Default

Pigsty 4-node local sandbox demo config

  1. ---
  2. ######################################################################
  3. # File : pigsty.yml
  4. # Desc : Pigsty 4-node local sandbox demo config
  5. # Link : https://pigsty.cc/#/v-config
  6. # Ctime : 2020-05-22
  7. # Mtime : 2022-05-22
  8. # Copyright (C) 2018-2022 Ruohang Feng (rh@vonng.com)
  9. ######################################################################
  10. ######################################################################
  11. # Sandbox (4-node) #
  12. #====================================================================#
  13. # admin user : vagrant (nopass ssh & sudo already set) #
  14. # 1. meta : 10.10.10.10 (2 Core | 4GB) pg-meta #
  15. # 2. node-1 : 10.10.10.11 (1 Core | 1GB) pg-test-1 #
  16. # 3. node-2 : 10.10.10.12 (1 Core | 1GB) pg-test-2 #
  17. # 4. node-3 : 10.10.10.13 (1 Core | 1GB) pg-test-3 #
  18. # (replace these ip if your 4-node env have different ip addr) #
  19. # VIP 2: (l2 vip is available inside same LAN ) #
  20. # pg-meta ---> 10.10.10.2 ---> 10.10.10.10 #
  21. # pg-test ---> 10.10.10.3 ---> 10.10.10.1{1,2,3} #
  22. ######################################################################
  23. all:
  24. ##################################################################
  25. # CLUSTERS #
  26. ##################################################################
  27. # meta nodes, nodes, pgsql, redis, pgsql clusters are defined as
  28. # k:v pair inside `all.children`. Where the key is cluster name
  29. # and value is cluster definition consist of two parts:
  30. # `hosts`: cluster members ip and instance level variables
  31. # `vars` : cluster level variables
  32. ##################################################################
  33. children: # groups definition
  34. #================================================================#
  35. # Meta Nodes: Admin Controller #
  36. #================================================================#
  37. meta: # meta nodes are defined in this special group "meta"
  38. vars:
  39. meta_node: true # mark this group as meta nodes
  40. ansible_group_priority: 99 # overwrite with the highest priority
  41. nginx_enabled: true # setup repo & underlying nginx
  42. nameserver_enabled: false # setup dnsmasq
  43. prometheus_enabled: true # setup prometheus
  44. grafana_enabled: true # setup grafana
  45. loki_enabled: true # setup loki
  46. docker_enabled: true # setup docker
  47. dcs_safeguard: false # protect dcs server from fat fingers
  48. hosts: # add nodes to group 'meta'
  49. 10.10.10.10: { }
  50. # 10.10.10.11: { nginx_enabled: false }
  51. # 10.10.10.12: { nginx_enabled: false }
  52. #================================================================#
  53. #================================================================#
  54. # PGSQL Clusters #
  55. #================================================================#
  56. #----------------------------------#
  57. # pgsql cluster: pg-meta (CMDB) #
  58. #----------------------------------#
  59. # EXAMPLE pg-meta is the default SINGLE-NODE pgsql cluster deployed on meta node (10.10.10.10)
  60. pg-meta: # [REQUIRED], ansible group name , pgsql cluster name. should be unique among environment
  61. hosts: # `<cluster>.hosts` holds instances definition of this cluster
  62. 10.10.10.10: # [REQUIRED]: ip address is the key. values are instance level config entries (dict)
  63. pg_seq: 1 # [REQUIRED], unique identity parameter (+integer) among pg_cluster
  64. pg_role: primary # [REQUIRED], pg_role is mandatory identity parameter, primary|replica|offline
  65. pg_offline_query: true # instance with `pg_offline_query: true` will take offline traffic (saga, etl,...)
  66. # pg_upstream: x.x.x.x # some other variables can be overwritten on instance level. e.g: pg_upstream, pg_weight, etc...
  67. # pg_weight: 100 # load balance weight for this instance
  68. vars: # `<cluster>.vars` holds CLUSTER LEVEL CONFIG of this pgsql cluster
  69. pg_cluster: pg-meta # [REQUIRED], pgsql cluster name, unique among cluster, used as namespace of cluster resources
  70. # all vars below are [OPTIONAL] (overwrite global default)
  71. pg_version: 14 # pgsql version to be installed (use global version if missing)
  72. node_tune: tiny # node optimization profile: {oltp|olap|crit|tiny}, use tiny for vm sandbox
  73. pg_conf: tiny.yml # pgsql template: {oltp|olap|crit|tiny}, use tiny for sandbox
  74. patroni_watchdog_mode: off # disable patroni watchdog on meta node {off|require|automatic}
  75. pg_lc_ctype: en_US.UTF8 # use en_US.UTF8 locale for i18n char support (required by `pg_trgm`)
  76. # define business database meta , used as CMDB & default database for single-node setup
  77. pg_databases: # define business databases on this cluster, array of database definition
  78. - name: meta # required, `name` is the only mandatory field of a database definition
  79. baseline: cmdb.sql # optional, database sql baseline path, (relative path among ansible search path, e.g files/)
  80. # owner: postgres # optional, database owner, postgres by default
  81. # template: template1 # optional, which template to use, template1 by default
  82. # encoding: UTF8 # optional, database encoding, UTF8 by default. (MUST same as template database)
  83. # locale: C # optional, database locale, C by default. (MUST same as template database)
  84. # lc_collate: C # optional, database collate, C by default. (MUST same as template database)
  85. # lc_ctype: C # optional, database ctype, C by default. (MUST same as template database)
  86. # tablespace: pg_default # optional, default tablespace, 'pg_default' by default.
  87. # allowconn: true # optional, allow connection, true by default. false will disable connect at all
  88. # revokeconn: false # optional, revoke public connection privilege. false by default. (leave connect with grant option to owner)
  89. # pgbouncer: true # optional, add this database to pgbouncer database list? true by default
  90. comment: pigsty meta database # optional, comment string for this database
  91. connlimit: -1 # optional, database connection limit, default -1 disable limit
  92. schemas: [pigsty] # optional, additional schemas to be created, array of schema names
  93. extensions: # optional, additional extensions to be installed: array of schema definition `{name,schema}`
  94. - { name: adminpack, schema: pg_catalog } # install adminpack to pg_catalog
  95. - { name: postgis, schema: public } # if schema is omitted, extension will be installed according to search_path.
