From: Hamatoma
Date: Wed, 14 May 2025 09:13:29 +0000 (+0200)
Subject: postgresql
X-Git-Url: https://gitweb.hamatoma.de/?a=commitdiff_plain;h=dab2fbe8bf04a9171affebec943b5f21bd59159c;p=ansknife.git

postgresql
---

diff --git a/docu/70_postgresql.md b/docu/70_postgresql.md
index af540d6..d385320 100644
--- a/docu/70_postgresql.md
+++ b/docu/70_postgresql.md
@@ -28,6 +28,8 @@ CREATE ROLE dba LOGIN PASSWORD 'NoOneKnows';
 CREATE ROLE admbackup LOGIN PASSWORD 'ForgetAtOnce';
 # Zuordnen zur Gruppe:
 GRANT admins TO dba, admbackup;
+# Ändern des Passworts:
+ALTER USER dba WITH PASSWORD 'NoOneKnows';
 ```
 
 ## Datenbanken
diff --git a/playbooks.templates/pg_init.yaml b/playbooks.templates/pg_init.yaml
new file mode 100644
index 0000000..b7bed73
--- /dev/null
+++ b/playbooks.templates/pg_init.yaml
@@ -0,0 +1,46 @@
+---
+- name: Playbook for PostgreSQL initialization
+  hosts: all
+  vars_files:
+    - ../vars/common.yaml
+    - ../vars/pg_vault.yaml
+    - ../vars/pg.yaml
+  tasks:
+    - name: install postgresql server
+      ansible.builtin.apt:
+        pkg: postgresql-{{ pg_version }}
+        state: present
+    - name: install additional packages
+      ansible.builtin.apt:
+        pkg: "{{ items }}"
+        state: present
+      with_items: "{{ pg_additional_packages }}"
+
+    - name: change postgres network binding
+      ansible.builtin.lineinfile:
+        path: /etc/postgresql/{{ pg_version }}/main/postgresql.conf
+        regexp: '# listen_addresses'
+        line: "listen_addresses = '*'"
+
+    - name: start postgresql server
+      ansible.builtin.service:
+        enabled: yes
+        name: postgresql
+        state: restarted
+
+    # Ensure that the user ansadm can change to user postgres
+    - name: Check if the permission is present in sudoers
+      ansible.builtin.lineinfile:
+        dest: /etc/passwd
+        line: "ansadm ALL=(postgres) NOPASSWD: ALL"
+      check_mode: yes
+      register: presence
+      #failed_when: presence.changed
+
+    - name: Insert the permission in sudoers
+      ansible.builtin.lineinfile:
+        path: /etc/sudoers
+        line: "ansadm ALL=(postgres) NOPASSWD: ALL"
+        insertafter: "^ansadm"
+        state: present
+      when: presence.changed != false
\ No newline at end of file
diff --git a/playbooks.templates/pg_users.yaml b/playbooks.templates/pg_users.yaml
index d8f1185..a1f6515 100644
--- a/playbooks.templates/pg_users.yaml
+++ b/playbooks.templates/pg_users.yaml
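Review bot: The additional-packages task references `{{ items }}` but `with_items` exposes the loop variable as `item`, so `pkg` is undefined and the task fails; use `pkg: "{{ item }}"`. The sudoers pre-check reads `/etc/passwd` instead of `/etc/sudoers`, so `presence.changed` is always true and the check decides nothing; the following `lineinfile` on `/etc/sudoers` is idempotent on its own, so the check task can go, and the edit should carry `validate: '/usr/sbin/visudo -cf %s'` so a malformed line cannot lock sudo. The regexp `'# listen_addresses'` expects a space after `#`, which the stock `#listen_addresses = 'localhost'` line does not have, so the setting is most likely appended at the end of the file rather than replacing the default; and `listen_addresses = '*'` exposes the server on every interface, so pair it with `pg_hba.conf` rules that restrict client hosts and authentication. Prefer `enabled: true` and `when: presence.changed` over `yes` and `!= false`.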
@@ -2,70 +2,73 @@
 # Administration playbook for PostgreSQL users and groups
 - name: Playbook to prepare the PosgreSQL users and groups
   hosts: all
+  vars:
+    my_random_value: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters,digits') }}"
   vars_files:
     - ../vars/common.yaml
     - ../vars/pg_vault.yaml
     - ../vars/pg.yaml
   tasks:
+    - name: Show the value of the dba password
+      debug:
+        msg: "The random password is {{ my_random_value }}"
     - name: Create users with password
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_user:
         name: "{{ item.key }}"
         password: "{{ item.value }}"
         role_attr_flags: LOGIN
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
         state: present
       when: item.value != ''
       with_dict: "{{ pg_users }}"
 
     - name: Create users without password
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_user:
         name: "{{ item.key }}"
         role_attr_flags: LOGIN
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
+        password: "{{ my_random_value }}"
         state: present
       when: item.value == ''
       loop: "{{ pg_users | dict2items }}"
 
     - name: Create groups
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_user:
         name: "{{ item.key }}"
         role_attr_flags: NOLOGIN
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
         state: present
       loop: "{{ pg_groups | dict2items }}"
 
     - name: Create primary groups of the dbs
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_user:
         name: "{{ item }}"
         role_attr_flags: NOLOGIN
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
         state: present
       with_items: "{{ pg_databases }}"
 
-    - name: Grant all privileges on the databases
+    - name: Grant all privileges on the database for the primary group
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_privs:
         db: "{{ item }}"
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
-        privs:
-          - ALL
-        roles:
-          - "{{ item }}"
+        privs: ALL
+        type: database
+        roles: "{ item }}"
         state: present
       with_items: "{{ pg_databases }}"
 
     - name: Add users to groups
+      become: true
+      become_user: postgres
       community.postgresql.postgresql_membership:
         db: postgres # or the name of your DB
-        login_host: "{{ pg_meta_host }}"
-        login_db: "{{ pg_meta_name }}"
-        login_user: "{{ dba_name }}"
-        login_password: "{{ dba_password }}"
-        target_role: "{{ item.key }}"
-        groups: "{{ item.value }}"
-        state: present"
+        group: "{{ item.key }}"
+        target_roles: "{{ item.value }}"
+        state: present
       with_dict: "{{ pg_groups }}"
\ No newline at end of file
diff --git a/templates.vars/packages.yaml b/templates.vars/packages.yaml
index 360b9c6..ec8f0f2 100644
--- a/templates.vars/packages.yaml
+++ b/templates.vars/packages.yaml
@@ -2,7 +2,7 @@ packages_list:
   - certbot
   - git
   - unzip
-  - 7zip
+  - p7zip
   - unrar-free
   - htop
   - smartmontools
diff --git a/templates.vars/pg.yaml b/templates.vars/pg.yaml
new file mode 100644
index 0000000..8bfb35f
--- /dev/null
+++ b/templates.vars/pg.yaml
@@ -0,0 +1,23 @@
+---
+# Configuration of PostGreSQL databases, users, groups
+pg_version: 13
+pg_postgis_version: 3
+
+pg_additional_packages:
+  - "postgresql-{{ pg_version }}-postgis-{{ pg_postgis_version }}"
+  - "postgresql-{{ pg_version }}-ogr-fdw"
+  - "postgresql-{{ pg_version }}-mysql-fdw"
+
+pg_databases: []
+
+
+# Users with password:
+# If password is empty the password is not known
+pg_users:
+  jonny: ''
+
+# Groups are roles without login rights.
+# Key: name of the role Value: the list of group members
+# Convention: each database has a group with the same name
+pg_groups:
+  admins: [jonny]