---
# PostgreSQL branch to install when the default repo does not carry a recent
# enough release, e.g. 96, 10 or 11. Leave on "default" to use the default repo.
pg_version: default
# Compression filter for dumps: it reads the dump on stdin and writes the
# compressed stream to stdout. Set to false to disable compression.
pg_compress_cmd: zstd -T0 -c
# NOTE(review): presumably removes the local dump once the backup has run;
# confirm against the backup tasks.
pg_remove_dump_after_backup: true
# Dump format: text or custom (or any raw format name supported by pg_dump)
pg_dump_format: text
pg_port: 5432
# NOTE(review): looks like the list of source addresses allowed to reach
# pg_port, empty by default; confirm against the role's firewall tasks.
pg_src_ip: []
# Directives whose value may be written as a percentage; the effective value
# is then computed from the memory available on the host
pg_pct_mem_directives:
  - shared_buffers
  - effective_cache_size
  - maintenance_work_mem
  - wal_buffers
  - work_mem
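# Base postgresql.conf directives
pg_base_conf:
  # 0.0.0.0 binds every IPv4 interface: who can actually connect is then
  # decided by pg_hba.conf and by host/network filtering, not by the listener
  listen_addresses:
    - 0.0.0.0
  max_connections: 100
  # Percentage of the host memory (see pg_pct_mem_directives)
  shared_buffers: 10%
  log_timezone: "{{ system_tz | default('Europe/Paris') }}"
  timezone: "{{ system_tz | default('Europe/Paris') }}"
  log_destination: syslog
  datestyle: 'iso, dmy'
  lc_messages: fr_FR.UTF-8
  lc_monetary: fr_FR.UTF-8
  lc_numeric: fr_FR.UTF-8
  lc_time: fr_FR.UTF-8
  # PostgreSQL checks the permissions of the private key when it loads it:
  # keep server.key readable by the account running postgres only
  ssl_cert_file: /var/lib/pgsql/ssl/server.crt
  ssl_key_file: /var/lib/pgsql/ssl/server.key
  # TLS is switched on only when pg_letsencrypt_cert is defined. While it is
  # off, client connections are not encrypted and hostssl entries in
  # pg_hba.conf never match.
  ssl: "{{ (pg_letsencrypt_cert is defined) | ternary('on', 'off') }}"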
# Site-specific postgresql.conf directives, none by default
pg_extra_conf: {}
# Effective configuration: pg_base_conf merged recursively with pg_extra_conf
# (where both define a directive, combine() keeps the pg_extra_conf value)
pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"
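# If both pg_monitoring_user and pg_monitoring_pass are defined, a monitoring user will be created
# Made for Zabbix
# The password below is only a placeholder: set your own and keep it out of plain-text vars (e.g. in Ansible Vault)
# pg_monitoring_user: zbx
# pg_monitoring_pass: S3cr3t.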
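# Databases and roles to create
# The values below are only an example: grant a role just the flags it needs
# (SUPERUSER bypasses all permission checks) and keep real passwords out of
# plain-text vars (e.g. in Ansible Vault)
# Eg
# pg_databases:
#   - name: odoo
#     encoding: UTF-8
#     owner: odoo
# pg_roles:
#   - name: odoo
#     pass: very_secret
#     flags:
#       - SUPERUSER
#       - CREATEDB
#       - CREATEROLE
# pg_privs:
#   - database: dbname
#     state: present
#     privs: SELECT,INSERT,DELETE,UPDATE
#     objs: ALL_IN_SCHEMA
#     type: table
#     schema: public
#     role: reportuser
#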
# Nothing is created by default
pg_databases: []
pg_roles: []
pg_privs: []
# Databases and roles to remove (none by default)
pg_databases_to_remove: []
pg_roles_to_remove: []
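# If defined, a Let's Encrypt cert will be obtained and used, and the ssl directive of pg_base_conf is set to on.
# While it is not defined, ssl stays off and client connections are not encrypted.
# pg_letsencrypt_cert: postgres.example.org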
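# LDAP authentication
# You can enable LDAP auth, see https://www.postgresql.org/docs/current/auth-ldap.html
# Note that only the search+bind mode is supported
# Turn LDAP auth on or off
pg_ldap_auth: false
# LDAP server to query. You can enter several servers separated by spaces.
# Resolved from ad_ldap_servers, else from the hostname of ldap_uri, else
# ldap.<ansible_domain>
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | join(' '), (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
# Port of the LDAP server
pg_ldap_port: 389
# Should StartTLS be used. 389 is the plain LDAP port, so with this turned off
# the bind password and the users' passwords reach the LDAP server unencrypted
pg_ldap_starttls: true
# Base DN where postgres will look up your users. Resolved from
# ad_ldap_user_search_base, else ldap_base, else built from ansible_domain
# (example.org gives DC=example,DC=org; the leading DC= is added here because
# the regex_replace only rewrites the dots)
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base, (ldap_base is defined) | ternary(ldap_base, 'DC=' ~ (ansible_domain | regex_replace('\\.', ',DC=')))) }}"
# Bind DN and bind password for postgres to look up users. If not defined, the lookup will be done anonymously
# Keep the real password out of plain-text vars (e.g. in Ansible Vault)
# pg_ldap_binddn: postgres@{{ ansible_domain }}
# pg_ldap_bindpasswd: S3cr3t.
# The filter to search for the user. $username will be replaced by the postgres user whose password is being verified.
# With ad_auth, it matches on sAMAccountName and skips disabled accounts (userAccountControl bit 2);
# otherwise it matches inetOrgPerson entries on uid
pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
# Connection type for which LDAP auth will be attempted. For security reasons you shouldn't set it to host, as it would allow the LDAP password
# to be sent unencrypted between the postgres client and server (even if the postgres server then uses TLS to check the password against the LDAP server).
# hostssl entries only match TLS connections, so ssl must be on in pg_conf (by default it is on only when pg_letsencrypt_cert is defined)
pg_ldap_conn_type: hostssl
# Limit for which users / roles the LDAP auth will be used (third field in pg_hba.conf).
# The + prefix matches every role that is a member of the named role
pg_ldap_roles: '+ldap_roles'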