--- /dev/null
+---
+- name: Playbook for PostgreSQL initialization
+ hosts: all
+ vars_files:
+ - ../vars/common.yaml
+ - ../vars/pg_vault.yaml
+ - ../vars/pg.yaml
+ tasks:
+ - name: install postgresql server
+ ansible.builtin.apt:
+ pkg: postgresql-{{ pg_version }}
+ state: present
+ - name: install additional packages
+ ansible.builtin.apt:
+ pkg: "{{ items }}"
+ state: present
+ with_items: "{{ pg_additional_packages }}"
+
+ - name: change postgres network binding
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ pg_version }}/main/postgresql.conf
+ regexp: '# listen_addresses'
+ line: "listen_addresses = '*'"
+
+ - name: start postgresql server
+ ansible.builtin.service:
+ enabled: yes
+ name: postgresql
+ state: restarted
+
+ # Ensure that the user ansadm can change to user postgres
+ - name: Check if the permission is present in sudoers
+ ansible.builtin.lineinfile:
+ dest: /etc/passwd
+ line: "ansadm ALL=(postgres) NOPASSWD: ALL"
+ check_mode: yes
+ register: presence
+ #failed_when: presence.changed
+
+ - name: Insert the permission in sudoers
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers
+ line: "ansadm ALL=(postgres) NOPASSWD: ALL"
+ insertafter: "^ansadm"
+ state: present
+ when: presence.changed != false
\ No newline at end of file
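Review bot: The sudoers gate at L33–L39 probes `/etc/passwd`, not `/etc/sudoers`, so `presence.changed` is always true and the insert task at L41–L47 runs unconditionally; worse, that task edits `/etc/sudoers` with `lineinfile` and no `validate`, so one malformed line leaves the host with sudo broken for every user. Drop the probe and write a dedicated drop-in under `/etc/sudoers.d/` with `validate: '/usr/sbin/visudo -cf %s'` and `mode: '0440'` (this assumes the distribution's default `@includedir /etc/sudoers.d` is present — confirm on the target image). Separately, `pkg: "{{ items }}"` at L16 references an undefined variable (the loop variable is `item`), and `listen_addresses = '*'` at L24 binds the server on every interface, so the matching `pg_hba.conf`/firewall restriction belongs in this play or in a comment. The `regexp: '# listen_addresses'` at L23 only matches the commented default; an already-uncommented setting would be appended rather than replaced, so `regexp: '^#?\s*listen_addresses\s*='` is safer.
```yaml
# … unchanged: package install, listen_addresses and service tasks …
# Let ansadm run commands as postgres. visudo validates the drop-in before it
# is installed, so a bad line cannot break sudo for every user on the host.
- name: Allow ansadm to run commands as postgres
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/ansadm-postgres
    line: "ansadm ALL=(postgres) NOPASSWD: ALL"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'
    state: present
```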
# Administration playbook for PostgreSQL users and groups
- name: Playbook to prepare the PosgreSQL users and groups
hosts: all
+ vars:
+ my_random_value: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters,digits') }}"
vars_files:
- ../vars/common.yaml
- ../vars/pg_vault.yaml
- ../vars/pg.yaml
tasks:
+ - name: Show the value of the dba password
+ debug:
+ msg: "The random password is {{ my_random_value }}"
- name: Create users with password
+ become: true
+ become_user: postgres
community.postgresql.postgresql_user:
name: "{{ item.key }}"
password: "{{ item.value }}"
role_attr_flags: LOGIN
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
state: present
when: item.value != ''
with_dict: "{{ pg_users }}"
- name: Create users without password
+ become: true
+ become_user: postgres
community.postgresql.postgresql_user:
name: "{{ item.key }}"
role_attr_flags: LOGIN
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
+ password: "{{ my_random_value }}"
state: present
when: item.value == ''
loop: "{{ pg_users | dict2items }}"
- name: Create groups
+ become: true
+ become_user: postgres
community.postgresql.postgresql_user:
name: "{{ item.key }}"
role_attr_flags: NOLOGIN
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
state: present
loop: "{{ pg_groups | dict2items }}"
- name: Create primary groups of the dbs
+ become: true
+ become_user: postgres
community.postgresql.postgresql_user:
name: "{{ item }}"
role_attr_flags: NOLOGIN
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
state: present
with_items: "{{ pg_databases }}"
- - name: Grant all privileges on the databases
+ - name: Grant all privileges on the database for the primary group
+ become: true
+ become_user: postgres
community.postgresql.postgresql_privs:
db: "{{ item }}"
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
- privs:
- - ALL
- roles:
- - "{{ item }}"
+ privs: ALL
+ type: database
+ roles: "{ item }}"
state: present
with_items: "{{ pg_databases }}"
- name: Add users to groups
+ become: true
+ become_user: postgres
community.postgresql.postgresql_membership:
db: postgres # or the name of your DB
- login_host: "{{ pg_meta_host }}"
- login_db: "{{ pg_meta_name }}"
- login_user: "{{ dba_name }}"
- login_password: "{{ dba_password }}"
- target_role: "{{ item.key }}"
- groups: "{{ item.value }}"
- state: present"
+ group: "{{ item.key }}"
+ target_roles: "{{ item.value }}"
+ state: present
with_dict: "{{ pg_groups }}"
\ No newline at end of file
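Review bot: The debug task at L59–L61 prints the generated password in clear text, so it ends up in Ansible stdout, any CI log and every callback plugin's output; remove the task, or at the very least set `no_log: true` on it. Because `my_random_value` at L53 is a `lookup('password', '/dev/null …)` defined under `vars`, it is templated lazily on each reference, so the value shown may not even be the one set at L82 — treat that as something to verify, but it is one more reason not to print it; an 8-character password shared by every passwordless user is also weak, so `length=8` should be raised (e.g. `length=24`). `roles: "{ item }}"` at L120 is a broken Jinja expression (single opening brace), so the `GRANT ALL` targets a role literally named `{ item }}` instead of the database's primary group; it should read `roles: "{{ item }}"`.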
--- /dev/null
+---
+# Configuration of PostGreSQL databases, users, groups
+pg_version: 13
+pg_postgis_version: 3
+
+pg_additional_packages:
+ - "postgresql-{{ pg_version }}-postgis-{{ pg_postgis_version }}"
+ - "postgresql-{{ pg_version }}-ogr-fdw"
+ - "postgresql-{{ pg_version }}-mysql-fdw"
+
+pg_databases: []
+
+
+# Users with password:
+# If password is empty the password is not known
+pg_users:
+ jonny: ''
+
+# Groups are roles without login rights.
+# Key: name of the role Value: the list of group members
+# Convention: each database has a group with the same name
+pg_groups:
+ admins: [jonny]
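Review bot: `pg_users` at L156–L157 is documented as "Users with password" in a vars file that is not vaulted, so any non-empty value placed here is a clear-text database credential committed to the repository; the playbooks already load `../vars/pg_vault.yaml`, so the values should be references into it, e.g. `jonny: "{{ vault_pg_jonny_password }}"`, and the comment should say so. The comment "If password is empty the password is not known" should also spell out the consequence in the users play: such accounts are created with a generated password rather than with no password. Minor: `PostGreSQL` at L142 should be `PostgreSQL`.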