ansible-roles/postgresql/tasks/configure-access.yml

94 lines
3.9 KiB
YAML

---
#
# To give postgresql access to remote clients you need to define something like that:
#
# psql_db_data:
# - { name: 'db_name', user: 'db_user', pwd: 'db_pwd', allowed_hosts: [ '146.48.123.17/32', '146.48.122.110/32' ] }
#
- name: Give access to the remote postgresql client
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba' ]
# No conditionals, it is needed to perform base backups when the WAL archive is active
- name: Give local access with replication privileges to the postgres user
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba' ]
- name: Set the postgresql listen port
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=port value="{{ psql_db_port }}"
register: restart_postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: We want postgres listen on the public IP
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'*'"
register: restart_postgresql
when:
- psql_listen_on_ext_int
- psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: If postgresql is only accessed from localhost make it listen only on the localhost interface
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'localhost'"
register: restart_postgresql
when:
- not psql_listen_on_ext_int
- psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the connections
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=log_connections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the disconnections
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=log_disconnections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the hostnames
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=log_hostname value="on"
register: restart_postgresql
when:
- psql_listen_on_ext_int
- psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Set the correct permissions to the postgresql files
file: dest=/etc/postgresql/{{ psql_version }}/main/{{ item }} owner=root group=postgres mode=0640
with_items:
- pg_hba.conf
- postgresql.conf
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
- name: Restart the postgresql server after changing parameters that need a restart
service: name=postgresql state=restarted
when:
- postgresql_enabled
- ( restart_postgresql is defined ) and ( restart_postgresql | changed )
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]