---
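- name: Configure accesses on Deb/Ubuntu
  # Two files are managed here: pg_hba.conf (which database/user may connect
  # from which address, with which auth method) and postgresql.conf (listener
  # and logging settings). Only the listener settings (port, listen_addresses)
  # need a full restart; pg_hba.conf and the log_* settings are applied by the
  # "Reload postgresql" handler (PostgreSQL re-reads them on SIGHUP).
  # Each restart-requiring task registers its own result: a single shared
  # register variable would be overwritten by the last task, so a port change
  # could go unrestarted.
  # The EL block below mirrors these tasks with the EL config directory.
  block:
  - name: Give access to the remote postgresql client
    # The regexp matches both "host" and "hostssl" entries for the same
    # (database, user, address) triple, so toggling
    # psql_force_ssl_client_connection rewrites the existing rule instead of
    # leaving two rules behind. regex_escape keeps the dots in database names
    # and CIDR addresses from acting as regex wildcards.
    # The auth method defaults to md5 for compatibility with existing
    # deployments; scram-sha-256 is the stronger choice on PostgreSQL 10+, but
    # it requires password_encryption = scram-sha-256 and re-hashed role
    # passwords before psql_hba_auth_method is switched.
    lineinfile:
      path: "{{ psql_conf_dir }}/pg_hba.conf"
      regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
      line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
    with_subelements:
      - "{{ psql_db_data | default([]) }}"
      - allowed_hosts
    when:
      - psql_listen_on_ext_int | bool
      - psql_db_data is defined
      - item.1 is defined
      - not psql_force_ssl_client_connection | bool
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  - name: Give access to the remote postgresql client, force ssl
    # Same rule as above but written as "hostssl", so the server rejects
    # non-TLS connections from the allowed hosts.
    lineinfile:
      path: "{{ psql_conf_dir }}/pg_hba.conf"
      regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
      line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
    with_subelements:
      - "{{ psql_db_data | default([]) }}"
      - allowed_hosts
    when:
      - psql_listen_on_ext_int | bool
      - psql_db_data is defined
      - item.1 is defined
      - psql_force_ssl_client_connection | bool
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  # Unconditional: local peer-authenticated replication access is needed to
  # take base backups when WAL archiving is active.
  - name: Give local access with replication privileges to the postgres user
    lineinfile:
      path: "{{ psql_conf_dir }}/pg_hba.conf"
      regexp: "^local replication postgres peer"
      line: "local replication postgres peer"
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  - name: Set the postgresql listen port
    # port is a postmaster-context setting: a change needs a full restart.
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: port
      value: "{{ psql_db_port }}"
    register: psql_port_conf
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: We want postgres listen on the public IP
    # listen_addresses is a postmaster-context setting: needs a restart.
    # The two listen_addresses tasks are mutually exclusive, but a skipped
    # task still registers, so each keeps its own variable.
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: listen_addresses
      value: "'*'"
    register: psql_listen_ext_conf
    when:
      - psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: If postgresql is only accessed from localhost make it listen only on the localhost interface
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: listen_addresses
      value: "'localhost'"
    register: psql_listen_local_conf
    when:
      - not psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the connections
    # "on" is quoted so YAML does not turn it into a boolean.
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: log_connections
      value: "on"
    notify: Reload postgresql
    when: psql_db_data is defined
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the disconnections
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: log_disconnections
      value: "on"
    notify: Reload postgresql
    when: psql_db_data is defined
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the hostnames
    # Only useful when remote clients are accepted; costs a reverse DNS
    # lookup per connection.
    configfile:
      path: "{{ psql_conf_dir }}/postgresql.conf"
      key: log_hostname
      value: "on"
    notify: Reload postgresql
    when:
      - psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Set the correct permissions to the postgresql files
    # root-owned, group-readable by postgres only: the server must read the
    # files, nobody else should (pg_hba.conf describes the access policy).
    # The mode is quoted so the leading zero is not parsed as octal by YAML.
    file:
      dest: "{{ psql_conf_dir }}/{{ item }}"
      owner: root
      group: postgres
      mode: "0640"
    with_items:
      - pg_hba.conf
      - postgresql.conf
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']

  - name: Restart the postgresql server after changing parameters that need a restart
    # Restart when any postmaster-context setting changed, regardless of which
    # task changed it.
    # A failed restart is tolerated so that a host where the service is not
    # running yet does not abort the play; note that the new listener and
    # pg_hba settings are not in effect until the service comes back up.
    service:
      name: postgresql
      state: restarted
    when: psql_port_conf is changed or psql_listen_ext_conf is changed or psql_listen_local_conf is changed
    ignore_errors: true
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']

  when: ansible_distribution_file_variety == "Debian"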

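- name: Configure accesses on EL
  # EL counterpart of the Deb/Ubuntu block above: same pg_hba.conf and
  # postgresql.conf handling, using the EL config directory and the versioned
  # service name, plus the firewalld opening.
  # Only the listener settings (port, listen_addresses) need a full restart;
  # pg_hba.conf and the log_* settings are applied by the "Reload postgresql"
  # handler (PostgreSQL re-reads them on SIGHUP).
  # Each restart-requiring task registers its own result: a single shared
  # register variable would be overwritten by the last task, so a port change
  # could go unrestarted.
  block:
  - name: Open the postgresql service to a specific zone.
    # NOTE(review): the firewalld "postgresql" service definition covers the
    # default PostgreSQL port; if psql_db_port is set to something else this
    # rule does not open the configured port -- confirm against the role's
    # defaults.
    firewalld:
      service: postgresql
      zone: "{{ postgresql_firewalld_zone }}"
      permanent: true
      immediate: true
      state: enabled
    when:
      - psql_listen_on_ext_int | bool
      - firewalld_enabled | bool

  - name: Give access to the remote postgresql client
    # The regexp matches both "host" and "hostssl" entries for the same
    # (database, user, address) triple, so toggling
    # psql_force_ssl_client_connection rewrites the existing rule instead of
    # leaving two rules behind. regex_escape keeps the dots in database names
    # and CIDR addresses from acting as regex wildcards.
    # The auth method defaults to md5 for compatibility with existing
    # deployments; scram-sha-256 is the stronger choice on PostgreSQL 10+, but
    # it requires password_encryption = scram-sha-256 and re-hashed role
    # passwords before psql_hba_auth_method is switched.
    lineinfile:
      path: "{{ psql_el_conf_dir }}/pg_hba.conf"
      regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
      line: "host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
    with_subelements:
      - "{{ psql_db_data | default([]) }}"
      - allowed_hosts
    when:
      - psql_listen_on_ext_int | bool
      - psql_db_data is defined
      - item.1 is defined
      - not psql_force_ssl_client_connection | bool
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  - name: Give access to the remote postgresql client, force ssl
    # Same rule as above but written as "hostssl", so the server rejects
    # non-TLS connections from the allowed hosts.
    lineinfile:
      path: "{{ psql_el_conf_dir }}/pg_hba.conf"
      regexp: "^host.* {{ item.0.name | regex_escape }} {{ item.0.user | regex_escape }} {{ item.1 | regex_escape }}.*$"
      line: "hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('md5') }}"
    with_subelements:
      - "{{ psql_db_data | default([]) }}"
      - allowed_hosts
    when:
      - psql_listen_on_ext_int | bool
      - psql_db_data is defined
      - item.1 is defined
      - psql_force_ssl_client_connection | bool
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  # Unconditional: local peer-authenticated replication access is needed to
  # take base backups when WAL archiving is active.
  - name: Give local access with replication privileges to the postgres user
    lineinfile:
      path: "{{ psql_el_conf_dir }}/pg_hba.conf"
      regexp: "^local replication postgres peer"
      line: "local replication postgres peer"
    notify: Reload postgresql
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_db']

  - name: Set the postgresql listen port
    # port is a postmaster-context setting: a change needs a full restart.
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: port
      value: "{{ psql_db_port }}"
    register: psql_port_conf
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: We want postgres listen on the public IP
    # listen_addresses is a postmaster-context setting: needs a restart.
    # The two listen_addresses tasks are mutually exclusive, but a skipped
    # task still registers, so each keeps its own variable.
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: listen_addresses
      value: "'*'"
    register: psql_listen_ext_conf
    when:
      - psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: If postgresql is only accessed from localhost make it listen only on the localhost interface
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: listen_addresses
      value: "'localhost'"
    register: psql_listen_local_conf
    when:
      - not psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the connections
    # "on" is quoted so YAML does not turn it into a boolean.
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: log_connections
      value: "on"
    notify: Reload postgresql
    when: psql_db_data is defined
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the disconnections
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: log_disconnections
      value: "on"
    notify: Reload postgresql
    when: psql_db_data is defined
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Log the hostnames
    # Only useful when remote clients are accepted; costs a reverse DNS
    # lookup per connection.
    configfile:
      path: "{{ psql_el_conf_dir }}/postgresql.conf"
      key: log_hostname
      value: "on"
    notify: Reload postgresql
    when:
      - psql_listen_on_ext_int | bool
    tags: ['postgresql', 'postgres', 'pg_conf']

  - name: Set the correct permissions to the postgresql files
    # root-owned, group-readable by postgres only: the server must read the
    # files, nobody else should (pg_hba.conf describes the access policy).
    # The mode is quoted so the leading zero is not parsed as octal by YAML.
    file:
      dest: "{{ psql_el_conf_dir }}/{{ item }}"
      owner: root
      group: postgres
      mode: "0640"
    with_items:
      - pg_hba.conf
      - postgresql.conf
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']

  - name: Restart the postgresql server after changing parameters that need a restart
    # Restart when any postmaster-context setting changed, regardless of which
    # task changed it.
    # A failed restart is tolerated so that a host where the service is not
    # running yet does not abort the play; note that the new listener and
    # pg_hba settings are not in effect until the service comes back up.
    service:
      name: "postgresql-{{ psql_version }}"
      state: restarted
    when: psql_port_conf is changed or psql_listen_ext_conf is changed or psql_listen_local_conf is changed
    ignore_errors: true
    tags: ['postgresql', 'postgres', 'pg_hba', 'pg_conf']

  when: ansible_distribution_file_variety == "RedHat"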