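---
# configure-access: client authentication (pg_hba.conf) and host firewall
# rules for PostgreSQL, split by distribution family. Every pg_hba edit
# notifies the "Reload postgresql" handler, and handlers are flushed at the
# end of each block so the new rules are live before later tasks run.

- name: configure-access | Configure accesses on Deb/Ubuntu
  when: ansible_distribution_file_variety == "Debian"
  tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
  block:
    # One host/hostssl line per (database, allowed host) pair taken from
    # psql_db_data. When psql_force_ssl_client_connection is set the line is
    # written as hostssl, so remote clients that do not negotiate TLS are
    # rejected. The reach of each rule is exactly the address listed in
    # allowed_hosts; the password method defaults to scram-sha-256 unless the
    # database entry sets hash_method.
    # NOTE(review): with_subelements fails on a database entry that has no
    # allowed_hosts key; if such entries are expected, `skip_missing: true`
    # is probably intended — confirm against the inventory data.
    - name: configure-access | Give access to the remote postgresql client
      community.postgresql.postgresql_pg_hba:
        dest: '{{ psql_conf_dir }}/pg_hba.conf'
        contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
        users: '{{ item.0.user }}'
        address: '{{ item.1 }}'
        databases: '{{ item.0.name }}'
        method: '{{ item.0.hash_method | default("scram-sha-256") }}'
        owner: root
        group: postgres
        mode: "0640"
        state: "{{ item.0.state | default('present') }}"
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
      notify: Reload postgresql

    # No conditionals, it is required to perform base backups when the WAL archive is active.
    # Unix-socket only (contype local) with peer auth, so the OS user must be
    # "postgres" — no password and no network exposure for the replication role.
    - name: configure-access | Give local access with replication privileges to the postgres user
      community.postgresql.postgresql_pg_hba:
        dest: '{{ psql_conf_dir }}/pg_hba.conf'
        contype: 'local'
        users: 'postgres'
        databases: 'replication'
        method: 'peer'
        state: present
        owner: root
        group: postgres
        mode: "0640"
      notify: Reload postgresql

    - name: configure-access | Flush handlers
      ansible.builtin.meta: flush_handlers

- name: configure-access | Configure accesses on EL
  when: ansible_distribution_file_variety == "RedHat"
  # Block-level tags mirror the Debian block so a tagged run (e.g. --tags pg_hba)
  # also applies the EL pg_hba rules, not only the firewalld task below.
  tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']
  block:
    # Only opens the service when external listening is enabled and firewalld
    # is in use; the task keeps its own firewall tags in addition to the
    # block's.
    - name: configure-access | Open the postgresql service to a specific zone.
      ansible.posix.firewalld:
        service: postgresql
        zone: "{{ postgresql_firewalld_zone }}"
        permanent: true
        state: enabled
        immediate: true
      when:
        - psql_listen_on_ext_int
        - firewalld_enabled
      tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db', 'firewall', 'iptables_rules']

    # Same remote-client rule as the Debian block, written to the EL config dir.
    # NOTE(review): as on Debian, with_subelements fails on an entry without
    # allowed_hosts — `skip_missing: true` may be intended; confirm.
    - name: configure-access | Give access to the remote postgresql client
      community.postgresql.postgresql_pg_hba:
        dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
        contype: '{% if psql_force_ssl_client_connection %}hostssl{% else %}host{% endif %}'
        users: '{{ item.0.user }}'
        address: '{{ item.1 }}'
        databases: '{{ item.0.name }}'
        method: '{{ item.0.hash_method | default("scram-sha-256") }}'
        state: "{{ item.0.state | default('present') }}"
        owner: root
        group: postgres
        mode: "0640"
      with_subelements:
        - '{{ psql_db_data | default([]) }}'
        - allowed_hosts
      when:
        - psql_listen_on_ext_int
        - psql_db_data is defined
        - item.1 is defined
      notify: Reload postgresql

    # No conditionals, it is required to perform base backups when the WAL archive is active.
    # Removes the catch-all `local all all ident` line (presumably shipped by
    # the stock EL pg_hba.conf — confirm for the installed PostgreSQL version)
    # so local socket access is limited to the explicit rules managed here.
    - name: configure-access | Remove the ident authentication for the local connections
      community.postgresql.postgresql_pg_hba:
        dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
        contype: 'local'
        users: 'all'
        databases: 'all'
        method: 'ident'
        state: absent
        owner: root
        group: postgres
        mode: "0640"
      notify: Reload postgresql

    # dest uses psql_el_conf_dir like every other EL task in this block: the
    # replication rule must land in the same pg_hba.conf they edit, otherwise
    # it is written to the Debian path and base backups on EL fail peer auth.
    - name: configure-access | Give local access with replication privileges to the postgres user
      community.postgresql.postgresql_pg_hba:
        dest: '{{ psql_el_conf_dir }}/pg_hba.conf'
        contype: 'local'
        users: 'postgres'
        databases: 'replication'
        method: 'peer'
        state: present
        owner: root
        group: postgres
        mode: "0640"
      notify: Reload postgresql

    - name: configure-access | Flush handlers
      ansible.builtin.meta: flush_handlers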