---
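- name: Configure accesses on Deb/Ubuntu
  # Manages pg_hba.conf on Debian-family hosts. pg_hba.conf is evaluated
  # first-match-wins and lineinfile appends at EOF when its regexp does not
  # match, so a broader rule earlier in the file would shadow the rules added
  # here -- review the rendered file, not only this play.
  block:
    - name: Give access to the remote postgresql client
      # The regexp deliberately matches both "host" and "hostssl" lines for the
      # same db/user/address, so toggling psql_force_ssl_client_connection
      # replaces the rule instead of leaving two. Values are regex-escaped so
      # dots in names and CIDRs are matched literally.
      # psql_hba_auth_method is optional and defaults to the previously
      # hard-coded md5; scram-sha-256 is stronger but only works when the
      # server's password_encryption and the stored password hashes match.
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
        line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: "0440"
      # skip_missing: a db entry without allowed_hosts is skipped instead of
      # aborting the loop, which is what the "item.1 is defined" guard intends.
      with_subelements:
        - "{{ psql_db_data | default([]) }}"
        - allowed_hosts
        - skip_missing: true
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - not psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    - name: Give access to the remote postgresql client, force ssl
      # Same rule as above but written as "hostssl", so clients that do not
      # negotiate TLS are refused by the server for these db/user/address
      # combinations. The regexp still matches a plain "host" line so the
      # non-ssl rule is replaced rather than duplicated.
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
        line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: "0440"
      with_subelements:
        - "{{ psql_db_data | default([]) }}"
        - allowed_hosts
        - skip_missing: true
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    # No conditionals: this rule is always needed so base backups can be taken
    # over the local socket when the WAL archive is active. "peer" ties the
    # connection to the OS postgres account, no password is involved.
    - name: Give local access with replication privileges to the postgres user
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: "^local replication postgres peer"
        line: "local replication postgres peer"
        owner: root
        group: postgres
        mode: "0440"
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  when: ansible_distribution_file_variety == "Debian"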

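- name: Configure accesses on EL
  # Manages firewalld and pg_hba.conf on RedHat-family hosts. pg_hba.conf is
  # evaluated first-match-wins and lineinfile appends at EOF when its regexp
  # does not match, so a broader rule earlier in the file would shadow the
  # rules added here -- review the rendered file, not only this play.
  block:
    - name: Open the postgresql service to a specific zone.
      # permanent + immediate: the rule survives a reload and is active now.
      # Only opened when the listener is exposed externally and firewalld is
      # managed by this role; otherwise the service stays unreachable.
      firewalld:
        service: postgresql
        zone: "{{ postgresql_firewalld_zone }}"
        permanent: true
        immediate: true
        state: enabled
      when:
        - psql_listen_on_ext_int
        - firewalld_enabled
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']

    - name: Give access to the remote postgresql client
      # The regexp deliberately matches both "host" and "hostssl" lines for the
      # same db/user/address, so toggling psql_force_ssl_client_connection
      # replaces the rule instead of leaving two. Values are regex-escaped so
      # dots in names and CIDRs are matched literally.
      # psql_hba_auth_method is optional and defaults to the previously
      # hard-coded md5; scram-sha-256 is stronger but only works when the
      # server's password_encryption and the stored password hashes match.
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
        line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: "0440"
      # skip_missing: a db entry without allowed_hosts is skipped instead of
      # aborting the loop, which is what the "item.1 is defined" guard intends.
      with_subelements:
        - "{{ psql_db_data | default([]) }}"
        - allowed_hosts
        - skip_missing: true
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - not psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    - name: Give access to the remote postgresql client, force ssl
      # Same rule as above but written as "hostssl", so clients that do not
      # negotiate TLS are refused by the server for these db/user/address
      # combinations. The regexp still matches a plain "host" line so the
      # non-ssl rule is replaced rather than duplicated.
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
        line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: "0440"
      with_subelements:
        - "{{ psql_db_data | default([]) }}"
        - allowed_hosts
        - skip_missing: true
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    - name: Remove the ident authentication for the local connections
      # Drops every "local ... all ... ident" rule. Make sure another "local"
      # rule (for example peer) still covers the socket logins the role relies
      # on; once no entry matches, those connections are refused.
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: "^local.*?all.*?ident$"
        state: absent
        owner: root
        group: postgres
        mode: "0440"
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    # No conditionals: this rule is always needed so base backups can be taken
    # over the local socket when the WAL archive is active. "peer" ties the
    # connection to the OS postgres account, no password is involved.
    - name: Give local access with replication privileges to the postgres user
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: "^local replication postgres peer"
        line: "local replication postgres peer"
        owner: root
        group: postgres
        mode: "0440"
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  when: ansible_distribution_file_variety == "RedHat"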