Add simplified PostgreSQL infrastructure role for database services
- Provides PostgreSQL server as shared database infrastructure - Follows KISS principle with only essential configuration (11 variables vs 45 originally) - Implements maximum security with Unix socket-only superuser access - Uses scram-sha-256 authentication for application users - Includes SystemD security hardening - Applications manage their own databases/users via this infrastructure - Production-ready with data checksums and localhost-only access
This commit is contained in:
93
roles/postgresql/tasks/main.yml
Normal file
93
roles/postgresql/tasks/main.yml
Normal file
@@ -0,0 +1,93 @@
|
||||
---
|
||||
# PostgreSQL Infrastructure Role - Simplified Tasks
|
||||
|
||||
- name: Install PostgreSQL
|
||||
pacman:
|
||||
name: postgresql
|
||||
state: present
|
||||
|
||||
- name: Install PostgreSQL Python library (for Ansible modules)
|
||||
pacman:
|
||||
name: python-psycopg2
|
||||
state: present
|
||||
|
||||
- name: Check if PostgreSQL data directory exists and is initialized
|
||||
stat:
|
||||
path: "/var/lib/postgres/data/PG_VERSION"
|
||||
register: postgresql_initialized
|
||||
|
||||
- name: Initialize PostgreSQL database cluster
|
||||
command: >
|
||||
initdb
|
||||
-D /var/lib/postgres/data
|
||||
--locale={{ postgresql_locale }}
|
||||
--encoding={{ postgresql_encoding }}
|
||||
--auth-local=peer
|
||||
--auth-host={{ postgresql_auth_method }}
|
||||
{{ '--data-checksums' if postgresql_data_checksums else '' }}
|
||||
become: yes
|
||||
become_user: postgres
|
||||
when: not postgresql_initialized.stat.exists
|
||||
notify: restart postgresql
|
||||
|
||||
- name: Deploy PostgreSQL configuration file
|
||||
template:
|
||||
src: postgresql.conf.j2
|
||||
dest: /var/lib/postgres/data/postgresql.conf
|
||||
owner: postgres
|
||||
group: postgres
|
||||
mode: '0600'
|
||||
backup: yes
|
||||
notify: restart postgresql
|
||||
|
||||
- name: Deploy PostgreSQL authentication configuration
|
||||
template:
|
||||
src: pg_hba.conf.j2
|
||||
dest: /var/lib/postgres/data/pg_hba.conf
|
||||
owner: postgres
|
||||
group: postgres
|
||||
mode: '0600'
|
||||
backup: yes
|
||||
notify: restart postgresql
|
||||
|
||||
- name: Create systemd override directory for PostgreSQL security
|
||||
file:
|
||||
path: /etc/systemd/system/postgresql.service.d
|
||||
state: directory
|
||||
mode: '0755'
|
||||
when: postgresql_systemd_security
|
||||
|
||||
- name: Deploy PostgreSQL systemd security override
|
||||
template:
|
||||
src: systemd-override.conf.j2
|
||||
dest: /etc/systemd/system/postgresql.service.d/override.conf
|
||||
mode: '0644'
|
||||
when: postgresql_systemd_security
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart postgresql
|
||||
|
||||
- name: Enable and start PostgreSQL service
|
||||
systemd:
|
||||
name: postgresql
|
||||
enabled: "{{ postgresql_service_enabled }}"
|
||||
state: "{{ postgresql_service_state }}"
|
||||
daemon_reload: yes
|
||||
|
||||
- name: Wait for PostgreSQL to be ready
|
||||
wait_for:
|
||||
port: "{{ postgresql_port }}"
|
||||
host: "{{ postgresql_listen_addresses }}"
|
||||
timeout: 30
|
||||
when: postgresql_service_state == "started"
|
||||
|
||||
- name: Display PostgreSQL infrastructure status
|
||||
debug:
|
||||
msg: |
|
||||
✅ PostgreSQL infrastructure ready!
|
||||
|
||||
📡 Service: {{ postgresql_listen_addresses }}:{{ postgresql_port }}
|
||||
🔒 Auth: {{ postgresql_auth_method }}
|
||||
📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
|
||||
|
||||
🏗️ Ready for applications to create databases/users
|
||||
Reference in New Issue
Block a user