From d69716bb8ae86e48c90db1a167b8c1ac7adbbd23 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 16 Oct 2023 18:39:03 +0200
Subject: [PATCH] Replace the configfile.py module. Other fixes.
---
 defaults/main.yml | 11 +-
 library/configfile.py | 83 -------
 tasks/configure-access.yml | 169 +++++++------
 tasks/main.yml | 12 +-
 tasks/manage_pg_db.yml | 81 ++++---
 tasks/postgis.yml | 18 +-
 tasks/postgresql-config-deb.yml | 135 +++++++++++
 tasks/postgresql-config-el.yml | 167 +++++++++++++
 tasks/postgresql-config.yml | 263 ---------------------
 tasks/postgresql-ssl-config.yml | 76 +++---
 tasks/postgresql-streaming-replication.yml | 10 +-
 11 files changed, 504 insertions(+), 521 deletions(-)
 delete mode 100644 library/configfile.py
 create mode 100644 tasks/postgresql-config-deb.yml
 create mode 100644 tasks/postgresql-config-el.yml
 delete mode 100644 tasks/postgresql-config.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 37c4dd8..4072763 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -68,7 +68,7 @@ psql_conf_parameters:
 psql_log_configuration:
 - { name: 'log_destination', value: 'stderr', set: 'True' }
 - { name: 'logging_collector', value: 'off', set: 'False' }
- - { name: 'log_directory', value: "'{{ psql_log_dir }}'", set: 'True' }
+ - { name: 'log_directory', value: '{{ psql_log_dir }}', set: 'True' }
 - { name: 'log_rotation_age', value: '1d', set: 'True' }
 - { name: 'log_rotation_size', value: '10MB', set: 'True' }
 - { name: 'client_min_messages', value: 'notice', set: 'True' }
@@ -76,11 +76,8 @@ psql_log_configuration:
 - { name: 'log_min_error_statement', value: 'error', set: 'True' }
 - { name: 'log_min_duration_statement', value: '-1', set: 'True' }
 - { name: 'log_checkpoints', value: 'off', set: 'True' }
- - { name: 'log_connections', value: 'on', set: 'True' }
- - { name: 'log_disconnections', value: 'off', set: 'True' }
 - { name: 'log_duration', value: 'off', set: 'True' }
 - { name: 'log_error_verbosity', value: 'default', set: 'True' }
- - { name: 'log_hostname', value: 'on', set: 'True' }
 
 # Treat vacuum separately. Important: the parameters that need a restart must be listed in psql_conf_parameters
 psql_autovacuum_configuration:
@@ -117,10 +114,10 @@ psql_streaming_replication_config:
 # SSL as a special case
 psql_enable_ssl: False
 psql_force_ssl_client_connection: False
-postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
-psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
+postgresql_letsencrypt_managed: '{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}true{% else %}false{% endif %}'
+psql_ssl_privkey_global_file: '{% if postgresql_letsencrypt_managed %}/var/lib/acme/live/{{ ansible_fqdn }}/privkey{% else %}{{ pki_dir }}/keys/{{ ansible_fqdn}}-key.pem{% endif %}'
 psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
-psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
+psql_ssl_cert_file: '{% if postgresql_letsencrypt_managed %}/var/lib/acme/live/{{ ansible_fqdn }}/fullchain{% else %}{{ pki_dir }}/certs/{{ ansible_fqdn}}.pem{% endif %}'
 # In CentOS/RHEL is /etc/pki/tls/cert.pem
 psql_ssl_ca_file: '/etc/ssl/certs/ca-certificates.crt'
 psql_conf_ssl_parameters:
diff --git a/library/configfile.py b/library/configfile.py
deleted file mode 100644
index 9a70fa0..0000000
--- a/library/configfile.py
+++ /dev/null
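Review bot: `postgresql_letsencrypt_managed` is now rendered as the strings `true`/`false` rather than a boolean, and the new `psql_ssl_privkey_global_file` and `psql_ssl_cert_file` defaults test it with a bare `{% if postgresql_letsencrypt_managed %}`; a non-empty string is truthy in Jinja, and I do not believe Ansible coerces the lowercase forms, so the `/var/lib/acme/live/...` paths would be selected even on hosts with no ACME setup and the SSL config would point at a key that is not there. Safer is `postgresql_letsencrypt_managed: '{{ letsencrypt_acme_install | default(false) | bool }}'` together with `{% if postgresql_letsencrypt_managed | bool %}` in the two path defaults; the same coercion question applies to `when: postgresql_letsencrypt_managed` in tasks/main.yml. The first hunk in this file drops `log_connections`, `log_disconnections` and `log_hostname` from `psql_log_configuration`; they are re-added in the config task files gated on `psql_listen_on_ext_int`, which means sessions over the local socket are no longer logged, and a comment here should state that this changes what the audit trail records.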
@@ -1,83 +0,0 @@ -#!/usr/bin/python -from __future__ import print_function - -ANSIBLE_METADATA = { - 'metadata_version': '1.0', - 'status': ['preview'], - 'supported_by': 'ISTI-CNR' -} - -import glob -import json - -import tempfile -import filecmp -import os -import re -from ansible.module_utils.basic import AnsibleModule - -def run_configfile_module(): - module = AnsibleModule( - argument_spec = dict( - path=dict(required=True), - key=dict(required=True), - value=dict(required=True), - syntax=dict(required=False, choices=['standard', 'shell'], default='standard'), - ) - ) - - path = module.params['path'] - syntax = module.params['syntax'] - key = module.params['key'] - value = module.params['value'] - - found = [False] - - def expand(line): - if syntax == 'standard': - if re.match("[ #]*%s *=.*" % (key), line): - found[0] = True - return re.sub("[ #]*%s *=.*" % (key), "%s = %s" % (key, value), line) - elif syntax == 'shell': - if re.match("[ #]*%s *=.*" % (key), line): - found[0] = True - return re.sub("[ #]*%s *=.*" % (key), "%s=%s" % (key, value), line) - else: - raise Exception("unsupported syntax %s" % syntax) - - changed = False - - with open(path, 'r') as input: - with tempfile.NamedTemporaryFile(dir=os.path.dirname(path), mode="w") as temp: - for line in input: - print(expand(line), end=' ', file=temp) - - if not found[0]: - if not line.endswith('\n'): - print('', file=temp) - if syntax == 'standard': - print("%s = %s" % (key, value), file=temp) - elif syntax == 'shell': - print("%s=%s" % (key, value), file=temp) - else: - raise Exception("unsupported syntax %s" % syntax) - - temp.delete = False - temp.close() - - changed = not filecmp.cmp(path, temp.name) - if changed: - os.rename(temp.name, path) - else: - os.remove(temp.name) - - module.exit_json(changed=changed) - -# include magic from lib/ansible/module_common.py -#<> -def main(): - run_configfile_module() - -if __name__ == '__main__': - main() - 
diff --git a/tasks/configure-access.yml b/tasks/configure-access.yml index b45000c..b980901 100644 --- a/tasks/configure-access.yml +++ b/tasks/configure-access.yml 
@@ -1,84 +1,97 @@ --- -- name: Configure accesses on Deb/Ubuntu - block: - - name: Give access to the remote postgresql client - lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440' - with_subelements: - - '{{ psql_db_data | default([]) }}' - - allowed_hosts - when: - - psql_listen_on_ext_int - - psql_db_data is defined - - item.1 is defined - - not psql_force_ssl_client_connection - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - - - name: Give access to the remote postgresql client, force ssl - lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440' - with_subelements: - - '{{ psql_db_data | default([]) }}' - - allowed_hosts - when: - - psql_listen_on_ext_int - - psql_db_data is defined - - item.1 is defined - - psql_force_ssl_client_connection - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - - # No conditionals, it is needed to perform base backups when the WAL archive is active - - name: Give local access with replication privileges to the postgres user - lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440' - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - +- name: configure-access | Configure accesses on Deb/Ubuntu when: ansible_distribution_file_variety == "Debian" - -- name: Configure accesses on EL + become: true + become_user: postgres + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db'] block: - - name: Open the postgresql service to a specific zone. 
- firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True - when: - - psql_listen_on_ext_int - - firewalld_enabled - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules' ] + - name: configure-access | Give access to the remote postgresql client + community.postgresql.postgresql_pg_hba: + dest: '{{ psql_conf_dir }}/pg_hba.conf' + contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}' + users: '{{ item.0.user }}' + address: '{{ item.1 }}' + databases: '{{ item.0.name }}' + # method: 'scram-sha-256' + method: 'md5' + state: "{{ item.0.state | default('present') }}" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_listen_on_ext_int + - psql_db_data is defined + - item.1 is defined + notify: Reload postgresql - - name: Give access to the remote postgresql client - lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440' - with_subelements: - - '{{ psql_db_data | default([]) }}' - - allowed_hosts - when: - - psql_listen_on_ext_int - - psql_db_data is defined - - item.1 is defined - - not psql_force_ssl_client_connection - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - - - name: Give access to the remote postgresql client, force ssl - lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440' - with_subelements: - - '{{ psql_db_data | default([]) }}' - - allowed_hosts - when: - - psql_listen_on_ext_int - - psql_db_data is defined - - item.1 is defined - - psql_force_ssl_client_connection - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 
'pg_hba', 'pg_db' ] - - # No conditionals, it is needed to perform base backups when the WAL archive is active - - name: Remove the ident authentication for the local connections - lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local.*?all.*?ident$" state=absent owner=root group=postgres mode='0440' - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] - - - name: Give local access with replication privileges to the postgres user - lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440' - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] + # No conditionals, it is required to perform base backups when the WAL archive is active + - name: configure-access | Give local access with replication privileges to the postgres user + community.postgresql.postgresql_pg_hba: + dest: '{{ psql_conf_dir }}/pg_hba.conf' + contype: 'local' + users: 'postgres' + databases: 'replication' + method: 'peer' + state: present + notify: Reload postgresql +- name: configure-access | Configure accesses on EL when: ansible_distribution_file_variety == "RedHat" + block: + - name: configure-access | Open the postgresql service to a specific zone. 
+ ansible.posix.firewalld: + service: postgresql + zone: "{{ postgresql_firewalld_zone }}" + permanent: true + state: enabled + immediate: true + when: + - psql_listen_on_ext_int + - firewalld_enabled + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules'] + + - name: configure-access | Give access to the remote postgresql client + become: true + become_user: postgres + community.postgresql.postgresql_pg_hba: + dest: '{{ psql_el_conf_dir }}/pg_hba.conf' + contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}' + users: '{{ item.0.user }}' + address: '{{ item.1 }}' + databases: '{{ item.0.name }}' + # method: 'scram-sha-256' + method: 'md5' + state: "{{ item.0.state | default('present') }}" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_listen_on_ext_int + - psql_db_data is defined + - item.1 is defined + notify: Reload postgresql + + # No conditionals, it is required to perform base backups when the WAL archive is active + - name: configure-access | Remove the ident authentication for the local connections + become: true + become_user: postgres + community.postgresql.postgresql_pg_hba: + dest: '{{ psql_el_conf_dir }}/pg_hba.conf' + contype: 'local' + users: 'all' + databases: 'all' + method: 'ident' + state: absent + notify: Reload postgresql + + - name: configure-access | Give local access with replication privileges to the postgres user + become: true + become_user: postgres + community.postgresql.postgresql_pg_hba: + dest: '{{ psql_conf_dir }}/pg_hba.conf' + contype: 'local' + users: 'postgres' + databases: 'replication' + method: 'peer' + state: present + notify: Reload postgresql diff --git a/tasks/main.yml b/tasks/main.yml index d3a2069..4568fa0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
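Review bot: In the EL block, the `Give local access with replication privileges` task writes to `{{ psql_conf_dir }}/pg_hba.conf` while the other EL tasks use `{{ psql_el_conf_dir }}`, so on RedHat the replication rule ends up in the Debian path (or the task fails) and the real `pg_hba.conf` never receives it; it should read `dest: '{{ psql_el_conf_dir }}/pg_hba.conf'`. Both remote-access tasks keep `method: 'md5'` with `scram-sha-256` commented out; since the `md5` hba method already negotiates SCRAM for passwords stored in that format, switching to `method: 'scram-sha-256'` (after confirming `password_encryption` on the servers) is a cheap hardening that also stops accepting the weaker md5 exchange. The Debian block now runs the `postgresql_pg_hba` edits as `postgres`, but the removed `lineinfile` tasks enforced root:postgres 0440 on that file, so hosts configured by the previous version may refuse the write until ownership or mode is corrected with an explicit `ansible.builtin.file` task. The EL block also carries no `tags`, unlike the Debian one, so `--tags pg_hba` runs only the firewalld task there.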
@@ -4,8 +4,14 @@
 when: psql_postgresql_install
 - import_tasks: postgis.yml
 when: postgres_install_gis_extensions
-- import_tasks: postgresql-config.yml
- when: psql_postgresql_install
+- import_tasks: postgresql-config-deb.yml
+ when:
+ - psql_postgresql_install
+ - ansible_distribution_file_variety == "Debian"
+- import_tasks: postgresql-config-el.yml
+ when:
+ - psql_postgresql_install
+ - ansible_distribution_file_variety == "RedHat"
 - import_tasks: postgresql-ssl-config.yml
 when: psql_postgresql_install
 - import_tasks: psql-kernel-sharedmem.yml
@@ -29,4 +35,4 @@
 when: psql_postgresql_install
 - import_tasks: postgresql-letsencrypt-acmetool.yml
 when:
- - letsencrypt_acme_install is defined and letsencrypt_acme_install
+ - postgresql_letsencrypt_managed
diff --git a/tasks/manage_pg_db.yml b/tasks/manage_pg_db.yml
index c9ea35f..6ea5d22 100644
--- a/tasks/manage_pg_db.yml
+++ b/tasks/manage_pg_db.yml
@@ -1,65 +1,70 @@ --- -- name: Add a user for the postgresql DBs - become: True +- name: manage_pg_db | Add a user for the postgresql DBs + become: true become_user: postgres - postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }} - with_items: '{{ psql_db_data | default([]) }}' + community.postgresql.postgresql_user: + user: "{{ item.user }}" + password: "{{ item.pwd }}" + role_attr_flags: "{{ item.roles }}" + port: "{{ psql_db_port }}" + state: "{{ item.userstate | default('present') }}" + no_log: true + loop: '{{ psql_db_data | default([]) }}' when: item.roles is defined - tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ] + tags: ['postgresql', 'postgres', 'pg_db', 'pg_user'] -- name: Add the databases with the correct owner. Or remove them, if not used anymore - become: True +- name: manage_pg_db | Add the databases with the correct owner. Or remove them, if not used anymore + become: true become_user: postgres - postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }} - with_items: '{{ psql_db_data | default([]) }}' + community.postgresql.postgresql_db: + db: "{{ item.name }}" + port: "{{ psql_db_port }}" + encoding: "{{ item.encoding }}" + owner: "{{ item.user }}" + template: template0 + state: "{{ item.state | default('present') }}" + loop: '{{ psql_db_data | default([]) }}' when: item.managedb | default(True) - tags: [ 'postgresql', 'postgres', 'pg_db' ] + tags: ['postgresql', 'postgres', 'pg_db'] -- name: Manage users privileges - become: True +- name: manage_pg_db | Manage users privileges + become: true become_user: postgres - postgresql_privs: + community.postgresql.postgresql_privs: db: '{{ item.name }}' privs: '{{ item.privs }}' - #type: database + # type: database objs: "{{ item.objs | default('ALL_IN_SCHEMA') }}" roles: 
'{{ item.roles }}' port: '{{ psql_db_port }}' state: "{{ item.userstate | default('present') }}" grant_option: "{{ item.grant_option | default('yes') }}" with_items: '{{ psql_db_privs | default([]) }}' - tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs' ] + tags: ['postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs'] -- name: Add postgres extensions to the databases, if needed - become: True +- name: manage_pg_db | Add postgres extensions to the databases, if any + become: true become_user: postgres - postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }} + community.postgresql.postgresql_ext: + name: "{{ item.1 | default(omit) }}" + db: "{{ item.0.name }}" + port: "{{ psql_db_port }}" with_subelements: - '{{ psql_db_extensions | default([]) }}' - extensions when: psql_db_extensions is defined - tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ] + tags: ['postgresql', 'postgres', 'pg_extensions', 'pg_db'] -# - name: Add schemas to a database. 
-# become: True -# become_user: postgres -# postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }} -# with_subelements: -# - '{{ psql_db_data | default([]) }}' -# - schema -# when: -# - item.0.manageschema | default(False) -# - item.1 is defined -# ignore_errors: True -# tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ] - -- name: Define a user with password, with no associated DBs - become: True +- name: manage_pg_db | Define a user with password, with no associated DBs + become: true become_user: postgres - postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }} - with_items: '{{ psql_db_data | default(omit) }}' + community.postgresql.postgresql_user: + user: "{{ item.user }}" + password: "{{ item.pwd }}" + port: "{{ psql_db_port }}" + no_log: true + loop: '{{ psql_db_data | default([]) }}' when: - item.pwd is defined - item.roles is not defined - tags: [ 'postgresql', 'postgres', 'pg_db' ] - + tags: ['postgresql', 'postgres', 'pg_db'] diff --git a/tasks/postgis.yml b/tasks/postgis.yml index e9a5087..09370dc 100644 --- a/tasks/postgis.yml +++ b/tasks/postgis.yml 
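Review bot: The first `postgresql_user` task passes `password: "{{ item.pwd }}"` unconditionally while its `when` only requires `item.roles`, so an entry that defines `roles` but no `pwd` aborts the loop with an undefined-attribute error (the old k=v form had the same latent problem); `password: "{{ item.pwd | default(omit) }}"` makes the task tolerate such entries. Adding `no_log: true` to both password-bearing tasks is the right call, but it also hides which loop item failed, so a one-line comment such as `# no_log: item.pwd is a credential; failures show no item detail on purpose` would stop a future maintainer from removing it to debug. The privileges task was left on `with_items` while its neighbours moved to `loop`; switching it too keeps the file uniform.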
@@ -1,13 +1,17 @@
 ---
-- name: install the postgresql GIS packages on deb/ubuntu
- apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600
+- name: postgis | Install the postgresql GIS packages on deb/ubuntu
+ ansible.builtin.apt:
+ pkg: "{{ postgres_gis_pkgs }}"
+ state: "{{ psql_pkg_state }}"
+ cache_valid_time: 3600
 notify: Restart postgresql
 when: ansible_distribution_file_variety == "Debian"
- tags: [ 'postgresql', 'postgres', 'postgis' ]
+ tags: ['postgresql', 'postgres', 'postgis']
 
-- name: install the postgresql GIS packages on EL
- yum: pkg={{ postgres_el_gis_pkgs }} state={{ psql_pkg_state }}
+- name: postgis | Install the postgresql GIS packages on EL
+ ansible.builtin.yum:
+ pkg: "{{ postgres_el_gis_pkgs }}"
+ state: "{{ psql_pkg_state }}"
 notify: Restart postgresql
 when: ansible_distribution_file_variety == "RedHat"
- tags: [ 'postgresql', 'postgres', 'postgis' ]
-
+ tags: ['postgresql', 'postgres', 'postgis']
diff --git a/tasks/postgresql-config-deb.yml b/tasks/postgresql-config-deb.yml
new file mode 100644
index 0000000..49bf609
--- /dev/null
+++ b/tasks/postgresql-config-deb.yml
@@ -0,0 +1,135 @@ +--- +- name: postgresql-config-deb | Data directory for Deb/Ubuntu + when: + - psql_use_alternate_data_dir + - ansible_distribution_file_variety == "Debian" + tags: ['postgresql', 'postgres', 'pg_conf'] + block: + - name: postgresql-config-deb | Create the postgresql data directory if it is not in the default place + ansible.builtin.file: + dest: "{{ psql_data_dir }}" + owner: postgres + group: postgres + mode: '700' + state: directory + + - name: postgresql-config-deb | Set the postgresql data dir if it is different from the default + become: true + become_user: postgres + ansible.builtin.lineinfile: + path: "{{ psql_conf_dir }}/postgresql.conf" + regexp: "^data_directory\ =" + line: "data_directory = '{{ psql_data_dir }}'" + create: false + state: present + + - name: postgresql-config-deb | Check if the new postgresql data directory has been populated already + ansible.builtin.stat: + path: "{{ psql_data_dir }}/.postgresql_data_dir" + register: postgresql_data_dir + + - name: postgresql-config-deb | Stop the postgresql service while reconfiguring the data directory + ansible.builtin.service: + name: postgresql + state: stopped + when: not postgresql_data_dir.stat.exists + + - name: postgresql-config-deb | Copy the postgresql data directory into the new place + ansible.builtin.shell: + cmd: | + if [ "/var/lib/postgresql/{{ psql_version | quote }}/main" != "{{ psql_data_dir | quote }}" ] ; then + cp -a /var/lib/postgresql/{{ psql_version | quote }}/main/* {{ psql_data_dir | quote }} + echo "Custom data dir" > "{{ psql_data_dir | quote }}/.postgresql_data_dir" + fi + args: + creates: '{{ psql_data_dir | quote }}/.postgresql_data_dir' + + - name: postgresql-config-deb | Start the postgresql service that will use the new data directory + ansible.builtin.service: + name: postgresql + state: started + +- name: postgresql-config-deb | Configuration of Deb/Ubuntu systems + when: ansible_distribution_file_variety == "Debian" + tags: ['postgresql', 
'postgres', 'pg_conf'] + block: + - name: postgresql-config-deb | Set some postgresql configuration parameters that require a db restart + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_conf_parameters }}' + notify: Restart postgresql + + - name: postgresql-config-deb | Set the postgresql logging configuration parameters + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_log_configuration }}' + notify: Reload postgresql + tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log'] + + - name: postgresql-config-deb | Set the postgresql autovacuum configuration parameters + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_autovacuum_configuration }}' + notify: Reload postgresql + tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum'] + + - name: postgresql-config-deb | Set the postgresql listen port + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'port' + value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}" + notify: Restart postgresql + + - name: postgresql-config-deb | We want postgres listen on the public IP + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'listen_addresses' + value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}" + notify: Restart postgresql + + - name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL + ansible.builtin.meta: flush_handlers + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf'] + + - name: postgresql-config-deb | Log the connections + become: true + 
become_user: postgres + community.postgresql.postgresql_set: + name: 'log_connections' + value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-deb | Log the disconnections + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'log_disconnections' + value: "{% if psql_listen_on_ext_int is defined %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-deb | Log the hostnames + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'log_hostname' + value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL + ansible.builtin.meta: flush_handlers + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf'] + + - name: postgresql-config-deb | Flush flush_handlers Reload PostgreSQL + ansible.builtin.meta: flush_handlers + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf'] diff --git a/tasks/postgresql-config-el.yml b/tasks/postgresql-config-el.yml new file mode 100644 index 0000000..f4d5ed3 --- /dev/null +++ b/tasks/postgresql-config-el.yml 
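Review bot: The `Log the disconnections` task tests `{% if psql_listen_on_ext_int is defined %}` while `Log the connections` and `Log the hostnames` test the value, so with the role's defaults disconnections are always logged but connections only when listening externally; `value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"` makes the three consistent (the EL file already uses that form). Gating `log_connections` on `psql_listen_on_ext_int` at all means socket/localhost sessions leave no trace in the log, which is a step back for auditing compared with the unconditional `on` the old `psql_log_configuration` default carried; unconditional `on` costs little, and whichever way it goes a comment should state the intent. The two trailing `meta: flush_handlers` tasks run back to back, so the second one (`Flush flush_handlers Reload PostgreSQL`) has nothing left to flush and can be dropped. In the data-directory block the `.postgresql_data_dir` marker is written by root inside the cluster directory; PostgreSQL does not object to it, but a comment saying the file exists only to make the copy idempotent would help the next reader.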
@@ -0,0 +1,167 @@ +--- +- name: postgresql-config-el | Data directory for EL + when: + - psql_use_alternate_data_dir + - ansible_distribution_file_variety == "RedHat" + tags: ['postgresql', 'postgres', 'pg_conf'] + block: + - name: postgresql-config-el | Create the postgresql data directory if it is not in the default place + ansible.builtin.file: + dest: "{{ psql_el_data_dir }}" + owner: postgres + group: postgres + mode: "700" + state: directory + + - name: postgresql-config-el | Set the postgresql data dir if it is different from the default + become: true + become_user: postgres + ansible.builtin.lineinfile: + path: "{{ psql_el_conf_dir }}/postgresql.conf" + regexp: "^data_directory\ =" + line: "data_directory = '{{ psql_el_data_dir }}'" + create: false + state: present + + - name: postgresql-config-el | Check if the new postgresql data directory has been populated already + ansible.builtin.stat: + path: "{{ psql_el_data_dir }}/.postgresql_data_dir" + register: postgresql_data_dir + + - name: postgresql-config-el | Stop the postgresql service while reconfiguring the data directory + ansible.builtin.service: + name: 'postgresql-{{ psql_version }}' + state: stopped + when: not postgresql_data_dir.stat.exists + + - name: postgresql-config-el | Copy the postgresql data directory into the new place + ansible.builtin.shell: + cmd: | + if [ "/var/lib/pgsql/{{ psql_version | quote }}/data" != "{{ psql_el_data_dir | quote }}" ] ; then + cp -a /var/lib/pgsql/{{ psql_version | quote }}/main/* {{ psql_el_data_dir | quote }} + echo "Custom data dir" > "{{ psql_el_data_dir | quote }}/.postgresql_data_dir" + fi + args: + creates: '{{ psql_el_data_dir }}/.postgresql_data_dir' + register: postgresql_new_data_dir + + - name: postgresql-config-el | Fix the SELinux context for the new data directory + community.general.sefcontext: + target: '{{ psql_el_base_dir }}(/.*)?' 
+ setype: postgresql_db_t + state: present + + - name: postgresql-config-el | Restore the SELinux context + ansible.builtin.command: restorecon -vR {{ psql_el_base_dir }} + when: postgresql_new_data_dir is changed + + - name: postgresql-config-el | Start the postgresql service that will use the new data directory + ansible.builtin.service: + name: 'postgresql-{{ psql_version }}' + state: started + +- name: postgresql-config-el | Configuration of EL systems + when: ansible_distribution_file_variety == "RedHat" + tags: ['postgresql', 'postgres', 'pg_conf'] + block: + - name: postgresql-config-el | Create the postgresql log directory + ansible.builtin.file: + dest: "{{ psql_log_dir }}" + state: directory + owner: postgres + group: postgres + mode: '0750' + register: postgresql_log_dir_creation + + - name: postgresql-config-el | Fix the SELinux context for the postgresql log directory + community.general.sefcontext: + target: '{{ psql_log_dir }}(/.*)?' + setype: postgresql_db_t + state: present + + - name: postgresql-config-el | Fix the SELinux context for the postgresql log directory + ansible.builtin.command: restorecon -vR {{ psql_log_dir }} + when: postgresql_log_dir_creation is changed + + - name: postgresql-config-el | Set some postgresql configuration parameters that require a db restart + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_conf_parameters }}' + notify: Restart postgresql + + - name: postgresql-config-el | Set the postgresql logging configuration parameters + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_log_configuration }}' + notify: Reload postgresql + tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log'] + + - name: postgresql-config-el | Set the 
postgresql autovacuum configuration parameters + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" + loop: '{{ psql_autovacuum_configuration }}' + notify: Reload postgresql + tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum'] + + - name: postgresql-config-el | Set the postgresql listen port + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'port' + value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}" + notify: Restart postgresql + + - name: postgresql-config-el | We want postgres listen on the public IP + community.postgresql.postgresql_set: + name: 'listen_addresses' + value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}" + notify: Restart postgresql + + - name: postgresql-config-el | If postgresql is only accessed from localhost make it listen only on the localhost interface + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'listen_addresses' + value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}" + notify: Restart postgresql + + - name: postgresql-config-el | Flush flush_handlers Restart PostgreSQL + ansible.builtin.meta: flush_handlers + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf'] + + - name: postgresql-config-el | Log the connections + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'log_connections' + value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-el | Log the disconnections + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: 'log_disconnections' + value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-el | Log the hostnames + become: true + become_user: 
postgres + community.postgresql.postgresql_set: + name: 'log_hostname' + value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}" + notify: Reload postgresql + + - name: postgresql-config-el | Flush flush_handlers Reload PostgreSQL + ansible.builtin.meta: flush_handlers + tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf'] diff --git a/tasks/postgresql-config.yml b/tasks/postgresql-config.yml deleted file mode 100644 index 45e09c2..0000000 --- a/tasks/postgresql-config.yml +++ /dev/null 
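Review bot: The data-directory copy compares against `/var/lib/pgsql/{{ psql_version | quote }}/data` but copies from `/var/lib/pgsql/{{ psql_version | quote }}/main/*`, a path that does not exist on EL; `cp` fails, yet the following `echo` still creates `.postgresql_data_dir`, so the script exits 0, `creates:` prevents any retry, and the service is then started against an empty directory. The source should be `cp -a /var/lib/pgsql/{{ psql_version | quote }}/data/* {{ psql_el_data_dir | quote }}`, the script should start with `set -e` so the marker is never written after a failed copy, and the `creates:` value should get the `| quote` the Debian file applies. Further down, `listen_addresses` is set twice with the same value (`We want postgres listen on the public IP` and `If postgresql is only accessed from localhost...`), and the first of the two has no `become`/`become_user: postgres`, so it runs as root and, where peer authentication applies, fails before the second ever runs; keep only the second. The log-directory `sefcontext` uses `postgresql_db_t`; `postgresql_log_t` is the type the policy provides for log files and is the narrower label for a directory written only by the logging collector — confirm against the local policy before changing it.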
@@ -1,263 +0,0 @@
----
-- name: postgresql-config | Data directory for Deb/Ubuntu
- when:
- - psql_use_alternate_data_dir
- - ansible_distribution_file_variety == "Debian"
- tags: ['postgresql', 'postgres', 'pg_conf']
- block:
- - name: postgresql-config | Check if the new postgresql data directory exists
- ansible.builtin.stat:
- path: "{{ psql_data_dir }}"
- register: postgresql_data_dir
-
- - name: postgresql-config | Stop the postgresql service while reconfiguring the data directory
- ansible.builtin.service:
- name: postgresql
- state: stopped
- when: postgresql_data_dir.stat.isdir is not defined
-
- - name: postgresql-config | Create the postgresql data directory if it is not in the default place
- ansible.builtin.file:
- dest: "{{ psql_data_dir }}"
- owner: postgres
- group: postgres
- mode: '700'
- state: directory
- recurse: true
-
- - name: postgresql-config | Set the postgresql data dir if it is different from the default
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: data_directory
- value: "'{{ psql_data_dir }}'"
-
- - name: postgresql-config | Copy the postgresql data directory into the new place
- ansible.builtin.shell:
- cmd: |
- if [ "/var/lib/postgresql/{{ psql_version | quote }}/main" != "{{ psql_data_dir | quote }}" ] ; then
- cp -a /var/lib/postgresql/{{ psql_version | quote }}/main/* {{ psql_data_dir | quote }}
- fi
- args:
- creates: '{{ psql_data_dir }}/main/base'
- when: postgresql_data_dir.stat.isdir is not defined
-
- - name: postgresql-config | Start the postgresql service that will use the new data directory
- ansible.builtin.service:
- name: postgresql
- state: started
- when: postgresql_data_dir.stat.isdir is not defined
-
-- name: postgresql-config | Configuration of Deb/Ubuntu systems
- when: ansible_distribution_file_variety == "Debian"
- tags: ['postgresql', 'postgres', 'pg_conf']
- block:
- - name: postgresql-config | Set some postgresql configuration parameters that require a db restart
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: '{{ item.name }}'
- value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
- loop: '{{ psql_conf_parameters }}'
- notify: Restart postgresql
-
- - name: postgresql-config | Set the postgresql logging configuration parameters
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: '{{ item.name }}'
- value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
- loop: '{{ psql_log_configuration }}'
- notify: Reload postgresql
- tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
-
- - name: postgresql-config | Set the postgresql autovacuum configuration parameters
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: '{{ item.name }}'
- value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
- loop: '{{ psql_autovacuum_configuration }}'
- notify: Reload postgresql
- tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
-
- - name: postgresql-config | Set the postgresql listen port
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: 'port'
- value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
- notify: Restart postgresql
-
- - name: postgresql-config | We want postgres listen on the public IP
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: 'listen_addresses'
- value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
- notify: Restart postgresql
-
- - name: postgresql-config | Log the connections
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: 'log_connections'
- value: "{% if psql_db_data is defined %}on{% else %}default{% endif %}"
- notify: Reload postgresql
-
- - name: postgresql-config | Log the disconnections
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: 'log_disconnections'
- value: "{% if psql_db_data is defined %}on{% else %}default{% endif %}"
- notify: Reload postgresql
-
- - name: postgresql-config | Log the hostnames
- become: true
- become_user: postgres
- community.postgresql.postgresql_set:
- name: 'log_hostname'
- value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
- notify: Reload postgresql
-
- - name: postgresql-config | Flush flush_handlers Restart PostgreSQL
- ansible.builtin.meta: flush_handlers
- tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
-
-- name: postgresql-config | Data directory for EL
- block:
- - name: Check if the new postgresql data directory exists
- stat: path={{ psql_el_data_dir }}
- register: postgresql_data_dir
-
- - name: postgresql-config | Stop the postgresql service while reconfiguring the data directory
- service: name='postgresql-{{ psql_version }}' state=stopped
- when: postgresql_data_dir.stat.isdir is not defined
-
- - name: postgresql-config | Create the postgresql data directory if it is not in the default place
- file: dest={{ psql_el_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
-
- - name: postgresql-config | Set the postgresql data dir if it is different from the default
- become: true
- become_user: postgres
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_el_data_dir }}'"
-
- - name: postgresql-config | Copy the postgresql data directory into the new place
- shell: '[ "/var/lib/pgsql/{{ psql_version }}/data" != "{{ psql_el_data_dir }}" ] && cp -a /var/lib/pgsql/{{ psql_version }}/data/* {{ psql_el_data_dir }}'
- args:
- creates: '{{ psql_el_data_dir }}/base'
- when: postgresql_data_dir.stat.isdir is not defined
-
- - name: postgresql-config | Fix the SELinux context for the new data directory
- sefcontext:
- target: '{{ psql_el_base_dir }}(/.*)?'
- setype: postgresql_db_t
- state: present
-
- - name: postgresql-config | Restore the SELinux context
- command: restorecon -vR {{ psql_el_base_dir }}
-
- - name: postgresql-config | Start the postgresql service that will use the new data directory
- service: name='postgresql-{{ psql_version }}' state=started
- when: postgresql_data_dir.stat.isdir is not defined
-
- when:
- - psql_use_alternate_data_dir
- - ansible_distribution_file_variety == "RedHat"
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: postgresql-config | Configuration of EL systems
- block:
- - name: postgresql-config | Create the postgresql log directory
- file: dest={{ psql_log_dir }} state=directory owner=postgres group=postgres mode='0750'
-
- - name: postgresql-config | Fix the SELinux context for the postgresql log directory
- sefcontext:
- target: '{{ psql_log_dir }}(/.*)?'
- setype: postgresql_db_t
- state: present
-
- - name: postgresql-config | Fix the SELinux context for the postgresql log directory
- command: restorecon -vR {{ psql_log_dir }}
-
- - name: postgresql-config | Set some postgresql configuration parameters that require a db restart
- become: true
- become_user: postgres
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
- with_items: '{{ psql_conf_parameters }}'
- when: item.set == 'True'
- notify: Restart postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | Set the postgresql logging configuration parameters
- become: true
- become_user: postgres
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
- with_items: '{{ psql_log_configuration }}'
- when: item.set == 'True'
- notify: Reload postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ]
-
- - name: postgresql-config | Set the postgresql autovacuum configuration parameters
- become: true
- become_user: postgres
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
- with_items: '{{ psql_autovacuum_configuration }}'
- when: item.set == 'True'
- notify: Reload postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ]
-
- - name: postgresql-config | Set the postgresql listen port
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}"
- register: restart_postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | We want postgres listen on the public IP
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'*'"
- register: restart_postgresql
- when:
- - psql_listen_on_ext_int
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | If postgresql is only accessed from localhost make it listen only on the localhost interface
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'"
- register: restart_postgresql
- when:
- - not psql_listen_on_ext_int
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | Log the connections
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_connections value="on"
- register: restart_postgresql
- when: psql_db_data is defined
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | Log the disconnections
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_disconnections value="on"
- register: restart_postgresql
- when: psql_db_data is defined
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | Log the hostnames
- action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_hostname value="on"
- register: restart_postgresql
- when:
- - psql_listen_on_ext_int
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
- - name: postgresql-config | Set the correct permissions to the postgresql files
- file: dest={{ psql_el_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
- with_items:
- - pg_hba.conf
- - postgresql.conf
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
-
- - name: postgresql-config | Restart the postgresql server after changing parameters that need a restart
- service: name='postgresql-{{ psql_version }}' state=restarted
- when:
- - restart_postgresql is defined and restart_postgresql is changed
- ignore_errors: True
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
-
- when: ansible_distribution_file_variety == "RedHat"
diff --git a/tasks/postgresql-ssl-config.yml b/tasks/postgresql-ssl-config.yml
index f642fc5..d2379cd 100644
--- a/tasks/postgresql-ssl-config.yml
+++ b/tasks/postgresql-ssl-config.yml
@@ -1,47 +1,43 @@ --- -- block: - - name: Setup SSL in the postgresql configuration - become: True - become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_ssl_parameters }}' - notify: Restart postgresql - when: ansible_distribution_file_variety == "Debian" - - - name: Setup SSL in the postgresql configuration - become: True - become_user: postgres - action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_ssl_parameters }}' - notify: Restart postgresql - when: ansible_distribution_file_variety == "RedHat" - - - name: Create the pki directory to store the postgresql key - file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750 - - - name: Create a postgres accessible ssl key file if it does not exist - copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True - +- name: postgresql-ssl-config | TLS configuration when: psql_enable_ssl - tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] - - -- block: - - name: Disable SSL in the postgresql configuration - become: True + tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf'] + block: + - name: postgresql-ssl-config | Setup SSL in the postgresql configuration + become: true become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_disable_ssl_parameters }}' + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{{ item.value }}" + loop: '{{ psql_conf_ssl_parameters }}' notify: Restart postgresql - when: ansible_distribution_file_variety == "Debian" - - name: Disable SSL in the postgresql configuration - become: True - become_user: postgres - action: configfile path={{ psql_el_conf_dir 
}}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_disable_ssl_parameters }}' - notify: Restart postgresql - when: ansible_distribution_file_variety == "RedHat" + - name: postgresql-ssl-config | Create the pki directory to store the private key + ansible.builtin.file: + dest: /etc/pki/postgresql + state: directory + owner: postgres + group: postgres + mode: '0750' + - name: postgresql-ssl-config | Create a postgres accessible ssl key file if it does not exist + ansible.builtin.copy: + src: "{{ psql_ssl_privkey_global_file }}" + dest: "{{ psql_ssl_privkey_file }}" + owner: postgres + group: postgres + mode: '0400' + remote_src: true + +- name: postgresql-ssl-config | Disable the TLS configuration when: not psql_enable_ssl - tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] + tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf'] + block: + - name: postgresql-ssl-config | Disable SSL in the postgresql configuration + become: true + become_user: postgres + community.postgresql.postgresql_set: + name: '{{ item.name }}' + value: "{{ item.value }}" + loop: '{{ psql_conf_disable_ssl_parameters }}' + notify: Restart postgresql diff --git a/tasks/postgresql-streaming-replication.yml b/tasks/postgresql-streaming-replication.yml index 47c1fa6..89ead4e 100644 --- a/tasks/postgresql-streaming-replication.yml +++ b/tasks/postgresql-streaming-replication.yml @@ -28,6 +28,8 @@ tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication'] block: - name: postgresql-streaming-replication | Configure the replication user permissions on deb + become: true + become_user: postgres community.postgresql.postgresql_pg_hba: dest: '{{ psql_conf_dir }}/pg_hba.conf' contype: host 
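Review bot: The key-copy task that closes the TLS block (`Create a postgres accessible ssl key file if it does not exist`) has no `notify`, so when the source key `psql_ssl_privkey_global_file` is renewed the fresh copy lands in `psql_ssl_privkey_file` but the running server keeps the key it loaded at start, and if the certificate named in `psql_conf_ssl_parameters` is read from its own location (the hunk does not copy it) key and certificate can drift out of step until the next unrelated reload. Add `notify: Reload postgresql` to the copy task; a reload is sufficient because PostgreSQL re-reads its SSL files on SIGHUP. The task name's "if it does not exist" no longer describes the behaviour either, since `ansible.builtin.copy` with `remote_src: true` refreshes the destination whenever the source differs — keeping the refresh is the right choice, so rename the task to e.g. `Copy the private key to a postgres-readable location` rather than adding `force: false`.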
@@ -42,6 +44,8 @@ when: not psql_enable_ssl - name: postgresql-streaming-replication | Configure the replication user permissions on deb + become: true + become_user: postgres community.postgresql.postgresql_pg_hba: dest: '{{ psql_conf_dir }}/pg_hba.conf' contype: hostssl @@ -63,6 +67,8 @@ tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication'] block: - name: postgresql-streaming-replication | Configure the replication user permissions on EL + become: true + become_user: postgres community.postgresql.postgresql_pg_hba: dest: '{{ psql_el_conf_dir }}/pg_hba.conf' contype: host @@ -77,6 +83,8 @@ when: not psql_enable_ssl - name: postgresql-streaming-replication | Configure the replication user permissions on EL + become: true + become_user: postgres community.postgresql.postgresql_pg_hba: dest: '{{ psql_el_conf_dir }}/pg_hba.conf' contype: hostssl @@ -143,8 +151,6 @@ - not standby_signal_file.stat.exists - name: postgresql-streaming-replication | Remove the data directory contents {{ postgresql_active_data_dir }} - become: true - become_user: postgres ansible.builtin.file: dest: '{{ postgresql_active_data_dir }}' state: absent
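Review bot: The EL `community.postgresql.postgresql_pg_hba` tasks (hunks `@@ -63` and `@@ -77`) now run with `become_user: postgres`, but the file removed in this same commit, tasks/postgresql-config.yml, set `{{ psql_el_conf_dir }}/pg_hba.conf` to `owner=root group=postgres mode=0640`; if the replacement EL configuration keeps that ownership the postgres account cannot write the file and these tasks fail, and if it drops it the service account gains write access to its own authentication policy, which weakens tamper resistance. Confirm what ownership the new tasks/postgresql-config-el.yml applies (only part of it is visible here) and either keep root ownership and drop `become_user: postgres` from the two EL tasks, or state the chosen ownership model in a comment above the first EL task. The Debian hunks (`@@ -28`, `@@ -42`) are not affected, as pg_hba.conf there is postgres-owned by default packaging.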
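Review bot: The removal of `postgresql_active_data_dir` (hunk `@@ -143`) now runs with the play's default privileges rather than as postgres, so on a root-run play an empty or mis-set variable deletes whatever the path expands to with full privileges. A cheap guard on the task, such as `when: postgresql_active_data_dir | length > 1` alongside whatever conditions it already carries, would limit the blast radius; the task's own `when`, if it has one, lies outside the hunk so I cannot tell whether such a check already exists.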