rbv/rbv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: deployment semantics

Browse Source
This commit is contained in:
rob thijssen
2026-03-26 06:18:40 +02:00
parent f5fa5f4f6b
commit 409c8fd86b
7 changed files with 121 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.lock generated
View File

@@ -2480,6 +2480,7 @@ dependencies = [
name = "rbv-cluster"
version = "0.1.0"
dependencies = [
"rayon",
"rbv-entity",
"thiserror 2.0.18",
"tracing",

2
asset/nginx/rbv.conf
View File

@@ -3,7 +3,7 @@ server {
server_name rbv.internal;
http2 on;
ssl_certificate /etc/nginx/tls/rbv/chain.pem;
ssl_certificate /etc/nginx/tls/rbv/rbv.pem;
ssl_certificate_key /etc/nginx/tls/rbv/key.pem;
root /usr/share/nginx/rbv;

2
asset/systemd/rbv-cluster.service
View File

@@ -8,7 +8,7 @@ Type=oneshot
Environment=RUST_LOG=info,ort=off,sqlx::query=off
ExecStart=/usr/local/bin/rbv cluster \
--database postgres://rbv:password@localhost:4432/rbv \
--concurrency 4
--concurrency 16
[Install]
WantedBy=multi-user.target

2
asset/systemd/rbv-index@.service
View File

@@ -8,7 +8,7 @@ OnSuccess=rbv-cluster.service
Environment=RUST_LOG=info,ort=off,sqlx::query=off
ExecStart=/usr/local/bin/rbv index \
--target /tank/data/rbv/%i \
--concurrency 24 \
--concurrency 16 \
--database postgres://rbv:password@localhost:4432/rbv \
--model-dir /tank/containers/immich/ml-cache
Restart=always

12
asset/systemd/step@.timer Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=step cert renew
Documentation=https://hackmd.io/@rob-tn/rJvy9YYKWg
[Timer]
Persistent=true
OnCalendar=*:1/15
AccuracySec=1us
RandomizedDelaySec=5m
[Install]
WantedBy=timers.target

