postgresinator 0.1.0 → 0.2.0

data/lib/postgresinator/built-in.rb

@@ -0,0 +1,198 @@
+set :postgres_templates_path,           "templates/postgres"
+set :postgres_config_files,             ["postgresql.conf", "pg_hba.conf"]
+set :postgres_recovery_conf,            ["recovery.conf"]
+set :postgres_root_path,                -> { shared_path.join('postgres') }
+set :postgres_data_path,                -> { fetch(:postgres_root_path).join('data') }
+set :postgres_config_path,              -> { fetch(:postgres_root_path).join('conf') }
+set :postgres_socket_path,              -> { fetch(:postgres_root_path).join('run') }
+set :postgres_recovery_conf,            -> { "#{fetch(:postgres_data_path)}/recovery.conf" }
+set :postgres_ssl_key,                  -> { "#{fetch(:postgres_data_path)}/server.key" }
+set :postgres_ssl_csr,                  -> { "#{fetch(:postgres_data_path)}/server.csr" }
+set :postgres_ssl_crt,                  -> { "#{fetch(:postgres_data_path)}/server.crt" }
+set :postgres_log_level,                "info"
+
+def pg_run(host)
+  execute("docker", "run", "--detach", "--tty", "--user", "postgres",
+    "--name", host.properties.postgres_container_name,
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--expose", "5432",
+    "--publish", "0.0.0.0:#{host.properties.postgres_port}:5432",
+    "--restart", "always",
+    "--entrypoint", "/usr/lib/postgresql/9.1/bin/postgres",
+    fetch(:postgres_image_name),
+    "-D", shared_path.join('postgres', 'data'),
+    "-c", "config_file=#{shared_path.join('postgres', 'conf', 'postgresql.conf')}")
+end
+def pg_init(host)
+  execute("docker", "run", "--rm", "--user", "root",
+    "--volume", "#{fetch(:postgres_data_path)}:/postgresql-data:rw",
+    "--entrypoint", "/usr/bin/rsync",
+    fetch(:postgres_image_name), "-ah", "/var/lib/postgresql/9.1/main/", "/postgresql-data/")
+end
+def pg_replicate(host)
+  execute("docker", "run", "--rm", "--user", "postgres",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/usr/bin/pg_basebackup",
+    fetch(:postgres_image_name),
+    "-w", "-h", fetch(:domain), "-p", fetch(:master_container_port),
+    "-U", "replicator", "-D", fetch(:postgres_data_path), "-v", "-x")
+end
+def pg_ssl_key(host)
+  execute("docker", "run", "--rm", "--user", "root",
+    "--entrypoint", "/usr/bin/openssl",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    fetch(:postgres_image_name), "req", "-nodes", "-newkey", "rsa:2048",
+    "-keyout", fetch(:postgres_ssl_key),
+    "-out", fetch(:postgres_ssl_csr),
+    "-subj", "\"/C=US/ST=Oregon/L=Portland/O=My Company/OU=Operations/CN=localhost\"")
+end
+def pg_ssl_crt(host)
+  execute("docker", "run", "--rm", "--user", "root",
+    "--entrypoint", "/usr/bin/openssl",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    fetch(:postgres_image_name), "req", "-x509", "-text",
+    "-in", fetch(:postgres_ssl_csr),
+    "-key", fetch(:postgres_ssl_key),
+    "-out", fetch(:postgres_ssl_crt))
+end
+def pg_restore(host, args, clean)
+  SSHKit.config.output_verbosity = "debug"
+  execute("docker", "run", "--rm",
+    "--volume", "/tmp:/tmp:rw",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/pg_restore", "-U", "postgres",
+    "--host", fetch(:postgres_socket_path), clean,
+    "-d", args.database_name, "-F", "tar", "-v", "/tmp/#{args.dump_file}'")
+  SSHKit.config.output_verbosity = fetch(:postgres_log_level)
+end
+def pg_dump(host, args)
+  SSHKit.config.output_verbosity = "debug"
+  execute("docker", "run", "--rm",
+    "--volume", "/tmp:/tmp:rw",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/pg_dump", "-U", "postgres",
