From 663a411da99530408626c685eb7717c95461b75c Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 16 Jan 2018 14:55:18 +0100
Subject: [PATCH] library/roles/postgresql-db: Role that only manages postgresql DBs and its ACLs. Meant to be used using 'delegate_to'.
---
 postgresql-db/defaults/main.yml | 17 +++++++++++
 postgresql-db/handlers/main.yml | 4 +++
 postgresql-db/tasks/configure-access.yml | 31 ++++++++++++++++++++
 postgresql-db/tasks/db_extensions.yml | 13 +++++++++
 postgresql-db/tasks/db_schemas.yml | 12 ++++++++
 postgresql-db/tasks/main.yml | 10 +++++++
 postgresql-db/tasks/manage_dbs.yml | 36 ++++++++++++++++++++++++
 7 files changed, 123 insertions(+)
 create mode 100644 postgresql-db/defaults/main.yml
 create mode 100644 postgresql-db/handlers/main.yml
 create mode 100644 postgresql-db/tasks/configure-access.yml
 create mode 100644 postgresql-db/tasks/db_extensions.yml
 create mode 100644 postgresql-db/tasks/db_schemas.yml
 create mode 100644 postgresql-db/tasks/main.yml
 create mode 100644 postgresql-db/tasks/manage_dbs.yml
diff --git a/postgresql-db/defaults/main.yml b/postgresql-db/defaults/main.yml
new file mode 100644
index 00000000..6e5d1871
--- /dev/null
+++ b/postgresql-db/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+psql_db_port: 5432
+psql_version: 9.6
+psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main'
+psql_force_ssl_client_connection: False
+
+#psql_db_data:
+ # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
+ #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True }
+ # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db
+ #- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False }
+ # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
+ #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent }
+
+#psql_db_extensions:
+ #- { name: '{{ psql_db_name }}', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ] }
+
diff --git a/postgresql-db/handlers/main.yml b/postgresql-db/handlers/main.yml
new file mode 100644
index 00000000..26048d15
--- /dev/null
+++ b/postgresql-db/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Reload postgresql
+ service: name=postgresql state=reloaded
+
diff --git a/postgresql-db/tasks/configure-access.yml b/postgresql-db/tasks/configure-access.yml
new file mode 100644
index 00000000..61ed824c
--- /dev/null
+++ b/postgresql-db/tasks/configure-access.yml
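Review bot: The third commented example under `psql_db_data` (the "remove a db" case) ends with `state=absent` inside a flow mapping, which YAML reads as a bare key with a null value rather than a `state` entry, so a copy of that line would most likely create the database (the state defaults to present in manage_dbs.yml) instead of dropping it; it should read `state: 'absent'`. `psql_version: 9.6` is an unquoted float that is interpolated into `psql_conf_dir`; quoting it (`psql_version: '9.6'`) keeps the value a string for every version the role might be pointed at. `psql_force_ssl_client_connection: False` works in Ansible, but `false` is the canonical YAML boolean that yamllint expects. The tasks also read `psql_db_schemas` and `psql_db_privs`, neither of which is documented here; a commented example for each, mirroring the `psql_db_data` ones, would make the role self-describing.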
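Review bot: Because the commit message says the role is meant to run under `delegate_to`, it is worth confirming that `Reload postgresql` actually executes on the delegated host: a handler does not inherit `delegate_to` from the task that notified it unless the delegation is applied to the whole role or to the handler itself, so in a plain task-level delegation the reload would hit the inventory host while pg_hba.conf was edited elsewhere. I cannot see the calling playbook from here, so treat this as something to verify rather than a confirmed defect; a comment such as `# Must run on the same host as the pg_hba.conf edits in configure-access.yml` documents the constraint either way.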
@@ -0,0 +1,31 @@
+---
+- name: Give access to the remote postgresql client
+ lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+ with_subelements:
+ - '{{ psql_db_data | default([]) }}'
+ - allowed_hosts
+ when:
+ - psql_db_data is defined
+ - item.1 is defined
+ - not psql_force_ssl_client_connection
+ notify: Reload postgresql
+ tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
+
+- name: Give access to the remote postgresql client, force ssl
+ lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+ with_subelements:
+ - '{{ psql_db_data | default([]) }}'
+ - allowed_hosts
+ when:
+ - psql_db_data is defined
+ - item.1 is defined
+ - psql_force_ssl_client_connection
+ notify: Reload postgresql
+ tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
+
+- name: Set the correct permissions to the pg_hba.conf file
+ file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
+ with_items:
+ - pg_hba.conf
+ tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
+
diff --git a/postgresql-db/tasks/db_extensions.yml b/postgresql-db/tasks/db_extensions.yml
new file mode 100644
index 00000000..64b88e1a
--- /dev/null
+++ b/postgresql-db/tasks/db_extensions.yml
@@ -0,0 +1,13 @@
+---
+- block:
+ - name: Add postgres extensions to the databases, if needed
+ become: True
+ become_user: postgres
+ postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }}
+ with_subelements:
+ - '{{ psql_db_extensions | default([]) }}'
+ - extensions
+
+ when: psql_db_extensions is defined
+ tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ]
+
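Review bot: pg_hba.conf entries are only ever added in this file: an item with `state: 'absent'` gets its database dropped in manage_dbs.yml, and a host removed from `allowed_hosts` simply stops being iterated, but the matching `host ... md5` line stays in place and keeps granting network access for a role that may still exist. A third task with `state=absent` on the same regexp, run for items whose `state` is absent, closes the first gap; the two "Give access" tasks then need `- item.0.state | default('present') == 'present'` in their `when` lists so a removed database is not re-granted in the same run. Hosts dropped from the list still need manual cleanup (or a managed block via `blockinfile`), which is worth stating in a comment at the top of the file.
```yaml
- name: Revoke access for databases that are being removed
  lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" state=absent
  with_subelements:
    - '{{ psql_db_data | default([]) }}'
    - allowed_hosts
  when:
    - psql_db_data is defined
    - item.1 is defined
    - item.0.state | default('present') == 'absent'
  notify: Reload postgresql
  tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# … unchanged: the two "Give access" tasks (with the extra state condition in their when lists) and the permissions task …
```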
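Review bot: `name={{ item.1 | default(omit) }}` on the `postgresql_ext` line cannot do what it suggests: `with_subelements` never yields an undefined `item.1`, and `name` is the module's required argument, so omitting it would only turn a clear template error into a module argument error. Writing `name={{ item.1 }}` states the contract plainly. The task has no `state`, so an extension removed from the list stays installed; a comment such as `# Extensions are only ever added; drop unused ones by hand` would save the next maintainer a search.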
diff --git a/postgresql-db/tasks/db_schemas.yml b/postgresql-db/tasks/db_schemas.yml
new file mode 100644
index 00000000..3434b658
--- /dev/null
+++ b/postgresql-db/tasks/db_schemas.yml
@@ -0,0 +1,12 @@
+---
+- block:
+ - name: Add schemas to a database.
+ become: True
+ become_user: postgres
+ postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
+ with_subelements:
+ - '{{ psql_db_schemas | default([]) }}'
+ - schema
+
+ when: psql_db_schemas is defined
+ tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]
diff --git a/postgresql-db/tasks/main.yml b/postgresql-db/tasks/main.yml
new file mode 100644
index 00000000..f300e041
--- /dev/null
+++ b/postgresql-db/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- import_tasks: configure-access.yml
+ when: psql_db_data is defined
+- import_tasks: manage_dbs.yml
+ when: psql_db_data is defined
+- import_tasks: db_schemas.yml
+ when: psql_db_schemas is defined
+- import_tasks: db_extensions.yml
+ when: psql_db_extensions is defined
+
diff --git a/postgresql-db/tasks/manage_dbs.yml b/postgresql-db/tasks/manage_dbs.yml
new file mode 100644
index 00000000..816a6276
--- /dev/null
+++ b/postgresql-db/tasks/manage_dbs.yml
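Review bot: `state={{ item.0.schemastate | default('present') }}` reads the state from the database entry (`item.0`), not from the schema being iterated, so `schemastate: absent` drops every schema listed for that database at once and there is no way to remove a single one; if per-schema removal is wanted, the `schema` list would have to carry mappings (`- { name: x, state: absent }`) and the task read `item.1.name` / `item.1.state`. `owner={{ item.0.user }}` also makes `user` a mandatory key of every `psql_db_schemas` entry, which nothing documents; a comment above the task stating the expected shape of `psql_db_schemas` would help.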
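Review bot: The `when: psql_db_data is defined` (and the schemas/extensions equivalents) on each `import_tasks` line duplicates the block-level `when` inside the imported files; since `import_tasks` is static, the condition here is copied onto every imported task, so one of the two layers can go, and keeping it here makes the gating visible in one place. A short comment on the ordering would also help, because a reader will expect databases and users to be created before pg_hba.conf access is granted, whereas configure-access.yml is imported first.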
@@ -0,0 +1,36 @@
+---
+- block:
+ - name: Add a user for the postgresql DBs
+ become: True
+ become_user: postgres
+ postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
+ with_items: '{{ psql_db_data | default(omit) }}'
+ when: item.roles is defined
+
+ - name: Add the databases with the correct owner. Or remove them, if not used anymore
+ become: True
+ become_user: postgres
+ postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
+ with_items: '{{ psql_db_data | default(omit) }}'
+ when: item.managedb | default(True)
+
+ - name: Manage users privileges
+ become: True
+ become_user: postgres
+ postgresql_privs: db={{ item.name }} privs={{ item.privs }} type=database roles={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
+ with_items: '{{ psql_db_privs | default(omit) }}'
+ when: psql_db_privs is defined
+
+ - name: Define a user with password, with no associated DBs
+ become: True
+ become_user: postgres
+ postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
+ with_items: '{{ psql_db_data | default(omit) }}'
+ when:
+ - item.pwd is defined
+ - item.roles is not defined
+
+ when: psql_db_data is defined
+ tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
+
+
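Review bot: Both `postgresql_user` tasks pass `password={{ item.pwd }}` inside a key=value argument string, which Ansible splits on whitespace, so a password containing a space or a quote will either break the argument parsing or be silently truncated, and the rendered argument string may surface in verbose output; structured arguments plus `no_log: true` avoid both. `with_items: '{{ psql_db_data | default(omit) }}'` is also inconsistent with configure-access.yml, which uses `default([])` for the same variable, and the block-level `when` makes the default unreachable anyway. Neither user task honours `state: 'absent'` on the db entry, only `userstate` is consulted, so dropping a database leaves its owner role behind unless the caller sets both keys; that coupling deserves a comment on the first task. The same `become`/`become_user` pair is repeated on all four tasks and could move to the enclosing `block`.
```yaml
- block:
    - name: Add a user for the postgresql DBs
      become: true
      become_user: postgres
      postgresql_user:
        user: '{{ item.user }}'
        password: '{{ item.pwd }}'
        role_attr_flags: '{{ item.roles }}'
        port: '{{ psql_db_port }}'
        state: "{{ item.userstate | default('present') }}"
      with_items: '{{ psql_db_data | default([]) }}'
      when: item.roles is defined
      no_log: true
    # … unchanged: database, privileges and password-only user tasks (the latter converted the same way) …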