proxmox-templates/rotate_postgres.sh

#!/bin/bash

# --- CONFIGURATION ---
POSTGRES_ID=119
LLDAP_ID=126
SECRETS_FILE="/root/secrets/postgres.env"

if [ -f "$SECRETS_FILE" ]; then
    source "$SECRETS_FILE"
else
    echo "Error: Secrets file not found!"
    exit 1
fi

echo "Syncing PostgreSQL credentials..."

# 1. Create User if not exists (Literal Heredoc)
pct exec $POSTGRES_ID -- su - postgres -c "psql" <<'EOF'
DO $$
BEGIN
    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'lldap_admin') THEN
        CREATE ROLE lldap_admin WITH LOGIN;
    END IF;
END $$;
EOF

# 2. Update Password
pct exec $POSTGRES_ID -- su - postgres -c "psql -c \"ALTER ROLE $DB_USER WITH PASSWORD '$DB_PASS';\""

# 3. Create Database (Standard Shell Logic instead of \gexec)
DB_EXISTS=$(pct exec $POSTGRES_ID -- su - postgres -c "psql -tAc \"SELECT 1 FROM pg_database WHERE datname='$DB_NAME'\"")

if [ "$DB_EXISTS" != "1" ]; then
    echo "Database $DB_NAME not found. Creating..."
    pct exec $POSTGRES_ID -- su - postgres -c "psql -c \"CREATE DATABASE $DB_NAME OWNER $DB_USER;\""
else
    echo "Database $DB_NAME already exists."
fi

# 4. Final Permissions
pct exec $POSTGRES_ID -- su - postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $DB_USER;\""

# 5. Update LLDAP config
CONFIG_PATH="/etc/lldap/lldap_config.toml"
NEW_URL="postgres://$DB_USER:$DB_PASS@$DB_HOST:$DB_PORT/$DB_NAME"

echo "Updating LLDAP config in LXC $LLDAP_ID..."
pct exec $LLDAP_ID -- sed -i "s|^database_url = .*|database_url = \"$NEW_URL\"|" "$CONFIG_PATH"

# 6. Restart and Log Check
echo "Restarting LLDAP service..."
pct exec $LLDAP_ID -- systemctl restart lldap
sleep 3

STATUS=$(pct exec $LLDAP_ID -- systemctl is-active lldap)
echo "--------------------------------"
echo "LLDAP Status: $STATUS"

if [ "$STATUS" != "active" ]; then
    echo "Showing last 10 lines of LLDAP logs:"
    pct exec $LLDAP_ID -- journalctl -u lldap -n 10 --no-pager
fi