[Unit]
Description=Postgresql Server
Wants=network-online.target container-build@%N.service container-secrets.service
After=network-online.target container-build@%N.service container-secrets.service
# wait until unbound is active
After=dns-is-ready.service
Requires=dns-is-ready.service
[Service]
# environment loaded here is available in systemd-quadlet scope
EnvironmentFile=-/etc/containers/environment/%N-systemd.env
Restart=on-failure
[Container]
Image=localhost/%N:latest
# If an image is updated in local storage, Podman restarts the systemd unit
AutoUpdate=local
# environment loaded here is available for container scope, mind quadlet bug "=-"
EnvironmentFile=/etc/containers/environment/%N.env
# container wants gid 999 as group for secrets access
Secret=root_ca.crt,mode=0640,gid=999
Secret=root_bundle.crt,mode=0640,gid=999
Secret=server.crt,mode=0640,gid=999
Secret=server.key,mode=0640,gid=999
# set shared memory size for postgresql
PodmanArgs=--shm-size=256MB
Exec=postgres -c config_file=/etc/postgresql/postgresql.conf
HealthCmd=/usr/bin/bash -c '\
pg_isready -U postgres -h /var/run/postgresql && \
psql -U postgres -h /var/run/postgresql template1 -c "select 1;" > /dev/null'
Volume=postgresql.volume:/var/lib/postgresql/data
# have an migrate volume ready for dump and reimport
Volume=postgresql-migrate:/migrate
# listen address and tls configuration
Volume=/etc/containers/systemd/postgresql.conf:/etc/postgresql/postgresql.conf:ro
# network connection for internal service
Network=podman
# additional networks to allow mtls and pwd authentication distinction from frontend
Network=pgmtls:ip={{ PODMAN_STATIC_NETWORKS['pgmtls']|cidr2ip(1) }}
Network=pgpwd:ip={{ PODMAN_STATIC_NETWORKS['pgpwd']|cidr2ip(1) }}
# publish to internal bridge for internal usage, public usage is over pgmtls and pgpwd
PublishPort={{ INTERNAL_CIDR|cidr2ip(1) }}:5432:5432
[Install]
WantedBy=multi-user.target