  96. - { name: timescaledb } # some extensions are not relocatable, you can just omit the schema part
  97. - { name: grafana, owner: dbuser_grafana , revokeconn: true , comment: grafana primary database }
  98. - { name: bytebase, owner: dbuser_bytebase , revokeconn: true , comment: bytebase primary database }
  99. - { name: kong, owner: dbuser_kong , revokeconn: true , comment: kong the api gateway database }
  100. # define business users for this cluster
  101. pg_users: # define business users/roles on this cluster, array of user definition
  102. # define admin user for meta database (This user are used for pigsty app deployment by default)
  103. - name: dbuser_meta # required, `name` is the only mandatory field of a user definition
  104. password: md5d3d10d8cad606308bdb180148bf663e1 # md5 salted password of 'DBUser.Meta'
  105. # optional, plain text and md5 password are both acceptable (prefixed with `md5`)
  106. login: true # optional, can login, true by default (new biz ROLE should be false)
  107. superuser: false # optional, is superuser? false by default
  108. createdb: false # optional, can create database? false by default
  109. createrole: false # optional, can create role? false by default
  110. inherit: true # optional, can this role use inherited privileges? true by default
  111. replication: false # optional, can this role do replication? false by default
  112. bypassrls: false # optional, can this role bypass row level security? false by default
  113. pgbouncer: true # optional, add this user to pgbouncer user-list? false by default (production user should be true explicitly)
  114. connlimit: -1 # optional, user connection limit, default -1 disable limit
  115. expire_in: 3650 # optional, now + n days when this role is expired (OVERWRITE expire_at)
  116. expire_at: '2030-12-31' # optional, YYYY-MM-DD 'timestamp' when this role is expired (OVERWRITTEN by expire_in)
  117. comment: pigsty admin user # optional, comment string for this user/role
  118. roles: [dbrole_admin] # optional, belonged roles. default roles are: dbrole_{admin,readonly,readwrite,offline}
  119. parameters: {} # optional, role level parameters with `ALTER ROLE SET`
  120. # search_path: public # key value config parameters according to postgresql documentation (e.g: use pigsty as default search_path)
  121. - {name: dbuser_view ,password: DBUser.Viewer ,pgbouncer: true ,roles: [dbrole_readonly], comment: read-only viewer for meta database}
  122. - {name: dbuser_grafana ,password: DBUser.Grafana ,pgbouncer: true ,roles: [dbrole_admin] ,comment: admin user for grafana database }
  123. - {name: dbuser_bytebase ,password: DBUser.Bytebase ,pgbouncer: true ,roles: [dbrole_admin] ,comment: admin user for bytebase database }
  124. - {name: dbuser_kong ,password: DBUser.Kong ,pgbouncer: true ,roles: [dbrole_admin] ,comment: admin user for kong api gateway }
  125. pg_hba_rules_extra:
  126. - title: allow grafana bytebase kong intranet access
  127. role: common
  128. rules:
  129. - host kong dbuser_kong 10.0.0.0/8 md5
  130. - host bytebase dbuser_bytebase 10.0.0.0/8 md5
  131. - host grafana dbuser_grafana 10.0.0.0/8 md5
  132. vip_mode: l2
  133. vip_address: 10.10.10.2
  134. vip_cidrmask: 8
  135. vip_interface: eth1
  136. node_crontab:
  137. - '00 01 * * * postgres /pg/bin/pg-backup 2>>/pg/log/backup.log'
  138. #----------------------------------#
  139. # pgsql cluster: pg-test (3 nodes) #
  140. #----------------------------------#
  141. # pg-test ---> 10.10.10.3 ---> 10.10.10.1{1,2,3}
  142. pg-test: # define the new 3-node cluster pg-test
  143. hosts:
  144. 10.10.10.11: { pg_seq: 1, pg_role: primary } # primary instance, leader of cluster
  145. 10.10.10.12: { pg_seq: 2, pg_role: replica } # replica instance, follower of leader
  146. 10.10.10.13: { pg_seq: 3, pg_role: replica, pg_offline_query: true } # replica with offline access
  147. vars:
  148. pg_cluster: pg-test # define pgsql cluster name
  149. pg_version: 14 # test postgresql 13 with pg-test cluster
  150. pg_users:
  151. - name: test
  152. password: test
  153. pgbouncer: true
  154. roles: [ dbrole_admin ]
  155. pg_databases: # create a database and user named 'test'
  156. - name: test
  157. vip_mode: l2 # enable/disable vip (require members in same LAN)
  158. vip_address: 10.10.10.3 # virtual ip address for this cluster
  159. vip_cidrmask: 8 # cidr network mask length
  160. vip_interface: eth1 # interface to add virtual ip
  161. pg_services_extra: # extra services in addition to pg_services_default, array of service definition
  162. # standby service will route {ip|name}:5435 to sync replica's pgbouncer (5435->6432 standby)
  163. - name: standby # required, service name, the actual svc name will be prefixed with `pg_cluster`, e.g: pg-meta-standby
  164. src_ip: "*" # required, service bind ip address, `*` for all ip, `vip` for cluster `vip_address`
  165. src_port: 5435 # required, service exposed port (work as kubernetes service node port mode)
  166. dst_port: pgbouncer # optional, destination port, postgres|pgbouncer|<port_number> , pgbouncer(6432) by default
  167. check_method: http # optional, health check method: http is the only available method for now
  168. check_port: patroni # optional, health check port: patroni|pg_exporter|<port_number> , patroni(8008) by default
  169. check_url: /sync # optional, health check url path, /read-only?lag=0 by default
  170. check_code: 200 # optional, health check expected http code, 200 by default
  171. selector: "[]" # required, JMESPath to filter inventory ()
  172. selector_backup: "[? pg_role == `primary`]" # primary used as backup server for standby service (will not work because /sync for )
  173. haproxy: # optional, adhoc parameters for haproxy service provider (vip_l4 is another service provider)
  174. maxconn: 3000 # optional, max allowed front-end connection
  175. balance: roundrobin # optional, haproxy load balance algorithm (roundrobin by default, other: leastconn)
  176. default_server_options: 'inter 3s fastinter 1s downinter 5s rise 3 fall 3 on-marked-down shutdown-sessions slowstart 30s maxconn 3000 maxqueue 128 weight 100'
  177. #================================================================#
  178. # REDIS Clusters #
  179. #================================================================#
  180. #----------------------------------#
  181. # redis sentinel example #
  182. #----------------------------------#
  183. redis-meta:
  184. hosts:
  185. 10.10.10.10:
  186. redis_node: 1
  187. redis_instances: { 6001 : {} ,6002 : {} , 6003 : {} }
  188. vars:
  189. redis_cluster: redis-meta
  190. redis_mode: sentinel
  191. redis_max_memory: 64MB
  192. #----------------------------------#
  193. # redis cluster example #
  194. #----------------------------------#
  195. redis-test:
  196. hosts:
  197. 10.10.10.11:
  198. redis_node: 1
  199. redis_instances: { 6501 : {} ,6502 : {} ,6503 : {} ,6504 : {} ,6505 : {} ,6506 : {} }
  200. 10.10.10.12:
  201. redis_node: 2
  202. redis_instances: { 6501 : {} ,6502 : {} ,6503 : {} ,6504 : {} ,6505 : {} ,6506 : {} }
  203. vars:
  204. redis_cluster: redis-test # name of this redis 'cluster'
  205. redis_mode: cluster # standalone,cluster,sentinel
  206. redis_max_memory: 32MB # max memory used by each redis instance
  207. redis_mem_policy: allkeys-lru # memory eviction policy
  208. #----------------------------------#
  209. # redis standalone example #
  210. #----------------------------------#
  211. redis-common:
  212. hosts:
  213. 10.10.10.13:
  214. redis_node: 1
  215. redis_instances:
  216. 6501: {}
  217. 6502: { replica_of: '10.10.10.13 6501' }
  218. 6503: { replica_of: '10.10.10.13 6501' }
  219. vars:
  220. redis_cluster: redis-common # name of this redis 'cluster'
  221. redis_mode: standalone # standalone,cluster,sentinel
  222. redis_max_memory: 64MB # max memory used by each redis instance
  223. ####################################################################
  224. # VARS #
  225. ####################################################################
  226. vars: # global variables
  227. version: v1.5.1 # pigsty version string
  228. #================================================================#
  229. # VARS: INFRA #
  230. #================================================================#
  231. #-----------------------------------------------------------------
  232. # CONNECT
  233. #-----------------------------------------------------------------
  234. # INSTANCE level ansible connect parameters
  235. # ansible_user: vagrant # which user to be used (when connecting to remote nodes)
  236. # ansible_port: 22 # which port to be used (when connecting to remote nodes)
  237. # ansible_host: meta # ssh alias host name (when connecting to remote nodes)
  238. # ansible_ssh_private_key_file: ~/.ssh/id_rsa # ssh private key file
  239. # ansible_ssh_common_args: '-o StrictHostKeyChecking=no' # ssh common args
  240. proxy_env: # global proxy env when downloading packages
  241. no_proxy: "localhost,127.0.0.1,10.0.0.0/8,192.168.0.0/16,*.pigsty,*.aliyun.com,mirrors.*,*.myqcloud.com,*.tsinghua.edu.cn"
  242. # http_proxy: # set your proxy here: e.g http://user:pass@proxy.xxx.com
  243. # https_proxy: # set your proxy here: e.g http://user:pass@proxy.xxx.com
  244. # all_proxy: # set your proxy here: e.g http://user:pass@proxy.xxx.com
  245. #-----------------------------------------------------------------
  246. # CA
  247. #-----------------------------------------------------------------
  248. ca_method: create # create|copy|recreate
  249. ca_subject: "/CN=root-ca" # self-signed CA subject
  250. ca_homedir: /ca # ca cert directory
  251. ca_cert: ca.crt # ca public key/cert
  252. ca_key: ca.key # ca private key
  253. #-----------------------------------------------------------------
  254. # NGINX
  255. #-----------------------------------------------------------------
  256. nginx_enabled: true # build local repo on this node
  257. nginx_port: 80 # repo listen address, must same as repo_address
  258. nginx_home: /www # default repo home dir
  259. nginx_upstream: # domain names and upstream servers
  260. - { name: home , domain: pigsty , endpoint: "10.10.10.10:80" }
  261. - { name: grafana , domain: g.pigsty , endpoint: "10.10.10.10:3000" }
  262. - { name: loki , domain: l.pigsty , endpoint: "10.10.10.10:3100" }
  263. - { name: prometheus , domain: p.pigsty , endpoint: "10.10.10.10:9090" }
  264. - { name: alertmanager , domain: a.pigsty , endpoint: "10.10.10.10:9093" }
  265. - { name: consul , domain: c.pigsty , endpoint: "127.0.0.1:8500" } #== ^ required ==#
  266. - { name: postgrest , domain: api.pigsty , endpoint: "127.0.0.1:8884" } #== v optional ==#
  267. - { name: pgadmin , domain: adm.pigsty , endpoint: "127.0.0.1:8885" }
  268. - { name: pgweb , domain: cli.pigsty , endpoint: "127.0.0.1:8886" }
  269. - { name: bytebase , domain: ddl.pigsty , endpoint: "127.0.0.1:8887" }
  270. - { name: jupyter , domain: lab.pigsty , endpoint: "127.0.0.1:8888" }
  271. - { name: gitea , domain: git.pigsty , endpoint: "127.0.0.1:8889" }
  272. - { name: minio , domain: sss.pigsty , endpoint: "127.0.0.1:9000" }
  273. nginx_indexes: # application nav links on home page
  274. - { name: PgAdmin4 , url : 'http://adm.pigsty' , comment: 'PgAdmin4 for PostgreSQL' }
  275. - { name: PGWeb , url : 'http://cli.pigsty' , comment: 'PGWEB Browser Client' }
  276. - { name: ByteBase , url : 'http://ddl.pigsty' , comment: 'ByteBase Schema Migrator' }
  277. - { name: PostgREST , url : 'http://api.pigsty' , comment: 'Kong API Gateway' }
  278. - { name: Gitea , url : 'http://git.pigsty' , comment: 'Minio Object Storage' }
  279. - { name: Minio , url : 'http://sss.pigsty' , comment: 'Minio Object Storage' }
  280. - { name: Explain , url : '/pev2' , comment: 'postgres explain visualizer' }
  281. - { name: Package , url : '/pigsty' , comment: 'local yum repo packages' }
  282. - { name: PG Logs , url : '/logs' , comment: 'postgres raw csv logs' }
  283. - { name: Schemas , url : '/schema' , comment: 'schemaspy summary report' }
  284. - { name: Reports , url : '/report' , comment: 'pgbadger summary report' }
  285. - { name: ISD , url : '${grafana}/d/isd-overview' , comment: 'noaa isd data visualization' }
  286. - { name: Covid , url : '${grafana}/d/covid-overview' , comment: 'covid data visualization' }
  287. - { name: Worktime , url : '${grafana}/d/worktime-overview' , comment: 'worktime query' }
  288. - { name: DBTrend , url : '${grafana}/d/dbeng-trending' , comment: 'DB Engine Trending Graph' }
  289. #-----------------------------------------------------------------
  290. # REPO
  291. #-----------------------------------------------------------------
  292. repo_name: pigsty # repo name, pigsty by default
  293. repo_address: pigsty # external address to this repo (ip:port or url)
  294. repo_rebuild: false # force re-download packages
  295. repo_remove: true # remove existing upstream repo
  296. repo_upstreams: # where to download packages?
  297. - name: base
  298. description: CentOS-$releasever - Base
  299. gpgcheck: no
  300. baseurl:
  301. - https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/os/$basearch/
  302. - http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
  303. - http://mirror.centos.org/centos/$releasever/os/$basearch/
  304. - name: updates
  305. description: CentOS-$releasever - Updates
  306. gpgcheck: no
  307. baseurl:
  308. - https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/updates/$basearch/
  309. - http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
  310. - http://mirror.centos.org/centos/$releasever/updates/$basearch/
  311. - name: extras
  312. description: CentOS-$releasever - Extras
  313. baseurl:
  314. - https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/extras/$basearch/
  315. - http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
  316. - http://mirror.centos.org/centos/$releasever/extras/$basearch/
  317. gpgcheck: no
  318. - name: epel
  319. description: CentOS $releasever - epel
  320. gpgcheck: no
  321. baseurl:
  322. - https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/$basearch
  323. - http://mirrors.aliyun.com/epel/$releasever/$basearch
  324. - http://download.fedoraproject.org/pub/epel/$releasever/$basearch
  325. - name: grafana
  326. description: Grafana Official Yum Repo
  327. enabled: yes
  328. gpgcheck: no
  329. baseurl:
  330. - https://mirrors.tuna.tsinghua.edu.cn/grafana/yum/rpm
  331. - https://packages.grafana.com/oss/rpm
  332. - name: prometheus
  333. description: Prometheus and exporters
  334. gpgcheck: no
  335. baseurl: https://packagecloud.io/prometheus-rpm/release/el/$releasever/$basearch
  336. - name: pgdg-common
  337. description: PostgreSQL common RPMs for RHEL/CentOS $releasever - $basearch
  338. gpgcheck: no
  339. baseurl:
  340. - http://mirrors.tuna.tsinghua.edu.cn/postgresql/repos/yum/common/redhat/rhel-$releasever-$basearch
  341. - https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-$releasever-$basearch
  342. - name: pgdg14
  343. description: PostgreSQL 14 for RHEL/CentOS $releasever - $basearch
  344. gpgcheck: no
  345. baseurl:
  346. - https://mirrors.tuna.tsinghua.edu.cn/postgresql/repos/yum/14/redhat/rhel-$releasever-$basearch
  347. - https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-$releasever-$basearch
  348. - name: timescaledb
  349. description: TimescaleDB for RHEL/CentOS $releasever - $basearch
  350. gpgcheck: no
  351. baseurl:
  352. - https://packagecloud.io/timescale/timescaledb/el/7/$basearch
  353. - name: centos-sclo
  354. description: CentOS-$releasever - SCLo
  355. gpgcheck: no
  356. #mirrorlist: http://mirrorlist.centos.org?arch=$basearch&release=$releasever&repo=sclo-sclo
  357. baseurl: http://mirrors.aliyun.com/centos/$releasever/sclo/$basearch/sclo/
  358. - name: centos-sclo-rh
  359. description: CentOS-$releasever - SCLo rh
  360. gpgcheck: no
  361. #mirrorlist: http://mirrorlist.centos.org?arch=$basearch&release=7&repo=sclo-rh
  362. baseurl: http://mirrors.aliyun.com/centos/$releasever/sclo/$basearch/rh/
  363. - name: nginx
  364. description: Nginx Official Yum Repo
  365. skip_if_unavailable: true
  366. gpgcheck: no
  367. baseurl: http://nginx.org/packages/centos/$releasever/$basearch/
  368. - name: harbottle # for latest consul & kubernetes
  369. description: Copr repo for main owned by harbottle
  370. skip_if_unavailable: true
  371. gpgcheck: no
  372. baseurl: https://download.copr.fedorainfracloud.org/results/harbottle/main/epel-$releasever-$basearch/
  373. - name: pg_probackup # for pg_probackup
  374. description: PG_PROBACKUP Centos packages for PostgresPro Standard and Enterprise - $basearch
  375. skip_if_unavailable: true
  376. gpgcheck: no
  377. baseurl: https://repo.postgrespro.ru/pg_probackup-forks/rpm/latest/centos-$releasever-$basearch
  378. - name: docker-ce # for latest docker
  379. description: Docker CE Stable - $basearch
  380. skip_if_unavailable: true
  381. gpgcheck: no
  382. baseurl:
  383. - https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/stable
  384. - https://download.docker.com/linux/centos/$releasever/$basearch/stable
  385. repo_packages: # which packages to be included # what to download #
  386. - epel-release nginx wget yum-utils yum createrepo sshpass zip unzip # ---- boot ---- #
  387. - ntp chrony uuid lz4 bzip2 nc pv jq vim-enhanced make patch bash lsof wget git tuned perf ftp lrzsz rsync # ---- node ---- #
  388. - numactl grubby sysstat dstat iotop bind-utils net-tools tcpdump socat ipvsadm telnet ca-certificates keepalived # ----- utils ----- #
  389. - readline zlib openssl openssh-clients libyaml libxml2 libxslt libevent perl perl-devel perl-ExtUtils* # --- deps:pg --- #
  390. - readline-devel zlib-devel uuid-devel libuuid-devel libxml2-devel libxslt-devel openssl-devel libicu-devel # --- deps:devel -- #
  391. - grafana prometheus2 pushgateway alertmanager mtail consul consul_exporter consul-template etcd dnsmasq # ----- meta ----- #
  392. - node_exporter nginx_exporter blackbox_exporter redis_exporter # ---- exporter --- #
  393. - ansible python python-pip python-psycopg2 # - ansible & py3 - #
  394. - python3 python3-psycopg2 python36-requests python3-etcd python3-consul python36-urllib3 python36-idna python36-pyOpenSSL python36-cryptography
  395. - patroni patroni-consul patroni-etcd pgbouncer pg_cli pgbadger pg_activity tail_n_mail # -- pgsql common - #
  396. - pgcenter boxinfo check_postgres emaj pgbconsole pg_bloat_check pgquarrel barman barman-cli pgloader pgFormatter pitrery pspg pgxnclient PyGreSQL
  397. - postgresql14* postgis32_14* citus_14* pglogical_14* timescaledb-2-postgresql-14 pg_repack_14 wal2json_14 # -- pg14 packages -#
  398. - pg_qualstats_14 pg_stat_kcache_14 pg_stat_monitor_14 pg_top_14 pg_track_settings_14 pg_wait_sampling_14 pg_probackup-std-14
  399. - pg_statement_rollback_14 system_stats_14 plproxy_14 plsh_14 pldebugger_14 plpgsql_check_14 pgmemcache_14 # plr_14
  400. - mysql_fdw_14 ogr_fdw_14 tds_fdw_14 sqlite_fdw_14 firebird_fdw_14 hdfs_fdw_14 mongo_fdw_14 osm_fdw_14 pgbouncer_fdw_14
  401. - hypopg_14 geoip_14 rum_14 hll_14 ip4r_14 prefix_14 pguri_14 tdigest_14 topn_14 periods_14
  402. - bgw_replstatus_14 count_distinct_14 credcheck_14 ddlx_14 extra_window_functions_14 logerrors_14 mysqlcompat_14 orafce_14
  403. - repmgr_14 pg_auth_mon_14 pg_auto_failover_14 pg_background_14 pg_bulkload_14 pg_catcheck_14 pg_comparator_14
  404. - pg_cron_14 pg_fkpart_14 pg_jobmon_14 pg_partman_14 pg_permissions_14 pg_prioritize_14 pgagent_14
  405. - pgaudit16_14 pgauditlogtofile_14 pgcryptokey_14 pgexportdoc_14 pgfincore_14 pgimportdoc_14 powa_14 pgmp_14 pgq_14
  406. - pgquarrel-0.7.0-1 pgsql_tweaks_14 pgtap_14 pgtt_14 postgresql-unit_14 postgresql_anonymizer_14 postgresql_faker_14
  407. - safeupdate_14 semver_14 set_user_14 sslutils_14 table_version_14 # pgrouting_14 osm2pgrouting_14
  408. - clang coreutils diffutils rpm-build rpm-devel rpmlint rpmdevtools bison flex # gcc gcc-c++ # - build utils - #
  409. - docker-ce docker-compose kubelet kubectl kubeadm kubernetes-cni helm # - cloud native- #
  410. repo_url_packages: # extra packages from url
  411. - https://github.com/Vonng/loki-rpm/releases/download/v2.5.0/loki-2.5.0.x86_64.rpm
  412. - https://github.com/Vonng/loki-rpm/releases/download/v2.5.0/promtail-2.5.0.x86_64.rpm
  413. - https://github.com/Vonng/pg_exporter/releases/download/v0.5.0/pg_exporter-0.5.0.x86_64.rpm
  414. - https://github.com/cybertec-postgresql/vip-manager/releases/download/v1.0.2/vip-manager-1.0.2-1.x86_64.rpm
  415. - https://github.com/Vonng/haproxy-rpm/releases/download/v2.5.7/haproxy-2.5.7-1.el7.x86_64.rpm
  416. - https://github.com/Vonng/pigsty-pkg/releases/download/misc/redis-6.2.7-1.el7.remi.x86_64.rpm
  417. - https://github.com/dalibo/pev2/releases/download/v0.24.0/pev2.tar.gz
  418. - https://github.com/Vonng/pigsty-pkg/releases/download/misc/polysh-0.4-1.noarch.rpm
  419. #-----------------------------------------------------------------
  420. # NAMESERVER
  421. #-----------------------------------------------------------------
  422. nameserver_enabled: false # setup dnsmasq
  423. dns_records: # dynamic dns record resolved by dnsmasq
  424. - 10.10.10.2 pg-meta # sandbox vip for pg-meta
  425. - 10.10.10.3 pg-test # sandbox vip for pg-test
  426. - 10.10.10.10 pg-meta-1 # sandbox instance pg-meta-1
  427. - 10.10.10.11 pg-test-1 # sandbox instance node-1
  428. - 10.10.10.12 pg-test-2 # sandbox instance node-2
  429. - 10.10.10.13 pg-test-3 # sandbox instance node-3
  430. #-----------------------------------------------------------------
  431. # PROMETHEUS
  432. #-----------------------------------------------------------------
  433. prometheus_enabled: true # setup prometheus
  434. prometheus_data_dir: /data/prometheus/data
  435. prometheus_options: '--storage.tsdb.retention=15d'
  436. prometheus_reload: false # reload prometheus instead of recreate it?
  437. prometheus_sd_method: static # service discovery method: static|consul
  438. prometheus_sd_interval: 5s # service discovery refresh interval
  439. prometheus_scrape_interval: 10s # global scrape & evaluation interval
  440. prometheus_scrape_timeout: 8s # scrape timeout
  441. #-----------------------------------------------------------------
  442. # EXPORTER
  443. #-----------------------------------------------------------------
  444. exporter_install: none # none|yum|binary, none by default
  445. exporter_repo_url: '' # if set, repo will be added to /etc/yum.repos.d/
  446. exporter_metrics_path: /metrics # default metric path for pg related exporter
  447. #-----------------------------------------------------------------
  448. # GRAFANA
  449. #-----------------------------------------------------------------
  450. grafana_enabled: true # enable grafana? only works on meta nodes
  451. grafana_endpoint: http://10.10.10.10:3000 # grafana endpoint url
  452. grafana_admin_username: admin # default grafana admin username
  453. grafana_admin_password: pigsty # default grafana admin password
  454. grafana_database: sqlite3 # default grafana database type: sqlite3|postgres
  455. grafana_pgurl: postgres://dbuser_grafana:DBUser.Grafana@meta:5436/grafana
  456. grafana_plugin_method: install # none|install|always, none will skip plugin install
  457. grafana_plugin_cache: /www/pigsty/plugins.tgz # path to grafana plugins cache tarball
  458. grafana_plugin_list: # plugins that will be downloaded via grafana-cli
  459. - marcusolsson-csv-datasource
  460. - marcusolsson-json-datasource
  461. - marcusolsson-treemap-panel
  462. grafana_plugin_git: # plugins that will be downloaded via git
  463. - https://github.com/Vonng/vonng-echarts-panel
  464. #-----------------------------------------------------------------
  465. # LOKI
  466. #-----------------------------------------------------------------
  467. loki_enabled: true # enable loki? only works on meta nodes
  468. loki_clean: false # whether remove existing loki data
  469. loki_endpoint: http://10.10.10.10:3100/loki/api/v1/push # where to push data
  470. loki_options: '-config.file=/etc/loki.yml -config.expand-env=true'
  471. loki_data_dir: /data/loki # default loki data dir
  472. loki_retention: 15d # log retention period
  473. #-----------------------------------------------------------------
  474. # DCS
  475. #-----------------------------------------------------------------
  476. dcs_name: pigsty # consul dc name
  477. dcs_servers: # dcs server dict in name:ip format
  478. meta-1: 10.10.10.10 # using existing external dcs cluster is recommended for HA
  479. # meta-2: 10.10.10.11 # node with ip in dcs_servers will be initialized as dcs servers
  480. # meta-3: 10.10.10.12 # it's recommend to reuse meta nodes as dcs servers if no ad hoc cluster available
  481. dcs_registry: consul # where to register services: none | consul | etcd | both
  482. dcs_safeguard: false # if true, running dcs will NOT be removed
  483. dcs_clean: true # if true, running dcs will be purged during node init, DANGEROUS
  484. #-----------------------------------------------------------------
  485. # CONSUL
  486. #-----------------------------------------------------------------
  487. consul_enabled: true # enable consul server/agent by default?
  488. consul_data_dir: /data/consul # consul data dir (/data/consul by default)
  489. #-----------------------------------------------------------------
  490. # ETCD
  491. #-----------------------------------------------------------------
  492. etcd_enabled: true # enable etcd server by default?
  493. etcd_data_dir: /data/etcd # etcd data dir (/data/etcd by default)
  494. #================================================================#
  495. # VARS: NODES #
  496. #================================================================#
  497. # global variables for nodes (including meta)
  498. #-----------------------------------------------------------------
  499. # NODE_IDENTITY
  500. #-----------------------------------------------------------------
  501. meta_node: false # node with meta_node flag will be marked as admin node
  502. # nodename: # [OPTIONAL] # node instance identity, used as `ins`, hostname by default
  503. node_cluster: nodes # [OPTIONAL] # node cluster identity, used as `cls`, 'nodes' by default
  504. nodename_overwrite: true # overwrite node's hostname with nodename?
  505. nodename_exchange: false # exchange nodename among play hosts?
  506. #-----------------------------------------------------------------
  507. # NODE_DNS
  508. #-----------------------------------------------------------------
  509. node_etc_hosts_default: # static dns records in /etc/hosts
  510. - 10.10.10.10 meta pigsty p.pigsty g.pigsty a.pigsty c.pigsty l.pigsty
  511. - 10.10.10.10 api.pigsty adm.pigsty cli.pigsty ddl.pigsty lab.pigsty git.pigsty sss.pigsty
  512. node_etc_hosts: [] # extra static dns records in /etc/hosts
  513. node_dns_method: add # add (default) | none (skip) | overwrite (remove old settings)
  514. node_dns_servers: # dynamic nameserver in /etc/resolv.conf
  515. - 10.10.10.10
  516. node_dns_options: # dns resolv options
  517. - options single-request-reopen timeout:1 rotate
  518. - domain service.consul
  519. #-----------------------------------------------------------------
  520. # NODE_REPO
  521. #-----------------------------------------------------------------
  522. node_repo_method: local # none|local: ad local repo|public: add upstream directly
  523. node_repo_remove: true # remove existing repo on nodes?
  524. node_repo_local_urls: # list local repo url, if node_repo_method = local
  525. - http://pigsty/pigsty.repo
  526. node_packages: [ ] # extra packages for all nodes
  527. node_packages_default: # common packages for all nodes
  528. - wget,sshpass,ntp,chrony,tuned,uuid,lz4,make,patch,bash,lsof,wget,unzip,git,ftp,vim-minimal,ca-certificates
  529. - numactl,grubby,sysstat,dstat,iotop,bind-utils,net-tools,tcpdump,socat,ipvsadm,telnet,tuned,nc,pv,jq,perf
  530. - readline,zlib,openssl,openssl-libs,openssh-clients,python3,python36-requests,node_exporter,consul,etcd,promtail
  531. node_packages_meta: # extra packages for meta nodes
  532. - grafana,prometheus2,alertmanager,loki,nginx_exporter,blackbox_exporter,pushgateway,redis,postgresql14
  533. - nginx,ansible,pgbadger,python-psycopg2,dnsmasq,coreutils,diffutils,polysh,docker-ce,docker-compose
  534. node_packages_meta_pip: jupyterlab
  535. #-----------------------------------------------------------------
  536. # NODE_TUNE
  537. #-----------------------------------------------------------------
  538. node_disable_firewall: true # disable firewall
  539. node_disable_selinux: true # disable selinux
  540. node_disable_numa: false # disable numa (node reboot required)
  541. node_disable_swap: false # disable swap, use with caution
  542. node_static_network: true # keep dns resolver settings after reboot
  543. node_disk_prefetch: false # setup disk prefetch on HDD to increase performance
  544. node_kernel_modules: [ softdog, br_netfilter, ip_vs, ip_vs_rr, ip_vs_rr, ip_vs_wrr, ip_vs_sh ]
  545. node_tune: tiny # install and activate tuned profile: none|oltp|olap|crit|tiny
  546. node_sysctl_params: { } # set additional sysctl parameters, k:v format
  547. #-----------------------------------------------------------------
  548. # NODE_ADMIN
  549. #-----------------------------------------------------------------
  550. node_data_dir: /data # main data directory
  551. node_admin_enabled: true # create a default admin user defined by `node_admin_*` ?
  552. node_admin_uid: 88 # uid and gid for this admin user
  553. node_admin_username: dba # name of this admin user, dba by default
  554. node_admin_ssh_exchange: true # exchange admin ssh key among each pgsql cluster ?
  555. node_admin_pk_current: true # add current user's ~/.ssh/id_rsa.pub to admin authorized_keys ?
  556. node_admin_pk_list: # ssh public keys to be added to admin user (REPLACE WITH YOURS!)
  557. - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7IMAMNavYtWwzAJajKqwdn3ar5BhvcwCnBTxxEkXhGlCO2vfgosSAQMEflfgvkiI5nM1HIFQ8KINlx1XLO7SdL5KdInG5LIJjAFh0pujS4kNCT9a5IGvSq1BrzGqhbEcwWYdju1ZPYBcJm/MG+JD0dYCh8vfrYB/cYMD0SOmNkQ== vagrant@pigsty.com'
  558. #-----------------------------------------------------------------
  559. # NODE_TIME
  560. #-----------------------------------------------------------------
  561. node_timezone: Asia/Hong_Kong # default node timezone, empty will not change
  562. node_ntp_enabled: true # enable ntp service? false will leave ntp service untouched
  563. node_ntp_service: ntp # ntp service provider: ntp|chrony
  564. node_ntp_servers: # default NTP servers
  565. - pool cn.pool.ntp.org iburst
  566. - pool pool.ntp.org iburst
  567. - pool time.pool.aliyun.com iburst
  568. - server 10.10.10.10 iburst
  569. - server ntp.tuna.tsinghua.edu.cn iburst
  570. node_crontab_overwrite: true # true will overwrite /etc/crontab, false will append crontab
  571. node_crontab: [ ] # crontab entries in /etc/crontab
  572. #-----------------------------------------------------------------
  573. # DOCKER
  574. #-----------------------------------------------------------------
  575. docker_enabled: false # enable docker on all nodes? (you can enable them on meta nodes only)
  576. docker_cgroups_driver: systemd # docker cgroup fs driver
  577. docker_registry_mirrors: [] # docker registry mirror
  578. docker_image_cache: /tmp/docker.tgz # docker images tarball to be loaded if exists
  579. #-----------------------------------------------------------------
  580. # NODE_EXPORTER
  581. #-----------------------------------------------------------------
  582. node_exporter_enabled: true # setup node_exporter on instance
  583. node_exporter_port: 9100 # default port for node exporter
  584. node_exporter_options: '--no-collector.softnet --no-collector.nvme --collector.ntp --collector.tcpstat --collector.processes'
  585. #-----------------------------------------------------------------
  586. # PROMTAIL
  587. #-----------------------------------------------------------------
  588. promtail_enabled: true # enable promtail logging collector?
  589. promtail_clean: false # remove promtail status file? false by default
  590. promtail_port: 9080 # default listen address for promtail
  591. promtail_options: '-config.file=/etc/promtail.yml -config.expand-env=true'
  592. promtail_positions: /var/log/positions.yaml # position status for promtail
  593. #================================================================#
  594. # VARS: PGSQL #
  595. #================================================================#
  596. #-----------------------------------------------------------------
  597. # PG_IDENTITY
  598. #-----------------------------------------------------------------
  599. # pg_cluster: # <CLUSTER> <REQUIRED> : pgsql cluster name
  600. # pg_role: replica # <INSTANCE> <REQUIRED> : pg role : primary, replica, offline
  601. # pg_seq: 0 # <INSTANCE> <REQUIRED> : instance seq number
  602. # pg_instances: {} # <INSTANCE> : define multiple pg instances on node, used by monly & gpsql
  603. # pg_upstream: # <INSTANCE> : replication upstream ip addr
  604. # pg_shard: # <CLUSTER> : pgsql shard name
  605. # pg_sindex: 0 # <CLUSTER> : pgsql shard index
  606. # gp_role: master # <CLUSTER> : gpsql role, master or segment
  607. pg_offline_query: false # <INSTANCE> [FLAG] set to true to enable offline query on this instance (instance level)
  608. pg_backup: false # <INSTANCE> [FLAG] store base backup on this node (instance level, reserved)
  609. pg_weight: 100 # <INSTANCE> [FLAG] default load balance weight (instance level)
  610. pg_hostname: true # [FLAG] reuse postgres identity name as node identity?
  611. pg_preflight_skip: false # [FLAG] skip preflight identity check
  612. #-----------------------------------------------------------------
  613. # PG_BUSINESS
  614. #-----------------------------------------------------------------
  615. # overwrite these variables on <CLUSTER> level
  616. pg_users: [] # business users
  617. pg_databases: [] # business databases
  618. pg_services_extra: [] # extra services
  619. pg_hba_rules_extra: [] # extra hba rules
  620. pgbouncer_hba_rules_extra: [] # extra pgbouncer hba rules
  621. # WARNING: change these in production environment!
  622. pg_admin_username: dbuser_dba
  623. pg_admin_password: DBUser.DBA
  624. pg_monitor_username: dbuser_monitor
  625. pg_monitor_password: DBUser.Monitor
  626. pg_replication_username: replicator
  627. pg_replication_password: DBUser.Replicator
  628. #-----------------------------------------------------------------
  629. # PG_INSTALL
  630. #-----------------------------------------------------------------
  631. pg_dbsu: postgres # os user for database, postgres by default (unwise to change it)
  632. pg_dbsu_uid: 26 # os dbsu uid and gid, 26 for default postgres users and groups
  633. pg_dbsu_sudo: limit # dbsu sudo privilege: none|limit|all|nopass, limit by default
  634. pg_dbsu_home: /var/lib/pgsql # postgresql home directory
  635. pg_dbsu_ssh_exchange: true # exchange postgres dbsu ssh key among same cluster ?
  636. pg_version: 14 # default postgresql version to be installed
  637. pgdg_repo: false # add pgdg official repo before install (in case of no local repo available)
  638. pg_add_repo: false # add postgres relate repo before install ?
