jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: review postgres on multiple iface

Browse Source
This commit is contained in:
Clément Désiles 2025-11-11 11:11:47 +01:00
parent e692d4df98
commit 9f3e920d7d
No known key found for this signature in database
5 changed files with 52 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
roles/postgres/README.md
View File

@ -17,33 +17,19 @@ This Ansible role installs and configures PostgreSQL for local use only. It prov
## Role Variables ## Role Variables
Available variables with defaults (see `defaults/main.yml`): See `defaults/main.yml` for all available variables and their default values.
### Key Configuration Requirements
#### Required Password
The `postgres_admin_password` variable must be set in your inventory (min 12 characters). The role will fail if not set.
#### Container Access
For containers to access PostgreSQL, set `postgres_bind` to include the Podman gateway:
```yaml ```yaml
# PostgreSQL admin user postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
postgres_admin_user: postgres
# PostgreSQL admin password (REQUIRED - must be set explicitly)
# postgres_admin_password: "" # Intentionally undefined
# PostgreSQL data directory
postgres_data_dir: /var/lib/postgres/data
# Network configuration
postgres_listen_addresses: 127.0.0.1 # For container access: "127.0.0.1,{{ podman_subnet_gateway }}"
postgres_port: 5432
# Firewall configuration
postgres_firewall_allowed_sources:
- 127.0.0.0/8 # Localhost
- "{{ podman_subnet | default('10.88.0.0/16') }}" # Podman bridge network
# Performance tuning
postgres_shared_buffers: 256MB
postgres_effective_cache_size: 1GB
postgres_maintenance_work_mem: 64MB
postgres_work_mem: 4MB
postgres_max_connections: 100
``` ```
## Dependencies ## Dependencies
@ -102,7 +88,7 @@ If your service runs in a container (Docker/Podman), you need to configure Postg
**Step 1: Configure PostgreSQL in inventory** **Step 1: Configure PostgreSQL in inventory**
```yaml ```yaml
# inventory/host_vars/yourserver.yml # inventory/host_vars/yourserver.yml
postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway }}" postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
postgres_firewall_allowed_sources: postgres_firewall_allowed_sources:
- 127.0.0.0/8 - 127.0.0.0/8
- "{{ podman_subnet }}" - "{{ podman_subnet }}"
@ -168,7 +154,7 @@ The pattern above ensures users have:
PostgreSQL default configuration: PostgreSQL default configuration:
- Listens on `localhost` only by default - Listens on `localhost` only by default
- To allow container access, set `postgres_listen_addresses` to include Podman gateway - To allow container access, set `postgres_bind` to include Podman gateway
- UFW firewall rules automatically configured for allowed sources - UFW firewall rules automatically configured for allowed sources
- `pg_hba.conf` automatically configured for Podman subnet when enabled - `pg_hba.conf` automatically configured for Podman subnet when enabled
- No remote network access by default - No remote network access by default

6
roles/postgres/defaults/main.yml
View File

@ -13,12 +13,12 @@ postgres_admin_user: postgres
postgres_data_dir: /var/lib/postgres/data postgres_data_dir: /var/lib/postgres/data
# Binding address(es) # Binding address(es)
postgres_listen_addresses: "127.0.0.1,{{ podman_subnet_gateway | default('10.88.0.1' }}" # example: postgres_bind: "127.0.0.1,10.89.0.1"
postgres_bind: "127.0.0.1"
# Firewall configuration # Firewall configuration
postgres_firewall_allowed_sources: postgres_firewall_allowed_sources:
- 127.0.0.0/8 # Localhost - 127.0.0.0/8
- "{{ podman_subnet | default('10.88.0.0/16') }}" # Podman bridge network
# Performance tuning (adjust based on your hardware) # Performance tuning (adjust based on your hardware)
postgres_shared_buffers: 256MB postgres_shared_buffers: 256MB

14
roles/postgres/tasks/main.yml
View File

@ -48,13 +48,13 @@
mode: "0640" mode: "0640"
notify: Restart PostgreSQL notify: Restart PostgreSQL
- name: Configure pg_hba.conf for Podman subnet access - name: Deploy pg_hba.conf from template
ansible.builtin.lineinfile: ansible.builtin.template:
path: "{{ postgres_hba_path }}" src: pg_hba.conf.j2
line: "host all all {{ podman_subnet }} scram-sha-256" dest: "{{ postgres_hba_path }}"
insertafter: "^# IPv4 local connections:" owner: postgres
state: present group: postgres
when: podman_subnet is defined mode: "0640"
notify: Restart PostgreSQL notify: Restart PostgreSQL
- name: Setup firewall rules for PostgreSQL - name: Setup firewall rules for PostgreSQL

2
roles/postgres/templates/custom.conf.j2
View File

@ -2,7 +2,7 @@
# Override settings from main postgresql.conf # Override settings from main postgresql.conf
# Network configuration # Network configuration
listen_addresses = '{{ postgres_listen_addresses }}' listen_addresses = '{{ postgres_bind }}'
port = {{ postgres_port }} port = {{ postgres_port }}
# Performance tuning # Performance tuning

28
roles/postgres/templates/pg_hba.conf.j2 Normal file
View File

@ -0,0 +1,28 @@
# PostgreSQL Client Authentication Configuration File
# { ansible_managed }
# ============================================================================
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
{% for source in postgres_firewall_allowed_sources %}
{% if source.startswith('127.0.0.') %}
host all all {{ source }} trust
{% else %}
host all all {{ source }} scram-sha-256
{% endif %}
{% endfor %}
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust