roles/server/postgresql/tasks

[root/pub/somesible.git] / roles / server / postgresql / tasks / main.yml

#####################################
### someone's ansible provisioner ###
#####################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2025 by someone <someone@somenet.org>
#
###########################################################
# DO NOT FORGET TO UPDATE POSTGRESQL.CONF - CLUSTER PATHS #
###########################################################
# YOU WILL KILL THE LIVE-CLUSTER OTHERWISE! #
#############################################
---
- name: install postgresql
  apt:
    pkg:
    - postgresql-17
    - postgresql-17-postgis-3
    - pg-activity
    - python3-psycopg2
    - libdbd-pg-perl
    state: present
    policy_rc_d: 101
  tags: "online"
  ignore_errors: "{{ignore_online_errors | bool}}"

# TODO: upgrade or init

- name: copy postgresql.conf
  copy:
    src: "{{item}}"
    dest: "/etc/postgresql/17/main/postgresql.conf"
    mode: 0644
    owner: "postgres"
    group: "postgres"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/postgresql.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/postgresql.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/postgresql.conf"
    - "default/postgresql.conf"
  notify: restart postgresql.service


- name: copy pg_hba.conf
  copy:
    src: "{{item}}"
    dest: "/etc/postgresql/17/main/pg_hba.conf"
    mode: 0644
    owner: "postgres"
    group: "postgres"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/pg_hba.conf"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/pg_hba.conf"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/pg_hba.conf"
    - "default/pg_hba.conf"
  notify: restart postgresql.service


- name: create logrotate entry for postgresql
  copy:
    src: "{{item}}"
    dest: "/etc/logrotate.d/postgresql-common"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/postgresql-common.logrotate"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/postgresql-common.logrotate"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/postgresql-common.logrotate"
    - "default/postgresql-common.logrotate"


- name: enable and start postgresql.service
  include_role: name="base/systemd/enable-and-start"
  vars:
    service_name: postgresql.service


- name: set superuser password
  become_user: postgres
  postgresql_user:
    name: "postgres"
    password: "{{postgresql_postgres_pw}}"
    db: "postgres"
  when: postgresql_postgres_pw != ""


- name: ensure group grp_spectator exists and grant necessary privs on db postgres
  become_user: postgres
  postgresql_user:
    name: "grp_spectator"
    role_attr_flags: "NOLOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
    db: "postgres"


- name: revoke unnecessary privs for PUBLIC on db postgres
  become_user: postgres
  postgresql_privs:
    db: "postgres"
    state: absent
    privs: CREATE
    type: database
    role: public


- name: grant necessary privs for PUBLIC on db postgres
  become_user: postgres
  postgresql_privs:
    db: "postgres"
    privs: CONNECT,TEMPORARY
    type: database
    role: public


- name: revoke ALL privs for PUBLIC on schema "postgres.public"
  become_user: postgres
  postgresql_privs:
    db: "postgres"
    state: absent
    privs: ALL
    type: schema
    role: public
    objs: public