  639. pg_bin_dir: /usr/pgsql/bin # postgres binary dir, default is /usr/pgsql/bin, which use /usr/pgsql -> /usr/pgsql-{ver}
  640. pg_packages: # postgresql related packages. `${pg_version} will be replaced by `pg_version`
  641. - postgresql${pg_version}* # postgresql kernel packages
  642. - postgis32_${pg_version}* # postgis
  643. - citus_${pg_version}* # citus
  644. - timescaledb-2-postgresql-${pg_version} # timescaledb
  645. - pgbouncer pg_exporter pgbadger pg_activity node_exporter consul haproxy vip-manager
  646. - patroni patroni-consul patroni-etcd python3 python3-psycopg2 python36-requests python3-etcd
  647. - python3-consul python36-urllib3 python36-idna python36-pyOpenSSL python36-cryptography
  648. pg_extensions: # postgresql extensions, `${pg_version} will be replaced by actual `pg_version`
  649. - pg_repack_${pg_version} pg_qualstats_${pg_version} pg_stat_kcache_${pg_version} pg_stat_monitor_${pg_version} wal2json_${pg_version}
  650. # - ogr_fdw${pg_version} mysql_fdw_${pg_version} redis_fdw_${pg_version} mongo_fdw${pg_version} hdfs_fdw_${pg_version}
  651. # - count_distinct${version} ddlx_${version} geoip${version} orafce${version}
  652. # - hypopg_${version} ip4r${version} jsquery_${version} logerrors_${version} periods_${version} pg_auto_failover_${version} pg_catcheck${version}
  653. # - pg_fkpart${version} pg_jobmon${version} pg_partman${version} pg_prioritize_${version} pg_track_settings${version} pgaudit15_${version}
  654. # - pgcryptokey${version} pgexportdoc${version} pgimportdoc${version} pgmemcache-${version} pgmp${version} pgq-${version} pgquarrel pgrouting_${version}
  655. # - pguint${version} pguri${version} prefix${version} safeupdate_${version} semver${version} table_version${version} tdigest${version}
  656. #-----------------------------------------------------------------
  657. # PG_BOOTSTRAP
  658. #-----------------------------------------------------------------
  659. pg_safeguard: false # true will disable pg_clean at all, even for pgsql-remove.yml
  660. pg_clean: true # true will clean running postgres during pgsql init (DANGEROUS)
  661. pg_data: /pg/data # postgres data directory (soft link)
  662. pg_fs_main: /data # primary data disk mount point /pg -> {{ pg_fs_main }}/postgres/{{ pg_instance }}
  663. pg_fs_bkup: /data/backups # backup disk mount point /pg/* -> {{ pg_fs_bkup }}/postgres/{{ pg_instance }}/*
  664. pg_dummy_filesize: 64MiB # /pg/dummy hold some disk space for emergency use
  665. pg_listen: '0.0.0.0' # postgres listen address, '0.0.0.0' (all ipv4 addr) by default
  666. pg_port: 5432 # postgres port, 5432 by default
  667. pg_localhost: /var/run/postgresql # localhost unix socket dir for connection
  668. patroni_enabled: true # if not enabled, no postgres cluster will be created
  669. patroni_mode: default # pause|default|remove
  670. pg_dcs_type: consul # which dcs to use: consul or etcd or raft
  671. pg_namespace: /pg # top level key namespace in dcs
  672. patroni_port: 8008 # default patroni port
  673. patroni_watchdog_mode: automatic # watchdog mode: off|automatic|required
  674. pg_conf: tiny.yml # pgsql template: {oltp|olap|crit|tiny}.yml
  675. pg_libs: 'timescaledb, pg_stat_statements, auto_explain' # extensions to be loaded
  676. pg_delay: 0 # apply delay for standby cluster leader
  677. pg_checksum: false # enable data checksum by default
  678. pg_encoding: UTF8 # database cluster encoding, UTF8 by default
  679. pg_locale: C # database cluster local, C by default
  680. pg_lc_collate: C # database cluster collate, C by default
  681. pg_lc_ctype: en_US.UTF8 # database character type, en_US.UTF8 by default (for i18n full-text search)
  682. pgbouncer_enabled: true # if not enabled, pgbouncer will not be created
  683. pgbouncer_port: 6432 # pgbouncer port, 6432 by default
  684. pgbouncer_poolmode: transaction # pooling mode: session|transaction|statement, transaction pooling by default
  685. pgbouncer_max_db_conn: 100 # max connection to single database, DO NOT set this larger than postgres max conn or db connlimit
  686. #-----------------------------------------------------------------
  687. # PG_PROVISION
  688. #-----------------------------------------------------------------
  689. pg_provision: true # whether provisioning postgres cluster
  690. pg_init: pg-init # init script for cluster template
  691. pg_default_roles:
  692. - { name: dbrole_readonly , login: false , comment: role for global read-only access } # production read-only role
  693. - { name: dbrole_readwrite , login: false , roles: [dbrole_readonly], comment: role for global read-write access } # production read-write role
  694. - { name: dbrole_offline , login: false , comment: role for restricted read-only access (offline instance) } # restricted-read-only role
  695. - { name: dbrole_admin , login: false , roles: [pg_monitor, dbrole_readwrite] , comment: role for object creation } # production DDL change role
  696. - { name: postgres , superuser: true , comment: system superuser } # system dbsu, name is designated by `pg_dbsu`
  697. - { name: dbuser_dba , superuser: true , roles: [dbrole_admin] , comment: system admin user } # admin dbsu, name is designated by `pg_admin_username`
  698. - { name: replicator , replication: true , bypassrls: true , roles: [pg_monitor, dbrole_readonly] , comment: system replicator } # replicator
  699. - { name: dbuser_monitor , roles: [pg_monitor, dbrole_readonly] , comment: system monitor user , parameters: {log_min_duration_statement: 1000 } } # monitor user
  700. - { name: dbuser_stats , password: DBUser.Stats , roles: [dbrole_offline] , comment: business offline user for offline queries and ETL } # ETL user
  701. pg_default_privileges: # - privileges - #
  702. - GRANT USAGE ON SCHEMAS TO dbrole_readonly
  703. - GRANT SELECT ON TABLES TO dbrole_readonly
  704. - GRANT SELECT ON SEQUENCES TO dbrole_readonly
  705. - GRANT EXECUTE ON FUNCTIONS TO dbrole_readonly
  706. - GRANT USAGE ON SCHEMAS TO dbrole_offline
  707. - GRANT SELECT ON TABLES TO dbrole_offline
  708. - GRANT SELECT ON SEQUENCES TO dbrole_offline
  709. - GRANT EXECUTE ON FUNCTIONS TO dbrole_offline
  710. - GRANT INSERT, UPDATE, DELETE ON TABLES TO dbrole_readwrite
  711. - GRANT USAGE, UPDATE ON SEQUENCES TO dbrole_readwrite
  712. - GRANT TRUNCATE, REFERENCES, TRIGGER ON TABLES TO dbrole_admin
  713. - GRANT CREATE ON SCHEMAS TO dbrole_admin
  714. pg_default_schemas: [ monitor ] # default schemas to be created
  715. pg_default_extensions: # default extensions to be created
  716. - { name: 'pg_stat_statements', schema: 'monitor' }
  717. - { name: 'pgstattuple', schema: 'monitor' }
  718. - { name: 'pg_qualstats', schema: 'monitor' }
  719. - { name: 'pg_buffercache', schema: 'monitor' }
  720. - { name: 'pageinspect', schema: 'monitor' }
  721. - { name: 'pg_prewarm', schema: 'monitor' }
  722. - { name: 'pg_visibility', schema: 'monitor' }
  723. - { name: 'pg_freespacemap', schema: 'monitor' }
  724. - { name: 'pg_repack', schema: 'monitor' }
  725. - name: postgres_fdw
  726. - name: file_fdw
  727. - name: btree_gist
  728. - name: btree_gin
  729. - name: pg_trgm
  730. - name: intagg
  731. - name: intarray
  732. pg_reload: true # reload postgres after hba changes
  733. pg_hba_rules: # postgres host-based authentication rules
  734. - title: allow meta node password access
  735. role: common
  736. rules:
  737. - host all all 10.10.10.10/32 md5
  738. - title: allow intranet admin password access
  739. role: common
  740. rules:
  741. - host all +dbrole_admin 10.0.0.0/8 md5
  742. - host all +dbrole_admin 172.16.0.0/12 md5
  743. - host all +dbrole_admin 192.168.0.0/16 md5
  744. - title: allow intranet password access
  745. role: common
  746. rules:
  747. - host all all 10.0.0.0/8 md5
  748. - host all all 172.16.0.0/12 md5
  749. - host all all 192.168.0.0/16 md5
  750. - title: allow local read/write (local production user via pgbouncer)
  751. role: common
  752. rules:
  753. - local all +dbrole_readonly md5
  754. - host all +dbrole_readonly 127.0.0.1/32 md5
  755. - title: allow offline query (ETL,SAGA,Interactive) on offline instance
  756. role: offline
  757. rules:
  758. - host all +dbrole_offline 10.0.0.0/8 md5
  759. - host all +dbrole_offline 172.16.0.0/12 md5
  760. - host all +dbrole_offline 192.168.0.0/16 md5
  761. pgbouncer_hba_rules: # pgbouncer host-based authentication rules
  762. - title: local password access
  763. role: common
  764. rules:
  765. - local all all md5
  766. - host all all 127.0.0.1/32 md5
  767. - title: intranet password access
  768. role: common
  769. rules:
  770. - host all all 10.0.0.0/8 md5
  771. - host all all 172.16.0.0/12 md5
  772. - host all all 192.168.0.0/16 md5
  773. #-----------------------------------------------------------------
  774. # PG_EXPORTER
  775. #-----------------------------------------------------------------
  776. pg_exporter_enabled: true # setup pg_exporter on instance
  777. pg_exporter_config: pg_exporter.yml # use fast cache exporter for demo
  778. pg_exporter_port: 9630 # pg_exporter listen port
  779. pg_exporter_params: 'sslmode=disable' # url query parameters for pg_exporter
  780. pg_exporter_url: '' # optional, overwrite auto-generate postgres connstr
  781. pg_exporter_auto_discovery: true # optional, discovery available database on target instance ?
