gitlab: PostgreSQL service

Organize internal PostgreSQL database which will be used as DB for
Roby-on-Rails GitLab and listens only on unix socket (for security and
performance reasons - see earlier intro patch).

To do it we use slapos.cookbook:postgres recipe, with disabling
"listen-to-network" via passing empty sets to ipv4 and ipv6 recipe
arguments.

The promise to check whether DB is alive is just `psql -c '\q'` which
will error if failing to connect to DB, but exit silently if connected ok.

Explicit log rotation is not needed - as postgresql logs to
stdout/stderr - not to a file - logs are handled by slapos - put into
.slappartX_postgresql.log and automatically rotated there.

XXX omnibus-gitlab tunes postgresql with shared_buffers and other
parameters, most likely for performance reasons - see e.g.

    https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-2-stable/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb#L113

I decided not to fine-tune postgresql for now, and get on-field feedback
first, and then, if needed, we can tune.

/cc @kazuhiko, @jerome

software/gitlab/instance-gitlab.cfg.in

@@ -7,6 +7,8 @@
 parts =
     directory
 
+    service-postgresql
+
     service-cron
 
 # std stuff for slapos instance
@@ -60,6 +62,57 @@ recipe  = slapos.cookbook:wrapper
 wrapper-path = !py! '${directory:promise}/' + '${:_buildout_section_name_}'[8:]
 
 
+
+
+#####################
+#   Postgresql db   #
+#####################
+
+# XXX gitlab-omnibus also tunes:
+# - shared_buffers
+# - work_mem
+# - checkpoint_*
+# - effective_check_size
+# - lc_* en_US.UTF-8 -> C  (?)
+[service-postgresql]
+recipe  = slapos.cookbook:postgres
+bin     = {{ postgresql_location }}/bin
+services= ${directory:service}
+
+dbname  = gitlabhq_production
+# NOTE db name must match to what was used in KVM on lab.nexedi.com (restore script grants access to this user)
+superuser = gitlab-psql
+# no password - pgsql will listen only on unix sockets (see below) thus access
+# is protected with filesystem-level permissions.
+# ( besides, if we use slapos.cookbook:generate.password and do `password = ...`
+#   the password is stored in plain text in .installed and thus becomes insecure )
+password=
+
+pgdata-directory = ${directory:srv}/postgresql
+
+# empty addresses - listen only on unix socket
+ipv4    = !py!set([])
+ipv6    = !py!set([])
+ipv6-random =
+port    =
+
+depend  =
+    ${promise-postgresql:recipe}
+
+[promise-postgresql]
+<= promise-wrapper
+command-line =
+    {{ postgresql_location }}/bin/psql
+        -h ${service-postgresql:pgdata-directory}
+        -U ${service-postgresql:superuser}
+        -d ${service-postgresql:dbname}
+        -c '\q'
+
+# postgresql logs to stdout/stderr - logs are handled by slapos not us
+# [logrotate-entry-postgresql]
+
+
+
 #############
 #   cron    #
 #############

software/gitlab/instance.cfg.in

@@ -28,3 +28,4 @@ context =
     raw gunzip_bin                  ${gzip:location}/bin/gunzip
     raw gzip_bin                    ${gzip:location}/bin/gzip
     raw logrotate_bin               ${logrotate:location}/usr/sbin/logrotate
+    raw postgresql_location         ${postgresql92:location}