109 lines
3.8 KiB
YAML
109 lines
3.8 KiB
YAML
---
|
|
- name: configure-access | Configure accesses on Deb/Ubuntu
|
|
when: ansible_distribution_file_variety == "Debian"
|
|
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
|
|
block:
|
|
- name: configure-access | Give access to the remote postgresql client
|
|
community.postgresql.postgresql_pg_hba:
|
|
dest: '{{ psql_conf_dir }}/pg_hba.conf'
|
|
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
|
|
users: '{{ item.0.user }}'
|
|
address: '{{ item.1 }}'
|
|
databases: '{{ item.0.name }}'
|
|
method: '{{ item.0.hash_method | default("scram-sha-256") }}'
|
|
owner: root
|
|
group: postgres
|
|
mode: "0640"
|
|
state: "{{ item.0.state | default('present') }}"
|
|
with_subelements:
|
|
- '{{ psql_db_data | default([]) }}'
|
|
- allowed_hosts
|
|
when:
|
|
- psql_listen_on_ext_int
|
|
- psql_db_data is defined
|
|
- item.1 is defined
|
|
notify: Reload postgresql
|
|
|
|
# No conditionals, it is required to perform base backups when the WAL archive is active
|
|
- name: configure-access | Give local access with replication privileges to the postgres user
|
|
community.postgresql.postgresql_pg_hba:
|
|
dest: '{{ psql_conf_dir }}/pg_hba.conf'
|
|
contype: 'local'
|
|
users: 'postgres'
|
|
databases: 'replication'
|
|
method: 'peer'
|
|
state: present
|
|
owner: root
|
|
group: postgres
|
|
mode: "0640"
|
|
notify: Reload postgresql
|
|
|
|
- name: configure-access | Flush handlers
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
- name: configure-access | Configure accesses on EL
|
|
when: ansible_distribution_file_variety == "RedHat"
|
|
block:
|
|
- name: configure-access | Open the postgresql service to a specific zone.
|
|
ansible.posix.firewalld:
|
|
service: postgresql
|
|
zone: "{{ postgresql_firewalld_zone }}"
|
|
permanent: true
|
|
state: enabled
|
|
immediate: true
|
|
when:
|
|
- psql_listen_on_ext_int
|
|
- firewalld_enabled
|
|
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']
|
|
|
|
- name: configure-access | Give access to the remote postgresql client
|
|
community.postgresql.postgresql_pg_hba:
|
|
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
|
|
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
|
|
users: '{{ item.0.user }}'
|
|
address: '{{ item.1 }}'
|
|
databases: '{{ item.0.name }}'
|
|
method: '{{ item.0.hash_method | default("scram-sha-256") }}'
|
|
state: "{{ item.0.state | default('present') }}"
|
|
owner: root
|
|
group: postgres
|
|
mode: "0640"
|
|
with_subelements:
|
|
- '{{ psql_db_data | default([]) }}'
|
|
- allowed_hosts
|
|
when:
|
|
- psql_listen_on_ext_int
|
|
- psql_db_data is defined
|
|
- item.1 is defined
|
|
notify: Reload postgresql
|
|
|
|
# No conditionals, it is required to perform base backups when the WAL archive is active
|
|
- name: configure-access | Remove the ident authentication for the local connections
|
|
community.postgresql.postgresql_pg_hba:
|
|
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
|
|
contype: 'local'
|
|
users: 'all'
|
|
databases: 'all'
|
|
method: 'ident'
|
|
state: absent
|
|
owner: root
|
|
group: postgres
|
|
mode: "0640"
|
|
notify: Reload postgresql
|
|
|
|
- name: configure-access | Give local access with replication privileges to the postgres user
|
|
community.postgresql.postgresql_pg_hba:
|
|
dest: '{{ psql_conf_dir }}/pg_hba.conf'
|
|
contype: 'local'
|
|
users: 'postgres'
|
|
databases: 'replication'
|
|
method: 'peer'
|
|
state: present
|
|
owner: root
|
|
group: postgres
|
|
mode: "0640"
|
|
notify: Reload postgresql
|
|
|
|
- name: configure-access | Flush handlers
|
|
ansible.builtin.meta: flush_handlers
|