Joakim
762d00eebf
- Provides PostgreSQL server as shared database infrastructure - Follows KISS principle with only essential configuration (11 variables vs 45 originally) - Implements maximum security with Unix socket-only superuser access - Uses scram-sha-256 authentication for application users - Includes SystemD security hardening - Applications manage their own databases/users via this infrastructure - Production-ready with data checksums and localhost-only access
93 lines
2.5 KiB
YAML
93 lines
2.5 KiB
YAML
---
|
|
# PostgreSQL Infrastructure Role - Simplified Tasks
|
|
|
|
- name: Install PostgreSQL
|
|
pacman:
|
|
name: postgresql
|
|
state: present
|
|
|
|
- name: Install PostgreSQL Python library (for Ansible modules)
|
|
pacman:
|
|
name: python-psycopg2
|
|
state: present
|
|
|
|
- name: Check if PostgreSQL data directory exists and is initialized
|
|
stat:
|
|
path: "/var/lib/postgres/data/PG_VERSION"
|
|
register: postgresql_initialized
|
|
|
|
- name: Initialize PostgreSQL database cluster
|
|
command: >
|
|
initdb
|
|
-D /var/lib/postgres/data
|
|
--locale={{ postgresql_locale }}
|
|
--encoding={{ postgresql_encoding }}
|
|
--auth-local=peer
|
|
--auth-host={{ postgresql_auth_method }}
|
|
{{ '--data-checksums' if postgresql_data_checksums else '' }}
|
|
become: yes
|
|
become_user: postgres
|
|
when: not postgresql_initialized.stat.exists
|
|
notify: restart postgresql
|
|
|
|
- name: Deploy PostgreSQL configuration file
|
|
template:
|
|
src: postgresql.conf.j2
|
|
dest: /var/lib/postgres/data/postgresql.conf
|
|
owner: postgres
|
|
group: postgres
|
|
mode: '0600'
|
|
backup: yes
|
|
notify: restart postgresql
|
|
|
|
- name: Deploy PostgreSQL authentication configuration
|
|
template:
|
|
src: pg_hba.conf.j2
|
|
dest: /var/lib/postgres/data/pg_hba.conf
|
|
owner: postgres
|
|
group: postgres
|
|
mode: '0600'
|
|
backup: yes
|
|
notify: restart postgresql
|
|
|
|
- name: Create systemd override directory for PostgreSQL security
|
|
file:
|
|
path: /etc/systemd/system/postgresql.service.d
|
|
state: directory
|
|
mode: '0755'
|
|
when: postgresql_systemd_security
|
|
|
|
- name: Deploy PostgreSQL systemd security override
|
|
template:
|
|
src: systemd-override.conf.j2
|
|
dest: /etc/systemd/system/postgresql.service.d/override.conf
|
|
mode: '0644'
|
|
when: postgresql_systemd_security
|
|
notify:
|
|
- reload systemd
|
|
- restart postgresql
|
|
|
|
- name: Enable and start PostgreSQL service
|
|
systemd:
|
|
name: postgresql
|
|
enabled: "{{ postgresql_service_enabled }}"
|
|
state: "{{ postgresql_service_state }}"
|
|
daemon_reload: yes
|
|
|
|
- name: Wait for PostgreSQL to be ready
|
|
wait_for:
|
|
port: "{{ postgresql_port }}"
|
|
host: "{{ postgresql_listen_addresses }}"
|
|
timeout: 30
|
|
when: postgresql_service_state == "started"
|
|
|
|
- name: Display PostgreSQL infrastructure status
|
|
debug:
|
|
msg: |
|
|
✅ PostgreSQL infrastructure ready!
|
|
|
|
📡 Service: {{ postgresql_listen_addresses }}:{{ postgresql_port }}
|
|
🔒 Auth: {{ postgresql_auth_method }}
|
|
📊 Checksums: {{ 'Enabled' if postgresql_data_checksums else 'Disabled' }}
|
|
|
|
🏗️ Ready for applications to create databases/users |