Diffstat (limited to 'roles/postgresql_server/tasks')
-rw-r--r--roles/postgresql_server/tasks/freeipa.yml49
-rw-r--r--roles/postgresql_server/tasks/main.yml53
2 files changed, 102 insertions, 0 deletions
diff --git a/roles/postgresql_server/tasks/freeipa.yml b/roles/postgresql_server/tasks/freeipa.yml
new file mode 100644
index 0000000..50ea678
--- /dev/null
+++ b/roles/postgresql_server/tasks/freeipa.yml
@@ -0,0 +1,49 @@
+- name: create postgres service principal
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'postgres/{{ ansible_fqdn }}'
+ state: present
+
+- name: retrieve postgres service keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: 'postgres/{{ ansible_fqdn }}'
+ keytab_path: '{{ postgresql_keytab }}'
+
+- name: create SELinux policy for postgres to access gssproxy
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: postrgres_gssproxy
+ selinux_policy_te: '{{ postgresql_selinux_policy_te }}'
+ tags: selinux
+
+- name: create systemd override directory
+ file:
+ path: /etc/systemd/system/postgresql.service.d/
+ state: directory
+
+- name: create systemd unit override
+ copy:
+ src: etc/systemd/system/postgresql.service.d/override.conf
+ dest: /etc/systemd/system/postgresql.service.d/override.conf
+ register: postgresql_systemd_override
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: postgresql_systemd_override.changed
+
+- name: configure gssproxy
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: postgres
+ gssproxy_section: service/postgresql
+ gssproxy_keytab: '{{ postgresql_keytab }}'
+ gssproxy_cred_usage: accept
+ gssproxy_euid: postgres
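Review bot: The `create postgres service principal` task hands the FreeIPA admin password to the module as the `ipaadmin_password` argument, and Ansible echoes module arguments in verbose runs and in several callback/log outputs, so the password can land in job logs; add `no_log: true` to that task. The SELinux policy name `postrgres_gssproxy` looks like a typo — unless it deliberately matches an existing policy module, it should read `selinux_policy_name: postgres_gssproxy`. `daemon_reload: yes` in the `reload systemd units` task should be the canonical boolean `daemon_reload: true`; the same applies to the `yes` values on `enabled`, `permanent` and `immediate` in the main.yml hunk.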
diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml
new file mode 100644
index 0000000..96b173c
--- /dev/null
+++ b/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,53 @@
+- name: install postgresql
+ dnf:
+ name: '{{ postgresql_packages }}'
+ state: present
+
+- name: initialize database
+ command:
+ cmd: postgresql-setup --initdb
+ creates: '{{ postgresql_data_dir }}/PG_VERSION'
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: postgres
+ certificate_path: '{{ postgresql_certificate_path }}'
+ certificate_key_path: '{{ postgresql_certificate_key_path }}'
+ certificate_owner: postgres
+ certificate_hook: systemctl reload postgresql
+
+- name: generate dhparams
+ openssl_dhparam:
+ path: '{{ postgresql_dhparams_path }}'
+ size: 2048
+
+- name: generate postgresql configuration
+ template:
+ src: '{{ postgresql_data_dir[1:] }}/{{ item }}.j2'
+ dest: '{{ postgresql_data_dir }}/{{ item }}'
+ owner: postgres
+ group: postgres
+ mode: 0600
+ loop:
+ - postgresql.conf
+ - pg_hba.conf
+ notify: restart postgresql
+
+- name: enable postgresql service
+ systemd:
+ name: postgresql
+ enabled: yes
+ state: started
+
+- name: open firewall ports
+ firewalld:
+ service: postgresql
+ permanent: yes
+ immediate: yes
+ state: enabled
+ tags: firewalld
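Review bot: `mode: 0600` in the `generate postgresql configuration` task is an unquoted leading-zero literal that YAML parsers turn into an integer; Ansible only recovers the intended octal value because of the leading zero, and a reformat or a later edit to `600` would silently produce the wrong permissions, so write it as `mode: '0600'`. The `open firewall ports` task enables the postgresql service without a `zone` or source restriction, so it applies to firewalld's default zone; if the database is meant to serve only known clients, it is worth adding a `zone` (or a rich rule with a `source`) so the listener is not reachable from every interface.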