feat: add metabase

roles/metabase/defaults/main.yaml

@@ -0,0 +1,29 @@
+---
+metabase_version: "v0.51.4"
+
+metabase_system_group_name: metabase
+metabase_system_user_name: metabase
+metabase_ssh_private_key_content: ""
+
+# Example
+# metabase_secure_tunnels:
+#  - remote_user: metabase
+#    remote_host: remote-data-node.vega.xyz
+#    remote_port: 5432
+#    local_port: 54321
+#    service_name: mainnet
+metabase_secure_tunnels: []
+
+metabase_site_name: "Metabase"
+metabase_ui_user_email: "[email protected]"
+metabase_ui_user_password: "example-password"
+metabase_ui_port: 3000
+
+metabase_jvm_args: "-Djava.net.preferIPv4Stack=True"
+
+metabase_db_name: "metabase"
+metabase_db_type: "postgres"
+metabase_db_port: 5432
+metabase_db_user: "metabase"
+metabase_db_pass: "some-password"
+metabase_db_host: "127.0.0.1"

roles/metabase/handlers/main.yaml

@@ -0,0 +1,13 @@
+---
+- name: Reload systemd
+  ansible.builtin.service:
+    daemon_reload: true
+  become: true
+  listen: "Reload systemd"
+
+- name: Restart metabase
+  ansible.builtin.service:
+    name: metabase
+    state: restarted
+  become: true
+  listen: "Restart metabase"

roles/metabase/meta/main.yaml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: java
+  - role: vega_postgresql

roles/metabase/tasks/configure_secure_tunnel.yaml

@@ -0,0 +1,22 @@
+---
+- name: Add tunnel env
+  ansible.builtin.template:
+    src: etc/default/secure-tunnel.env.j2
+    dest: /etc/default/secure-tunnel@{{ item.service_name }}
+    mode: "0755"
+  become: true
+  vars:
+    tunnel_remote_user: '{{ item.remote_user }}'
+    tunnel_remote_host: '{{ item.remote_host }}'
+    tunnel_remote_port: '{{ item.remote_port }}'
+    tunnel_local_port: '{{ item.local_port }}'
+    tunnel_service_name: '{{ item.service_name }}'
+  register: secure_tunnel_config
+
+- name: Enable secure-tunnel service # noqa: no-handler
+  ansible.builtin.service:
+    name: "secure-tunnel@{{- item.service_name -}}"
+    daemon_reload: true
+    state: restarted
+    enabled: true
+  when: secure_tunnel_config.changed

roles/metabase/tasks/init_metabase.yaml

@@ -0,0 +1,46 @@
+---
+- name: Check that the somefile.conf exists
+  ansible.builtin.stat:
+    path: /home/metabase/.ansible_initialized
+  register: stat_result
+
+- name: Initialize
+  when: not stat_result.stat.exists
+  block:
+    - name: Ensure metabase has started (this can take a while...)
+      ansible.builtin.uri:
+        url: "http://localhost:{{ metabase_ui_port }}/api/session/properties"
+        status_code: 200
+      register: metabase_api_session
+      until: metabase_api_session is not failed
+      retries: 10
+      delay: 6
+
+    - name: Submit initial configuration
+      ansible.builtin.uri:
+        url: "http://localhost:{{ metabase_ui_port }}/api/setup"
+        method: POST
+        body:
+          token: "{{ metabase_api_session.json['setup-token'] }}"
+          user:
+            name: "{{ metabase_ui_user_email }}"
+            email: "{{ metabase_ui_user_email }}"
+            password: "{{ metabase_ui_user_password }}"
+          prefs:
+            site_name: "{{ metabase_site_name }}"
+            allow_tracking: false
+        body_format: json
+        status_code: 200
+        headers:
+          Accept: "application/json"
+          Content-Type: "application/json"
+      register: metabase_api_setup
+      when: metabase_api_session.json["setup-token"]
+
+    - name: Mark metabase as initialized
+      ansible.builtin.file:
+        path: /home/metabase/.ansible_initialized
+        owner: "{{ metabase_system_user_name }}"
+        group: "{{ metabase_system_group_name }}"
+        state: touch
+        mode: "0644"

