rick-infra/roles/postgresql/tasks/main.yml

---
# PostgreSQL Infrastructure Role - Simplified Tasks

- name: Install PostgreSQL
  pacman:
    name: postgresql
    state: present

- name: Install PostgreSQL Python library (for Ansible modules)
  pacman:
    name: python-psycopg2
    state: present

- name: Create PostgreSQL client access group
  group:
    name: "{{ postgresql_client_group }}"
    system: true
  when: postgresql_client_group_create

- name: Ensure postgres user is in client group
  user:
    name: postgres
    groups: "{{ postgresql_client_group }}"
    append: true
  when: postgresql_client_group_create

- name: Check if PostgreSQL data directory exists and is initialized
  stat:
    path: "/var/lib/postgres/data/PG_VERSION"
  register: postgresql_initialized

- name: Initialize PostgreSQL database cluster
  command: >
    initdb 
    -D /var/lib/postgres/data
    --locale={{ postgresql_locale }}
    --encoding={{ postgresql_encoding }}
    --auth-local=peer
    --auth-host={{ postgresql_auth_method }}
    {{ '--data-checksums' if postgresql_data_checksums else '' }}
  become: true
  become_user: postgres
  when: not postgresql_initialized.stat.exists
  notify: restart postgresql

- name: Deploy PostgreSQL configuration file
  template:
    src: postgresql.conf.j2
    dest: /var/lib/postgres/data/postgresql.conf
    owner: postgres
    group: postgres
    mode: '0600'
    backup: yes
  notify: restart postgresql

- name: Deploy PostgreSQL authentication configuration
  template:
    src: pg_hba.conf.j2
    dest: /var/lib/postgres/data/pg_hba.conf
    owner: postgres
    group: postgres
    mode: '0600'
    backup: yes
  notify: restart postgresql

- name: Create systemd override directory for PostgreSQL security
  file:
    path: /etc/systemd/system/postgresql.service.d
    state: directory
    mode: '0755'
  when: postgresql_systemd_security

- name: Deploy PostgreSQL systemd security override
  template:
    src: systemd-override.conf.j2
    dest: /etc/systemd/system/postgresql.service.d/override.conf
    mode: '0644'
  when: postgresql_systemd_security
  notify:
    - reload systemd
    - restart postgresql

- name: Create PostgreSQL Unix socket directory
  file:
    path: "{{ postgresql_unix_socket_directories }}"
    state: directory
    owner: postgres
    group: "{{ postgresql_client_group }}"
    mode: '0777'
  when: postgresql_unix_socket_enabled

- name: Get PostgreSQL client group GID for containerized applications
  shell: "getent group {{ postgresql_client_group }} | cut -d: -f3"
  register: postgresql_client_group_lookup
  changed_when: false
  when: postgresql_client_group_create

- name: Set PostgreSQL client group GID as fact
  set_fact:
    postgresql_client_group_gid: "{{ postgresql_client_group_lookup.stdout }}"
  when: postgresql_client_group_create and postgresql_client_group_lookup.stdout is defined

- name: Enable and start PostgreSQL service
  systemd:
    name: postgresql
    enabled: "{{ postgresql_service_enabled }}"
    state: "{{ postgresql_service_state }}"
    daemon_reload: true

- name: Wait for PostgreSQL to be ready (TCP)
  wait_for:
    port: "{{ postgresql_port }}"
    host: "{{ postgresql_listen_addresses }}"
    timeout: 30
  when: postgresql_service_state == "started" and postgresql_listen_addresses != ""

- name: Wait for PostgreSQL to be ready (Unix Socket)
  postgresql_ping:
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres
  register: postgresql_socket_ready
  until: postgresql_socket_ready is succeeded
  retries: 10
  delay: 3
  when: postgresql_service_state == "started" and postgresql_unix_socket_enabled and postgresql_listen_addresses == ""

- name: Display PostgreSQL infrastructure status
  debug:
    msg: |
      ✅ PostgreSQL infrastructure ready!
      
      📡 Service: {% if postgresql_unix_socket_enabled and postgresql_listen_addresses == "" %}Unix Socket ({{ postgresql_unix_socket_directories }}){% else %}{{ postgresql_listen_addresses }}:{{ postgresql_port }}{% endif %}
      🔒 Auth: {{ postgresql_auth_method }}
      📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
      {% if postgresql_unix_socket_enabled %}🔌 Socket: {{ postgresql_unix_socket_directories }} (mode {{ postgresql_unix_socket_permissions }}){% endif %}
      
      🏗️ Ready for applications to create databases/users