+    "--host", fetch(:postgres_socket_path), "-F", "tar",
+    "-v", args.database_name, ">", "/tmp/#{args.dump_file}'")
+  SSHKit.config.output_verbosity = fetch(:postgres_log_level)
+end
+def pg_interactive(host)
+  [
+    "ssh", "-t", "#{host}", "\"docker", "run", "--rm", "--interactive", "--tty",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    "#{fetch(:postgres_image_name)}",
+    "-lic", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'\""
+  ].join(' ')
+end
+def pg_interactive_print(host)
+  [
+    "docker", "run", "--rm", "--interactive", "--tty",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    "#{fetch(:postgres_image_name)}",
+    "-lic", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'"
+  ].join(' ')
+end
+def pg_list_databases(host)
+  capture("docker", "run", "--rm",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", fetch(:postgres_socket_path),
+    "-a", "-c", "\"\\l\"'").lines.each { |l| info l }
+end
+def pg_list_roles(host)
+  capture("docker", "run", "--rm",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", fetch(:postgres_socket_path),
+    "-c", "\"\\du\"'").lines.each { |l| info l }
+end
+def pg_streaming_master(host)
+  capture("echo", "\"SELECT", "*", "FROM", "pg_stat_replication;\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres", "-xa",
+    "--host", "#{fetch(:postgres_socket_path)}'").lines.each { |l| info l }
+end
+def pg_streaming_slave(host)
+  capture("echo", "\"SELECT", "now()", "-", "pg_last_xact_replay_timestamp()",
+    "AS", "replication_delay;\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'").lines.each { |l| info l }
+end
+def pg_create_role(db_role, password)
+  execute("echo", "\"CREATE", "ROLE", "\\\"#{db_role}\\\"",
+    "WITH", "LOGIN", "ENCRYPTED", "PASSWORD", "'#{password}'",
+    "REPLICATION", "CREATEDB;\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'")
+end
+def pg_create_database(database)
+  execute("echo", "\"CREATE", "DATABASE", "\\\"#{database[:name]}\\\"",
+    "WITH", "OWNER", "\\\"#{database[:db_role]}\\\"", "TEMPLATE",
+    "template0", "ENCODING", "'UTF8';\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'")
+end
+def pg_grant_database(database)
+  execute("echo", "\"GRANT", "ALL", "PRIVILEGES", "ON", "DATABASE",
+    "\\\"#{database[:name]}\\\"", "to", "\\\"#{database[:db_role]}\\\";\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'")
+end
+def pg_role_exists?(db_role)
+  test("echo", "\"SELECT", "*", "FROM", "pg_user",
+    "WHERE", "usename", "=", "'#{db_role}';\"", "|",
+    "docker", "run", "--rm", "--interactive",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+    fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", "#{fetch(:postgres_socket_path)}'", "|",
+    "grep", "-q", "'#{db_role}'")
+end
+def pg_database_exists?(database_name)
+  test("docker", "run", "--rm",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash",
+     fetch(:postgres_image_name),
+    "-c", "'/usr/bin/psql", "-U", "postgres",
+    "--host", fetch(:postgres_socket_path), "-lqt", "|",
+    "cut", "-d\\|", "-f1", "|", "grep", "-w", "#{database_name}'")
+end
+def pg_database_empty?(database_name)
+  test("docker", "run", "--rm", "--tty",
+    "--volume", "#{fetch(:deploy_to)}:#{fetch(:deploy_to)}:rw",
+    "--entrypoint", "/bin/bash", fetch(:postgres_image_name), "-lc",
+    "'/usr/bin/psql", "-U", "postgres", "-d", database_name,
+    "--host", fetch(:postgres_socket_path),
+    "-c", "\"\\dt\"", "|", "grep", "-qi", "\"no relations found\"'")
+end

