Compare commits


No commits in common. "master" and "master" have entirely different histories.

22 changed files with 830 additions and 1018 deletions

1
.gitignore vendored

@ -1,4 +1,3 @@
# ---> Ansible # ---> Ansible
*.retry *.retry
.vscode/settings.json


@ -1,32 +1,25 @@
--- ---
psql_enabled: true psql_enabled: True
# I prefer to use the postgresql.org repositories # I prefer to use the postgresql.org repositories
# #
# See the features matrix here: http://www.postgresql.org/about/featurematrix/ # See the features matrix here: http://www.postgresql.org/about/featurematrix/
# #
pg_use_postgresql_org_repo: true pg_use_postgresql_org_repo: True
postgresql_deb_repo_key_url: "https://www.postgresql.org/media/keys/ACCC4CF8.asc" psql_postgresql_install: True
postgresql_deb_repo_key: /etc/apt/keyrings/postgresql.asc
postgresql_deb_repository_url: "http://apt.postgresql.org/pub/repos/apt/"
postgresql_deb_repository_rel: "{{ ansible_lsb.codename }}-pgdg"
psql_postgresql_install: true
postgresql_client_only: false
psql_pkg_state: present psql_pkg_state: present
postgresql_enabled: true postgresql_enabled: True
psql_version: 16 psql_version: 13
psql_db_host: localhost psql_db_host: localhost
psql_db_port: 5432 psql_db_port: 5432
psql_db_size_w: 150000000 psql_db_size_w: 150000000
psql_db_size_c: 170000000 psql_db_size_c: 170000000
psql_max_connections: 1024 psql_listen_on_ext_int: False
psql_listen_on_ext_int: false psql_use_alternate_data_dir: False
psql_use_alternate_data_dir: false
# Deb/Ubuntu # Deb/Ubuntu
psql_data_root_dir: '/var/lib/postgresql/{{ psql_version }}' psql_data_root_dir: '/var/lib/postgresql/{{ psql_version }}'
psql_data_dir: '{{ psql_data_root_dir }}/main' psql_data_dir: '{{ psql_data_root_dir }}/main'
psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main' psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main'
psql_log_dir: /var/log/postgresql psql_log_dir: /var/log/postgresql
postgresql_install_client_only: false
# Debian/Ubuntu # Debian/Ubuntu
postgresql_pkgs: postgresql_pkgs:
@ -34,11 +27,11 @@ postgresql_pkgs:
- 'postgresql-contrib-{{ psql_version }}' - 'postgresql-contrib-{{ psql_version }}'
- 'postgresql-client-{{ psql_version }}' - 'postgresql-client-{{ psql_version }}'
- pgtop - pgtop
- "{% if ansible_distribution_version is version_compare('20.04', '>=') %}python3-psycopg2{% else %}python-psycopg2{% endif %}" - python-psycopg2
psql_el_install_scl_version: false psql_el_install_scl_version: False
psql_el_install_from_pgdg_repo: true psql_el_install_from_pgdg_repo: True
psql_el_pgdg_repo_url: "https://download.postgresql.org/pub/repos/yum/reporpms/EL-{{ ansible_distribution_major_version }}-x86_64/pgdg-redhat-repo-latest.noarch.rpm" psql_el_pgdg_repo_url: "https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm"
psql_scl_base_dir: '/var/opt/rh/rh-postgresql{{ psql_version }}/lib/pgsql' psql_scl_base_dir: '/var/opt/rh/rh-postgresql{{ psql_version }}/lib/pgsql'
psql_el_base_dir: '/var/lib/pgsql/{{ psql_version }}' psql_el_base_dir: '/var/lib/pgsql/{{ psql_version }}'
psql_el_data_dir: '{{ psql_el_base_dir }}/data' psql_el_data_dir: '{{ psql_el_base_dir }}/data'
@ -59,87 +52,86 @@ psql_el_scl_packages:
- python-psycopg2 - python-psycopg2
psql_conf_parameters: psql_conf_parameters:
- { name: 'max_connections', value: '{{ psql_max_connections }}', set: 'true' } - { name: 'max_connections', value: '100', set: 'True' }
- { name: 'shared_buffers', value: '{{ (ansible_memtotal_mb / 4) | int }}MB', set: 'true' } - { name: 'shared_buffers', value: '{{ (ansible_memtotal_mb / 4) | int }}MB', set: 'True' }
- { name: 'work_mem', value: '{{ ((ansible_memtotal_mb * 1024) / (400 * ansible_processor_vcpus)) | int }}kB', set: 'true' } - { name: 'work_mem', value: '{{ ((ansible_memtotal_mb * 1024) / (400 * ansible_processor_vcpus)) | int }}kB', set: 'True' }
- { name: 'maintenance_work_mem', value: '{{ (ansible_memtotal_mb / 8) | int }}MB', set: 'true' } - { name: 'maintenance_work_mem', value: '{{ (ansible_memtotal_mb / 8) | int }}MB', set: 'True' }
- { name: 'temp_buffers', value: '{{ ansible_memtotal_mb }}kB', set: 'true' } - { name: 'temp_buffers', value: '{{ ansible_memtotal_mb }}kB', set: 'True' }
- { name: 'wal_buffers', value: '{{ (ansible_memtotal_mb / 1024 * 2) | int }}MB', set: 'true' } - { name: 'wal_buffers', value: '{{ (ansible_memtotal_mb / 1024 * 2) | int }}MB', set: 'True' }
- { name: 'min_wal_size', value: '{{ (ansible_memtotal_mb / 16) | int }}MB', set: 'true' } - { name: 'min_wal_size', value: '{{ (ansible_memtotal_mb / 16) | int }}MB', set: 'True' }
- { name: 'max_wal_size', value: '{{ (ansible_memtotal_mb / 8) | int }}MB', set: 'true' } - { name: 'max_wal_size', value: '{{ (ansible_memtotal_mb / 8) | int }}MB', set: 'True' }
- { name: 'effective_cache_size', value: '{{ (ansible_memtotal_mb / 1.3) | int }}MB', set: 'true' } - { name: 'effective_cache_size', value: '{{ (ansible_memtotal_mb / 1.3) | int }}MB', set: 'True' }
- { name: 'max_stack_depth', value: '2MB', set: 'false' } - { name: 'max_stack_depth', value: '2MB', set: 'False' }
- { name: 'max_files_per_process', value: '8192', set: 'false' } - { name: 'max_files_per_process', value: '8192', set: 'False' }
# Custom parameters. Default empty
psql_conf_custom_parameters: []
# logging configuration. Important: the parameters that need a restart must be listed in psql_conf_parameters # logging configuration. Important: the parameters that need a restart must be listed in psql_conf_parameters
psql_log_configuration: psql_log_configuration:
- { name: 'log_destination', value: 'stderr', set: 'true' } - { name: 'log_destination', value: 'stderr', set: 'True' }
- { name: 'logging_collector', value: 'off', set: 'false' } - { name: 'logging_collector', value: 'off', set: 'False' }
- { name: 'log_directory', value: '{{ psql_log_dir }}', set: 'true' } - { name: 'log_directory', value: "'{{ psql_log_dir }}'", set: 'True' }
- { name: 'log_rotation_age', value: '1d', set: 'true' } - { name: 'log_rotation_age', value: '1d', set: 'True' }
- { name: 'log_rotation_size', value: '10MB', set: 'true' } - { name: 'log_rotation_size', value: '10MB', set: 'True' }
- { name: 'client_min_messages', value: 'notice', set: 'true' } - { name: 'client_min_messages', value: 'notice', set: 'True' }
- { name: 'log_min_messages', value: 'warning', set: 'true' } - { name: 'log_min_messages', value: 'warning', set: 'True' }
- { name: 'log_min_error_statement', value: 'error', set: 'true' } - { name: 'log_min_error_statement', value: 'error', set: 'True' }
- { name: 'log_min_duration_statement', value: '-1', set: 'true' } - { name: 'log_min_duration_statement', value: '-1', set: 'True' }
- { name: 'log_checkpoints', value: 'off', set: 'true' } - { name: 'log_checkpoints', value: 'off', set: 'True' }
- { name: 'log_duration', value: 'off', set: 'true' } - { name: 'log_connections', value: 'on', set: 'True' }
- { name: 'log_error_verbosity', value: 'default', set: 'true' } - { name: 'log_disconnections', value: 'off', set: 'True' }
- { name: 'log_duration', value: 'off', set: 'True' }
- { name: 'log_error_verbosity', value: 'default', set: 'True' }
- { name: 'log_hostname', value: 'on', set: 'True' }
# Treat vacuum separately. Important: the parameters that need a restart must be listed in psql_conf_parameters # Treat vacuum separately. Important: the parameters that need a restart must be listed in psql_conf_parameters
psql_autovacuum_configuration: psql_autovacuum_configuration:
- { name: 'track_counts', value: 'on', set: 'true' } - { name: 'track_counts', value: 'on', set: 'True' }
- { name: 'autovacuum', value: 'on', set: 'true' } - { name: 'autovacuum', value: 'on', set: 'True' }
- { name: 'log_autovacuum_min_duration', value: '-1', set: 'true' } - { name: 'log_autovacuum_min_duration', value: '-1', set: 'True' }
- { name: 'autovacuum_vacuum_threshold', value: '50', set: 'true' } - { name: 'autovacuum_vacuum_threshold', value: '50', set: 'True' }
- { name: 'autovacuum_analyze_threshold', value: '50', set: 'true' } - { name: 'autovacuum_analyze_threshold', value: '50', set: 'True' }
- { name: 'autovacuum_vacuum_scale_factor', value: '0.2', set: 'true' } - { name: 'autovacuum_vacuum_scale_factor', value: '0.2', set: 'True' }
- { name: 'autovacuum_vacuum_cost_limit', value: '1000', set: 'true' } - { name: 'autovacuum_vacuum_cost_limit', value: '1000', set: 'True' }
- { name: 'autovacuum_max_workers', value: '10', set: 'true' } - { name: 'autovacuum_max_workers', value: '10', set: 'True' }
- { name: 'autovacuum_naptime', value: '10', set: 'true' } - { name: 'autovacuum_naptime', value: '10', set: 'True' }
# Streaming replication settings # Streaming replication settings
postgresql_streaming_replication: false postgresql_streaming_replication: False
postgresql_streaming_replication_primary_node: 'localhost' postgresql_streaming_replication_primary_node: 'localhost'
psql_streaming_replication_hosts: psql_streaming_replication_hosts:
- 'localhost' - 'localhost'
psql_streaming_replication_user: psql_replica psql_streaming_replication_user: psql_replica
#psql_streaming_replication_pwd: 'use a vault' #psql_streaming_replication_pwd: 'use a vault'
psql_streaming_replication_config: psql_streaming_replication_config:
- { name: 'wal_level', value: 'replica', set: 'true' } - { name: 'wal_level', value: 'replica' }
- { name: 'max_wal_senders', value: '10', set: 'true' } - { name: 'max_wal_senders', value: '10' }
- { name: 'wal_keep_size', value: '0', set: 'true' } - { name: 'wal_keep_size', value: '1GB' }
- { name: 'max_slot_wal_keep_size', value: '50MB', set: 'true' } - { name: 'max_slot_wal_keep_size', value: '15' }
- { name: 'wal_compression', value: 'on', set: 'true' } - { name: 'wal_compression', value: 'on' }
- { name: 'wal_log_hints', value: 'on', set: 'true' } - { name: 'wal_log_hints', value: 'on' }
- { name: 'hot_standby', value: 'on', set: 'true' } - { name: 'hot_standby', value: 'on' }
- { name: 'archive_mode', value: 'always', set: 'true' } - { name: 'archive_mode', value: 'always' }
- { name: 'archive_command', value: "cp %p {{ psql_wal_archiving_log_dir }}/%f", set: 'true' } - { name: 'archive_command', value: "cp %p {{ psql_wal_archiving_log_dir }}/%f" }
- { name: 'restore_command', value: "cp {{ psql_wal_archiving_log_dir }}/%f %p", set: 'true' } - { name: 'restore_command', value: "cp {{ psql_wal_archiving_log_dir }}/%f %p" }
- { name: 'archive_cleanup_command', value: "pg_archivecleanup {{ psql_wal_archiving_log_dir }} %r", set: 'true' } - { name: 'archive_cleanup_command', value: "pg_archivecleanup {{ psql_wal_archiving_log_dir }} %r" }
# SSL as a special case # SSL as a special case
psql_enable_ssl: false psql_enable_ssl: False
psql_force_ssl_client_connection: false psql_force_ssl_client_connection: False
postgresql_letsencrypt_managed: '{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}true{% else %}false{% endif %}' postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
psql_ssl_privkey_global_file: '{% if postgresql_letsencrypt_managed %}{{ letsencrypt_acme_sh_certificates_install_path }}/privkey{% else %}{{ pki_dir }}/keys/{{ ansible_fqdn}}-key.pem{% endif %}' psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
psql_ssl_cert_file: '{% if postgresql_letsencrypt_managed %}{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain{% else %}{{ pki_dir }}/certs/{{ ansible_fqdn}}.pem{% endif %}' psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
# In CentOS/RHEL is /etc/pki/tls/cert.pem psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
psql_ssl_ca_file: '/etc/ssl/certs/ca-certificates.crt'
psql_conf_ssl_parameters: psql_conf_ssl_parameters:
- { name: 'ssl', value: 'true', set: 'true' } - { name: 'ssl', value: 'true' }
- { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}', set: 'true' } - { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' }
- { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}', set: 'true' } - { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}' }
- { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}', set: 'true' } - { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' }
psql_conf_disable_ssl_parameters: psql_conf_disable_ssl_parameters:
- { name: 'ssl', value: 'false', set: 'true' } - { name: 'ssl', value: 'false' }
psql_set_shared_memory: false psql_set_shared_memory: False
psql_sysctl_file: 30-postgresql-shm.conf psql_sysctl_file: 30-postgresql-shm.conf
psql_sysctl_kernel_sharedmem_parameters: psql_sysctl_kernel_sharedmem_parameters:
- { name: 'kernel.shmmax', value: '33554432' } - { name: 'kernel.shmmax', value: '33554432' }
@ -151,16 +143,16 @@ psql_db_pwd: "We cannot save the password into the repository. Use another varia
#psql_db_data: #psql_db_data:
# Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
#- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: true } #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True }
# Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db
#- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: false } #- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False }
# Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
#- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: true, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent } #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent }
# postgis # postgis
postgres_install_gis_extensions: false postgres_install_gis_extensions: False
postgres_gis_version: 3 postgres_gis_version: 2.5
postgres_gis_shortver: 3 postgres_gis_shortver: 25
postgres_gis_pkgs: postgres_gis_pkgs:
- 'postgresql-{{ psql_version }}-postgis-{{ postgres_gis_version }}' - 'postgresql-{{ psql_version }}-postgis-{{ postgres_gis_version }}'
@ -169,14 +161,14 @@ postgres_el_gis_pkgs:
- 'postgis{{ postgres_gis_shortver }}-{{ psql_version }}-client' - 'postgis{{ postgres_gis_shortver }}-{{ psql_version }}-client'
# Local backup # Local backup
pg_backup_enabled: true pg_backup_enabled: True
pg_el_backup_conf_dir: /etc/sysconfig pg_el_backup_conf_dir: /etc/sysconfig
pg_backup_conf_dir: /etc/default pg_backup_conf_dir: /etc/default
pg_backup_bin: /usr/local/sbin/postgresql-backup pg_backup_bin: /usr/local/sbin/postgresql-backup
pg_backup_pgdump_bin: /usr/bin/pg_dump pg_backup_pgdump_bin: /usr/bin/pg_dump
pg_backup_retain_copies: 2 pg_backup_retain_copies: 2
pg_backup_build_db_list: "yes" pg_backup_build_db_list: "yes"
psql_wal_files_archiving_enabled: false psql_wal_files_archiving_enabled: False
psql_wal_archiving_log_dir: '{{ psql_data_dir }}/archive_log' psql_wal_archiving_log_dir: '{{ psql_data_dir }}/archive_log'
psql_base_backup_dir: '{{ pg_backup_base_dir }}/base_backup' psql_base_backup_dir: '{{ pg_backup_base_dir }}/base_backup'
# Dynamically created from psql_db_data if pg_backup_db_list is not set # Dynamically created from psql_db_data if pg_backup_db_list is not set
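Review bot: In the SSL defaults on the new (right-hand) side, `psql_ssl_ca_file` points at the ACME `fullchain` while `psql_ssl_cert_file` points at the bare `cert`. In PostgreSQL `ssl_ca_file` is the list of CAs trusted to verify client certificates, and `psql_conf_ssl_parameters` passes this value straight through, so the public issuing intermediate would become a trusted client CA if any `pg_hba.conf` entry ever uses certificate authentication. I would serve the chain from the certificate file, `psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'`, and keep `psql_ssl_ca_file` for a CA the site controls, with a comment above it saying what it is trusted for. In the same file `psql_el_pgdg_repo_url` is now pinned to `EL-7` and no longer follows `ansible_distribution_major_version`.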


@ -1,34 +1,22 @@
--- ---
- name: Restart postgresql - name: Restart postgresql
ansible.builtin.service: service: name=postgresql state=restarted
name: postgresql
state: restarted
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
- name: Reload postgresql - name: Reload postgresql
ansible.builtin.service: service: name=postgresql state=reloaded
name: postgresql
state: reloaded
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
- name: Restart postgresql with pgpool config - name: Restart postgresql with pgpool config
ansible.builtin.service: service: name=postgresql state=restarted
name: postgresql
state: restarted
when: when:
- ansible_distribution_file_variety == "Debian" - ansible_distribution_file_variety == "Debian"
- psql_restart_after_wal_enabling - psql_restart_after_wal_enabling
- name: Flush the APT cache
ansible.builtin.apt:
update_cache: true
- name: Restart postgresql - name: Restart postgresql
ansible.builtin.service: service: name='postgresql-{{ psql_version }}' state=restarted
name: 'postgresql-{{ psql_version }}'
state: restarted
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: Reload postgresql - name: Reload postgresql
ansible.builtin.service: service: name='postgresql-{{ psql_version }}' state=reloaded
name: 'postgresql-{{ psql_version }}'
state: reloaded
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
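Review bot: The handlers file defines `Restart postgresql` and `Reload postgresql` twice, once per distribution family, and Ansible notifies only the last handler defined under a given name. On Debian hosts a `notify: Reload postgresql` would therefore likely reach the RedHat variant and be skipped by its `when`, leaving the service running with the old configuration. Give the handlers unique names and a shared topic, e.g. `name: Restart postgresql (Debian)` with `listen: Restart postgresql`, or use a single handler whose service name is computed from `ansible_distribution_file_variety`. The new side also returns to the `service: name=postgresql state=restarted` key=value form; block arguments under the module name are easier to lint and to diff.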

83
library/configfile.py Normal file

@ -0,0 +1,83 @@
#!/usr/bin/python
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'status': ['preview'],
'supported_by': 'ISTI-CNR'
}
import glob
import json
import tempfile
import filecmp
import os
import re
from ansible.module_utils.basic import AnsibleModule
def run_configfile_module():
module = AnsibleModule(
argument_spec = dict(
path=dict(required=True),
key=dict(required=True),
value=dict(required=True),
syntax=dict(required=False, choices=['standard', 'shell'], default='standard'),
)
)
path = module.params['path']
syntax = module.params['syntax']
key = module.params['key']
value = module.params['value']
found = [False]
def expand(line):
if syntax == 'standard':
if re.match("[ #]*%s *=.*" % (key), line):
found[0] = True
return re.sub("[ #]*%s *=.*" % (key), "%s = %s" % (key, value), line)
elif syntax == 'shell':
if re.match("[ #]*%s *=.*" % (key), line):
found[0] = True
return re.sub("[ #]*%s *=.*" % (key), "%s=%s" % (key, value), line)
else:
raise Exception("unsupported syntax %s" % syntax)
changed = False
with open(path) as input:
with tempfile.NamedTemporaryFile(dir=os.path.dirname(path)) as temp:
for line in input:
print(expand(line), end=' ', file=temp)
if not found[0]:
if not line.endswith('\n'):
print('', file=temp)
if syntax == 'standard':
print("%s = %s" % (key, value), file=temp)
elif syntax == 'shell':
print("%s=%s" % (key, value), file=temp)
else:
raise Exception("unsupported syntax %s" % syntax)
temp.delete = False
temp.close()
changed = not filecmp.cmp(path, temp.name)
if changed:
os.rename(temp.name, path)
else:
os.remove(temp.name)
module.exit_json(changed=changed)
# include magic from lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
def main():
run_configfile_module()
if __name__ == '__main__':
main()
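Review bot: `key` and `value` reach the regular expression unescaped in `expand()`: `key` becomes part of the pattern, so a name such as `kernel.shmmax` matches more than itself, and `value` is used as a `re.sub` replacement template, so a backslash in it is read as an escape or group reference. Build the pattern with `re.escape(key)` and pass the replacement as a function, e.g. `re.sub(pattern, lambda m: "%s = %s" % (key, value), line)`. The write path needs attention too: `NamedTemporaryFile` creates the file with owner-only permissions and `os.rename(temp.name, path)` then replaces the target, so the edited configuration file loses its previous owner and mode; `module.atomic_move(temp.name, path)` is the AnsibleModule helper that carries them over. Finally, `print(expand(line), end=' ', file=temp)` writes a space after every line, which looks like a 2to3 artefact for `end=''` and would make the module report a change on every run.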


@ -1,12 +1,13 @@
galaxy_info: galaxy_info:
author: Andrea Dell'Amico author: Andrea Dell'Amico
description: Role that installs PostgreSQL description: Systems Architect
company: ISTI-CNR company: ISTI-CNR
namespace: adellam
role_name: postgresql
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
license: EUPL 1.2+ license: EUPL 1.2+
min_ansible_version: "2.9"
min_ansible_version: 2.8
# To view available platforms and versions (or releases), visit: # To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/ # https://galaxy.ansible.com/api/v1/platforms/
@ -14,13 +15,12 @@ galaxy_info:
platforms: platforms:
- name: Ubuntu - name: Ubuntu
versions: versions:
- focal - bionic
- jammy
- name: EL - name: EL
versions: versions:
- "7" - 7
- "8"
- "9"
galaxy_tags: galaxy_tags:
- postgresql - postgresql
dependencies: []
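Review bot: `min_ansible_version: 2.8` and the EL entry `- 7` are unquoted on the new side, so YAML loads them as a float and an integer where Galaxy metadata expects strings; write `min_ansible_version: "2.8"` and `- "7"`. `description: Systems Architect` reads like a job title, while this field is meant to describe the role.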


@ -1,108 +1,84 @@
--- ---
- name: configure-access | Configure accesses on Deb/Ubuntu - name: Configure accesses on Deb/Ubuntu
block:
- name: Give access to the remote postgresql client
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# No conditionals, it is needed to perform base backups when the WAL archive is active
- name: Give local access with replication privileges to the postgres user
lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
- name: Configure accesses on EL
block: block:
- name: configure-access | Give access to the remote postgresql client - name: Open the postgresql service to a specific zone.
community.postgresql.postgresql_pg_hba: firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True
dest: '{{ psql_conf_dir }}/pg_hba.conf' when:
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}' - psql_listen_on_ext_int
users: '{{ item.0.user }}' - firewalld_enabled
address: '{{ item.1 }}' tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules' ]
databases: '{{ item.0.name }}'
method: '{{ item.0.hash_method | default("scram-sha-256") }}'
owner: root
group: postgres
mode: "0640"
state: "{{ item.0.state | default('present') }}"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
notify: Reload postgresql
# No conditionals, it is required to perform base backups when the WAL archive is active - name: Give access to the remote postgresql client
- name: configure-access | Give local access with replication privileges to the postgres user lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
community.postgresql.postgresql_pg_hba: with_subelements:
dest: '{{ psql_conf_dir }}/pg_hba.conf' - '{{ psql_db_data | default([]) }}'
contype: 'local' - allowed_hosts
users: 'postgres' when:
databases: 'replication' - psql_listen_on_ext_int
method: 'peer' - psql_db_data is defined
state: present - item.1 is defined
owner: root - not psql_force_ssl_client_connection
group: postgres notify: Reload postgresql
mode: "0640" tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
notify: Reload postgresql
- name: configure-access | Flush handlers - name: Give access to the remote postgresql client, force ssl
ansible.builtin.meta: flush_handlers lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
# No conditionals, it is needed to perform base backups when the WAL archive is active
- name: Remove the ident authentication for the local connections
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local.*?all.*?ident$" state=absent owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: Give local access with replication privileges to the postgres user
lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" owner=root group=postgres mode='0440'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
- name: configure-access | Configure accesses on EL
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
block:
- name: configure-access | Open the postgresql service to a specific zone.
ansible.posix.firewalld:
service: postgresql
zone: "{{ postgresql_firewalld_zone }}"
permanent: true
state: enabled
immediate: true
when:
- psql_listen_on_ext_int
- firewalld_enabled
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']
- name: configure-access | Give access to the remote postgresql client
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
users: '{{ item.0.user }}'
address: '{{ item.1 }}'
databases: '{{ item.0.name }}'
method: '{{ item.0.hash_method | default("scram-sha-256") }}'
state: "{{ item.0.state | default('present') }}"
owner: root
group: postgres
mode: "0640"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
notify: Reload postgresql
# No conditionals, it is required to perform base backups when the WAL archive is active
- name: configure-access | Remove the ident authentication for the local connections
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
contype: 'local'
users: 'all'
databases: 'all'
method: 'ident'
state: absent
owner: root
group: postgres
mode: "0640"
notify: Reload postgresql
- name: configure-access | Give local access with replication privileges to the postgres user
community.postgresql.postgresql_pg_hba:
dest: '{{ psql_conf_dir }}/pg_hba.conf'
contype: 'local'
users: 'postgres'
databases: 'replication'
method: 'peer'
state: present
owner: root
group: postgres
mode: "0640"
notify: Reload postgresql
- name: configure-access | Flush handlers
ansible.builtin.meta: flush_handlers
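Review bot: Every `pg_hba.conf` line written by the `lineinfile` tasks on the new side ends in a fixed `md5`, for the `host` and the `hostssl` variants and in both the Debian and the EL block. MD5 is the weakest password method PostgreSQL still accepts, and with the `host` variant the exchange is not protected by TLS either; the method also can no longer be chosen per database entry. Keep it configurable, e.g. `line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ item.0.hash_method | default('scram-sha-256') }}"`, together with a matching `password_encryption` setting so that stored passwords are hashed accordingly. The `regexp` interpolates the database, user and address values unescaped, so the dots in a CIDR match any character; `{{ item.1 | regex_escape }}` would make the match exact.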


@ -1,64 +1,32 @@
--- ---
- name: Postgresql external repository - import_tasks: postgresql_org_repo.yml
ansible.builtin.import_tasks: postgresql_org_repo.yml - import_tasks: packages.yml
- name: Manage the postgresql packages
ansible.builtin.import_tasks: postgresql-packages.yml
when: psql_postgresql_install when: psql_postgresql_install
- name: Manage the postgis packages - import_tasks: postgis.yml
ansible.builtin.import_tasks: postgis.yml
when: postgres_install_gis_extensions when: postgres_install_gis_extensions
- name: PostgreSQL configuration of deb systems - import_tasks: postgresql-config.yml
ansible.builtin.import_tasks: postgresql-config-deb.yml when: psql_postgresql_install
- import_tasks: postgresql-ssl-config.yml
when: psql_postgresql_install
- import_tasks: psql-kernel-sharedmem.yml
when: when:
- psql_postgresql_install - psql_postgresql_install
- not postgresql_client_only
- ansible_distribution_file_variety == "Debian"
- name: PostgreSQL configuration of EL systems
ansible.builtin.import_tasks: postgresql-config-el.yml
when:
- psql_postgresql_install
- not postgresql_client_only
- ansible_distribution_file_variety == "RedHat"
- name: TLS setup
ansible.builtin.import_tasks: postgresql-ssl-config.yml
when:
- psql_postgresql_install
- not postgresql_client_only
- name: Kernel sysctl parameters
ansible.builtin.import_tasks: psql-kernel-sharedmem.yml
when:
- psql_postgresql_install
- psql_set_shared_memory - psql_set_shared_memory
- not postgresql_client_only - import_tasks: configure-access.yml
- name: Configure access to the databases
ansible.builtin.import_tasks: configure-access.yml
when: when:
- psql_postgresql_install - psql_postgresql_install
- psql_db_data is defined - psql_db_data is defined
- not postgresql_client_only - import_tasks: postgresql-service-status.yml
- name: Service management when: psql_postgresql_install
ansible.builtin.import_tasks: postgresql-service-status.yml - import_tasks: manage_pg_db.yml
when:
- psql_postgresql_install
- not postgresql_client_only
- name: Manage the databases
ansible.builtin.import_tasks: manage_pg_db.yml
when: when:
- psql_postgresql_install - psql_postgresql_install
- psql_db_data is defined - psql_db_data is defined
- not postgresql_client_only - import_tasks: postgresql-streaming-replication.yml
- name: Streaming replication setup
ansible.builtin.import_tasks: postgresql-streaming-replication.yml
when: when:
- postgresql_streaming_replication - postgresql_streaming_replication
- not postgresql_client_only - import_tasks: postgresql-backup.yml
- name: Local backups when: psql_postgresql_install
ansible.builtin.import_tasks: postgresql-backup.yml - import_tasks: postgresql-letsencrypt-acmetool.yml
when: when:
- psql_postgresql_install - letsencrypt_acme_install is defined and letsencrypt_acme_install
- not postgresql_client_only
- name: Letsencrypt hook
ansible.builtin.import_tasks: postgresql-letsencrypt-acmetool.yml
when:
- postgresql_letsencrypt_managed
- not postgresql_client_only
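Review bot: The last import on the new side, `postgresql-letsencrypt-acmetool.yml`, is gated only on `letsencrypt_acme_install is defined and letsencrypt_acme_install`, so the certificate hook is set up on any host that has the ACME client, even when `psql_postgresql_install` or `psql_enable_ssl` is false. What the hook does is not visible here, but if it copies the private key to `psql_ssl_privkey_file` it should run only where the server actually uses TLS; add `- psql_postgresql_install` and `- psql_enable_ssl` to that `when` list. The imports also lose their `name:` lines, which makes the play output harder to follow.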


@ -1,70 +1,65 @@
--- ---
- name: manage_pg_db | Add a user for the postgresql DBs - name: Add a user for the postgresql DBs
become: true become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_user: postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
user: "{{ item.user }}" with_items: '{{ psql_db_data | default([]) }}'
password: "{{ item.pwd }}"
role_attr_flags: "{{ item.roles }}"
port: "{{ psql_db_port }}"
state: "{{ item.userstate | default('present') }}"
no_log: true
loop: '{{ psql_db_data | default([]) }}'
when: item.roles is defined when: item.roles is defined
tags: ['postgresql', 'postgres', 'pg_db', 'pg_user'] tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
- name: manage_pg_db | Add the databases with the correct owner. Or remove them, if not used anymore - name: Add the databases with the correct owner. Or remove them, if not used anymore
become: true become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_db: postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
db: "{{ item.name }}" with_items: '{{ psql_db_data | default([]) }}'
port: "{{ psql_db_port }}"
encoding: "{{ item.encoding }}"
owner: "{{ item.user }}"
template: template0
state: "{{ item.state | default('present') }}"
loop: '{{ psql_db_data | default([]) }}'
when: item.managedb | default(True) when: item.managedb | default(True)
tags: ['postgresql', 'postgres', 'pg_db'] tags: [ 'postgresql', 'postgres', 'pg_db' ]
- name: manage_pg_db | Manage users privileges - name: Manage users privileges
become: true become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_privs: postgresql_privs:
db: '{{ item.name }}' db: '{{ item.name }}'
privs: '{{ item.privs }}' privs: '{{ item.privs }}'
# type: database #type: database
objs: "{{ item.objs | default('ALL_IN_SCHEMA') }}" objs: "{{ item.objs | default('ALL_IN_SCHEMA') }}"
roles: '{{ item.roles }}' roles: '{{ item.roles }}'
port: '{{ psql_db_port }}' port: '{{ psql_db_port }}'
state: "{{ item.userstate | default('present') }}" state: "{{ item.userstate | default('present') }}"
grant_option: "{{ item.grant_option | default('yes') }}" grant_option: "{{ item.grant_option | default('yes') }}"
with_items: '{{ psql_db_privs | default([]) }}' with_items: '{{ psql_db_privs | default([]) }}'
tags: ['postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs'] tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs' ]
- name: manage_pg_db | Add postgres extensions to the databases, if any - name: Add postgres extensions to the databases, if needed
become: true become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_ext: postgresql_ext: name={{ item.1 | default(omit) }} db={{ item.0.name }} port={{ psql_db_port }}
name: "{{ item.1 | default(omit) }}"
db: "{{ item.0.name }}"
port: "{{ psql_db_port }}"
with_subelements: with_subelements:
- '{{ psql_db_extensions | default([]) }}' - '{{ psql_db_extensions | default([]) }}'
- extensions - extensions
when: psql_db_extensions is defined when: psql_db_extensions is defined
tags: ['postgresql', 'postgres', 'pg_extensions', 'pg_db'] tags: [ 'postgresql', 'postgres', 'pg_extensions', 'pg_db' ]
- name: manage_pg_db | Define a user with password, with no associated DBs # - name: Add schemas to a database.
become: true # become: True
# become_user: postgres
# postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
# with_subelements:
# - '{{ psql_db_data | default([]) }}'
# - schema
# when:
# - item.0.manageschema | default(False)
# - item.1 is defined
# ignore_errors: True
# tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]
- name: Define a user with password, with no associated DBs
become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_user: postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
user: "{{ item.user }}" with_items: '{{ psql_db_data | default(omit) }}'
password: "{{ item.pwd }}"
port: "{{ psql_db_port }}"
no_log: true
loop: '{{ psql_db_data | default([]) }}'
when: when:
- item.pwd is defined - item.pwd is defined
- item.roles is not defined - item.roles is not defined
tags: ['postgresql', 'postgres', 'pg_db'] tags: [ 'postgresql', 'postgres', 'pg_db' ]
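Review bot: The two `postgresql_user` tasks in their inline form ("Add a user for the postgresql DBs" and "Define a user with password, with no associated DBs", apparently the new side of this section) pass `password={{ item.pwd }}` without the `no_log: true` that the mapping-form variant carries, and the loop output prints each item, including `pwd`. Keep `no_log: true` on both tasks. The inline `key=value` arguments are also split on whitespace, so a password containing a space would likely be mis-parsed; the mapping form (`password: "{{ item.pwd }}"`) avoids that. On the last task, `with_items: '{{ psql_db_data | default(omit) }}'` should use `default([])` like the other loops.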

38
tasks/packages.yml Normal file

@ -0,0 +1,38 @@
---
- block:
- name: install the postgresql packages
apt: pkg={{ postgresql_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600
notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
tags: [ 'postgresql', 'postgres' ]
- name: EL
block:
- name: install the postgresql packages from the pgdg repository
yum: pkg={{ psql_el_pgdg_packages }} state={{ psql_pkg_state }}
- name: Init the db if needed
command: /usr/pgsql-{{ psql_version }}/bin/postgresql-{{ psql_version }}-setup initdb
args:
creates: '{{ psql_el_data_dir }}/postgresql.conf'
when:
- not psql_el_install_scl_version
- ansible_distribution_file_variety == "RedHat"
tags: [ 'postgresql', 'postgres' ]
- name: EL from SCL
block:
- name: install the postgresql scl packages
yum: pkg={{ psql_el_scl_packages }} state={{ psql_pkg_state }}
- name: Init the db if needed
command: /opt/rh/rh-postgresql{{ psql_version }}/root/usr/bin/postgresql-setup --initdb
args:
creates: '{{ psql_el_data_dir }}/postgresql.conf'
when:
- psql_el_install_scl_version
- ansible_distribution_file_variety == "RedHat"
tags: [ 'scl', 'postgresql', 'postgres' ]
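Review bot: `apt: pkg={{ postgresql_pkgs }} …` and the two `yum: pkg={{ … }}` tasks pass what look like package lists through inline `key=value` arguments, where the value is templated into a string before the module sees it. The mapping form (`pkg: "{{ postgresql_pkgs }}"` under `ansible.builtin.apt:`), which the removed packages file on this page uses, keeps the value a list and is easier to lint. The first `block:` also has no `name:`, unlike the two EL blocks. The same inline-argument style appears in the postgis section that follows.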


@ -1,17 +1,13 @@
--- ---
- name: postgis | Install the postgresql GIS packages on deb/ubuntu - name: install the postgresql GIS packages on deb/ubuntu
ansible.builtin.apt: apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600
pkg: "{{ postgres_gis_pkgs }}"
state: "{{ psql_pkg_state }}"
cache_valid_time: 3600
notify: Restart postgresql notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'postgis'] tags: [ 'postgresql', 'postgres', 'postgis' ]
- name: postgis | Install the postgresql GIS packages on EL - name: install the postgresql GIS packages on EL
ansible.builtin.yum: yum: pkg={{ postgres_el_gis_pkgs }} state={{ psql_pkg_state }}
pkg: "{{ postgres_el_gis_pkgs }}"
state: "{{ psql_pkg_state }}"
notify: Restart postgresql notify: Restart postgresql
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'postgis'] tags: [ 'postgresql', 'postgres', 'postgis' ]


@ -44,7 +44,7 @@
tags: [ 'pg_backup', 'postgresql', 'postgres' ] tags: [ 'pg_backup', 'postgresql', 'postgres' ]
- name: Backup script for the postgresql streaming replication database(s) - name: Backup script for the postgresql streaming replication database(s)
template: src=postgresql_wal_backup_and_removal.j2 dest=/usr/local/sbin/postgresql_wal_backup_and_removal owner=root group=postgres mode=0754 template: src=postgresql_wal_backup_and_removal.j2 dest=/usr/local/sbin/postgresql_wal_backup_and_removal owner=root mode=0744
tags: [ 'pg_stream_backup', 'postgresql', 'postgres' ] tags: [ 'pg_stream_backup', 'postgresql', 'postgres' ]
- name: backuppc root script for the postgresql streaming replication database(s) - name: backuppc root script for the postgresql streaming replication database(s)
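Review bot: On the `template:` line for `/usr/local/sbin/postgresql_wal_backup_and_removal`, the variant with `owner=root mode=0744` (apparently the new side) drops `group=postgres` and the group execute bit, so only root can execute the script while every local account can still read it. If the script is run by the postgres account, which this hunk does not show, it will stop working, and world-read is broader than a backup script needs. Consider `owner=root group=postgres mode=0750`. The task list continues outside the hunk.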


@ -1,144 +0,0 @@
---
- name: postgresql-config-deb | Data directory for Deb/Ubuntu
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-deb | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_data_dir }}"
owner: postgres
group: postgres
mode: '700'
state: directory
- name: postgresql-config-deb | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
ansible.builtin.lineinfile:
path: "{{ psql_conf_dir }}/postgresql.conf"
regexp: "^data_directory\ ="
line: "data_directory = '{{ psql_data_dir }}'"
create: false
state: present
- name: postgresql-config-deb | Check if the new postgresql data directory has been populated already
ansible.builtin.stat:
path: "{{ psql_data_dir }}/.postgresql_data_dir"
register: postgresql_data_dir
- name: postgresql-config-deb | Stop the postgresql service while reconfiguring the data directory
ansible.builtin.service:
name: postgresql
state: stopped
when: not postgresql_data_dir.stat.exists
- name: postgresql-config-deb | Copy the postgresql data directory into the new place
ansible.builtin.shell:
cmd: |
if [ "/var/lib/postgresql/{{ psql_version | quote }}/main" != "{{ psql_data_dir | quote }}" ] ; then
cp -a /var/lib/postgresql/{{ psql_version | quote }}/main/* {{ psql_data_dir | quote }}
echo "Custom data dir" > "{{ psql_data_dir | quote }}/.postgresql_data_dir"
fi
args:
creates: '{{ psql_data_dir | quote }}/.postgresql_data_dir'
- name: postgresql-config-deb | Start the postgresql service that will use the new data directory
ansible.builtin.service:
name: postgresql
state: started
- name: postgresql-config-deb | Configuration of Deb/Ubuntu systems
when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-deb | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_parameters }}'
notify: Restart postgresql
- name: postgresql-config-deb | Set the postgresql logging configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_log_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
- name: postgresql-config-deb | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_autovacuum_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
- name: postgresql-config-deb | Set the postgresql listen port
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'port'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-deb | We want postgres listen on the public IP
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-deb | Custom configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_custom_parameters }}'
notify: Restart postgresql
- name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-deb | Log the connections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_connections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Log the disconnections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_disconnections'
value: "{% if psql_listen_on_ext_int is defined %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Log the hostnames
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_hostname'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-deb | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-deb | Flush flush_handlers Reload PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']


@ -1,169 +0,0 @@
---
- name: postgresql-config-el | Data directory for EL
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-el | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_el_data_dir }}"
owner: postgres
group: postgres
mode: "700"
state: directory
- name: postgresql-config-el | Set the postgresql data dir if it is different from the default
become: true
become_user: postgres
ansible.builtin.lineinfile:
path: "{{ psql_el_conf_dir }}/postgresql.conf"
regexp: "^data_directory\ ="
line: "data_directory = '{{ psql_el_data_dir }}'"
create: false
state: present
- name: postgresql-config-el | Check if the new postgresql data directory has been populated already
ansible.builtin.stat:
path: "{{ psql_el_data_dir }}/.postgresql_data_dir"
register: postgresql_data_dir
- name: postgresql-config-el | Stop the postgresql service while reconfiguring the data directory
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: stopped
when: not postgresql_data_dir.stat.exists
- name: postgresql-config-el | Copy the postgresql data directory into the new place
ansible.builtin.shell:
cmd: |
if [ "/var/lib/pgsql/{{ psql_version | quote }}/data" != "{{ psql_el_data_dir | quote }}" ] ; then
cp -a /var/lib/pgsql/{{ psql_version | quote }}/main/* {{ psql_el_data_dir | quote }}
echo "Custom data dir" > "{{ psql_el_data_dir | quote }}/.postgresql_data_dir"
fi
args:
creates: '{{ psql_el_data_dir }}/.postgresql_data_dir'
register: postgresql_new_data_dir
- name: postgresql-config-el | Fix the SELinux context for the new data directory
community.general.sefcontext:
target: '{{ psql_el_base_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config-el | Restore the SELinux context
ansible.builtin.command: restorecon -vR {{ psql_el_base_dir }}
when: postgresql_new_data_dir is changed
- name: postgresql-config-el | Start the postgresql service that will use the new data directory
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: started
- name: postgresql-config-el | Configuration of EL systems
when: ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'pg_conf']
block:
- name: postgresql-config-el | Create the postgresql log directory
ansible.builtin.file:
dest: "{{ psql_log_dir }}"
state: directory
owner: postgres
group: postgres
mode: '0750'
register: postgresql_log_dir_creation
- name: postgresql-config-el | Fix the SELinux context for the postgresql log directory
community.general.sefcontext:
target: '{{ psql_log_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: postgresql-config-el | Fix the SELinux context for the postgresql log directory
ansible.builtin.command: restorecon -vR {{ psql_log_dir }}
when: postgresql_log_dir_creation is changed
- name: postgresql-config-el | Set some postgresql configuration parameters that require a db restart
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_conf_parameters }}'
notify: Restart postgresql
- name: postgresql-config-el | Set the postgresql logging configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_log_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_log']
- name: postgresql-config-el | Set the postgresql autovacuum configuration parameters
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}"
loop: '{{ psql_autovacuum_configuration }}'
notify: Reload postgresql
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum']
- name: postgresql-config-el | Set the postgresql listen port
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'port'
value: "{% if psql_listen_on_ext_int %}{{ psql_db_port }}{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | We want postgres listen on the public IP
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | If postgresql is only accessed from localhost make it listen only on the localhost interface
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'listen_addresses'
value: "{% if psql_listen_on_ext_int %}*{% else %}default{% endif %}"
notify: Restart postgresql
- name: postgresql-config-el | Flush flush_handlers Restart PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']
- name: postgresql-config-el | Log the connections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_connections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Log the disconnections
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_disconnections'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Log the hostnames
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: 'log_hostname'
value: "{% if psql_listen_on_ext_int %}on{% else %}default{% endif %}"
notify: Reload postgresql
- name: postgresql-config-el | Flush flush_handlers Reload PostgreSQL
ansible.builtin.meta: flush_handlers
tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']

253
tasks/postgresql-config.yml Normal file

@ -0,0 +1,253 @@
---
- name: Data directory for Deb/Ubuntu
block:
- name: Check if the new postgresql data directory exists
stat: path={{ psql_data_dir }}
register: postgresql_data_dir
- name: Stop the postgresql service while reconfiguring the data directory
service: name=postgresql state=stopped
when: postgresql_data_dir.stat.isdir is not defined
- name: Create the postgresql data directory if it is not in the default place
file: dest={{ psql_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
- name: Set the postgresql data dir if it is different from the default
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_data_dir }}'"
- name: Copy the postgresql data directory into the new place
shell: '[ "/var/lib/postgresql/{{ psql_version }}/main" != "{{ psql_data_dir }}" ] && cp -a /var/lib/postgresql/{{ psql_version }}/main/* {{ psql_data_dir }}'
args:
creates: '{{ psql_data_dir }}/main/base'
when: postgresql_data_dir.stat.isdir is not defined
- name: Start the postgresql service that will use the new data directory
service: name=postgresql state=started
when: postgresql_data_dir.stat.isdir is not defined
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "Debian"
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Configuration of Deb/Ubuntu systems
block:
- name: Set some postgresql configuration parameters that require a db restart
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_conf_parameters }}'
when: item.set == 'True'
notify: Restart postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Set the postgresql logging configuration parameters
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_log_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ]
- name: Set the postgresql autovacuum configuration parameters
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_autovacuum_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ]
- name: Set the postgresql listen port
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}"
register: restart_postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: We want postgres listen on the public IP
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'*'"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: If postgresql is only accessed from localhost make it listen only on the localhost interface
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'"
register: restart_postgresql
when:
- not psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the connections
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_connections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the disconnections
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_disconnections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the hostnames
action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_hostname value="on"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Set the correct permissions to the postgresql files
file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
with_items:
- pg_hba.conf
- postgresql.conf
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
- name: Restart the postgresql server after changing parameters that need a restart
service: name=postgresql state=restarted
when:
- restart_postgresql is defined and restart_postgresql is changed
ignore_errors: True
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
when: ansible_distribution_file_variety == "Debian"
- name: Data directory for EL
block:
- name: Check if the new postgresql data directory exists
stat: path={{ psql_el_data_dir }}
register: postgresql_data_dir
- name: Stop the postgresql service while reconfiguring the data directory
service: name='postgresql-{{ psql_version }}' state=stopped
when: postgresql_data_dir.stat.isdir is not defined
- name: Create the postgresql data directory if it is not in the default place
file: dest={{ psql_el_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
- name: Set the postgresql data dir if it is different from the default
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_el_data_dir }}'"
- name: Copy the postgresql data directory into the new place
shell: '[ "/var/lib/pgsql/{{ psql_version }}/data" != "{{ psql_el_data_dir }}" ] && cp -a /var/lib/pgsql/{{ psql_version }}/data/* {{ psql_el_data_dir }}'
args:
creates: '{{ psql_el_data_dir }}/base'
when: postgresql_data_dir.stat.isdir is not defined
- name: Fix the SELinux context for the new data directory
sefcontext:
target: '{{ psql_el_base_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: Restore the SELinux context
command: restorecon -vR {{ psql_el_base_dir }}
- name: Start the postgresql service that will use the new data directory
service: name='postgresql-{{ psql_version }}' state=started
when: postgresql_data_dir.stat.isdir is not defined
when:
- psql_use_alternate_data_dir
- ansible_distribution_file_variety == "RedHat"
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Configuration of EL systems
block:
- name: Create the postgresql log directory
file: dest={{ psql_log_dir }} state=directory owner=postgres group=postgres mode='0750'
- name: Fix the SELinux context for the postgresql log directory
sefcontext:
target: '{{ psql_log_dir }}(/.*)?'
setype: postgresql_db_t
state: present
- name: Fix the SELinux context for the postgresql log directory
command: restorecon -vR {{ psql_log_dir }}
- name: Set some postgresql configuration parameters that require a db restart
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_conf_parameters }}'
when: item.set == 'True'
notify: Restart postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Set the postgresql logging configuration parameters
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_log_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ]
- name: Set the postgresql autovacuum configuration parameters
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}"
with_items: '{{ psql_autovacuum_configuration }}'
when: item.set == 'True'
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ]
- name: Set the postgresql listen port
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}"
register: restart_postgresql
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: We want postgres listen on the public IP
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'*'"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: If postgresql is only accessed from localhost make it listen only on the localhost interface
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'"
register: restart_postgresql
when:
- not psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the connections
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_connections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the disconnections
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_disconnections value="on"
register: restart_postgresql
when: psql_db_data is defined
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Log the hostnames
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key=log_hostname value="on"
register: restart_postgresql
when:
- psql_listen_on_ext_int
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
- name: Set the correct permissions to the postgresql files
file: dest={{ psql_el_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
with_items:
- pg_hba.conf
- postgresql.conf
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
- name: Restart the postgresql server after changing parameters that need a restart
service: name='postgresql-{{ psql_version }}' state=restarted
when:
- restart_postgresql is defined and restart_postgresql is changed
ignore_errors: True
tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
when: ansible_distribution_file_variety == "RedHat"
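Review bot: Every `configfile` task from "Set the postgresql listen port" to "Log the hostnames" writes `register: restart_postgresql`, so the final "Restart the postgresql server…" task only sees the result of the last one, and a skipped task still overwrites the variable; a changed port or `listen_addresses` can therefore be left without a restart, in both the Debian and the EL block. Use `notify: Restart postgresql` on those tasks, as the parameter loops above them already do, and drop the trailing restart task together with its `ignore_errors: True`, which hides a failed restart. The two `shell:` copy tasks also interpolate `psql_version`, `psql_data_dir` and `psql_el_data_dir` unquoted, whereas the removed config files on this page pass them through `| quote`. `when: item.set == 'True'` compares against a string and will not match if `set` is a YAML boolean.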


@ -1,119 +0,0 @@
---
- name: postgresql-packages | Manage the postgresql packages installation
when:
- ansible_distribution_file_variety == "Debian"
- not postgresql_client_only
tags: ['postgresql', 'postgres']
block:
- name: postgresql-packages | Install the postgresql server packages on Deb systems
ansible.builtin.apt:
pkg: "{{ postgresql_pkgs }}"
state: present
cache_valid_time: 3600
notify: Restart postgresql
- name: postgresql-packages | Manage the postgresql client installation
when:
- ansible_distribution_file_variety == "Debian"
- postgresql_client_only
tags: ['postgresql', 'postgres', 'postgres_client']
block:
- name: postgresql-packages | Install the postgresql client packages on Deb systems
ansible.builtin.apt:
pkg: postgresql-client
state: present
cache_valid_time: 3600
- name: postgresql-packages | EL server packages
when:
- not psql_el_install_scl_version
- not postgresql_client_only
- ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres']
block:
- name: postgresql-packages | Install the postgresql EL packages from the pgdg repository
ansible.builtin.yum:
pkg: "{{ psql_el_pgdg_packages }}"
state: present
- name: postgresql-packages | Print the DATA directory
ansible.builtin.debug:
msg: "Postgresql data directory: {{ psql_el_data_dir }}"
- name: postgresql-packages | Create the postgresql data directory if it is not in the default place
ansible.builtin.file:
dest: "{{ psql_el_data_dir }}"
owner: postgres
group: postgres
mode: "700"
state: directory
when: psql_use_alternate_data_dir
- name: postgresql-packages | Crate a systemd directory to customize the postgresql startup unit
ansible.builtin.file:
dest: "/etc/systemd/system/postgresql-{{ psql_version }}.service.d"
owner: root
group: root
mode: "755"
state: directory
when: psql_use_alternate_data_dir
- name: postgresql-packages | Crate a postgresql systemd unit environment file
ansible.builtin.template:
src: postgresql-service-environment.conf.j2
dest: "/etc/systemd/system/postgresql-{{ psql_version }}.service.d/environment.conf"
owner: root
group: root
mode: "644"
when: psql_use_alternate_data_dir
notify: Reload systemd
- name: postgresql-packages | Postgresql install flush handlers
ansible.builtin.meta: flush_handlers
- name: postgresql-packages | Init the db if needed on EL systems
ansible.builtin.command: /usr/pgsql-{{ psql_version }}/bin/postgresql-{{ psql_version }}-setup initdb
args:
creates: '{{ psql_el_data_dir }}/postgresql.conf'
- name: postgresql-packages | EL server packages from SCL
when:
- psql_el_install_scl_version
- ansible_distribution_file_variety == "RedHat"
- not postgresql_client_only
tags: ['scl', 'postgresql', 'postgres']
block:
- name: postgresql-packages | Install the postgresql scl packages on EL
ansible.builtin.yum:
pkg: "{{ psql_el_scl_packages }}"
state: present
- name: postgresql-packages | Init the db if needed on EL systems
ansible.builtin.command: /opt/rh/rh-postgresql{{ psql_version }}/root/usr/bin/postgresql-setup --initdb
args:
creates: '{{ psql_el_data_dir }}/postgresql.conf'
- name: postgresql-packages | EL client packages
when:
- not psql_el_install_scl_version
- postgresql_client_only
- ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'postgres_client']
block:
- name: postgresql-packages | Install the postgresql client from the pgdg repository on EL systems
ansible.builtin.yum:
pkg: "postgresql{{ psql_version }}"
state: present
- name: postgresql-packages | EL client packages from SCL
when:
- psql_el_install_scl_version
- ansible_distribution_file_variety == "RedHat"
- postgresql_client_only
tags: ['scl', 'postgresql', 'postgres', 'postgres_client']
block:
- name: postgresql-packages | Install the postgresql scl client package on EL systems
ansible.builtin.yum:
pkg: "{{ item }}"
state: present
loop:
- "rh-postgresql{{ psql_version }}-runtime"
- "rh-postgresql{{ psql_version }}-postgresql"


@ -1,43 +1,47 @@
--- ---
- name: postgresql-ssl-config | TLS configuration - block:
- name: Setup SSL in the postgresql configuration
become: True
become_user: postgres
action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
- name: Setup SSL in the postgresql configuration
become: True
become_user: postgres
action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
with_items: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql
when: ansible_distribution_file_variety == "RedHat"
- name: Create the pki directory to store the postgresql key
file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
- name: Create a postgres accessible ssl key file if it does not exist
copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True
when: psql_enable_ssl when: psql_enable_ssl
tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf'] tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
block:
- name: postgresql-ssl-config | Setup SSL in the postgresql configuration
become: true - block:
- name: Disable SSL in the postgresql configuration
become: True
become_user: postgres become_user: postgres
community.postgresql.postgresql_set: action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
name: '{{ item.name }}' with_items: '{{ psql_conf_disable_ssl_parameters }}'
value: "{{ item.value }}"
loop: '{{ psql_conf_ssl_parameters }}'
notify: Restart postgresql notify: Restart postgresql
when: ansible_distribution_file_variety == "Debian"
- name: postgresql-ssl-config | Create the pki directory to store the private key - name: Disable SSL in the postgresql configuration
ansible.builtin.file: become: True
dest: /etc/pki/postgresql become_user: postgres
state: directory action: configfile path={{ psql_el_conf_dir }}/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
owner: postgres with_items: '{{ psql_conf_disable_ssl_parameters }}'
group: postgres notify: Restart postgresql
mode: '0750' when: ansible_distribution_file_variety == "RedHat"
- name: postgresql-ssl-config | Create a postgres accessible ssl key file if it does not exist
ansible.builtin.copy:
src: "{{ psql_ssl_privkey_global_file }}"
dest: "{{ psql_ssl_privkey_file }}"
owner: postgres
group: postgres
mode: '0400'
remote_src: true
- name: postgresql-ssl-config | Disable the TLS configuration
when: not psql_enable_ssl when: not psql_enable_ssl
tags: ['postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf'] tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
block:
- name: postgresql-ssl-config | Disable SSL in the postgresql configuration
become: true
become_user: postgres
community.postgresql.postgresql_set:
name: '{{ item.name }}'
value: "{{ item.value }}"
loop: '{{ psql_conf_disable_ssl_parameters }}'
notify: Restart postgresql
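Review bot: The two tasks that create `/etc/pki/postgresql` and copy the private key are written in free-form `key=value` style with templated, unquoted values (`src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} ... mode=0400`). A path containing a space or `=` would be split into extra module arguments, and the ownership and mode of the key are hard to audit on one long line. I would write them as native YAML mappings with quoted modes, as sketched below. The same applies to the `action: configfile ...` lines, where `value="'{{ item.value }}'"` wraps the value in single quotes without escaping it.

```yaml
- name: Create the pki directory to store the postgresql key
  ansible.builtin.file:
    dest: /etc/pki/postgresql
    state: directory
    owner: postgres
    group: postgres
    mode: "0750"
- name: Create a postgres accessible ssl key file if it does not exist
  ansible.builtin.copy:
    src: "{{ psql_ssl_privkey_global_file }}"
    dest: "{{ psql_ssl_privkey_file }}"
    owner: postgres
    group: postgres
    mode: "0400"
    remote_src: true
# … unchanged: the configfile tasks and the block's when / tags …
```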


@ -1,184 +1,173 @@
--- ---
- name: postgresql-streaming-replication | Configuration of the streaming replication - name: Configuration of the streaming replication
become: true block:
- name: Create the replication user
postgresql_user:
name: '{{ psql_streaming_replication_user }}'
role_attr_flags: "REPLICATION"
password: '{{ psql_streaming_replication_pwd }}'
encrypted: yes
state: present
- name: Setup the streaming replication on the primary
postgresql_set:
name: '{{ item.name }}'
value: "{{ item.value }}"
loop: '{{ psql_streaming_replication_config }}'
when: postgresql_streaming_replication_primary_node == ansible_fqdn
notify: Restart postgresql
- meta: flush_handlers
become: True
become_user: postgres become_user: postgres
tags: ['postgresql', 'postgres', 'pg_conf', 'postgresql_replication'] tags: [ 'postgresql', 'postgres', 'pg_conf', 'postgresql_replication' ]
- name: Configure the streaming replication user on deb systems
block: block:
- name: postgresql-streaming-replication | Create the replication user - name: Configure the replication user permissions on deb
community.postgresql.postgresql_user: postgresql_pg_hba:
name: '{{ psql_streaming_replication_user }}' dest: '{{ psql_conf_dir }}/pg_hba.conf'
role_attr_flags: "REPLICATION" contype: host
password: '{{ psql_streaming_replication_pwd }}' users: '{{ psql_streaming_replication_user }}'
encrypted: true address: '{{ item }}'
state: present databases: 'replication'
#method: 'scram-sha-256'
method: 'md5'
state: present
loop: '{{ psql_streaming_replication_hosts }}'
notify: Reload postgresql
when: not psql_enable_ssl
- name: postgresql-streaming-replication | Setup the streaming replication on the primary - name: Configure the replication user permissions on deb
community.postgresql.postgresql_set: postgresql_pg_hba:
name: '{{ item.name }}' dest: '{{ psql_conf_dir }}/pg_hba.conf'
value: "{% if item.set %}{{ item.value }}{% else %}default{% endif %}" contype: hostssl
loop: '{{ psql_streaming_replication_config }}' users: '{{ psql_streaming_replication_user }}'
when: postgresql_streaming_replication_primary_node == ansible_fqdn address: '{{ item }}'
notify: Restart postgresql databases: 'replication'
#method: 'scram-sha-256'
method: 'md5'
state: present
loop: '{{ psql_streaming_replication_hosts }}'
notify: Reload postgresql
when: psql_enable_ssl
- name: postgresql-streaming-replication | Flush flush_handlers restart PostgreSQL - meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: postgresql-streaming-replication | Configure the streaming replication user on deb systems
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication'] tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication' ]
- name: Configure the streaming replication user on EL
block: block:
- name: postgresql-streaming-replication | Configure the replication user permissions on deb - name: Configure the replication user permissions on EL
become: true postgresql_pg_hba:
become_user: postgres dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
community.postgresql.postgresql_pg_hba: contype: host
dest: '{{ psql_conf_dir }}/pg_hba.conf' users: '{{ psql_streaming_replication_user }}'
contype: host address: '{{ item }}'
users: '{{ psql_streaming_replication_user }}' databases: 'replication'
address: '{{ item }}' #method: 'scram-sha-256'
databases: 'replication' method: 'md5'
# method: 'scram-sha-256' state: present
method: 'md5' loop: '{{ psql_streaming_replication_hosts }}'
state: present notify: Reload postgresql
loop: '{{ psql_streaming_replication_hosts }}' when: not psql_enable_ssl
notify: Reload postgresql
when: not psql_enable_ssl
- name: postgresql-streaming-replication | Configure the replication user permissions on deb - name: Configure the replication user permissions on EL
become: true postgresql_pg_hba:
become_user: postgres dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
community.postgresql.postgresql_pg_hba: contype: hostssl
dest: '{{ psql_conf_dir }}/pg_hba.conf' users: '{{ psql_streaming_replication_user }}'
contype: hostssl address: '{{ item }}'
users: '{{ psql_streaming_replication_user }}' databases: 'replication'
address: '{{ item }}' #method: 'scram-sha-256'
databases: 'replication' method: 'md5'
# method: 'scram-sha-256' state: present
method: 'md5' loop: '{{ psql_streaming_replication_hosts }}'
state: present notify: Reload postgresql
loop: '{{ psql_streaming_replication_hosts }}' when: psql_enable_ssl
notify: Reload postgresql
when: psql_enable_ssl
- name: postgresql-streaming-replication | Flush flush_handlers reload PostgreSQL - meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: postgresql-streaming-replication | Configure the streaming replication user on EL
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication'] tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_hba', 'postgresql_replication' ]
- name: Manage the replica initialization
block: block:
- name: postgresql-streaming-replication | Configure the replication user permissions on EL - name: Set some paths when it is a deb based system
become: true set_fact:
become_user: postgres postgresql_user_home: '/var/lib/postgresql'
community.postgresql.postgresql_pg_hba: postgresql_active_data_dir: '{{ psql_data_dir }}'
dest: '{{ psql_el_conf_dir }}/pg_hba.conf' when: ansible_distribution_file_variety == "Debian"
contype: host
users: '{{ psql_streaming_replication_user }}'
address: '{{ item }}'
databases: 'replication'
# method: 'scram-sha-256'
method: 'md5'
state: present
loop: '{{ psql_streaming_replication_hosts }}'
notify: Reload postgresql
when: not psql_enable_ssl
- name: postgresql-streaming-replication | Configure the replication user permissions on EL - name: Set some paths it is a EL based system
become: true set_fact:
become_user: postgres postgresql_user_home: '/var/lib/pgsql'
community.postgresql.postgresql_pg_hba: postgresql_active_data_dir: '{{ psql_el_data_dir }}'
dest: '{{ psql_el_conf_dir }}/pg_hba.conf' when: ansible_distribution_file_variety == "RedHat"
contype: hostssl
users: '{{ psql_streaming_replication_user }}'
address: '{{ item }}'
databases: 'replication'
# method: 'scram-sha-256'
method: 'md5'
state: present
loop: '{{ psql_streaming_replication_hosts }}'
notify: Reload postgresql
when: psql_enable_ssl
- name: postgresql-streaming-replication | Flush flush_handlers reload PostgreSQL - name: Create the .pgpass file inside the postgresql home {{ postgresql_user_home }}
ansible.builtin.meta: flush_handlers become: True
become_user: postgres
copy:
content: "{{ postgresql_streaming_replication_primary_node }}:{{ psql_db_port }}:replication:{{ psql_streaming_replication_user }}:{{ psql_streaming_replication_pwd }}"
dest: '{{ postgresql_user_home }}/.pgpass'
mode: '0400'
- name: Check if a replica is already enabled
stat:
path: '{{ postgresql_active_data_dir }}/standby.signal'
register: standby_signal_file
- debug:
msg: 'Replica file: {{ postgresql_active_data_dir }}/standby.signal'
- name: Stop the postgresql service on deb systems
service:
name: postgresql
state: stopped
when:
- ansible_distribution_file_variety == "Debian"
- not standby_signal_file.stat.exists
- name: Stop the postgresql service on EL systems
service:
name: 'postgresql-{{ psql_version }}'
state: stopped
when:
- ansible_distribution_file_variety == "RedHat"
- not standby_signal_file.stat.exists
- name: Remove the data directory contents {{ postgresql_active_data_dir }}
become: True
become_user: postgres
file:
dest: '{{ postgresql_active_data_dir }}'
state: absent
when: not standby_signal_file.stat.exists
- name: Run the pg_basebackup command that starts the replica
become: True
become_user: postgres
shell: /usr/bin/pg_basebackup -h {{ postgresql_streaming_replication_primary_node }} -p {{ psql_db_port }} -U {{ psql_streaming_replication_user }} -D {{ postgresql_active_data_dir }} -Fp -R -Xs -P -w
when: not standby_signal_file.stat.exists
- name: Start the postgresql service
service:
name: postgresql
state: started
when:
- ansible_distribution_file_variety == "Debian"
- not standby_signal_file.stat.exists
- name: Start the postgresql service on EL systems
service:
name: 'postgresql-{{ psql_version }}'
state: started
when:
- ansible_distribution_file_variety == "RedHat"
- not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Manage the replica initialization
when: postgresql_streaming_replication_primary_node != ansible_fqdn when: postgresql_streaming_replication_primary_node != ansible_fqdn
tags: ['postgresql', 'postgres', 'pg_conf', 'postgresql_replication'] tags: [ 'postgresql', 'postgres', 'pg_conf', 'postgresql_replication' ]
block:
- name: postgresql-streaming-replication | Set some paths when it is a deb based system
ansible.builtin.set_fact:
postgresql_user_home: '/var/lib/postgresql'
postgresql_active_data_dir: '{{ psql_data_dir }}'
when: ansible_distribution_file_variety == "Debian"
- name: postgresql-streaming-replication | Set some paths it is a EL based system
ansible.builtin.set_fact:
postgresql_user_home: '/var/lib/pgsql'
postgresql_active_data_dir: '{{ psql_el_data_dir }}'
when: ansible_distribution_file_variety == "RedHat"
- name: postgresql-streaming-replication | Create the .pgpass file inside the postgresql home {{ postgresql_user_home }}
become: true
become_user: postgres
ansible.builtin.template:
src: replica_pgpass.j2
dest: '{{ postgresql_user_home }}/.pgpass'
mode: '0400'
- name: postgresql-streaming-replication | Check if a replica is already enabled
ansible.builtin.stat:
path: '{{ postgresql_active_data_dir }}/standby.signal'
register: standby_signal_file
- name: postgresql-streaming-replication | Prnt the replica file
ansible.builtin.debug:
msg: 'Replica file: {{ postgresql_active_data_dir }}/standby.signal'
- name: postgresql-streaming-replication | Stop the postgresql service on deb systems
ansible.builtin.service:
name: postgresql
state: stopped
when:
- ansible_distribution_file_variety == "Debian"
- not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Stop the postgresql service on EL systems
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: stopped
when:
- ansible_distribution_file_variety == "RedHat"
- not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Remove the data directory contents {{ postgresql_active_data_dir }}
ansible.builtin.file:
dest: '{{ postgresql_active_data_dir }}'
state: absent
when: not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Run the pg_basebackup command that starts the replica
become: true
become_user: postgres
ansible.builtin.shell: >
/usr/bin/pg_basebackup -h {{ postgresql_streaming_replication_primary_node }}
-p {{ psql_db_port }} -U {{ psql_streaming_replication_user }}
-D {{ postgresql_active_data_dir }} -Fp -R -Xs -P -w
args:
creates: '{{ postgresql_active_data_dir }}'
when: not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Start the postgresql service
ansible.builtin.service:
name: postgresql
state: started
when:
- ansible_distribution_file_variety == "Debian"
- not standby_signal_file.stat.exists
- name: postgresql-streaming-replication | Start the postgresql service on EL systems
ansible.builtin.service:
name: 'postgresql-{{ psql_version }}'
state: started
when:
- ansible_distribution_file_variety == "RedHat"
- not standby_signal_file.stat.exists
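Review bot: All four `postgresql_pg_hba` tasks on the new side authenticate the replication user with `method: 'md5'` while the `scram-sha-256` line stays commented out, and the `contype: host` variants (used when `psql_enable_ssl` is false) leave the replication connection unencrypted. The defaults file sets `psql_version` to 13, which supports SCRAM, so I would switch to `method: 'scram-sha-256'`. That presumably also requires `password_encryption` to be `scram-sha-256` before the replication user's password is set, so the stored verifier matches. Separately, the `.pgpass` task now passes the password through `copy: content:`; adding `no_log: true` to that task keeps it out of task output and `--diff` runs.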


@ -1,55 +1,23 @@
--- ---
- name: postgresql_org_repo | Debian or Ubuntu - name: Debian or Ubuntu
block:
- name: Get the signing key for the postgresql.org repository
apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc state=present
- name: Setup the postgresql.org repository
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_lsb.codename }}-pgdg main' update_cache=yes
when: when:
- pg_use_postgresql_org_repo - pg_use_postgresql_org_repo
- ansible_distribution_file_variety == "Debian" - ansible_distribution_file_variety == "Debian"
tags: ['postgresql', 'postgresql_repo', 'postgres_client'] tags: [ 'postgresql', 'postgresql_repo' ]
block:
- name: postgresql_org_repo | Ensure that /etc/apt.d/keyrings exists - name: EL
ansible.builtin.file: block:
dest: /etc/apt/keyrings - name: Install the pgsql pgdg repository
state: directory yum: name={{ psql_el_pgdg_repo_url }} state={{ psql_pkg_state }}
owner: root
group: root
mode: "0755"
- name: postgresql_org_repo | Get the signing key for the postgresql.org repository
ansible.builtin.get_url:
url: "{{ postgresql_deb_repo_key_url }}"
dest: "{{ postgresql_deb_repo_key }}"
owner: root
group: root
mode: "0644"
- name: postgresql_org_repo | Install the repository for Ubuntu
ansible.builtin.deb822_repository:
name: postgresql-org
types: [deb]
uris: "{{ postgresql_deb_repository_url }}"
components:
- main
suites: ["{{ postgresql_deb_repository_rel }}"]
signed_by: "{{ postgresql_deb_repo_key }}"
state: present
enabled: true
notify: Flush the APT cache
- name: postgresql_org_repo | Postgresql repo flush handlers
ansible.builtin.meta: flush_handlers
- name: postgresql_org_repo | Manage the EL repository
when: when:
- pg_use_postgresql_org_repo - pg_use_postgresql_org_repo
- ansible_distribution_file_variety == "RedHat" - ansible_distribution_file_variety == "RedHat"
tags: ['postgresql', 'postgresql_repo', 'postgres_client'] tags: [ 'postgresql', 'postgresql_repo' ]
block:
- name: postgresql_org_repo | Install the pgsql pgdg repository on EL 7
ansible.builtin.yum:
name: "{{ psql_el_pgdg_repo_url }}"
state: present
disable_gpg_check: true
when: ansible_distribution_major_version is version_compare('8', '<')
- name: postgresql_org_repo | Install the pgsql pgdg repository on EL 8+
ansible.builtin.dnf:
name: "{{ psql_el_pgdg_repo_url }}"
state: present
disable_gpg_check: true
when: ansible_distribution_major_version is version_compare('8', '>=')
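Review bot: `apt_key` puts the postgresql.org key into the global APT trust store, so it is accepted for packages from every configured source, not only apt.postgresql.org; the underlying `apt-key` tool is also deprecated. I would download the key to a dedicated keyring file and reference it with `signed-by` in the `deb` line, as sketched below (the keyring directory may need to be created first on older releases). In the EL block, `yum: name={{ psql_el_pgdg_repo_url }}` installs a repository RPM straight from a URL, so it is worth confirming that the URL is https and that the package signature is verified.

```yaml
- name: Get the signing key for the postgresql.org repository
  ansible.builtin.get_url:
    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
    dest: /etc/apt/keyrings/postgresql.asc
    owner: root
    group: root
    mode: "0644"
- name: Setup the postgresql.org repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_lsb.codename }}-pgdg main"
    update_cache: true
# … unchanged: the block's when / tags and the EL block …
```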


@ -46,13 +46,12 @@ create_backup_dirs() {
cleanup_old_backups() { cleanup_old_backups() {
# Remove the old backups # Remove the old backups
# find ${HISTDIR} -mtime +${N_DAYS_TO_SPARE} -type f -exec rm -fv {} \; find ${HISTDIR} -atime +${N_DAYS_TO_SPARE} -type f -exec rm -f {} \;
ORD_DUMP_TO_DEL=$( expr $N_DAYS_TO_SPARE + 1 ) # TODELETE=$( /bin/ls "${HISTDIR}/" | awk -F '.' '{print $NF}' | sort -ruV | tail -n +${N_DAYS_TO_SPARE} )
TODELETE=$( /bin/ls "${HISTDIR}/" | awk -F '.' '{print $NF}' | sort -ruV | tail -n +${ORD_DUMP_TO_DEL} ) # for i in ${TODELETE}
for DATETODELETE in ${TODELETE} # do
do # rm -f "${HISTDIR}/*.${i}"
rm -fv ${HISTDIR}/*.${DATETODELETE} # done
done
} }
create_db_list() { create_db_list() {
@ -119,8 +118,6 @@ fix_backup_permissions() {
# #
umask 0077 umask 0077
cleanup_old_backups
create_backup_dirs create_backup_dirs
if [ "$BUILD_DBLIST" == "yes" ] ; then if [ "$BUILD_DBLIST" == "yes" ] ; then
create_db_list create_db_list
@ -153,5 +150,6 @@ else
fi fi
fix_backup_permissions fix_backup_permissions
cleanup_old_backups
exit $RETVAL exit $RETVAL
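Review bot: The retention in `cleanup_old_backups` now keys on `-atime`, which is unreliable on `noatime`/`relatime` mounts and is refreshed whenever another job reads the dumps, so files may not age out when expected; `-mtime` tracks when the dump was written. `${HISTDIR}` is also unquoted and unchecked, and GNU find falls back to the current directory when the path expands to nothing, so I would write `find "${HISTDIR:?}" -mtime +"${N_DAYS_TO_SPARE}" -type f -exec rm -f {} \;`. The call was also moved to the end of the script, where it appears to run regardless of `$RETVAL`; consider skipping the purge when the dump failed so the last good backups are kept.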


@ -2,7 +2,7 @@
H_NAME=$( hostname -f ) H_NAME=$( hostname -f )
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_CERTS_DIR={{ letsencrypt_acme_sh_certificates_install_path }} LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
LE_LOG_DIR=/var/log/letsencrypt LE_LOG_DIR=/var/log/letsencrypt
POSTGRESQL_CERTDIR=/etc/pki/postgresql POSTGRESQL_CERTDIR=/etc/pki/postgresql
POSTGRESQL_KEYFILE=$POSTGRESQL_CERTDIR/postgresql.key POSTGRESQL_KEYFILE=$POSTGRESQL_CERTDIR/postgresql.key


@ -1,2 +0,0 @@
[Service]
Environment=PGDATA={{ psql_el_data_dir }}


@ -1 +0,0 @@
{{ postgresql_streaming_replication_primary_node }}:{{ psql_db_port }}:replication:{{ psql_streaming_replication_user }}:{{ psql_streaming_replication_pwd }}