authorGravatar Joe Banks <[email protected]>2024-05-28 21:49:03 +0100
committerGravatar Joe Banks <[email protected]>2024-05-28 21:49:03 +0100
commit9f1b2a35152da1d16e13510ac589e0d09c6fb762 (patch)
tree9cfd24db7693b794694ce102bfdd5e11bbd5528a /ansible/roles/postgres
parentUpdate site and metricity with new metricity db user credentials (diff)
Add new users for Grafana and Metabase
Adds the new roles necessary for grafana and metabase, grants them access to the metricity table as well as giving them the pg_read_all_data role for read-only access to the metricity database.
Diffstat (limited to 'ansible/roles/postgres')
-rw-r--r--ansible/roles/postgres/vars/main/db_passwords.yml64
-rw-r--r--ansible/roles/postgres/vars/main/main.yml43
2 files changed, 73 insertions, 34 deletions
diff --git a/ansible/roles/postgres/vars/main/db_passwords.yml b/ansible/roles/postgres/vars/main/db_passwords.yml
index fb9e975..76403cb 100644
--- a/ansible/roles/postgres/vars/main/db_passwords.yml
+++ b/ansible/roles/postgres/vars/main/db_passwords.yml
@@ -1,29 +1,37 @@
$ANSIBLE_VAULT;1.1;AES256
-33323139363965656336373638346238616137373563396164363966663133346139666262323766
-6366623134383761353833373830313266613439643631390a666135346462303638396134376233
-37353435363838393738626334653762333630653039396661613262373964376432616661623739
-3064303439653961380a306535326665316666343637336266356539373863333062383864336239
-34613435316438316465383661633461393835643535316364373963343561363930333232303537
-65323036646638313737333837353738356462323731396430353361656232323830393734613863
-36326261623563323435643034303634316330336464663334393337343135326638383164643062
-33663032623139346461303762343730393332393236663031316236336237373864326238313931
-39396237396237333037663233353838623365386362376431326432393862663033323038396536
-39336134616131343265626566616565303634383662373836636631356364646533396637383764
-33373466636230643834616463383133636533303034306165323330393163353339303263323236
-61313835393761336136346136643764643831383437633733326230376566313235663663373764
-30353534343834323263623362343565353063643764346239653435356561633735666363376436
-30383965393761356561656131613534353930643662393137303263376561653631346465356431
-31343261626164653061633230353965613761343664623564316131336434356336663762396164
-36316138383963613533613535656265393232656638373162333535313430353931306236626365
-63356566356661353237653462336230326339356230353036653766633834623061366436663162
-39323264303634643636333736363630353632306431373439333831383430383634323334626632
-63343832363164653138333561333663366562643666626663626636306363373432353861623066
-37326364343261393562326436653434343865303266383365346466646631376332653965396135
-65663634636637303661366332313464656230666435336330633535656432633936386132613639
-30653962393766343133346534653661656663633432616638623062663664306534636664636262
-34336661326661653532356531313665656530306262376430633464333636333336333631396266
-36636632363738396435616132663035353637353861636163386135366361653631633431633966
-37326166316639316130353133636534353731333034303337386662613065653266393166323262
-33383161613433656132303362353034616464623437343230383337313631663434343936323936
-65393361323262386133326164363733323562343430646136343430383864366661633533303530
-31393135373865626262
+36316361616462303139376432343533313430666164303331323037376631663934373163303931
+6438343965666165643433656266663739656335623632330a666233333665666661663733346135
+61303332643737633865346634306339663261313562373066356330613234363265623161633832
+6435333065646664630a633530393465306436656434633366393834653663356630376131656430
+61663033333136646262626338656231363363386336643135353038333431313330393865663233
+33393635383564343461343431623932626436343939326462373861326561366533316532353431
+66396461626134336539313866323135646565333137306634316433326664626462613839623937
+63363635356665616163383237366361333466363530306137306633336231356639613833656565
+30373934336330623964393032356635323033386438646632663663653036386337653365363430
+35326234373761303739343136336530666562333231656664393530616363333939616639613232
+38643332623733323939613138653963333338383135323830616330633739633539646361356561
+61336361333231613132643565343536653732653665373264646565316562343764623232323535
+38363462326366316533663337323463396632313435643137303732656665396532623330383064
+32616266343966613635653439663861313933343937343966623030663262656339363065663035
+64633039383030326232626664613733366661663266653832353633623636373839353930376465
+62306235376138613065663465626264323634373330643865333664643666303762656566353931
+66623630353734623130356633383034306138373731323538376237366465643131616339396364
+31626563376334363163646238316163386465633532653339323763356265346531363635356664
+61623935313063333131383438313363353436653464366333333739646632613537616338643631
+38326539383432353661353139346233396534363632373865326632666132616262386630663762
+62323031633566316334666432626265643036626130643562313964366239626265616331643166
+61356234646530393561656435376534323138383066613462663761326238363939666465366636
+30616536343335366664626134653936373966646433366233633336626663643239306133643465
+63333465363734373335333236666332633038306231373132656461626434666163663566393438
+62383838346633616366316434393430663739643137666430653832666361656463383830313566
+65636437336235363365656638303864353965643766623534373631333431356131623466666637
+31303864343563363831636132303933336133303434343331663137303031303232393163623861
+30306133643833643233653538656338306138313139303536633965663635633230666332336333
+32303234363337306466383037393064643135626566323737396530616163616232376565386132
+66623930633037386338393962323739313031363064353635626138613830663336633861613363
+34393735323863396265316337336463363136643064306631386133653762333161363636343937
+38376136653163656161626334633832373034373231303236393932326563323030366232623636
+39393331363930643063633565333931663134646433336438383865663964626461326235656565
+31373833313064353737313836333938396131306534373033323965353930363533363866323266
+30623666353765363230323335633732666639303962353661386132623334333638633735306434
+64366331333637336436
diff --git a/ansible/roles/postgres/vars/main/main.yml b/ansible/roles/postgres/vars/main/main.yml
index 1e94b20..4fd4953 100644
--- a/ansible/roles/postgres/vars/main/main.yml
+++ b/ansible/roles/postgres/vars/main/main.yml
@@ -28,8 +28,21 @@ postgres_users:
password: "{{ vault_postgres_user_passwords.metricity }}"
roles:
+ - name: metabase
+ password: "{{ vault_postgres_user_passwords.metabase }}"
+ roles:
+ - pg_read_all_data
+
+ - name: grafana
+ password: "{{ vault_postgres_user_passwords.grafana }}"
+ roles:
+ - pg_read_all_data
+
postgres_hba_rules:
+ #
+ # Service HBA rules
+ #
- conn_type: hostssl
database: pinnwand
user: pinnwand
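Review bot: `pg_read_all_data`, granted to both `metabase` and `grafana` in this hunk, is a cluster-wide predefined role rather than a per-database grant, so it allows reads on tables, views and sequences in every database these accounts can connect to, not only metricity as the commit message describes. Confinement to metricity therefore rests on connection-level controls (the `postgres_hba_rules` entries and each database's CONNECT privilege), not on the role itself. If metricity-only read access is the intent, state that dependency above the two entries, e.g. `# pg_read_all_data is cluster-wide; these users are limited to metricity by their HBA rules`, or grant SELECT on the metricity schema instead if the role's tasks support per-database privileges. How `roles:` is applied by the role's tasks is outside the visible hunk, so the last option is a suggestion to check rather than a drop-in change.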
@@ -37,12 +50,6 @@ postgres_hba_rules:
method: scram-sha-256
- conn_type: hostssl
- database: all
- user: blackbox
- address: all
- method: scram-sha-256
-
- - conn_type: hostssl
database: bitwarden
user: bitwarden
address: all
@@ -66,6 +73,30 @@ postgres_hba_rules:
address: all
method: scram-sha-256
+ #
+ # Backup service HBA rules
+ #
+ - conn_type: hostssl
+ database: all
+ user: blackbox
+ address: all
+ method: scram-sha-256
+
+ #
+ # Analytics HBA rules
+ #
+ - conn_type: hostssl
+ database: metricity
+ user: metabase
+ address: all
+ method: scram-sha-256
+
+ - conn_type: hostssl
+ database: metricity
+ user: grafana
+ address: all
+ method: scram-sha-256
+
postgres_databases:
- name: pinnwand
owner: pinnwand
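Review bot: The two analytics entries accept `metabase` and `grafana` from `address: all`, so the only restrictions on where these accounts can log in from are TLS (`hostssl`) and the SCRAM password. Because both users hold `pg_read_all_data`, the `database: metricity` lines here are also what keeps them out of the other databases; that is worth saying in the `# Analytics HBA rules` comment so a later edit does not widen `database` to `all`. If Grafana and Metabase connect from fixed hosts, narrowing to something like `address: <analytics-host-cidr>` (placeholder) would limit where a leaked credential is usable. Every existing rule in this list uses `all`, so this may be a deliberate convention enforced elsewhere, for example by a firewall.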