data/lib/postgresinator/check.rb

@@ -0,0 +1,130 @@
+namespace :pg do
+  namespace :check do
+
+    #desc 'Ensure all postgresinator specific settings are set, and warn and exit if not.'
+    before 'pg:setup', :settings do
+      require 'resolv' unless defined?(Resolv)
+      run_locally do
+        {
+          (File.dirname(__FILE__) + "/examples/config/deploy.rb") => 'config/deploy.rb',
+          (File.dirname(__FILE__) + "/examples/config/deploy/staging.rb") => "config/deploy/#{fetch(:stage)}.rb"
+        }.each do |abs, rel|
+          Rake::Task['deployinator:settings'].invoke(abs, rel)
+          Rake::Task['deployinator:settings'].reenable
+        end
+      end
+      on roles(:db, :db_slave, :in => :parallel) do |host|
+        unless host.properties.respond_to?(:postgres_port)
+          fatal "#{host} does not have postgres_port set." and exit
+        end
+        unless host.properties.respond_to?(:ip)
+          host.properties.set :ip, Resolv.getaddress(host.to_s)
+        end
+      end
+      on roles(:db) do |host|
+        unless host.properties.respond_to?(:postgres_container_name)
+          host.properties.set :postgres_container_name, "#{fetch(:domain)}-postgres-master_#{host.properties.postgres_port}"
+        end
+      end
+      on roles(:db_slave, :in => :parallel) do |host|
+        unless host.properties.respond_to?(:postgres_container_name)
+          host.properties.set :postgres_container_name, "#{fetch(:domain)}-postgres-slave_#{host.properties.postgres_port}"
+        end
+      end
+      run_locally do
+        unless roles(:db).length == 1
+          fatal "You can't set more than one master! (set only one host in the :db role.)"
+          fatal roles(:db)
+          exit
+        end
+      end
+    end
+
+    namespace :settings do
+      desc 'Print example postgresinator specific settings for comparison.'
+      task :print do
+        set :print_all, true
+        Rake::Task['pg:check:settings'].invoke
+      end
+
+      task :database, [:database_name] do |t, args|
+        run_locally do
+          database_found = false
+          fetch(:postgres_databases).each do |database|
+            next unless database[:name] == args.database_name
+            database_found = true
+          end
+          fatal "Database #{args.domain} not found in the configuration" and exit unless database_found
+        end
+      end
+
+      task :domain, [:domain] do |t, args|
+        run_locally do
+          unless roles(:db, :db_slave).select { |host| host.to_s == args.domain }.length == 1
+            fatal "Server domain #{args.domain} not found in the configuration" and exit
+          end
+        end
+      end
+
+      task :postgres_uid_gid do
+        on roles(:db) do
+          set :postgres_uid, -> {
+            capture("docker", "run", "--rm", "--tty",
+              "--entrypoint", "/usr/bin/id",
+              fetch(:postgres_image_name), "-u", "postgres").strip
+          }
+          set :postgres_gid, -> {
+            capture("docker", "run", "--rm", "--tty",
+              "--entrypoint", "/usr/bin/id",
+              fetch(:postgres_image_name), "-g", "postgres").strip
+          }
+        end
+      end
+    end
+
+    task :file_permissions => ['pg:ensure_setup', 'postgresinator:deployment_user', 'postgresinator:webserver_user'] do
+      on roles(:db, :db_slave, :in => :parallel) do |host|
+        as "root" do
+          execute "mkdir", "-p", fetch(:postgres_data_path),
+            fetch(:postgres_socket_path), fetch(:postgres_config_path)
+          ["#{fetch(:deploy_to)}/..", fetch(:deploy_to), shared_path].each do |dir|
+            execute("chown", "#{fetch(:deployment_user_id)}:#{unix_user_get_gid(fetch(:webserver_username))}", dir.to_s)
+            execute("chmod", "2750", dir.to_s)
+          end
+          # chown everything
+          execute("chown", "-R", "#{fetch(:postgres_uid)}:#{fetch(:postgres_gid)}",
+            fetch(:postgres_root_path))
+          # chmod data_path
+          execute "find", fetch(:postgres_data_path), "-type", "d",
+            "-exec", "chmod", "2700", "{}", "+"
+          execute "find", fetch(:postgres_data_path), "-type", "f",
+            "-exec", "chmod", "0600", "{}", "+"
+          # chmod everything but data_path
+          execute "find", fetch(:postgres_root_path), "-type", "d",
+            "-not", "-path", "\"#{fetch(:postgres_data_path)}\"",
+            "-not", "-path", "\"#{fetch(:postgres_data_path)}/*\"",
+            "-exec", "chmod", "2775", "{}", "+"
+          execute "find", fetch(:postgres_root_path), "-type", "f",
+            "-not", "-path", "\"#{fetch(:postgres_data_path)}\"",
+            "-not", "-path", "\"#{fetch(:postgres_data_path)}/*\"",
+            "-exec", "chmod", "0660", "{}", "+"
+        end
+      end
+    end
+    after 'pg:install_config_files', 'pg:check:file_permissions'
+
+    task :firewall => ['pg:ensure_setup', 'postgresinator:deployment_user'] do
+      on roles(:db, :db_slave, :in => :parallel) do |host|
+        as "root" do
+          if test "ufw", "status"
+            success = test("ufw", "allow", "#{host.properties.postgres_port}/tcp")
+            fatal "Error during opening UFW firewall" and exit unless success
+          else
+            warn "Uncomplicated Firewall does not appear to be installed, making no firewall action."
+          end
+        end
+      end
+    end
+
+  end
+end

