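---
# pg_hba.conf management for remote clients and local replication, plus the
# firewalld opening on EL hosts.
#
# Remote-client tasks loop over every (database, allowed host) pair taken from
# psql_db_data[*].allowed_hosts. Their regexp starts with "^host.*" on purpose:
# the plain "host" and the "hostssl" variants replace each other's line when
# psql_force_ssl_client_connection is toggled. Every value interpolated into the
# regexp is regex-escaped so that a database name, a user name or an address
# such as 10.0.0.0/8 only matches itself and cannot overwrite an unrelated
# pg_hba line that merely looks similar.
#
# The client auth method defaults to the historical "md5" so existing
# deployments keep working; set psql_client_auth_method to "scram-sha-256" on
# PostgreSQL 10+ once password_encryption is configured to match.
- name: Configure accesses on Deb/Ubuntu
  block:
    - name: Give access to the remote postgresql client
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: '^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$'
        line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_client_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: '0440'
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - not psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    - name: Give access to the remote postgresql client, force ssl
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: '^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$'
        line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_client_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: '0440'
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    # No conditionals: the entry is needed to perform base backups when the
    # WAL archive is active.
    - name: Give local access with replication privileges to the postgres user
      lineinfile:
        path: "{{ psql_conf_dir }}/pg_hba.conf"
        regexp: '^local replication postgres peer'
        line: 'local replication postgres peer'
        owner: root
        group: postgres
        mode: '0440'
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
  when: ansible_distribution_file_variety == "Debian"

- name: Configure accesses on EL
  block:
    # Only the configured zone is opened, and only when the server actually
    # listens on an external interface.
    - name: Open the postgresql service to a specific zone.
      firewalld:
        service: postgresql
        zone: "{{ postgresql_firewalld_zone }}"
        permanent: true
        state: enabled
        immediate: true
      when:
        - psql_listen_on_ext_int
        - firewalld_enabled
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']

    - name: Give access to the remote postgresql client
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: '^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$'
        line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_client_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: '0440'
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - not psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    - name: Give access to the remote postgresql client, force ssl
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: '^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$'
        line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_client_auth_method | default('md5') }}"
        owner: root
        group: postgres
        mode: '0440'
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
        - psql_force_ssl_client_connection
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    # The EL package ships a "local all all ident" line; drop it so local
    # connections fall through to the entries managed here.
    - name: Remove the ident authentication for the local connections
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: '^local.*?all.*?ident$'
        state: absent
        owner: root
        group: postgres
        mode: '0440'
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

    # No conditionals: the entry is needed to perform base backups when the
    # WAL archive is active.
    - name: Give local access with replication privileges to the postgres user
      lineinfile:
        path: "{{ psql_el_conf_dir }}/pg_hba.conf"
        regexp: '^local replication postgres peer'
        line: 'local replication postgres peer'
        owner: root
        group: postgres
        mode: '0440'
      notify: Reload postgresql
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
  when: ansible_distribution_file_variety == "RedHat"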