Skip to content
/ ansible-role-postgresql Public

πŸ˜πŸ” Ansible role to deploy a PKI-enabled PostgreSQL server.

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

blackieops/ansible-role-postgresql

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

8 Commits
.github/workflows
.github/workflows
Β 
Β 
defaults
defaults
Β 
Β 
handlers
handlers
Β 
Β 
meta
meta
Β 
Β 
molecule/default
molecule/default
Β 
Β 
tasks
tasks
Β 
Β 
templates
templates
Β 
Β 
vars
vars
Β 
Β 
.ansible-lint
.ansible-lint
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 

Repository files navigation

PostgreSQL Server Ansible Role

Molecule Tests

This is an Ansible role that deploys a production-ready PostgreSQL server with full support for certificate-based authentication and verify-full connections.

Fully certificate-driven

This role bootstraps a self-signed root certificate authority, and handles the client certificate and key generation for each configured Postgres role. This role does not support disabling SSL, nor setting passwords for roles.

It is expected the clients for this server will use verify-full for their sslmode, and authenticate using their private key/certificate pair.

It is up to the administrator to download the client key material and certificates from the PostgreSQL primary server and distribute them to the clients securely.

All key material and certificates is stored under {{ pg_conf_dir }}/pki, which varies by platform; check the OS-specific variable files to get the path for your target.

Supported Platforms

We target the following platforms:

  • SUSE Enterprise Linux Server
  • Enterprise Linux (RHEL-derived)
  • Ubuntu (LTS)
  • Debian (Stable)

We only test and validate the latest long-term release of each platform, and have no plans to expand to more platforms in the future.

Usage

Install the role by adding either the Ansible Galaxy package or Git remote to your requirements.yml:

# via Galaxy
- role: blackieops.postgresql

# or via Git
- src: https://github.com/blackieops/ansible-role-postgresql.git

Then install it with ansible-galaxy:

$ ansible-galaxy install -r requirements.yml

Finally, you can reference the role in your playbooks:

- hosts: postgresqls
  roles:
    - { role: blackieops.postgresql }

Configuration

Check the vars set in defaults for an accounting and example of which tasks you can configure.

Generally, for a simple install, you'll want to minimally set:

  • pg_hostname to the FQDN of the server your clients will use to connect;
  • pg_databases to a list of database names to create;
  • pg_roles to a map of postgres roles to create, for example: 
    - name: examplerolename
  flags: NOSUPERUSER
  • pg_role_privs to map the roles to the databases, for example: 
    - db: exampledb
  role: examplerolename
  privs: ALL

Security-conscious administrators will likely also want to set pg_listen_address to the server's IP in a private subnet to restrict public access, if a cloud/hardware firewall is not available.

About

πŸ˜πŸ” Ansible role to deploy a PKI-enabled PostgreSQL server.

Topics

ansible ansible-role postgresql pki

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published