data/lib/postgresinator/config.rb

@@ -1,155 +1,106 @@
-require 'resolv'
-require 'hashie'
+module Capistrano
+  module TaskEnhancements
+    alias_method :pg_original_default_tasks, :default_tasks
+    def default_tasks
+      pg_original_default_tasks + [
+        'postgresinator:write_built_in',
+        'postgresinator:write_example_configs',
+        'postgresinator:write_example_configs:in_place'
+      ]
+    end
+  end
+end
 
 namespace :postgresinator do
 
-  desc 'Write example config files'
+  set :example, "_example"
+
+  desc "Write example config files (with '_example' appended to their names)."
   task :write_example_configs do
     run_locally do
-      execute "mkdir", "-p", "config/deploy", "templates/postgresql"
+      execute "mkdir", "-p", "config/deploy", fetch(:postgres_templates_path, 'templates/postgres')
       {
-        'examples/Capfile'                                  => 'Capfile_example',
-        'examples/config/deploy.rb'                         => 'config/deploy_example.rb',
-        'examples/config/deploy_postgresinator.rb'          => 'config/deploy_postgresinator_example.rb',
-        'examples/config/deploy/staging.rb'                 => 'config/deploy/staging_example.rb',
-        'examples/config/deploy/staging_postgresinator.rb'  => 'config/deploy/staging_postgresinator_example.rb',
-        'examples/Dockerfile'                               => 'templates/postgresql/Dockerfile_example',
-        'examples/postgresql.conf.erb'                      => 'templates/postgresql/postgresql_example.conf.erb',
-        'examples/pg_hba.conf.erb'                          => 'templates/postgresql/pg_hba_example.conf.erb',
-        'examples/recovery.conf.erb'                        => 'templates/postgresql/recovery_example.conf.erb'
+        'examples/Capfile'                    => "Capfile#{fetch(:example)}",
+        'examples/config/deploy.rb'           => "config/deploy#{fetch(:example)}.rb",
+        'examples/config/deploy/staging.rb'   => "config/deploy/staging#{fetch(:example)}.rb",
+        'examples/Dockerfile'                 => "#{fetch(:postgres_templates_path, 'templates/postgres')}/Dockerfile#{fetch(:example)}",
+        'examples/postgresql.conf.erb'        => "#{fetch(:postgres_templates_path, 'templates/postgres')}/postgresql#{fetch(:example)}.conf.erb",
+        'examples/pg_hba.conf.erb'            => "#{fetch(:postgres_templates_path, 'templates/postgres')}/pg_hba#{fetch(:example)}.conf.erb",
+        'examples/recovery.conf.erb'          => "#{fetch(:postgres_templates_path, 'templates/postgres')}/recovery#{fetch(:example)}.conf.erb"
       }.each do |source, destination|
         config = File.read(File.dirname(__FILE__) + "/#{source}")
         File.open("./#{destination}", 'w') { |f| f.write(config) }
         info "Wrote '#{destination}'"
       end
-      info "Now remove the '_example' portion of their names or diff with existing files and add the needed lines."
+      unless fetch(:example).empty?
+        info "Now remove the '#{fetch(:example)}' portion of their names or diff with existing files and add the needed lines."
+      end
     end
   end
 
