From e87181aa49be20d8b53fe358af2ba542dd5a06d6 Mon Sep 17 00:00:00 2001
From: shenlan
Date: Fri, 19 Sep 2025 21:42:02 +0800
Subject: [PATCH] Add PostgreSQL vhost role for Ubuntu 22.04+

---
 playbooks/deploy_postgres_vhosts.yml | 8 ++
 .../roles/vhosts/postgres/handlers/main.yml | 5 +
 playbooks/roles/vhosts/postgres/meta/main.yml | 2 +
 .../roles/vhosts/postgres/tasks/main.yml | 120 ++++++++++++++++++
 4 files changed, 135 insertions(+)
 create mode 100644 playbooks/deploy_postgres_vhosts.yml
 create mode 100644 playbooks/roles/vhosts/postgres/handlers/main.yml
 create mode 100644 playbooks/roles/vhosts/postgres/meta/main.yml
 create mode 100644 playbooks/roles/vhosts/postgres/tasks/main.yml

diff --git a/playbooks/deploy_postgres_vhosts.yml b/playbooks/deploy_postgres_vhosts.yml
new file mode 100644
index 0000000..405a116
--- /dev/null
+++ b/playbooks/deploy_postgres_vhosts.yml
@@ -0,0 +1,8 @@
+- name: Deploy PostgreSQL on vhosts
+  hosts: "{{ postgresql_target | default('postgresql') }}"
+  become: true
+  vars:
+    group: "{{ group | default(postgresql_target | default('postgresql')) }}"
+  roles:
+    - roles/vhosts/common/
+    - roles/vhosts/postgres/
diff --git a/playbooks/roles/vhosts/postgres/handlers/main.yml b/playbooks/roles/vhosts/postgres/handlers/main.yml
new file mode 100644
index 0000000..9264747
--- /dev/null
+++ b/playbooks/roles/vhosts/postgres/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Restart PostgreSQL
+  ansible.builtin.systemd:
+    name: "{{ postgresql_service_name }}"
+    state: restarted
+    daemon_reload: true
diff --git a/playbooks/roles/vhosts/postgres/meta/main.yml b/playbooks/roles/vhosts/postgres/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/playbooks/roles/vhosts/postgres/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: common
diff --git a/playbooks/roles/vhosts/postgres/tasks/main.yml b/playbooks/roles/vhosts/postgres/tasks/main.yml
new file mode 100644
index 0000000..6122c26
--- /dev/null
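Review bot: The play var `group: "{{ group | default(postgresql_target | default('postgresql')) }}"` references itself, so when `group` is not supplied from outside (an extra var or inventory var) Ansible's templater is likely to abort with a recursive-loop error instead of falling back to the default. Seed it from a differently named input, e.g. `group: "{{ postgresql_group | default(postgresql_target | default('postgresql')) }}"`, or drop the play-level var and let callers pass `group` directly. Separately, this play includes the common role by path (`roles/vhosts/common/`) while the new meta/main.yml declares `role: common` by bare name; unless both resolve to the same role directory the dependency lookup fails or common is applied twice, so the two should be aligned on one form.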
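Review bot: `{{ postgresql_service_name }}` has no default anywhere in this patch — the role ships handlers, meta and tasks but no `defaults/main.yml`, and the same holds for every `postgresql_*` variable consumed in tasks/main.yml (`postgresql_repo`, `postgresql_repo_key_url`, `postgresql_conf_path`, `postgresql_allowed_hosts`, `postgresql_auth_method`, `postgresql_use_official_repo`, …). Unless the common role or inventory defines all of them, the play stops at the first undefined-variable error, and a reader cannot tell what network exposure the role produces by default. A `defaults/main.yml` under the same role directory with documented, conservative values (for instance `postgresql_listen_addresses: 'localhost'` and `postgresql_allowed_hosts: []`) would make the role usable on its own and make the exposure-related settings explicit. The `daemon_reload: true` on the restart handler is harmless but unneeded, since nothing in this role installs or edits a unit file.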
+++ b/playbooks/roles/vhosts/postgres/tasks/main.yml 
@@ -0,0 +1,120 @@
+- name: Ensure PostgreSQL repository prerequisites are installed
+  ansible.builtin.apt:
+    name: "{{ postgresql_package_dependencies | list }}"
+    state: present
+    update_cache: true
+  when:
+    - ansible_os_family == 'Debian'
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_version is version('22.04', '>=')
+    - postgresql_use_official_repo | bool
+
+- name: Download PostgreSQL repository signing key
+  ansible.builtin.get_url:
+    url: "{{ postgresql_repo_key_url }}"
+    dest: "{{ postgresql_repo_key_path }}"
+    mode: "0644"
+  when:
+    - ansible_os_family == 'Debian'
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_version is version('22.04', '>=')
+    - postgresql_use_official_repo | bool
+
+- name: Configure PostgreSQL apt repository
+  ansible.builtin.apt_repository:
+    repo: "{{ postgresql_repo }}"
+    filename: postgresql
+    state: present
+  register: postgresql_repo_config
+  when:
+    - ansible_os_family == 'Debian'
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_version is version('22.04', '>=')
+    - postgresql_use_official_repo | bool
+
+- name: Refresh apt cache if repository was added
+  ansible.builtin.apt:
+    update_cache: true
+  when:
+    - ansible_os_family == 'Debian'
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_version is version('22.04', '>=')
+    - postgresql_use_official_repo | bool
+    - postgresql_repo_config is defined
+    - postgresql_repo_config is changed
+
+- name: Set package list for PostgreSQL
+  ansible.builtin.set_fact:
+    postgresql_packages: "{{ (postgresql_packages_base + postgresql_extra_packages) | unique | list }}"
+
+- name: Install PostgreSQL packages
+  ansible.builtin.apt:
+    name: "{{ postgresql_packages | list }}"
+    state: present
+    update_cache: true
+  when:
+    - ansible_os_family == 'Debian'
+
+- name: Ensure PostgreSQL service is enabled and started
+  ansible.builtin.systemd:
+    name: "{{ postgresql_service_name }}"
+    enabled: true
+    state: started
+
+- name: Gather facts for PostgreSQL configuration files
+  ansible.builtin.stat:
+    path: "{{ postgresql_conf_path }}"
+  register: postgresql_conf_file
+
+- name: Configure listen_addresses in postgresql.conf
+  ansible.builtin.lineinfile:
+    path: "{{ postgresql_conf_path }}"
+    regexp: '^#?listen_addresses\s*='
+    line: "listen_addresses = '{{ postgresql_listen_addresses }}'"
+  when: postgresql_conf_file.stat.exists
+  notify: Restart PostgreSQL
+
+- name: Configure port in postgresql.conf
+  ansible.builtin.lineinfile:
+    path: "{{ postgresql_conf_path }}"
+    regexp: '^#?port\s*='
+    line: "port = {{ postgresql_port }}"
+  when: postgresql_conf_file.stat.exists
+  notify: Restart PostgreSQL
+
+- name: Configure password_encryption in postgresql.conf
+  ansible.builtin.lineinfile:
+    path: "{{ postgresql_conf_path }}"
+    regexp: '^#?password_encryption\s*='
+    line: "password_encryption = '{{ postgresql_password_encryption }}'"
+  when:
+    - postgresql_conf_file.stat.exists
+    - postgresql_password_encryption | length > 0
+  notify: Restart PostgreSQL
+
+- name: Ensure pg_hba.conf exists
+  ansible.builtin.stat:
+    path: "{{ postgresql_hba_path }}"
+  register: postgresql_hba_file
+
+- name: Configure pg_hba.conf access rules
+  ansible.builtin.blockinfile:
+    path: "{{ postgresql_hba_path }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR POSTGRESQL ACCESS"
+    block: |-
+      {% for network in postgresql_allowed_hosts %}
+      host all all {{ network }} {{ postgresql_auth_method }}
+      {% endfor %}
+  when:
+    - postgresql_hba_file.stat.exists
+    - postgresql_allowed_hosts | length > 0
+  notify: Restart PostgreSQL
+
+- name: Remove managed pg_hba.conf block when no networks are defined
+  ansible.builtin.blockinfile:
+    path: "{{ postgresql_hba_path }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR POSTGRESQL ACCESS"
+    state: absent
+  when:
+    - postgresql_hba_file.stat.exists
+    - postgresql_allowed_hosts | length == 0
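Review bot: `Download PostgreSQL repository signing key` fetches the key with `get_url` and no `checksum:`, so whatever `postgresql_repo_key_url` serves is written to `postgresql_repo_key_path` and, presumably via `postgresql_repo`, becomes the trust root for every later `apt` install from that repository; pin it with `checksum: "sha256:<expected-key-digest>"` (digest recorded next to the URL) so a swapped key fails the task instead of being installed. The `pg_hba.conf` block `host all all {{ network }} {{ postgresql_auth_method }}` grants every database and every role to each listed network and nothing validates `postgresql_auth_method` — a value such as `trust` would be passwordless — so an `ansible.builtin.assert` ahead of the blockinfile task is worth adding, and `postgresql_password_encryption` is likewise written verbatim without a check. The last task, `Remove managed pg_hba.conf block when no networks are defined`, has no `notify: Restart PostgreSQL`, so revoking access by emptying `postgresql_allowed_hosts` takes effect only when something else restarts the service; add `notify: Restart PostgreSQL` to it. Stylistically, the same four-line `when:` is repeated on the first four tasks; wrapping them in one `block:` with a single `when:` removes the duplication.
```yaml
- name: Validate PostgreSQL access settings before editing config
  ansible.builtin.assert:
    that:
      - postgresql_auth_method | length > 0
      - postgresql_auth_method != 'trust'
      - postgresql_allowed_hosts | length == 0 or postgresql_listen_addresses | length > 0
    fail_msg: "postgresql_auth_method / postgresql_allowed_hosts / postgresql_listen_addresses are not a safe combination"

# … unchanged: repository prerequisites task …

- name: Download PostgreSQL repository signing key
  ansible.builtin.get_url:
    url: "{{ postgresql_repo_key_url }}"
    dest: "{{ postgresql_repo_key_path }}"
    mode: "0644"
    checksum: "sha256:<expected-key-digest>"  # placeholder: record the real digest alongside the URL
# … unchanged: when conditions and remaining tasks …
```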