library/roles/postgresql-db: Role that only manages postgresql DBs and its ACLs. Meant to be used using 'delegate_to'.

Andrea Dell'Amico 2018-01-16 14:55:18 +01:00
parent f4fad43867
commit 663a411da9
7 changed files with 123 additions and 0 deletions


@ -0,0 +1,17 @@
---
psql_db_port: 5432
psql_version: 9.6
psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main'
psql_force_ssl_client_connection: False
#psql_db_data:
# Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
#- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True }
# Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db
#- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False }
# Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
#- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent }
#psql_db_extensions:
#- { name: '{{ psql_db_name }}', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ] }
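Review bot: `psql_version: 9.6` is a plain float, so it only renders correctly into `psql_conf_dir` for versions whose decimal form survives float parsing; `9.10` would become `9.1` and `10` stays `10`, so the value should be a quoted string, `psql_version: '9.6'`. The third commented example uses `state=absent` inside a flow mapping, which is not valid YAML and would fail as soon as someone uncomments it; it should read `state: 'absent'`, and its description ("remove a db, create the user") should say the user is kept, if that is the intent. `psql_force_ssl_client_connection: False` works under PyYAML's 1.1 rules but the lowercase `false` is the portable form. The `pwd` field in these examples is a cleartext database password; the defaults could note that real values belong in a vault-encrypted vars file rather than plain inventory.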


@ -0,0 +1,4 @@
---
- name: Reload postgresql
service: name=postgresql state=reloaded
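Review bot: The handler uses the `key=value` shorthand for its module arguments, which the rest of this role also does; native block form is easier to read and to diff, `service:` / `  name: postgresql` / `  state: reloaded`. Whichever form is chosen should be applied consistently across the role's task files.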


@ -0,0 +1,31 @@
---
- name: Give access to the remote postgresql client
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Set the correct permissions to the pg_hba.conf file
file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
with_items:
- pg_hba.conf
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
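Review bot: The two lineinfile tasks only ever add or rewrite pg_hba.conf entries; nothing in this file removes one, so a CIDR dropped from `allowed_hosts`, or a database entry given `state: absent` as the commented example in the defaults suggests, keeps its `host ... md5` line and the role cannot revoke access it once granted. For the database-removal case a third task with `state=absent` on the same regexp closes the gap, and both existing grant tasks then need the extra condition `- item.0.state | default('present') == 'present'` so they do not re-add the line on the same run; shrinking the host list cannot be detected from the current data alone and should at least be documented as a manual cleanup. Note also that `{{ item.1 }}` is interpolated into the regexp unescaped, so the dots of the CIDR match any character; the match stays correct in practice but is looser than it looks.
```yaml
# … unchanged: the two grant tasks, each with the added state == 'present' condition …
- name: Revoke access for databases marked absent
  lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" state=absent
  with_subelements:
    - '{{ psql_db_data | default([]) }}'
    - allowed_hosts
  when:
    - psql_db_data is defined
    - item.1 is defined
    - item.0.state | default('present') == 'absent'
  notify: Reload postgresql
  tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# … unchanged: pg_hba.conf permissions task …
```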


@ -0,0 +1,13 @@
---
- block:
- name: Add postgres extensions to the databases, if needed
become: True
become_user: postgres
postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }}
with_subelements:
- '{{ psql_db_extensions | default([]) }}'
- extensions
when: psql_db_extensions is defined
tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ]
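Review bot: `name={{ item.1 | default(omit) }}` never takes its default: `with_subelements` yields one iteration per element of `extensions`, so `item.1` is always set, and omitting `name` would only make the module fail on a missing required argument, so `name={{ item.1 }}` states the same thing honestly. The `when: psql_db_extensions is defined` duplicates the `default([])` already on the loop and can go. The rendered page has lost indentation, so whether `when` and `tags` belong to the task or to the enclosing `block` cannot be read here; if they were meant for the block, the file should make that explicit, since a block with neither serves no purpose. `become: True` works but lowercase `true` is the portable spelling.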


@ -0,0 +1,12 @@
---
- block:
- name: Add schemas to a database.
become: True
become_user: postgres
postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
with_subelements:
- '{{ psql_db_schemas | default([]) }}'
- schema
when: psql_db_schemas is defined
tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]
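Review bot: The data structure this task expects (`psql_db_schemas`, a list of entries with `name`, `user`, a `schema` list and an optional `schemastate`) is not documented anywhere: the defaults file only carries commented examples for `psql_db_data` and `psql_db_extensions`, so a commented `#psql_db_schemas:` example in the same style belongs there. It is also worth stating in that example that `schemastate` sits on the database entry, so every schema listed for that database shares one state, and that `user` is mandatory because it becomes the schema owner. As in the other task files, `when: psql_db_schemas is defined` is redundant with the loop's `default([])`.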


@ -0,0 +1,10 @@
---
- import_tasks: configure-access.yml
when: psql_db_data is defined
- import_tasks: manage_dbs.yml
when: psql_db_data is defined
- import_tasks: db_schemas.yml
when: psql_db_schemas is defined
- import_tasks: db_extensions.yml
when: psql_db_extensions is defined
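Review bot: `manage_dbs.yml` is imported only `when: psql_db_data is defined`, but the privileges task inside it is driven by `psql_db_privs`, so an inventory that sets `psql_db_privs` without `psql_db_data` silently grants nothing; the condition should be `when: psql_db_data is defined or psql_db_privs is defined`, or the privileges task should move to its own file with its own import. The imported file names mix `configure-access.yml` with `manage_dbs.yml`, `db_schemas.yml` and `db_extensions.yml`; one naming convention would be cleaner.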


@ -0,0 +1,36 @@
---
- block:
- name: Add a user for the postgresql DBs
become: True
become_user: postgres
postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
with_items: '{{ psql_db_data | default(omit) }}'
when: item.roles is defined
- name: Add the databases with the correct owner. Or remove them, if not used anymore
become: True
become_user: postgres
postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
with_items: '{{ psql_db_data | default(omit) }}'
when: item.managedb | default(True)
- name: Manage users privileges
become: True
become_user: postgres
postgresql_privs: db={{ item.name }} privs={{ item.privs }} type=database roles={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
with_items: '{{ psql_db_privs | default(omit) }}'
when: psql_db_privs is defined
- name: Define a user with password, with no associated DBs
become: True
become_user: postgres
postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
with_items: '{{ psql_db_data | default(omit) }}'
when:
- item.pwd is defined
- item.roles is not defined
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
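Review bot: Both `postgresql_user` tasks pass `password={{ item.pwd }}` on the module line, and without `no_log: True` the rendered arguments, including the cleartext password, appear in verbose output, callback logs and error messages; add `no_log: True` to the tasks at "Add a user for the postgresql DBs" and "Define a user with password, with no associated DBs". The privileges task reuses the key name `roles` for the grantee list and `userstate` for grant/revoke, while in `psql_db_data` `roles` means role attribute flags, which invites copy-paste mistakes between the two variables; a distinct key (and a commented `psql_db_privs` example in the defaults) would prevent that. The `when: psql_db_data is defined` at block level repeats the condition already placed on the import in `main.yml`.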