Replace the configfile.py module. Other fixes.

This commit is contained in:
Andrea Dell'Amico 2023-10-16 18:39:03 +02:00
parent 3941030b6b
commit d69716bb8a
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
11 changed files with 504 additions and 521 deletions


@ -68,7 +68,7 @@ psql_conf_parameters:
psql_log_configuration:
- { name: 'log_destination', value: 'stderr', set: 'True' }
- { name: 'logging_collector', value: 'off', set: 'False' }
- { name: 'log_directory', value: "'{{ psql_log_dir }}'", set: 'True' }
- { name: 'log_directory', value: '{{ psql_log_dir }}', set: 'True' }
- { name: 'log_rotation_age', value: '1d', set: 'True' }
- { name: 'log_rotation_size', value: '10MB', set: 'True' }
- { name: 'client_min_messages', value: 'notice', set: 'True' }
@ -76,11 +76,8 @@ psql_log_configuration:
- { name: 'log_min_error_statement', value: 'error', set: 'True' }
- { name: 'log_min_duration_statement', value: '-1', set: 'True' }
- { name: 'log_checkpoints', value: 'off', set: 'True' }
- { name: 'log_connections', value: 'on', set: 'True' }
- { name: 'log_disconnections', value: 'off', set: 'True' }
- { name: 'log_duration', value: 'off', set: 'True' }
- { name: 'log_error_verbosity', value: 'default', set: 'True' }
- { name: 'log_hostname', value: 'on', set: 'True' }
# Treat vacuum separately. Important: the parameters that need a restart must be listed in psql_conf_parameters
psql_autovacuum_configuration:
@ -117,10 +114,10 @@ psql_streaming_replication_config:
# SSL as a special case
psql_enable_ssl: False
psql_force_ssl_client_connection: False
postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
postgresql_letsencrypt_managed: '{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}true{% else %}false{% endif %}'
psql_ssl_privkey_global_file: '{% if postgresql_letsencrypt_managed %}/var/lib/acme/live/{{ ansible_fqdn }}/privkey{% else %}{{ pki_dir }}/keys/{{ ansible_fqdn}}-key.pem{% endif %}'
psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
psql_ssl_cert_file: '{% if postgresql_letsencrypt_managed %}/var/lib/acme/live/{{ ansible_fqdn }}/fullchain{% else %}{{ pki_dir }}/certs/{{ ansible_fqdn}}.pem{% endif %}'
# In CentOS/RHEL is /etc/pki/tls/cert.pem
psql_ssl_ca_file: '/etc/ssl/certs/ca-certificates.crt'
psql_conf_ssl_parameters:
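Review bot: `postgresql_letsencrypt_managed` is now rendered as the literal strings `true`/`false`, yet the new `psql_ssl_privkey_global_file` and `psql_ssl_cert_file` values test it with a bare `{% if postgresql_letsencrypt_managed %}`; as far as the defaults alone show, that resolves to a non-empty string, which Jinja treats as truthy, so the acme paths may be chosen even when acmetool is not installed. The `when: postgresql_letsencrypt_managed` in tasks/main.yml is evaluated differently (Ansible re-evaluates a bare conditional), so it would not expose the problem. Safer to produce a real boolean and coerce at the consumers: `postgresql_letsencrypt_managed: "{{ letsencrypt_acme_install | default(false) | bool }}"` and `{% if postgresql_letsencrypt_managed | bool %}` in both file-path templates.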


@ -1,83 +0,0 @@
#!/usr/bin/python
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'status': ['preview'],
'supported_by': 'ISTI-CNR'
}
import glob
import json
import tempfile
import filecmp
import os
import re
from ansible.module_utils.basic import AnsibleModule
def run_configfile_module():
module = AnsibleModule(
argument_spec = dict(
path=dict(required=True),
key=dict(required=True),
value=dict(required=True),
syntax=dict(required=False, choices=['standard', 'shell'], default='standard'),
)
)
path = module.params['path']
syntax = module.params['syntax']
key = module.params['key']
value = module.params['value']
found = [False]
def expand(line):
if syntax == 'standard':
if re.match("[ #]*%s *=.*" % (key), line):
found[0] = True
return re.sub("[ #]*%s *=.*" % (key), "%s = %s" % (key, value), line)
elif syntax == 'shell':
if re.match("[ #]*%s *=.*" % (key), line):
found[0] = True
return re.sub("[ #]*%s *=.*" % (key), "%s=%s" % (key, value), line)
else:
raise Exception("unsupported syntax %s" % syntax)
changed = False
with open(path, 'r') as input:
with tempfile.NamedTemporaryFile(dir=os.path.dirname(path), mode="w") as temp:
for line in input:
print(expand(line), end=' ', file=temp)
if not found[0]:
if not line.endswith('\n'):
print('', file=temp)
if syntax == 'standard':
print("%s = %s" % (key, value), file=temp)
elif syntax == 'shell':
print("%s=%s" % (key, value), file=temp)
else:
raise Exception("unsupported syntax %s" % syntax)
temp.delete = False
temp.close()
changed = not filecmp.cmp(path, temp.name)
if changed:
os.rename(temp.name, path)
else:
os.remove(temp.name)
module.exit_json(changed=changed)
# include magic from lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
def main():
run_configfile_module()
if __name__ == '__main__':
main()


@ -1,84 +1,97 @@
---
- name: Configure accesses on Deb/Ubuntu
block:
- name: Give access to the remote postgresql client
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# No conditionals, it is needed to perform base backups when the WAL archive is active
- name: Give local access with replication privileges to the postgres user
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: configure-access | Configure accesses on Deb/Ubuntu
when: ansible_distribution_file_variety == "Debian"
- name: Configure accesses on EL
become: true
become_user: postgres
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
block:
- name: Open the postgresql service to a specific zone.
firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True
when:
- psql_listen_on_ext_int
- firewalld_enabled
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules' ]
- name: configure-access | Give access to the remote postgresql client
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
users: '{{ item.0.user }}'
address: '{{ item.1 }}'
databases: '{{ item.0.name }}'
# method: 'scram-sha-256'
method: 'md5'
state: "{{ item.0.state | default('present') }}"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
notify: Reload postgresql
- name: Give access to the remote postgresql client
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# No conditionals, it is needed to perform base backups when the WAL archive is active
- name: Remove the ident authentication for the local connections
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local.*?all.*?ident$" state=absent owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give local access with replication privileges to the postgres user
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# No conditionals, it is required to perform base backups when the WAL archive is active
- name: configure-access | Give local access with replication privileges to the postgres user
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: 'local'
users: 'postgres'
databases: 'replication'
method: 'peer'
state: present
notify: Reload postgresql
- name: configure-access | Configure accesses on EL
when: ansible_distribution_file_variety == "RedHat"
block:
- name: configure-access | Open the postgresql service to a specific zone.
ansible.posix.firewalld:
service: postgresql
zone: "{{ postgresql_firewalld_zone }}"
permanent: true
state: enabled
immediate: true
when:
- psql_listen_on_ext_int
- firewalld_enabled
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']
- name: configure-access | Give access to the remote postgresql client
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
users: '{{ item.0.user }}'
address: '{{ item.1 }}'
databases: '{{ item.0.name }}'
# method: 'scram-sha-256'
method: 'md5'
state: "{{ item.0.state | default('present') }}"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
notify: Reload postgresql
# No conditionals, it is required to perform base backups when the WAL archive is active
- name: configure-access | Remove the ident authentication for the local connections
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: 'local'
users: 'all'
databases: 'all'
method: 'ident'
state: absent
notify: Reload postgresql
- name: configure-access | Give local access with replication privileges to the postgres user
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: 'local'
users: 'postgres'
databases: 'replication'
method: 'peer'
state: present
notify: Reload postgresql
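Review bot: The last task of the `configure-access | Configure accesses on EL` block writes its replication rule to `{{ psql_conf_dir }}/pg_hba.conf`, while the two sibling tasks in the same block use `{{ psql_el_conf_dir }}`; this looks like a copy of the Debian task, and on RedHat it would leave the EL pg_hba.conf without the `local replication postgres peer` entry (or touch a file under the Debian path). Change it to `dest: '{{ psql_el_conf_dir }}/pg_hba.conf'`. Separately, both remote-client tasks keep `method: 'md5'` with `# method: 'scram-sha-256'` commented out; md5 is the legacy method (PostgreSQL has defaulted `password_encryption` to scram-sha-256 since 14), so exposing it as a role variable, e.g. `method: "{{ psql_hba_auth_method | default('md5') }}"`, would let hosts move off the old hash without editing the role.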


@ -4,8 +4,14 @@
when: psql_postgresql_install
- import_tasks: postgis.yml
when: postgres_install_gis_extensions
- import_tasks: postgresql-config.yml
when: psql_postgresql_install
- import_tasks: postgresql-config-deb.yml
when:
- psql_postgresql_install
- ansible_distribution_file_variety == "Debian"
- import_tasks: postgresql-config-el.yml
when:
- psql_postgresql_install
- ansible_distribution_file_variety == "RedHat"
- import_tasks: postgresql-ssl-config.yml
when: psql_postgresql_install
- import_tasks: psql-kernel-sharedmem.yml
@ -29,4 +35,4 @@
when: psql_postgresql_install
- import_tasks: postgresql-letsencrypt-acmetool.yml
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- postgresql_letsencrypt_managed


@ -1,65 +1,70 @@
---
- name: Add a user for the postgresql DBs
become: True
- name: manage_pg_db | Add a user for the postgresql DBs
become: true
become_user: postgres
postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
with_items: '{{ psql_db_data | default([]) }}'
community.postgresql.postgresql_user:
user: "{{ item.user }}"
password: "{{ item.pwd }}"
role_attr_flags: "{{ item.roles }}"
port: "{{ psql_db_port }}"
state: "{{ item.userstate | default('present') }}"
no_log: true
loop: '{{ psql_db_data | default([]) }}'
when: item.roles is defined
tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
tags: ['postgresql', 'postgres', 'pg_db', 'pg_user']
- name: Add the databases with the correct owner. Or remove them, if not used anymore
become: True
- name: manage_pg_db | Add the databases with the correct owner. Or remove them, if not used anymore
become: true
become_user: postgres
postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
with_items: '{{ psql_db_data | default([]) }}'
community.postgresql.postgresql_db:
db: "{{ item.name }}"
port: "{{ psql_db_port }}"
encoding: "{{ item.encoding }}"
owner: "{{ item.user }}"
template: template0
state: "{{ item.state | default('present') }}"
loop: '{{ psql_db_data | default([]) }}'
when: item.managedb | default(True)
tags: [ 'postgresql', 'postgres', 'pg_db' ]
tags: ['postgresql', 'postgres', 'pg_db']
- name: Manage users privileges
become: True
- name: manage_pg_db | Manage users privileges
become: true
become_user: postgres
postgresql_privs:
community.postgresql.postgresql_privs:
db: '{{ item.name }}'
privs: '{{ item.privs }}'
#type: database
# type: database
objs: "{{ item.objs | default('ALL_IN_SCHEMA') }}"
roles: '{{ item.roles }}'
port: '{{ psql_db_port }}'
state: "{{ item.userstate | default('present') }}"
grant_option: "{{ item.grant_option | default('yes') }}"
with_items: '{{ psql_db_privs | default([]) }}'
tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs' ]
tags: ['postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs']
- name: Add postgres extensions to the databases, if needed
become: True
- name: manage_pg_db | Add postgres extensions to the databases, if any
become: true
become_user: postgres
postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }}
community.postgresql.postgresql_ext:
name: "{{ item.1 | default(omit) }}"
db: "{{ item.0.name }}"
port: "{{ psql_db_port }}"
with_subelements:
- '{{ psql_db_extensions | default([]) }}'
- extensions
when: psql_db_extensions is defined
tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ]
tags: ['postgresql', 'postgres', 'pg_extensions', 'pg_db']
# - name: Add schemas to a database.
# become: True
# become_user: postgres
# postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
# with_subelements:
# - '{{ psql_db_data | default([]) }}'
# - schema
# when:
# - item.0.manageschema | default(False)
# - item.1 is defined
# ignore_errors: True
# tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]
- name: Define a user with password, with no associated DBs
become: True
- name: manage_pg_db | Define a user with password, with no associated DBs
become: true
become_user: postgres
postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
with_items: '{{ psql_db_data | default(omit) }}'
community.postgresql.postgresql_user:
user: "{{ item.user }}"
password: "{{ item.pwd }}"
port: "{{ psql_db_port }}"
no_log: true
loop: '{{ psql_db_data | default([]) }}'
when:
- item.pwd is defined
- item.roles is not defined
tags: [ 'postgresql', 'postgres', 'pg_db' ]
tags: ['postgresql', 'postgres', 'pg_db']
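Review bot: The `manage_pg_db | Manage users privileges` task is the only one in this file still iterating with `with_items: '{{ psql_db_privs | default([]) }}'`, while every converted task now uses `loop`; a style point, but `loop: '{{ psql_db_privs | default([]) }}'` keeps the file uniform. The same task's `grant_option: "{{ item.grant_option | default('yes') }}"` makes WITH GRANT OPTION the default for every grant, which lets the granted role pass its privileges on to other roles; if that is intended a short comment saying so would help the next reader, otherwise `default('no')` is the more conservative default.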


@ -1,13 +1,17 @@
---
- name: install the postgresql GIS packages on deb/ubuntu
apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600
- name: postgis | Install the postgresql GIS packages on deb/ubuntu
ansible.builtin.apt:
pkg: "{{ postgres_gis_pkgs }}"
state: "{{ psql_pkg_state }}"
cache_valid_time: 3600
notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
tags: [ 'postgresql', 'postgres', 'postgis' ]
tags: ['postgresql', 'postgres', 'postgis']
- name: install the postgresql GIS packages on EL
yum: pkg={{ postgres_el_gis_pkgs }} state={{ psql_pkg_state }}
- name: postgis | Install the postgresql GIS packages on EL
ansible.builtin.yum:
pkg: "{{ postgres_el_gis_pkgs }}"
state: "{{ psql_pkg_state }}"
notify: Restart postgresql
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'postgresql', 'postgres', 'postgis' ]
tags: ['postgresql', 'postgres', 'postgis']


@ -0,0 +1,135 @@
---
- name: postgresql-config-deb | Data directory for Deb/Ubuntu
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-deb | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_data_dir }}"
owner: postgres
group: postgres
mode: '700'
state: directory
- name: postgresql-config-deb | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
ansible.builtin.lineinfile:
path: "{{ psql_conf_dir }}/postgresql.conf"
regexp: "^data_directory\ ="
line: "data_directory = '{{ psql_data_dir }}'"
create: false
state: present
- name: postgresql-config-deb | Check if the new postgresql data directory has been populated already
ansible.builtin.stat:
path: "{{ psql_data_dir }}/.postgresql_data_dir"
register: postgresql_data_dir
- name: postgresql-config-deb | Stop the postgresql service while reconfiguring the data directory
ansible.builtin.service:
name: postgresql
state: stopped
when: not postgresql_data_dir.stat.exists
- name: postgresql-config-deb | Copy the postgresql data directory into the new place
ansible.builtin.shell:
cmd: |
if [ "/var/lib/postgresql/{{ psql_version | quote }}/main" != "{{ psql_data_dir | quote }}" ] ; then
cp -a /var/lib/postgresql/{{ psql_version | quote }}/main/* {{ psql_data_dir | quote }}
echo "Custom data dir" > "{{ psql_data_dir | quote }}/.postgresql_data_dir"
fi
args:
creates: '{{ psql_data_dir | quote }}/.postgresql_data_dir'
- name: postgresql-config-deb | Start the postgresql service that will use the new data directory
ansible.builtin.service:
name: postgresql
state: started
- name: postgresql-config-deb | Configuration of Deb/Ubuntu systems
when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-deb | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_parameters }}'
notify: Restart postgresql
- name: postgresql-config-deb | Set the postgresql logging configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_log_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
- name: postgresql-config-deb | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_autovacuum_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
- name: postgresql-config-deb | Set the postgresql listen port
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'port'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-deb | We want postgres listen on the public IP
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-deb | Log the connections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_connections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Log the disconnections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_disconnections'
value: "{% if psql_listen_on_ext_int is defined %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Log the hostnames
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_hostname'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-deb | Flush flush_handlers Reload PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
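Review bot: The `postgresql-config-deb | Log the disconnections` task tests `psql_listen_on_ext_int is defined` instead of its value, unlike the neighbouring `log_connections` and `log_hostname` tasks and the EL counterpart; if the variable comes from the role defaults it is always defined, so `log_disconnections` would be switched `on` even for localhost-only installs. Change it to `value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"`. The block also ends with two consecutive `ansible.builtin.meta: flush_handlers` tasks (`Flush flush_handlers Restart PostgreSQL` followed by `Flush flush_handlers Reload PostgreSQL`); the second flush has nothing left to run, so one of them can be dropped.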


@ -0,0 +1,167 @@
---
- name: postgresql-config-el | Data directory for EL
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-el | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_el_data_dir }}"
owner: postgres
group: postgres
mode: "700"
state: directory
- name: postgresql-config-el | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
ansible.builtin.lineinfile:
path: "{{ psql_el_conf_dir }}/postgresql.conf"
regexp: "^data_directory\ ="
line: "data_directory = '{{ psql_el_data_dir }}'"
create: false
state: present
- name: postgresql-config-el | Check if the new postgresql data directory has been populated already
ansible.builtin.stat:
path: "{{ psql_el_data_dir }}/.postgresql_data_dir"
register: postgresql_data_dir
- name: postgresql-config-el | Stop the postgresql service while reconfiguring the data directory
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: stopped
when: not postgresql_data_dir.stat.exists
- name: postgresql-config-el | Copy the postgresql data directory into the new place
ansible.builtin.shell:
cmd: |
if [ "/var/lib/pgsql/{{ psql_version | quote }}/data" != "{{ psql_el_data_dir | quote }}" ] ; then
cp -a /var/lib/pgsql/{{ psql_version | quote }}/main/* {{ psql_el_data_dir | quote }}
echo "Custom data dir" > "{{ psql_el_data_dir | quote }}/.postgresql_data_dir"
fi
args:
creates: '{{ psql_el_data_dir }}/.postgresql_data_dir'
register: postgresql_new_data_dir
- name: postgresql-config-el | Fix the SELinux context for the new data directory
community.general.sefcontext:
target: '{{ psql_el_base_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config-el | Restore the SELinux context
ansible.builtin.command: restorecon -vR {{ psql_el_base_dir }}
when: postgresql_new_data_dir is changed
- name: postgresql-config-el | Start the postgresql service that will use the new data directory
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: started
- name: postgresql-config-el | Configuration of EL systems
when: ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-el | Create the postgresql log directory
ansible.builtin.file:
dest: "{{ psql_log_dir }}"
state: directory
owner: postgres
group: postgres
mode: '0750'
register: postgresql_log_dir_creation
- name: postgresql-config-el | Fix the SELinux context for the postgresql log directory
community.general.sefcontext:
target: '{{ psql_log_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config-el | Fix the SELinux context for the postgresql log directory
ansible.builtin.command: restorecon -vR {{ psql_log_dir }}
when: postgresql_log_dir_creation is changed
- name: postgresql-config-el | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_parameters }}'
notify: Restart postgresql
- name: postgresql-config-el | Set the postgresql logging configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_log_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
- name: postgresql-config-el | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_autovacuum_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
- name: postgresql-config-el | Set the postgresql listen port
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'port'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | We want postgres listen on the public IP
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | If postgresql is only accessed from localhost make it listen only on the localhost interface
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-el | Log the connections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_connections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Log the disconnections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_disconnections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Log the hostnames
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_hostname'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Flush flush_handlers Reload PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
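Review bot: In `postgresql-config-el | Copy the postgresql data directory into the new place` the guard compares against `/var/lib/pgsql/{{ psql_version | quote }}/data`, but the `cp -a` reads from `/var/lib/pgsql/{{ psql_version | quote }}/main/*`; the removed postgresql-config.yml copied from `data/*`, so `main` looks like a leftover from the Debian twin, and since the script has no `set -e` the following `echo` would still write the `.postgresql_data_dir` marker after a failed copy, satisfying `creates` on every later run. The source should be `cp -a /var/lib/pgsql/{{ psql_version | quote }}/data/* {{ psql_el_data_dir | quote }}`. Also `listen_addresses` is set twice in the EL configuration block (`We want postgres listen on the public IP`, without `become`/`become_user`, immediately followed by `If postgresql is only accessed from localhost…`, with them); the first presumably connects as the wrong user and merely duplicates the second, so it can go.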


@ -1,263 +0,0 @@
---
- name: postgresql-config | Data directory for Deb/Ubuntu
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config | Check if the new postgresql data directory exists
ansible.builtin.stat:
path: "{{ psql_data_dir }}"
register: postgresql_data_dir
- name: postgresql-config | Stop the postgresql service while reconfiguring the data directory
ansible.builtin.service:
name: postgresql
state: stopped
when: postgresql_data_dir.stat.isdir is not defined
- name: postgresql-config | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_data_dir }}"
owner: postgres
group: postgres
mode: '700'
state: directory
recurse: true
- name: postgresql-config | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: data_directory
value: "'{{ psql_data_dir }}'"
- name: postgresql-config | Copy the postgresql data directory into the new place
ansible.builtin.shell:
cmd: |
if [ "/var/lib/postgresql/{{ psql_version | quote }}/main" != "{{ psql_data_dir | quote }}" ] ; then
cp -a /var/lib/postgresql/{{ psql_version | quote }}/main/* {{ psql_data_dir | quote }}
fi
args:
creates: '{{ psql_data_dir }}/main/base'
when: postgresql_data_dir.stat.isdir is not defined
- name: postgresql-config | Start the postgresql service that will use the new data directory
ansible.builtin.service:
name: postgresql
state: started
when: postgresql_data_dir.stat.isdir is not defined
- name: postgresql-config | Configuration of Deb/Ubuntu systems
when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_parameters }}'
notify: Restart postgresql
- name: postgresql-config | Set the postgresql logging configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_log_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
- name: postgresql-config | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_autovacuum_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
- name: postgresql-config | Set the postgresql listen port
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'port'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config | We want postgres listen on the public IP
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config | Log the connections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_connections'
value: "{% if psql_db_data is defined %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config | Log the disconnections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_disconnections'
value: "{% if psql_db_data is defined %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config | Log the hostnames
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_hostname'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config | Data directory for EL
block:
- name: Check if the new postgresql data directory exists
stat: path={{ psql_el_data_dir }}
register: postgresql_data_dir
- name: postgresql-config | Stop the postgresql service while reconfiguring the data directory
service: name='postgresql-{{ psql_version }}' state=stopped
when: postgresql_data_dir.stat.isdir is not defined
- name: postgresql-config | Create the postgresql data directory if it is not in the default place
file: dest={{ psql_el_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
- name: postgresql-config | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_el_data_dir }}'"
- name: postgresql-config | Copy the postgresql data directory into the new place
shell: '[ "/var/lib/pgsql/{{ psql_version }}/data" != "{{ psql_el_data_dir }}" ] && cp -a /var/lib/pgsql/{{ psql_version }}/data/* {{ psql_el_data_dir }}'
args:
creates: '{{ psql_el_data_dir }}/base'
when: postgresql_data_dir.stat.isdir is not defined
- name: postgresql-config | Fix the SELinux context for the new data directory
sefcontext:
target: '{{ psql_el_base_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config | Restore the SELinux context
command: restorecon -vR {{ psql_el_base_dir }}
- name: postgresql-config | Start the postgresql service that will use the new data directory
service: name='postgresql-{{ psql_version }}' state=started
when: postgresql_data_dir.stat.isdir is not defined
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "RedHat"
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Configuration of EL systems
block:
- name: postgresql-config | Create the postgresql log directory
file: dest={{ psql_log_dir }} state=directory owner=postgres group=postgres mode='0750'
- name: postgresql-config | Fix the SELinux context for the postgresql log directory
sefcontext:
target: '{{ psql_log_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config | Fix the SELinux context for the postgresql log directory
command: restorecon -vR {{ psql_log_dir }}
- name: postgresql-config | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_conf_parameters }}'
when: item.set == 'True'
notify: Restart postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Set the postgresql logging configuration parameters
become: true
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_log_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ]
- name: postgresql-config | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_autovacuum_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ]
- name: postgresql-config | Set the postgresql listen port
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}"
register: restart_postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | We want postgres listen on the public IP
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'*'"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | If postgresql is only accessed from localhost make it listen only on the localhost interface
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'"
register: restart_postgresql
when:
- not psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Log the connections
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_connections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Log the disconnections
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_disconnections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Log the hostnames
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_hostname value="on"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: postgresql-config | Set the correct permissions to the postgresql files
file: dest={{ psql_el_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
with_items:
- pg_hba.conf
- postgresql.conf
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
- name: postgresql-config | Restart the postgresql server after changing parameters that need a restart
service: name='postgresql-{{ psql_version }}' state=restarted
when:
- restart_postgresql is defined and restart_postgresql is changed
ignore_errors: True
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
when: ansible_distribution_file_variety == "RedHat"


@ -1,47 +1,43 @@
---
- block:
- name: Setup SSL in the postgresql configuration
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
- name: Setup SSL in the postgresql configuration
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "RedHat"
- name: Create the pki directory to store the postgresql key
file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
- name: Create a postgres accessible ssl key file if it does not exist
copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True
- name: postgresql-ssl-config | TLS configuration
when: psql_enable_ssl
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
- block:
- name: Disable SSL in the postgresql configuration
become: True
tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf']
block:
- name: postgresql-ssl-config | Setup SSL in the postgresql configuration
become: true
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_disable_ssl_parameters }}'
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{{ item.value }}"
loop: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
- name: Disable SSL in the postgresql configuration
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_disable_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "RedHat"
- name: postgresql-ssl-config | Create the pki directory to store the private key
ansible.builtin.file:
dest: /etc/pki/postgresql
state: directory
owner: postgres
group: postgres
mode: '0750'
- name: postgresql-ssl-config | Create a postgres accessible ssl key file if it does not exist
ansible.builtin.copy:
src: "{{ psql_ssl_privkey_global_file }}"
dest: "{{ psql_ssl_privkey_file }}"
owner: postgres
group: postgres
mode: '0400'
remote_src: true
- name: postgresql-ssl-config | Disable the TLS configuration
when: not psql_enable_ssl
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf']
block:
- name: postgresql-ssl-config | Disable SSL in the postgresql configuration
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{{ item.value }}"
loop: '{{ psql_conf_disable_ssl_parameters }}'
notify: Restart postgresql
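Review bot: In the `TLS configuration` block the SSL parameters are written with `community.postgresql.postgresql_set` (ALTER SYSTEM, persisted in postgresql.auto.conf) before the tasks that create `/etc/pki/postgresql` and copy the private key to `{{ psql_ssl_privkey_file }}`; if the copy fails — for example because `{{ psql_ssl_privkey_global_file }}` is not present on the host yet — the play stops with the SSL settings already persisted and pointing at a key that does not exist, and the next restart or reboot of the server fails (assuming `psql_conf_ssl_parameters` carries `ssl` and `ssl_key_file`, which this hunk does not show). Move the `Create the pki directory to store the private key` and `Create a postgres accessible ssl key file if it does not exist` tasks above the `Setup SSL in the postgresql configuration` task so the key material is in place before the configuration references it. The `Disable the TLS configuration` block also leaves the copied private key in `/etc/pki/postgresql` after TLS is switched off; an `ansible.builtin.file` task with `dest: "{{ psql_ssl_privkey_file }}"` and `state: absent` there would avoid keeping key material on a host that no longer uses it. Finally, the `remote_src: true` copy is a snapshot: a key renewed outside this play is only picked up on the next playbook run, which is worth a one-line comment on the copy task.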


@ -28,6 +28,8 @@
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication']
block:
- name: postgresql-streaming-replication | Configure the replication user permissions on deb
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: host
@ -42,6 +44,8 @@
when: not psql_enable_ssl
- name: postgresql-streaming-replication | Configure the replication user permissions on deb
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: hostssl
@ -63,6 +67,8 @@
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication']
block:
- name: postgresql-streaming-replication | Configure the replication user permissions on EL
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: host
@ -77,6 +83,8 @@
when: not psql_enable_ssl
- name: postgresql-streaming-replication | Configure the replication user permissions on EL
become: true
become_user: postgres
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: hostssl
@ -143,8 +151,6 @@
- not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Remove the data directory contents {{ postgresql_active_data_dir }}
become: true
become_user: postgres
ansible.builtin.file:
dest: '{{ postgresql_active_data_dir }}'
state: absent