--- - name: Open the postgresql service to a specific zone. firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True when: - psql_listen_on_ext_int | bool - firewalld_enabled | bool - ansible_distribution_file_variety == "RedHat" - name: Give access to the remote postgresql client lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" with_subelements: - '{{ psql_db_data | default([]) }}' - allowed_hosts when: - psql_listen_on_ext_int | bool - psql_db_data is defined - item.1 is defined - not psql_force_ssl_client_connection | bool notify: Reload postgresql tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - name: Give access to the remote postgresql client, force ssl lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" with_subelements: - '{{ psql_db_data | default([]) }}' - allowed_hosts when: - psql_listen_on_ext_int | bool - psql_db_data is defined - item.1 is defined - psql_force_ssl_client_connection | bool notify: Reload postgresql tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] # No conditionals, it is needed to perform base backups when the WAL archive is active - name: Give local access with replication privileges to the postgres user lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" notify: Reload postgresql tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - name: Set the postgresql listen port action: configfile path={{ psql_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}" register: restart_postgresql tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: We want postgres listen on the public IP action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'*'" register: restart_postgresql when: - psql_listen_on_ext_int | bool tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: If postgresql is only accessed from localhost make it listen only on the localhost interface action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'" register: restart_postgresql when: - not psql_listen_on_ext_int | bool tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: Log the connections action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_connections value="on" register: restart_postgresql when: psql_db_data is defined tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: Log the disconnections action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_disconnections value="on" register: restart_postgresql when: psql_db_data is defined tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: Log the hostnames action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_hostname value="on" register: restart_postgresql when: - psql_listen_on_ext_int | bool tags: [ 'postgresql', 'postgres', 'pg_conf' ] - name: Set the correct permissions to the postgresql files file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640 with_items: - pg_hba.conf - postgresql.conf tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ] - name: Restart the postgresql server after changing parameters that need a restart service: name=postgresql state=restarted when: - restart_postgresql is changed ignore_errors: True tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]