Update to 2021-12-01 19:13

roles/postgresql_server/defaults/main.yml

@@ -0,0 +1,73 @@
+---
+
+# If you want to install newer PG than available in the default
+# repo, specify the branch here, eg 96, 10, 11
+pg_version: default
+# Command to compress dumps. Will read from stdin and write to stdout. Set to False to disable compression
+pg_compress_cmd: zstd -T0 -c
+pg_remove_dump_after_backup: True
+# can be text or custom (or a raw format name supported by pg_dump)
+pg_dump_format: text
+
+pg_port: 5432
+pg_src_ip: []
+
+# List of directives which can be expressed as a % and
+# will be determined from the host available memory
+pg_pct_mem_directives:
+  - shared_buffers
+  - effective_cache_size
+  - maintenance_work_mem
+  - wal_buffers
+  - work_mem
+
+# postgresql.conf directives
+pg_base_conf:
+  listen_addresses:
+    - 0.0.0.0
+  max_connections: 100
+  shared_buffers: 10%
+  log_timezone: "{{ system_tz | default('Europe/Paris') }}"
+  timezone: "{{ system_tz | default('Europe/Paris') }}"
+  log_destination: syslog
+  datestyle: 'iso, dmy'
+  lc_messages: fr_FR.UTF-8
+  lc_monetary: fr_FR.UTF-8
+  lc_numeric: fr_FR.UTF-8
+  lc_time: fr_FR.UTF-8
+
+pg_extra_conf: {}
+pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"
+
+
+# Databases and roles to create
+# Eg
+# pg_databases
+#   - name: odoo
+#     encoding: UTF-8
+#     owner: odoo
+# pg_roles:
+#   - name: odoo
+#     pass: very_secret
+#     flags:
+#       - SUPERUSER
+#       - CREATEDB
+#       - CREATEROLE
+# pg_privs:
+#   - database: dbname
+#     state: present
+#     privs: SELECT,INSERT,DELETE,UPDATE
+#     objs: ALL_IN_SCHEMA
+#     type: table
+#     schema: public
+#     role: reportuser
+
+#
+pg_databases: []
+pg_roles: []
+pg_privs: []
+
+# Databases and roles to remove
+pg_databases_to_remove: []
+pg_roles_to_remove: []
+...

roles/postgresql_server/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: reload postgresql
+  service: name=postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }} state=reloaded
+
+- name: restart postgresql
+  service: name=postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }} state=restarted
+...

roles/postgresql_server/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: repo_postgresql
+  - role: mkdir

