library/roles/postgresql-db: Role that only manages postgresql DBs and its ACLs. Meant to be used using 'delegate_to'.

postgresql-db/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+psql_db_port: 5432
+psql_version: 9.6
+psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main'
+psql_force_ssl_client_connection: False
+
+#psql_db_data:
+  # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
+  #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True }
+  # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db
+  #- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False }
+  # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
+  #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent }
+
+#psql_db_extensions:
+  #- { name: '{{ psql_db_name }}', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ] }
+

postgresql-db/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Reload postgresql
+  service: name=postgresql state=reloaded
+

postgresql-db/tasks/configure-access.yml

@@ -0,0 +1,31 @@
+---
+- name: Give access to the remote postgresql client
+  lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+  with_subelements: 
+    - '{{ psql_db_data | default([]) }}'
+    - allowed_hosts
+  when:
+    - psql_db_data is defined
+    - item.1 is defined
+    - not psql_force_ssl_client_connection
+  notify: Reload postgresql
+  tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
+
+- name: Give access to the remote postgresql client, force ssl
+  lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+  with_subelements: 
+    - '{{ psql_db_data | default([]) }}'
+    - allowed_hosts
+  when:
+    - psql_db_data is defined
+    - item.1 is defined
+    - psql_force_ssl_client_connection
+  notify: Reload postgresql
+  tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
+
+- name: Set the correct permissions to the pg_hba.conf file
+  file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
+  with_items:
+    - pg_hba.conf
+  tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
+

postgresql-db/tasks/db_extensions.yml

@@ -0,0 +1,13 @@
+---
+- block:
+    - name: Add postgres extensions to the databases, if needed
+      become: True
+      become_user: postgres
+      postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }}
+      with_subelements:
+        - '{{ psql_db_extensions | default([]) }}'
+        - extensions
+
+  when: psql_db_extensions is defined
+  tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ]
+

postgresql-db/tasks/db_schemas.yml

@@ -0,0 +1,12 @@
+---
+- block: 
+    - name: Add schemas to a database.
+      become: True
+      become_user: postgres
+      postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
+      with_subelements:
+        - '{{ psql_db_schemas | default([]) }}'
+        - schema
+
+  when: psql_db_schemas is defined
+  tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]

postgresql-db/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- import_tasks: configure-access.yml
+  when: psql_db_data is defined
+- import_tasks: manage_dbs.yml
+  when: psql_db_data is defined
+- import_tasks: db_schemas.yml
+  when: psql_db_schemas is defined
+- import_tasks: db_extensions.yml
+  when: psql_db_extensions is defined
+

postgresql-db/tasks/manage_dbs.yml

@@ -0,0 +1,36 @@
+---
+- block: 
+    - name: Add a user for the postgresql DBs
+      become: True
+      become_user: postgres
+      postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
+      with_items: '{{ psql_db_data | default(omit) }}'
+      when: item.roles is defined
+
+    - name: Add the databases with the correct owner. Or remove them, if not used anymore
+      become: True
+      become_user: postgres
+      postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
+      with_items: '{{ psql_db_data | default(omit) }}'
+      when: item.managedb | default(True)
+
+    - name: Manage users privileges
+      become: True
+      become_user: postgres
+      postgresql_privs: db={{ item.name }} privs={{ item.privs }} type=database roles={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
+      with_items: '{{ psql_db_privs | default(omit) }}'
+      when: psql_db_privs is defined
+
+    - name: Define a user with password, with no associated DBs
+      become: True
+      become_user: postgres
+      postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
+      with_items: '{{ psql_db_data | default(omit) }}'
+      when:
+        - item.pwd is defined
+        - item.roles is not defined
+
+  when: psql_db_data is defined
+  tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
+
+