roles/metabase/tasks/install_metabase.yaml

@@ -0,0 +1,71 @@
+---
+- name: Ensure metabase home ownership
+  ansible.builtin.file:
+    path: "/home/metabase"
+    state: directory
+    mode: "0755"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+  become: true
+
+- name: Create logs dir
+  ansible.builtin.file:
+    path: "/var/log/metabase"
+    state: directory
+    mode: "0755"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+  become: true
+
+
+- name: Create bin dir
+  ansible.builtin.file:
+    path: "/home/metabase/bin"
+    state: directory
+    mode: "0755"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+  become: true
+
+- name: Create bin dir
+  ansible.builtin.file:
+    path: "/home/metabase/workdir"
+    state: directory
+    mode: "0755"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+  become: true
+
+- name: Download metabase
+  ansible.builtin.get_url:
+    url: "https://downloads.metabase.com/{{- metabase_version -}}/metabase.jar"
+    dest: "/home/metabase/bin/metabase.jar"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+    mode: "0644"
+  become: true
+
+- name: Add logging config
+  ansible.builtin.template:
+    src: home/metabase/workdir/log4j.properties
+    dest: "/home/metabase/workdir/log4j.properties"
+    owner: "{{ metabase_system_user_name }}"
+    group: "{{ metabase_system_group_name }}"
+    mode: "0644"
+  become: true
+
+- name: Add metabase service
+  ansible.builtin.template:
+    src: etc/systemd/system/metabase.service.j2
+    dest: /etc/systemd/system/metabase.service
+    mode: "0644"
+  become: true
+  notify:
+    - Reload systemd
+    - Restart metabase
+
+- name: Enable metabase service
+  ansible.builtin.service:
+    name: metabase
+    state: started
+    enabled: true

roles/metabase/tasks/main.yaml

@@ -0,0 +1,13 @@
+---
+- name: Setup prerequisites
+  ansible.builtin.include_tasks: prerequisites.yaml
+
+- name: Configure ssh tunnels
+  ansible.builtin.include_tasks: configure_secure_tunnel.yaml
+  loop: '{{ metabase_secure_tunnels }}'
+
+- name: Install metabase
+  ansible.builtin.include_tasks: install_metabase.yaml
+
+- name: Install metabase
+  ansible.builtin.include_tasks: init_metabase.yaml

roles/metabase/tasks/prerequisites.yaml

@@ -0,0 +1,37 @@
+---
+- name: Create metabase group
+  ansible.builtin.group:
+    name: "{{- metabase_system_group_name -}}"
+  become: true
+
+- name: Create the metabase user
+  ansible.builtin.user:
+    name: "{{- metabase_system_user_name -}}"
+    group: "{{- metabase_system_group_name -}}"
+  become: true
+
+- name: Create .ssh directory for the metabase user
+  ansible.builtin.file:
+    path: "/home/{{- metabase_system_user_name -}}/.ssh"
+    state: directory
+    owner: "{{- metabase_system_user_name -}}"
+    group: "{{- metabase_system_group_name -}}"
+    mode: "0755"
+
+- name: Copy private SSH key for metabase user
+  ansible.builtin.copy:
+    content: "{{ metabase_ssh_private_key_content }}\n"
+    dest: "/home/{{- metabase_system_user_name -}}/.ssh/id_rsa"
+    owner: "{{- metabase_system_user_name -}}"
+    group: "{{- metabase_system_group_name -}}"
+    mode: "0600"
+
+
+- name: Install tunnel service
+  ansible.builtin.template:
+    src: etc/systemd/system/secure-tunnel.service.j2
+    dest: /etc/systemd/system/[email protected]
+    mode: "0750"
+  become: true
+  notify:
+    - Reload systemd

roles/metabase/templates/etc/default/secure-tunnel.env.j2

@@ -0,0 +1,4 @@
+TARGET={{ tunnel_remote_user }}@{{ tunnel_remote_host }}
+LOCAL_ADDR=0.0.0.0
+LOCAL_PORT={{ tunnel_local_port }}
+REMOTE_PORT={{ tunnel_remote_port }}

roles/metabase/templates/etc/systemd/system/metabase.service.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description=Metabase - Data visualization platform
+Documentation=https://www.metabase.com/docs/latest
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/java \
+    -Dlog4j.configuration=file:/home/metabase/workdir/log4j.properties \
+    {{ metabase_jvm_args }} -jar /home/metabase/bin/metabase.jar
+
+Type=simple
+User={{ metabase_system_user_name }}
+Group={{ metabase_system_group_name }}
+WorkingDirectory=/home/metabase/workdir
+
+SuccessExitStatus=143
+
+Restart=on-failure
+RestartSec=10
+
+Environment="MB_PASSWORD_COMPLEXITY=normal"
+Environment="MB_PASSWORD_LENGTH=10"
+Environment="MB_JETTY_HOST=0.0.0.0"
+Environment="MB_JETTY_PORT={{- metabase_ui_port -}}"
+
+Environment="MB_DB_DBNAME={{ metabase_db_name }}"
+Environment="MB_DB_TYPE={{ metabase_db_type }}"
+Environment="MB_DB_PORT={{ metabase_db_port }}"
+Environment="MB_DB_USER={{ metabase_db_user }}"
+Environment="MB_DB_PASS={{ metabase_db_pass }}"
+Environment="MB_DB_HOST={{ metabase_db_host }}"
+
+[Install]
+WantedBy=multi-user.target