-end
-
-namespace :config do
-
-  # TODO refactor to load all settings via capistrano configs
-  task :load_settings do
-    cluster = Hashie::Mash.new()
-    cluster.image               = {}
-    set :pg_image_name,         -> { fetch(:postgres_image_name) }
-    cluster.image.name          = fetch(:pg_image_name)
-    set :pg_config_files,       -> { fetch(:postgres_config_files) }
-    cluster.image.config_files  = fetch(:pg_config_files)
-    set :pg_data_path,          -> { fetch(:postgres_data_path) }
-    cluster.image.data_path     = fetch(:pg_data_path)
-    set :pg_conf_path,          -> { fetch(:postgres_conf_path) }
-    cluster.image.conf_path     = fetch(:pg_conf_path)
-    set :pg_sock_path,          -> { fetch(:postgres_sock_path) }
-    cluster.image.sock_path     = fetch(:pg_sock_path)
-    set :pg_uid,                -> { fetch(:postgres_uid) }
-    cluster.image.postgres_uid  = fetch(:pg_uid)
-    set :pg_gid,                -> { fetch(:postgres_gid) }
-    cluster.image.postgres_gid  = fetch(:pg_gid)
-    set :pg_databases,          -> { fetch(:databases) }
-    cluster.databases           = fetch(:pg_databases)
-    set :pg_servers,            -> { fetch(:servers) }
-    cluster.servers             = fetch(:pg_servers)
-
-    cluster.ssh_user            = ENV["USER"]
-    cluster.servers.each do |server|
-      server.ip = Resolv.getaddress(server.domain)
-      master_or_slave    = server.master ? "master" : "slave"
-      server.master_domain      = cluster.servers.collect { |s| s.domain if s.master }.first
-      server.master_ip          = Resolv.getaddress(server.master_domain)
-      server.master_port        = cluster.servers.collect { |s| s.port if s.master }.first
-      server.container_name     = "#{server.master_domain}-postgres-#{server.port}-#{master_or_slave}"
-      server.data_path          = "/#{server.container_name}-data"
-      server.conf_path          = "/#{server.container_name}-conf"
-      server.docker_run_command = [
-        "--detach",   "--tty", "--user", "postgres",
-        "--name",     server.container_name,
-        "--volume",   cluster.image.sock_path,
-        "--volume",   "#{server.data_path}:#{cluster.image.data_path}:rw",
-        "--volume",   "#{server.conf_path}:#{cluster.image.conf_path}:rw",
-        "--expose",   "5432",
-        "--publish",  "0.0.0.0:#{server.port}:5432",
-        "--restart", "always",
-        cluster.image.name
-      ]
-      server.docker_init_command = [
-        "--rm", "--user", "root",
-        "--volume", "#{server.data_path}:/postgresql-data:rw",
-        "--entrypoint", "/usr/bin/rsync",
-        cluster.image.name, "-ah", "#{cluster.image.data_path}/", "/postgresql-data/"
-      ]
-      server.docker_replicate_command = [
-        "--rm", "--user", "postgres",
-        "--volume", "#{server.data_path}:#{cluster.image.data_path}:rw",
-        "--entrypoint", "/usr/bin/pg_basebackup",
-        cluster.image.name,
-        "-w", "-h", server.master_domain, "-p", server.master_port,
-        "-U", "replicator", "-D", cluster.image.data_path, "-v", "-x"
-      ]
+  desc 'Write example config files (will overwrite any existing config files).'
+  namespace :write_example_configs do
+    task :in_place do
+      set :example, ""
+      Rake::Task['postgresinator:write_example_configs'].invoke
     end
-    @cluster = cluster
   end
 
