From 1487c0e532a3f03f7bb188a64da6647f6c0a42bb Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Sat, 21 Sep 2024 19:53:43 +0700
Subject: [PATCH 1/6] fix: add variable postgresql_service_description to set service description

---
 defaults/main.yml | 3 +++
 .../etc_systemd_system_postgresql.service.d_custom.conf.j2 | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index d4f914cb..94012900 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -24,6 +24,9 @@ postgresql_admin_user: "postgres"
 postgresql_default_auth_method: "peer"
 postgresql_default_auth_method_hosts: "{{ 'scram-sha-256' if postgresql_version is version_compare('14', '>=') else 'md5' }}" # (>=14.0 scram-sha-256 is default value)
 
+# The description that will use to customize process or service description
+postgresql_service_description: "PostgreSQL RDBMS"
+
 # The user/group that will run postgresql process or service
 postgresql_service_user: "{{ postgresql_admin_user }}"
 postgresql_service_user_pgsql_profile: false
diff --git a/templates/etc_systemd_system_postgresql.service.d_custom.conf.j2 b/templates/etc_systemd_system_postgresql.service.d_custom.conf.j2
index be85ad6a..36d43c7b 100644
--- a/templates/etc_systemd_system_postgresql.service.d_custom.conf.j2
+++ b/templates/etc_systemd_system_postgresql.service.d_custom.conf.j2
@@ -1,6 +1,10 @@
 # {{ ansible_managed }}
 # Systemd unit file override to specify user/group as well as separate config
 # and data directories.
+
+[Unit]
+Description={{ postgresql_service_description }}
+
 [Service]
 User={{ postgresql_service_user }}
 Group={{ postgresql_service_group }}
From 10e301d38f56210e75900fee2367cbfe5bb682c4 Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Mon, 23 Sep 2024 05:03:20 +0700
Subject: [PATCH 2/6] fix: update variable postgresql_apt_repository for ubuntu 22

---
 vars/Debian_22.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

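Review bot: The added comment `# The description that will use to customize process or service description` is ungrammatical and does not say where the value is consumed, and it is the only documentation a role user gets for the new variable. Since the second hunk renders it as the `Description=` line of the systemd drop-in, I would write `# Rendered as the Description= line of the postgresql.service systemd drop-in`. The value itself is a plain quoted string, so there is no implicit-typing concern.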
diff --git a/vars/Debian_22.yml b/vars/Debian_22.yml
index 273f70e2..217fb4ff 100644
--- a/vars/Debian_22.yml
+++ b/vars/Debian_22.yml
@@ -3,4 +3,4 @@ postgresql_service_name: "postgresql"
-postgresql_apt_repository: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/postgresql.gpg] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main {{ postgresql_version }}"
+postgresql_apt_repository: "deb http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"
From 86c4b0589d0df34be23a3df307c39e13e196bdfd Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Mon, 23 Sep 2024 05:07:18 +0700
Subject: [PATCH 3/6] fix: install gnupg2 missing gpg binary

---
 tasks/install_apt.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/install_apt.yml b/tasks/install_apt.yml
index 7ca88895..11af032a 100644
--- a/tasks/install_apt.yml
+++ b/tasks/install_apt.yml
@@ -4,7 +4,9 @@
 # validate www.postgresql.org (or probably any other source).
 - name: PostgreSQL | Make sure the CA certificates are available | apt
   apt:
-    pkg: ca-certificates
+    pkg:
+      - gnupg2
+      - ca-certificates
     state: present
 
 - name: PostgreSQL | Add PostgreSQL repository apt-key | apt
From f917da78ec09fabdb5d7c71ace74eece574c5dd2 Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Mon, 23 Sep 2024 06:22:59 +0700
Subject: [PATCH 4/6] fix: custom service config for Debian family

---
 handlers/main.yml | 4 ++++
 tasks/configure.yml | 10 ++++++++++
 ...tem_postgresql.service.d_custom.conf_Debian.j2 | 15 +++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 templates/etc_systemd_system_postgresql.service.d_custom.conf_Debian.j2

diff --git a/handlers/main.yml b/handlers/main.yml
index 6e1db981..395cac08 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
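Review bot: The new `postgresql_apt_repository` line drops the `signed-by=/etc/apt/trusted.gpg.d/postgresql.gpg` option together with the stray `{{ postgresql_version }}` component, so the PGDG source is now accepted when signed by any key in apt's global trusted keyring instead of only the PGDG key. Removing the bogus component is right, but the key pinning should stay: `postgresql_apt_repository: "deb [signed-by=/etc/apt/trusted.gpg.d/postgresql.gpg] http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"`. If the option was removed because that keyring file is not yet present on Ubuntu 22 when the source is added, the fix belongs in the key-import task (write the key to that path before adding the source) rather than in loosening the source line; that task is not part of this patch, so I cannot confirm which it is.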
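Review bot: The task keeps the name `PostgreSQL | Make sure the CA certificates are available | apt` while it now also installs `gnupg2`, so the play log no longer describes what it does; rename it, e.g. `- name: PostgreSQL | Make sure gnupg and the CA certificates are available | apt`, or add `# gnupg2 supplies the gpg binary needed by the apt-key task below` above the list. The next task's name shows the repository key is still imported with `apt-key`, which places it in the global trusted keyring; since the role now has to pull in gnupg just for that, switching to a dedicated keyring file referenced via `signed-by=` in the repository line would be the more robust supply-chain setup and may remove the gnupg2 dependency on current apt versions. The task list continues outside the hunk.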
@@ -5,3 +5,7 @@
       name: "{{ postgresql_service_name }}"
       state: restarted
       enabled: yes
+
+  - name: reload service daemon
+    ansible.builtin.systemd_service:
+      daemon_reload: true
\ No newline at end of file
diff --git a/tasks/configure.yml b/tasks/configure.yml
index c6e9be67..09849219 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -219,6 +219,16 @@
   when: ansible_os_family == "RedHat"
   register: postgresql_systemd_custom_conf
 
+- name: PostgreSQL | Use the conf directory when starting the Postgres service | Debian
+  template:
+    src: etc_systemd_system_postgresql.service.d_custom.conf_Debian.j2
+    dest: "/lib/systemd/system/postgresql.service"
+  when: ansible_os_family == "Debian"
+  register: postgresql_systemd_custom_conf
+  notify:
+    - reload service daemon
+    - restart postgresql
+
 - name: PostgreSQL | Ensure the pid directory for PostgreSQL exists
   file:
     name: "{{ postgresql_pid_directory }}"
diff --git a/templates/etc_systemd_system_postgresql.service.d_custom.conf_Debian.j2 b/templates/etc_systemd_system_postgresql.service.d_custom.conf_Debian.j2
new file mode 100644
index 00000000..6a020e78
--- /dev/null
+++ b/templates/etc_systemd_system_postgresql.service.d_custom.conf_Debian.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+# Systemd unit file override to specify user/group as well as separate config
+# and data directories.
+
+[Unit]
+Description={{ postgresql_service_description }}
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=on
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
From d599a82320311b91dc4bf1182aed6bc53fffb748 Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Tue, 24 Sep 2024 15:02:15 +0700
Subject: [PATCH 5/6] fix: bug fixing ident auth for root user

---
 defaults/main.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 94012900..1822a4f7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
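Review bot: Ansible runs notified handlers in the order they are defined in the handlers file, not in `notify:` order, so appending `reload service daemon` after the existing `restart postgresql` handler means the restart on Debian runs against the stale unit definition and the daemon-reload follows it. Either define the new handler before `restart postgresql`, or drop it and set `daemon_reload: true` on the restart handler itself via `ansible.builtin.systemd_service:`. The file is also left without a trailing newline (`\ No newline at end of file`). The `restart postgresql` handler's first lines are outside the hunk.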
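Review bot: `dest: "/lib/systemd/system/postgresql.service"` overwrites the unit installed by the distribution package, so dpkg reports the file as modified and the next package upgrade silently reverts it; the override belongs at `dest: "/etc/systemd/system/postgresql.service"` (or a drop-in under `/etc/systemd/system/postgresql.service.d/`), which takes precedence over `/lib` without touching packaged files. The task also re-uses `register: postgresql_systemd_custom_conf`: a skipped task still registers its variable, so on RedHat hosts this task overwrites the RedHat task's result with a skipped status, and any later check of `postgresql_systemd_custom_conf.changed` (not visible here, if one exists) would read false; use a distinct name or a single task with a per-family `src`. The name `Use the conf directory when starting the Postgres service` does not match the template, which installs a no-op oneshot unit and sets no directories, so rename it accordingly.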
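Review bot: The header comment copied from the RedHat template says this is an override `to specify user/group as well as separate config and data directories`, but the unit sets none of that — it is a complete `Type=oneshot` unit with `ExecStart=/bin/true` whose only variable content is `Description=` — so the comment misleads the next maintainer; replace it with `# Replacement postgresql.service unit for Debian: a no-op oneshot that only carries the unit description.` The file name still ends in `.service.d_custom.conf_Debian.j2` as if it were a drop-in, while the task installs it as the whole unit, and the file is written without a trailing newline.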
@@ -20,6 +20,7 @@ postgresql_env:
   LC_ALL: "{{ postgresql_locale }}"
   LC_LCTYPE: "{{ postgresql_locale }}"
 
+postgresql_linux_admin_user: "root"
 postgresql_admin_user: "postgres"
 postgresql_default_auth_method: "peer"
 postgresql_default_auth_method_hosts: "{{ 'scram-sha-256' if postgresql_version is version_compare('14', '>=') else 'md5' }}" # (>=14.0 scram-sha-256 is default value)
@@ -81,10 +82,10 @@ postgresql_user_privileges: []
 
 # pg_hba.conf
 postgresql_pg_hba_default:
-  - { type: local, database: all, user: all, address: "", method: "{{ postgresql_default_auth_method }}", comment: '"local" is for Unix domain socket connections only' }
   - { type: host, database: all, user: all, address: "127.0.0.1/32", method: "{{ postgresql_default_auth_method_hosts }}", comment: "IPv4 local connections:" }
   - { type: host, database: all, user: all, address: "::1/128", method: "{{ postgresql_default_auth_method_hosts }}", comment: "IPv6 local connections:" }
-  - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer map=root_as_{{ postgresql_admin_user }}", comment: "Local root Unix user, passwordless access" }
+  - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer map={{ postgresql_linux_admin_user }}_as_{{ postgresql_admin_user }}", comment: "Local root Unix user, passwordless access" }
+  - { type: local, database: all, user: all, address: "", method: "{{ postgresql_default_auth_method }}", comment: '"local" is for Unix domain socket connections only' }
 
 postgresql_pg_hba_md5_hosts: []
 postgresql_pg_hba_passwd_hosts: []
@@ -95,7 +96,7 @@ postgresql_pg_hba_custom: []
 postgresql_pg_ident:
   - comment: "root is allowed to login as {{ postgresql_admin_user }}"
     mapname: "root_as_{{ postgresql_admin_user }}"
-    system_username: "{{ postgresql_admin_user }}"
+    system_username: "{{ postgresql_linux_admin_user }}"
     pg_username: "{{ postgresql_admin_user }}"
 
 # postgresql.conf
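Review bot: The real fix in the pg_hba hunk is the reordering: pg_hba.conf is matched first-match, so the `peer map=…` rule for `{{ postgresql_admin_user }}` was previously shadowed by the generic `local all all` peer rule above it and root was compared against `postgres` by plain peer and rejected; that deserves a comment above the entry, e.g. `# must precede the generic local rule: pg_hba.conf is first-match`. The new map name `{{ postgresql_linux_admin_user }}_as_{{ postgresql_admin_user }}` only agrees with `mapname: "root_as_{{ postgresql_admin_user }}"` in the pg_ident hunk below while the variable keeps its default `root`; an override makes the two names diverge and the admin login fails because the referenced map no longer exists. Derive both names from the same expression or keep both hardcoded (which [PATCH 6/6] on this page ends up doing). Nothing documents that `postgresql_linux_admin_user` grants an OS account passwordless superuser access; a comment above it in the first hunk should say so.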
From 0324494ab051d91668ed95ea88d38176c71b2a34 Mon Sep 17 00:00:00 2001
From: Prakasa
Date: Tue, 24 Sep 2024 17:49:40 +0700
Subject: [PATCH 6/6] fix: regex list of linux users impersonate postgres

---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 1822a4f7..5b1053da 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,7 +20,7 @@ postgresql_env:
   LC_ALL: "{{ postgresql_locale }}"
   LC_LCTYPE: "{{ postgresql_locale }}"
 
-postgresql_linux_admin_user: "root"
+postgresql_linux_admin_user: '"/^(root|postgres)$"'
 postgresql_admin_user: "postgres"
 postgresql_default_auth_method: "peer"
 postgresql_default_auth_method_hosts: "{{ 'scram-sha-256' if postgresql_version is version_compare('14', '>=') else 'md5' }}" # (>=14.0 scram-sha-256 is default value)
@@ -84,7 +84,7 @@ postgresql_user_privileges: []
 postgresql_pg_hba_default:
   - { type: host, database: all, user: all, address: "127.0.0.1/32", method: "{{ postgresql_default_auth_method_hosts }}", comment: "IPv4 local connections:" }
   - { type: host, database: all, user: all, address: "::1/128", method: "{{ postgresql_default_auth_method_hosts }}", comment: "IPv6 local connections:" }
-  - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer map={{ postgresql_linux_admin_user }}_as_{{ postgresql_admin_user }}", comment: "Local root Unix user, passwordless access" }
+  - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer map=root_as_{{ postgresql_admin_user }}", comment: "Local root Unix user, passwordless access" }
   - { type: local, database: all, user: all, address: "", method: "{{ postgresql_default_auth_method }}", comment: '"local" is for Unix domain socket connections only' }
 
 postgresql_pg_hba_md5_hosts: []
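Review bot: `postgresql_linux_admin_user` now holds a pg_ident regular expression with embedded double quotes, `'"/^(root|postgres)$"'`, rather than a user name, so the variable name and the existing pg_ident comment `root is allowed to login as {{ postgresql_admin_user }}` (outside this hunk) both understate the grant: every OS account matching the pattern gets passwordless peer access as the database superuser. Document that above the variable, e.g. `# pg_ident system-username (a /regex/ is accepted) of the OS accounts allowed to log in as postgresql_admin_user without a password`, and consider a plural name while the series is still unmerged. The `postgres` alternative looks redundant with the trailing `local all all` peer rule, which already admits the same-named OS user, so `root` alone would express the intended exception. The second hunk's return to the hardcoded `map=root_as_{{ postgresql_admin_user }}` is right, since it keeps pg_hba and pg_ident agreeing regardless of the variable's value.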