From fd68e8d04acd0d6fa7dac5d3134cd115971c4eb4 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 25 Oct 2023 16:29:36 +0200
Subject: [PATCH] Flush handlers after configuring pg_hba.
---
 tasks/configure-access.yml | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/tasks/configure-access.yml b/tasks/configure-access.yml
index b980901..1d89b20 100644
--- a/tasks/configure-access.yml
+++ b/tasks/configure-access.yml
@@ -1,8 +1,6 @@
 ---
 - name: configure-access | Configure accesses on Deb/Ubuntu
 when: ansible_distribution_file_variety == "Debian"
- become: true
- become_user: postgres
 tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
 block:
 - name: configure-access | Give access to the remote postgresql client
@@ -14,6 +12,9 @@
 databases: '{{ item.0.name }}'
 # method: 'scram-sha-256'
 method: 'md5'
+ owner: root
+ group: postgres
+ mode: "0640"
 state: "{{ item.0.state | default('present') }}"
 with_subelements:
 - '{{ psql_db_data | default([]) }}'
@@ -33,8 +34,14 @@
 databases: 'replication'
 method: 'peer'
 state: present
+ owner: root
+ group: postgres
+ mode: "0640"
 notify: Reload postgresql
+ - name: configure-access | Flush handlers
+ ansible.builtin.meta: flush_handlers
+
 - name: configure-access | Configure accesses on EL
 when: ansible_distribution_file_variety == "RedHat"
 block:
@@ -51,8 +58,6 @@
 tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']
 - name: configure-access | Give access to the remote postgresql client
- become: true
- become_user: postgres
 community.postgresql.postgresql_pg_hba:
 dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
 contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
@@ -62,6 +67,9 @@
 # method: 'scram-sha-256'
 method: 'md5'
 state: "{{ item.0.state | default('present') }}"
+ owner: root
+ group: postgres
+ mode: "0640"
 with_subelements:
 - '{{ psql_db_data | default([]) }}'
 - allowed_hosts
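Review bot: Nothing visible in this file escalates privileges once `become: true` is dropped from the Debian block in `@@ -1,8 +1,6 @@`, yet the pg_hba tasks now set `owner: root`, which only root can do. If the calling play does not already run with `become: true` (not visible in this patch), these tasks will fail on the ownership change. Keeping `become: true` on the block and removing only `become_user: postgres` would make the role self-contained. The same applies to the EL tasks in `@@ -51,8 +58,6 @@`, `@@ -73,8 +81,6 @@` and `@@ -82,11 +88,12 @@`; the block's task list continues outside the hunk.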
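Review bot: The client rule in `@@ -14,6 +12,9 @@` still hard-codes `method: 'md5'` with the `scram-sha-256` line commented out, so every remote-client entry this role writes keeps the weaker password authentication method. Since the commit already reworks how pg_hba.conf is managed, consider a role variable that defaults to the current value, e.g. `method: "{{ <auth_method_var> | default('md5') }}"` (the variable name is a placeholder). Deployments could then move to `scram-sha-256` once `password_encryption` and the stored password hashes have been migrated. The identical lines appear in the EL task in `@@ -62,6 +67,9 @@`; both tasks start above their hunks.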
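Review bot: The `ansible.builtin.meta: flush_handlers` task added in `@@ -33,8 +34,14 @@` runs every handler notified so far in the play, not only `Reload postgresql`, and neither the task nor the commit message says why the reload must happen at this point. A comment above it would help, for example `# Reload now so later tasks connect under the updated pg_hba rules` (assuming that is the intent). It is also worth confirming that any `when:` the task inherits from the block is honoured on the ansible-core versions this role supports, since older releases reportedly warned that conditionals are not supported on this meta task. The same task is added at the end of the file in `@@ -94,4 +101,10 @@`.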
@@ -73,8 +81,6 @@
 # No conditionals, it is required to perform base backups when the WAL archive is active
 - name: configure-access | Remove the ident authentication for the local connections
- become: true
- become_user: postgres
 community.postgresql.postgresql_pg_hba:
 dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
 contype: 'local'
@@ -82,11 +88,12 @@
 databases: 'all'
 method: 'ident'
 state: absent
+ owner: root
+ group: postgres
+ mode: "0640"
 notify: Reload postgresql
 - name: configure-access | Give local access with replication privileges to the postgres user
- become: true
- become_user: postgres
 community.postgresql.postgresql_pg_hba:
 dest: '{{ psql_conf_dir }}/pg_hba.conf'
 contype: 'local'
@@ -94,4 +101,10 @@
 databases: 'replication'
 method: 'peer'
 state: present
+ owner: root
+ group: postgres
+ mode: "0640"
 notify: Reload postgresql
+
+ - name: configure-access | Flush handlers
+ ansible.builtin.meta: flush_handlers
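Review bot: The replication task in `@@ -82,11 +88,12 @@` writes to `'{{ psql_conf_dir }}/pg_hba.conf'`, while the other tasks that appear to belong to the EL block (`@@ -51,8 +58,6 @@`, `@@ -73,8 +81,6 @@`) use `psql_el_conf_dir`. If the two variables resolve to different directories on RedHat hosts, the peer rule and the `owner`/`group`/`mode` settings added for this task in `@@ -94,4 +101,10 @@` land on a file other than the one the neighbouring tasks manage. If that is not intentional, the line would read `dest: '{{ psql_el_conf_dir }}/pg_hba.conf'`. The variable definitions are outside this patch, so this needs checking against the role defaults.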
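Review bot: The `owner: root`, `group: postgres`, `mode: "0640"` triple ends up repeated on every pg_hba task this patch touches, the last copy being in `@@ -94,4 +101,10 @@`, so a task added later can silently leave the file with different permissions. Declaring the three values once per block through `module_defaults` for `community.postgresql.postgresql_pg_hba` would keep them in one place. The sketch below shows the shape for one block; the block header and its tasks are outside this hunk.

```yaml
# … unchanged: name, when and tags of the block …
  module_defaults:
    community.postgresql.postgresql_pg_hba:
      owner: root
      group: postgres
      mode: "0640"
  block:
    # … unchanged: pg_hba tasks, without the per-task owner/group/mode …
```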