roles/metabase/templates/etc/systemd/system/secure-tunnel.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Setup a secure tunnel to %I
+After=network.target
+
+[Service]
+Environment="LOCAL_ADDR=localhost"
+EnvironmentFile=/etc/default/secure-tunnel@%i
+ExecStart=/usr/bin/ssh -i /home/metabase/.ssh/id_rsa -NT -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L ${LOCAL_ADDR}:${LOCAL_PORT}:localhost:${REMOTE_PORT} ${TARGET}
+
+# Restart every >2 seconds to avoid StartLimitInterval failure
+RestartSec=5
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/metabase/templates/home/metabase/workdir/log4j.properties

@@ -0,0 +1,29 @@
+log4j.rootLogger=WARN, file
+
+# log to a file
+log4j.appender.file=org.apache.log4j.RollingFileAppender
+log4j.appender.file.File=/var/log/metabase/metabase.log
+log4j.appender.file.MaxFileSize=500MB
+log4j.appender.file.MaxBackupIndex=2
+log4j.appender.file.layout=org.apache.log4j.PatternLayout
+log4j.appender.file.layout.ConversionPattern=%d [%t] %-5p%c - %m%n
+
+# customizations by package
+
+log4j.logger.metabase.driver=INFO
+log4j.logger.metabase.plugins=INFO
+log4j.logger.metabase.middleware=INFO
+log4j.logger.metabase.models.permissions=INFO
+log4j.logger.metabase.query-processor.permissions=INFO
+log4j.logger.metabase.query-processor=INFO
+log4j.logger.metabase.sync=INFO
+log4j.logger.metabase.models.field-values=INFO
+
+log4j.logger.metabase.async.util=INFO
+log4j.logger.metabase.middleware.async=INFO
+log4j.logger.metabase.query-processor.async=INFO
+
+log4j.logger.metabase=INFO
+
+# c3p0 connection pools tend to log useless warnings way too often; only log actual errors
+log4j.logger.com.mchange=ERROR

roles/vega_caddy_server/tasks/main.yaml

@@ -109,8 +109,6 @@
     owner: "caddy"
     group: "caddy"
     mode: "0644"
+    force: false
   notify: "Restart caddy"
   diff: false
-  args:
-    # database is managed by external process, do not overwrite it with default one
-    creates: "/etc/caddy/GeoLite2-Country.mmdb"

roles/vega_postgresql/defaults/main.yaml

@@ -11,3 +11,4 @@ vega_postgresql_db_users:
 
 vega_postgresql_external_data_directory: "/home/vega/postgresql"
 vega_postgresql_allow_remote_access: false
+vega_postgresql_extra_postgresql_conf_params: {}

roles/vega_postgresql/tasks/configure.yaml

@@ -10,7 +10,6 @@
   args:
     creates: /.timescaledb-tune-finished
 
-
 - name: Configure | Custom configuration changes to postgresql.conf
   ansible.builtin.lineinfile:
     path: "/etc/postgresql/{{- vega_postgresql_version -}}/main/postgresql.conf"
@@ -42,6 +41,15 @@
     internal_postgresql_home: "/var/lib/postgresql/{{- vega_postgresql_version -}}/main"
   register: psql_config
 
+
+- name: Configure | Extra postgresql.conf changes
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{- vega_postgresql_version -}}/main/postgresql.conf"
+    regexp: "^#?{{ item.key }} =.*"
+    line: "{{ item.key }} = {{ item.value }}"
+  with_dict: "{{ vega_postgresql_extra_postgresql_conf_params }}"
+  register: psql_config_extra
+
 - name: Configure | Check if data already migrated
   ansible.builtin.stat:
     path: "{{- vega_postgresql_external_data_directory -}}/main"
@@ -67,4 +75,4 @@
     state: restarted
     enabled: true
     name: postgresql
-  when: psql_config.changed or migrate_psql_home.changed
+  when: psql_config.changed or migrate_psql_home.changed or psql_config_extra.changed

roles/zfs_generic/defaults/main.yaml

@@ -0,0 +1,11 @@
+---
+zfs_generic_pool_name: "zfs_pool"
+zfs_generic_device: "sda"
+
+# Example:
+# zfs_generic_datasets:
+#  - dataset_name: "zfs_pool/home"
+#    mount_point: "/mnt/zfs_pool"
+#  - dataset_name: "zfs_pool/home/postgresql"
+#    mount_point: "/mnt/zfs_pool/postgresql"
+zfs_generic_datasets: []