115
doc/db-cluster.md
View File

@@ -47,7 +47,7 @@ sudo dnf install -y postgresql17-server pgvector_17
sudo /usr/pgsql-17/bin/postgresql-17-setup initdb
# Enable and start
sudo systemctl enable --now postgresql-17
sudo systemctl enable --now postgresql-17.service
```
### Make certificates readable by postgres
@@ -56,63 +56,65 @@ Grant the postgres user read access via ACL, leaving ownership as root.
This way cert renewals take effect automatically without re-copying.
```bash
sudo setfacl -m u:postgres:r \
/etc/pki/tls/misc/frankie.hanzalova.internal.pem \
/etc/pki/tls/private/frankie.hanzalova.internal.pem \
/etc/pki/ca-trust/source/anchors/root-internal.pem
sudo setfacl -m u:postgres:r /etc/pki/tls/private/$(hostname).pem
```
### Configure postgresql.conf
```bash
sudo tee -a /var/lib/pgsql/17/data/postgresql.conf <<'EOF'
# Network
listen_addresses = '*'
# TLS
sudo -u postgres mkdir -p /var/lib/pgsql/17/data/postgresql.conf.d
if ! sudo -u postgres grep 'postgresql.conf.d' /var/lib/pgsql/17/data/postgresql.conf &> /dev/null; then
echo 'include_dir = postgresql.conf.d' | sudo -u postgres tee --append /var/lib/pgsql/17/data/postgresql.conf
fi
echo "listen_addresses = '*'" | sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/listen.conf
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/ssl.conf <<'EOF'
ssl = on
ssl_cert_file = '/etc/pki/tls/misc/frankie.hanzalova.internal.pem'
ssl_key_file = '/etc/pki/tls/private/frankie.hanzalova.internal.pem'
ssl_ca_file = '/etc/pki/ca-trust/source/anchors/root-internal.pem'
# Memory — tune to ~25% of RAM for shared_buffers
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/memory.conf <<'EOF'
shared_buffers = 4GB
work_mem = 64MB
maintenance_work_mem = 512MB
# WAL
wal_level = replica # needed for future Patroni replication
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/wal.conf <<'EOF'
wal_level = replica
max_wal_senders = 5
wal_keep_size = 1GB
# Checkpoints
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/checkpoint.conf <<'EOF'
checkpoint_completion_target = 0.9
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/vchord.conf <<'EOF'
shared_preload_libraries = 'vchord'
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/postgresql.conf.d/logging.conf <<'EOF'
log_destination = 'stderr'
logging_collector = off
EOF
sudo systemctl reload postgresql-17
sudo systemctl reload postgresql-17.service
```
### Configure pg_hba.conf
Replace the default rules with certificate-only authentication.
Update the default rules with certificate-only authentication for lan connections.
Local unix-socket access retains `peer` for admin use.
```bash
sudo tee /var/lib/pgsql/17/data/pg_hba.conf <<'EOF'
# TYPE DATABASE USER ADDRESS METHOD
# Local admin access (postgres OS user only)
local all postgres peer
# All network connections must present a valid client certificate.
# The CN of the certificate is mapped to a database user via pg_ident.conf.
hostssl all all 0.0.0.0/0 cert clientcert=verify-full map=cn
hostssl all all ::/0 cert clientcert=verify-full map=cn
# Replication (used by Patroni streaming replication)
hostssl replication replicator 0.0.0.0/0 cert clientcert=verify-full map=cn
sudo -u postgres mkdir -p /var/lib/pgsql/17/data/pg_hba.conf.d
if ! sudo -u postgres grep 'pg_hba.conf.d' /var/lib/pgsql/17/data/pg_hba.conf &> /dev/null; then
echo 'include_dir = pg_hba.conf.d' | sudo -u postgres tee --append /var/lib/pgsql/17/data/pg_hba.conf
fi
sudo -u postgres tee /var/lib/pgsql/17/data/pg_hba.conf.d/network-connections.conf <<'EOF'
hostnossl all all 0.0.0.0/0 reject
hostssl all all 10.3.0.0/16 cert map=cert_cn
hostssl all all 10.6.0.0/16 cert map=cert_cn
hostssl replication replicator 10.0.0.0/8 cert clientcert=verify-full map=cn
EOF
sudo systemctl reload postgresql-17.service
```
### Configure pg_ident.conf
@@ -121,11 +123,18 @@ Maps the CN of each client certificate to the appropriate database user.
Add a line for each application host.
```bash
sudo tee /var/lib/pgsql/17/data/pg_ident.conf <<'EOF'
# MAPNAME SYSTEM-USERNAME (certificate CN) PG-USERNAME
cn gramathea.kosherinata.internal rbv
cn gramathea.kosherinata.internal immich
sudo -u postgres mkdir -p /var/lib/pgsql/17/data/pg_ident.conf.d
if ! sudo -u postgres grep 'pg_ident.conf.d' /var/lib/pgsql/17/data/pg_ident.conf &> /dev/null; then
echo 'include_dir = pg_ident.conf.d' | sudo -u postgres tee --append /var/lib/pgsql/17/data/pg_ident.conf
fi
sudo -u postgres tee /var/lib/pgsql/17/data/pg_ident.conf.d/immich.conf <<'EOF'
cn gramathea.kosherinata.internal immich
EOF
sudo -u postgres tee /var/lib/pgsql/17/data/pg_ident.conf.d/rbv.conf <<'EOF'
cn gramathea.kosherinata.internal rbv
EOF
sudo systemctl reload postgresql-17.service
```
### Create roles and databases
@@ -150,17 +159,36 @@ VectorChord is not in PGDG — install from the GitHub release zip.
Check https://github.com/tensorchord/VectorChord/releases for the current version.
```bash
wget https://github.com/tensorchord/VectorChord/releases/download/1.1.1/postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
unzip postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
curl \
--fail \
--show-error \
--location \
--silent \
--output /tmp/postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip \
--url https://github.com/tensorchord/VectorChord/releases/download/1.1.1/postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
unzip \
-d /tmp/vchord \
/tmp/postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
sudo cp pkglibdir/vchord.so /usr/pgsql-17/lib/
sudo cp sharedir/extension/vchord* /usr/pgsql-17/share/extension/
sudo install \
--owner root \
--group root \
/tmp/vchord/pkglibdir/vchord.so \
/usr/pgsql-17/lib/
sudo install \
--owner root \
--group root \
--mode 644 \
/tmp/vchord/sharedir/extension/vchord* \
/usr/pgsql-17/share/extension/
rm -rf pkglibdir sharedir postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
rm -rf /tmp/vchord /tmp/postgresql-17-vchord_1.1.1_x86_64-linux-gnu.zip
```
VectorChord requires preloading (needs a restart, not just reload):
> [!CAUTION]
> deprecated in favour of `/var/lib/pgsql/17/data/postgresql.conf.d/vchord.conf` above.
```bash
sudo tee -a /var/lib/pgsql/17/data/postgresql.conf <<'EOF'
@@ -188,8 +216,9 @@ EOF
### Open firewall port
```bash
sudo firewall-cmd --permanent --add-service=postgresql
sudo firewall-cmd --zone=$(firewall-cmd --get-default-zone) --add-service postgresql --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-services
```
### Migrate data from gramathea

45
script/deploy.sh
View File

@@ -1,3 +1,4 @@
#!/usr/bin/env bash
postgres_host=gramathea.kosherinata.internal
api_host=gramathea.kosherinata.internal
@@ -111,6 +112,7 @@ deploy_ui() {
${ui_host}:/tmp/provisioner \
&& ssh ${ui_host} sudo mkdir -p /etc/nginx/tls/rbv \
&& ssh ${ui_host} sudo step ca certificate \
--force \
--provisioner lair \
--provisioner-password-file /tmp/provisioner \
--ca-url https://ca.internal \
@@ -126,18 +128,37 @@ deploy_ui() {
exit 1
fi
if rsync \
--archive \
--compress \
--rsync-path 'sudo rsync' \
--chown root:root \
asset/systemd/step@.service \
${ui_host}:/etc/systemd/system/step@.service; then
echo 'step cert renewal service deployed successfully'
else
echo 'failed to deploy step cert renewal service'
exit 1
fi
for unit in step@.{service,timer}; do
if rsync \
--archive \
--compress \
--rsync-path 'sudo rsync' \
--chown root:root \
asset/systemd/${unit} \
${ui_host}:/etc/systemd/system/${unit}; then
echo "${unit} deployed successfully"
else
echo "failed to deploy ${unit}"
exit 1
fi
done
ssh ${ui_host} "
sudo systemctl daemon-reload
if ! systemctl is-enabled --quiet step@rbv.timer; then
if sudo systemctl enable step@rbv.timer; then
echo 'step@rbv.timer enabled'
else
echo 'failed to enable step@rbv.timer'
fi
fi
if ! systemctl is-active --quiet step@rbv.timer; then
if sudo systemctl start step@rbv.timer; then
echo 'step@rbv.timer started'
else
echo 'failed to start step@rbv.timer'
fi
fi
"
(cd ui && npm run build)
if ssh ${ui_host} sudo mkdir -p /usr/share/nginx/rbv \