ISTI-ansible-roles
/
ansible-role-pgsql-db-management
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use postgresql_pg_hba.

This commit is contained in:
Andrea Dell'Amico 2023-10-25 16:24:00 +02:00
parent dfb543582c
commit 16fc7fdfd3
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 27 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
defaults/main.yml
View File

@ -1,9 +1,10 @@
--- ---
psql_db_port: 5432 psql_db_port: 5432
psql_version: 11 psql_version: 16
psql_conf_base_dir: '/etc/postgresql' psql_conf_base_dir: '/etc/postgresql'
psql_conf_default_dir: '{{ psql_conf_base_dir }}/{{ psql_version }}/main' psql_conf_default_dir: '{{ psql_conf_base_dir }}/{{ psql_version }}/main'
psql_force_ssl_client_connection: False psql_conf_dir: "{{ psql_conf_default_dir }}"
psql_force_ssl_client_connection: false
#psql_db_data: #psql_db_data:
# Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.

56
tasks/configure-access.yml
View File

@ -1,39 +1,29 @@
--- ---
- name: Manage the pg_hba.conf file - name: configure-access | Manage the pg_hba.conf file
block:
- name: Give access to the remote postgresql client
lineinfile: name={{ psql_conf_base_dir }}/{{ item.0.pgsql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
- name: Give access to the remote postgresql client, enforce ssl
lineinfile: name={{ psql_conf_base_dir }}/{{ item.0.pgsql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
delegate_to: "{{ item.0.db_host }}" delegate_to: "{{ item.0.db_host }}"
when: item.0.db_host is defined when: item.0.db_host is defined
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db'] tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
- name: Manage the permissions of the pg_hba.conf file
block: block:
- name: Set the correct permissions to the pg_hba.conf file - name: configure-access | Give access to the remote postgresql client
file: dest={{ psql_conf_base_dir }}/{{ item.pgsql_version }}/main/pg_hba.conf owner=root group=postgres mode=0640 community.postgresql.postgresql_pg_hba:
with_items: '{{ psql_db_data | default([]) }}' dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
users: '{{ item.0.user }}'
address: '{{ item.1 }}'
databases: '{{ item.0.name }}'
# method: 'scram-sha-256'
method: 'md5'
owner: root
group: postgres
mode: "0640"
state: "{{ item.0.state | default('present') }}"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_db_data is defined
- item.1 is defined
notify: Reload postgresql
delegate_to: "{{ item.db_host }}" - name: configure-access | Flush handlers
when: item.db_host is defined ansible.builtin.meta: flush_handlers
run_once: True
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf', 'pg_db' ]