  782. pg_exporter_exclude_database: 'template0,template1,postgres' # optional, comma separated list of database that WILL NOT be monitored when auto-discovery enabled
  783. pg_exporter_include_database: '' # optional, comma separated list of database that WILL BE monitored when auto-discovery enabled, empty string will disable include mode
  784. pg_exporter_options: '--log.level=info --log.format="logger:syslog?appname=pg_exporter&local=7"'
  785. pgbouncer_exporter_enabled: true # setup pgbouncer_exporter on instance (if you don't have pgbouncer, disable it)
  786. pgbouncer_exporter_port: 9631 # pgbouncer_exporter listen port
  787. pgbouncer_exporter_url: '' # optional, overwrite auto-generate pgbouncer connstr
  788. pgbouncer_exporter_options: '--log.level=info --log.format="logger:syslog?appname=pgbouncer_exporter&local=7"'
  789. #-----------------------------------------------------------------
  790. # PG_SERVICE
  791. #-----------------------------------------------------------------
  792. pg_services: # how to expose postgres service in cluster?
  793. - name: primary # service name {{ pg_cluster }}-primary
  794. src_ip: "*"
  795. src_port: 5433
  796. dst_port: pgbouncer # 5433 route to pgbouncer
  797. check_url: /primary # primary health check, success when instance is primary
  798. selector: "[]" # select all instance as primary service candidate
  799. - name: replica # service name {{ pg_cluster }}-replica
  800. src_ip: "*"
  801. src_port: 5434
  802. dst_port: pgbouncer
  803. check_url: /read-only # read-only health check. (including primary)
  804. selector: "[]" # select all instance as replica service candidate
  805. selector_backup: "[? pg_role == `primary` || pg_role == `offline` ]"
  806. - name: default # service's actual name is {{ pg_cluster }}-default
  807. src_ip: "*" # service bind ip address, * for all, vip for cluster virtual ip address
  808. src_port: 5436 # bind port, mandatory
  809. dst_port: postgres # target port: postgres|pgbouncer|port_number , pgbouncer(6432) by default
  810. check_method: http # health check method: only http is available for now
  811. check_port: patroni # health check port: patroni|pg_exporter|port_number , patroni by default
  812. check_url: /primary # health check url path, / as default
  813. check_code: 200 # health check http code, 200 as default
  814. selector: "[]" # instance selector
  815. haproxy: # haproxy specific fields
  816. maxconn: 3000 # default front-end connection
  817. balance: roundrobin # load balance algorithm (roundrobin by default)
  818. default_server_options: 'inter 3s fastinter 1s downinter 5s rise 3 fall 3 on-marked-down shutdown-sessions slowstart 30s maxconn 3000 maxqueue 128 weight 100'
  819. - name: offline # service name {{ pg_cluster }}-offline
  820. src_ip: "*"
  821. src_port: 5438
  822. dst_port: postgres
  823. check_url: /replica # offline MUST be a replica
  824. selector: "[? pg_role == `offline` || pg_offline_query ]" # instances with pg_role == 'offline' or instance marked with 'pg_offline_query == true'
  825. selector_backup: "[? pg_role == `replica` && !pg_offline_query]" # replica are used as backup server in offline service
  826. haproxy_enabled: true # enable haproxy on this node?
  827. haproxy_reload: true # reload haproxy after config?
  828. haproxy_auth_enabled: false # enable authentication for haproxy admin?
  829. haproxy_admin_username: admin # default haproxy admin username
  830. haproxy_admin_password: pigsty # default haproxy admin password
  831. haproxy_exporter_port: 9101 # default admin/exporter port
  832. haproxy_client_timeout: 24h # client side connection timeout
  833. haproxy_server_timeout: 24h # server side connection timeout
  834. vip_mode: none # none | l2 | l4 , l4 not implemented yet
  835. vip_reload: true # reload vip after config?
  836. # vip_address: 127.0.0.1 # virtual ip address ip (l2 or l4)
  837. # vip_cidrmask: 24 # virtual ip address cidr mask (l2 only)
  838. # vip_interface: eth0 # virtual ip network interface (l2 only)
  839. # dns_mode: vip # vip|all|selector: how to resolve cluster DNS?
  840. # dns_selector: '[]' # if dns_mode == vip, filter instances been resolved
  841. #================================================================#
  842. # VARS: REDIS #
  843. #================================================================#
  844. # REDIS are not enabled by default
  845. #-----------------------------------------------------------------
  846. # REDIS_IDENTITY
  847. #-----------------------------------------------------------------
  848. #redis_cluster: redis-test # name of this redis cluster @ cluster level
  849. #redis_node: 1 # redis node identifier, integer sequence @ node level
  850. #redis_instances: {} # redis instances definition of this redis node @ node level
  851. #-----------------------------------------------------------------
  852. # REDIS_NODE
  853. #-----------------------------------------------------------------
  854. redis_fs_main: /data # main fs mountpoint for redis data
  855. redis_exporter_enabled: true # install redis exporter on redis nodes?
  856. redis_exporter_port: 9121 # default port for redis exporter
  857. redis_exporter_options: '' # default cli args for redis exporter
  858. #-----------------------------------------------------------------
  859. # REDIS_PROVISION
  860. #-----------------------------------------------------------------
  861. redis_safeguard: false # force redis_clean = abort if true
  862. redis_clean: true # abort|skip|clean if redis server already exists
  863. redis_rmdata: true # remove redis data when purging redis server?
  864. redis_mode: standalone # standalone,cluster,sentinel
  865. redis_conf: redis.conf # config template path (except sentinel)
  866. redis_bind_address: '0.0.0.0' # bind address, empty string turns to inventory_hostname
  867. redis_max_memory: 1GB # max memory used by each redis instance
  868. redis_mem_policy: allkeys-lru # memory eviction policy
  869. redis_password: '' # masterauth & requirepass password, disable by empty string
  870. redis_rdb_save: ['1200 1'] # redis rdb save directives, disable with empty list
  871. redis_aof_enabled: false # redis aof enabled
  872. redis_rename_commands: {} # rename dangerous commands
  873. redis_cluster_replicas: 1 # how many replicas for a master in redis cluster ?
  874. ...

Last modified 2022-06-20: add timescaledb (3c335f4)