   type = object({
     enabled     = optional(bool, true)
@@ -177,6 +182,17 @@ variable "mysql_bootstrap" {
   default = null
 }
 
+variable "postgres_bootstrap" {
+  type = object({
+    enabled     = optional(bool, true)
+    db_name_key = optional(string, "db_name")
+    db_user_key = optional(string, "db_user")
+    db_pass_key = optional(string, "db_pass")
+  })
+
+  default = null
+}
+
 variable "constraints" {
   type = list(object({
     attribute = optional(string, "")