-  task :ensure_cluster_data_uniqueness do
-    cluster = @cluster
+  desc 'Write a file showing the built-in overridable settings.'
+  task :write_built_in do
     run_locally do
-      names = cluster.servers.collect { |s| s.container_name }
-      fatal "The container names in this cluster are not unique" and raise unless names == names.uniq
-
-      masters = cluster.servers.collect { |s| s.domain if s.master }
-      fatal "You can't set more than one master" and raise unless masters.compact.length == 1
+      {
+        'built-in.rb'                         => 'built-in.rb',
+      }.each do |source, destination|
+        config = File.read(File.dirname(__FILE__) + "/#{source}")
+        File.open("./#{destination}", 'w') { |f| f.write(config) }
+        info "Wrote '#{destination}'"
+      end
+      info "Now examine the file and copy-paste into your deploy.rb or <stage>.rb and customize."
     end
   end
 
-  task :config_file_not_found, [:config_file] do |t, args|
-    cluster = @cluster
-    run_locally do
-      config_file_found = false
-      cluster.image.config_files.each do |config_file|
-        next unless config_file == args.config_file
-        config_file_found = true
+  # These are the only two tasks using :preexisting_ssh_user
+  namespace :deployment_user do
+    #desc "Setup or re-setup the deployment user, idempotently"
+    task :setup do
+      on roles(:all) do |h|
+        on "#{fetch(:preexisting_ssh_user)}@#{h}" do |host|
+          as :root do
+            deployment_user_setup(fetch(:postgres_templates_path))
+          end
+        end
       end
-      fatal "Config file #{args.config_file} not found in the configuration" and raise unless config_file_found
-      config_template_found = test("ls", "-A", "templates/postgresql/#{args.config_file}.erb")
-      fatal "Config template file templates/postgresql/#{args.config_file}.erb not found locally" and raise unless config_template_found
     end
   end
 
-  task :database_not_found, [:database_name] do |t, args|
-    cluster = @cluster
-    run_locally do
-      database_found = false
-      cluster.databases.each do |database|
-        next unless database.name == args.database_name
-        database_found = true
+  task :deployment_user do
+    on roles(:all) do |h|
+      on "#{fetch(:preexisting_ssh_user)}@#{h}" do |host|
+        as :root do
+          if unix_user_exists?(fetch(:deployment_username))
+            info "User #{fetch(:deployment_username)} already exists. You can safely re-setup the user with 'postgresinator:deployment_user:setup'."
+          else
+            Rake::Task['postgresinator:deployment_user:setup'].invoke
+          end
+        end
       end
-      fatal "Database #{args.domain} not found in the configuration" and raise unless database_found
     end
   end
 
-  task :domain_not_found, [:domain] do |t, args|
-    cluster = @cluster
-    run_locally do
-      domain_found = false
-      cluster.servers.each do |server|
-        next unless server.domain == args.domain
-        domain_found = true
+  task :webserver_user do
+    on roles(:all) do
+      as :root do
+        unix_user_add(fetch(:webserver_username)) unless unix_user_exists?(fetch(:webserver_username))
       end
-      fatal "Server domain #{args.domain} not found in the configuration" and raise unless domain_found
     end
   end
 
-  task :role_not_found, [:role_name] do |t, args|
-    cluster = @cluster
-    run_locally do
-      role_found = false
-      cluster.databases.each do |database|
-        next unless database.db_role == args.role_name
-        role_found = true
+  task :file_permissions => [:deployment_user, :webserver_user] do
+    on roles(:app) do
+      as :root do
+        setup_file_permissions
       end
-      fatal "Role #{args.role_name} not found in the configuration" and raise unless role_found
     end
   end