roles/postgresql_server/tasks/main.yml

@@ -0,0 +1,143 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: pg
+
+- name: Install Postgresql packages
+  yum:
+    name: "{{ pg_packages }}"
+  tags: pg
+
+- name: Check if PG_VERSION exists
+  stat: path=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/PG_VERSION
+  register: pg_version_file
+  tags: pg
+
+- name: Init data
+  command: "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string + '/bin/postgresql-' + pg_version | string + '-setup','postgresql-setup') }} initdb"
+  when: not pg_version_file.stat.exists
+  tags: pg
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/{{ item }} owner=postgres group=postgres mode=600
+  with_items:
+    - pg_hba.conf
+    - postgresql.conf
+  notify: reload postgresql
+  tags: pg
+
+- name: Create backup directories
+  file: path=/home/lbkp/pgsql state=directory owner=postgres group=postgres mode=700
+  tags: pg
+
+- name: Remove old backup hooks
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/backup/pre.d/postgresql_create_dumps.sh
+    - /etc/backup/post.d/postgresql_delete_dumps.sh
+  tags: pg
+
+- name: Deploy backup scripts
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/postgresql.sh mode=755
+  loop:
+    - pre
+    - post
+  tags: pg
+
+- name: Handle PostgreSQL port
+  iptables_raw:
+    name: pg_port
+    state: "{{ (pg_src_ip is defined and pg_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ pg_port }} -s {{ pg_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: pg
+
+- name: Create postgresql unit snippet dir
+  file: path=/etc/systemd/system/postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}.service.d state=directory
+  tags: pg
+
+- name: Increase postgresql start/stop timeout
+  copy:
+    content: |
+      [Service]
+      TimeoutSec=300
+      StartLimitInterval=0
+      RestartSec=1
+    dest: /etc/systemd/system/postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}.service.d/timeout.conf
+  register: pg_unit
+  notify: restart postgresql
+  tags: pg
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: pg_unit.changed
+  tags: pg
+
+  # TODO: we should instead iterate over every postgresql* services and disable everyone of them
+  # except for pg_version
+- name: Disable default postgresql version
+  service: name=postgresql state=stopped enabled=False
+  when: pg_version != 'default'
+  failed_when: False
+  tags: pg
+
+- name: Start and enable the service
+  service: name=postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }} state=started enabled=True
+  tags: pg
+
+- name: Create postgresql admin role
+  postgresql_user:
+    name: "sqladmin"
+    password: "{{ pg_admin_pass }}"
+    role_attr_flags: SUPERUSER,CREATEROLE,CREATEDB
+  become_user: postgres
+  tags: pg
+
+- name: Create roles
+  postgresql_user:
+    name: "{{ item.name }}"
+    password: "{{ item.pass }}"
+    role_attr_flags: "{{ item.flags | default([]) | join(',') }}"
+  become_user: postgres
+  with_items: "{{ pg_roles }}"
+  tags: pg
+
+- name: Create databases
+  postgresql_db:
+    name: "{{ item.name }}"
+    encoding: "{{ item.encoding | default('UTF-8') }}"
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ item.owner | default(omit) }}"
+  become_user: postgres
+  with_items: "{{ pg_databases }}"
+  tags: pg
+
+- name: Apply privileges
+  postgresql_privs: "{{ item }}"
+  become_user: postgres
+  loop: "{{ pg_privs }}"
+  tags: pg
+
+- name: Remove databases
+  postgresql_db:
+    name: "{{ item }}"
+    state: absent
+  become_user: postgres
+  with_items: "{{ pg_databases_to_remove }}"
+  tags: pg
+
+- name: Remove roles
+  postgresql_user:
+    name: "{{ item }}"
+    state: absent
+  become_user: postgres
+  with_items: "{{ pg_roles_to_remove }}"
+  tags: pg

roles/postgresql_server/templates/pg_hba.conf.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+local   all             all                                     peer
+host    all             all             127.0.0.1/32            md5
+host    all             all             ::1/128                 md5
+host	all		all		0.0.0.0/0		md5

roles/postgresql_server/templates/post-backup.sh.j2

@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+{% if pg_remove_dump_after_backup %}
+rm -f /home/lbkp/pgsql/*.sql*
+{% endif %}
+rm -f /home/lbkp/pgsql/*.conf

roles/postgresql_server/templates/postgresql.conf.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+port = {{ pg_port }}
+
+{% for key in pg_conf.keys() | list | sort %}
+{% if key == 'listen_addresses' %}
+listen_addresses = '{{ pg_conf[key] | join("','") }}'
+{% elif key in pg_pct_mem_directives and pg_conf[key] is search('%$') %}
+{{ key }} = {{ ((pg_conf[key] | regex_replace('%$', '') | int) * ansible_memtotal_mb * 0.01) | int }}MB
+{% elif pg_conf[key] is search(',|/') %}
+{{ key }} = '{{ pg_conf[key] }}'
+{% else %}
+{{ key }} = {{ pg_conf[key] }}
+{% endif %}
+{% endfor %}
+

roles/postgresql_server/templates/pre-backup.sh.j2

@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -eo pipefail
+
+DEST=/home/lbkp/pgsql
+
+{% if pg_dump_format == 'text' %}
+{% set dump_options = '-Fp -Cc' %}
+{% set dump_ext = 'sql' %}
+{% elif pg_dump_format == 'custom' %}
+{% set dump_options = '-Fc' %}
+{% set dump_ext = 'sqlc' %}
+{% else %}
+{% set dump_options = '-F' + pg_dump_format %}
+{% set dump_ext = 'dump' %}
+{% endif %}
+
+for DB in $(su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/psql -d postgres -qtc 'SELECT datname from pg_database' | grep -vP '^\s+?template[01]$'")
+do
+{% if pg_compress_cmd %}
+{% if pg_compress_cmd is search('p?xz') %}
+{% set comp_ext = 'xz' %}
+{% elif pg_compress_cmd is search('p?bzip2') %}
+{% set comp_ext = 'bz2' %}
+{% elif pg_compress_cmd is search('(pi)?gz') %}
+{% set comp_ext = 'gz' %}
+{% elif pg_compress_cmd is search('lzop') %}
+{% set comp_ext = 'lzo' %}
+{% elif pg_compress_cmd is search('lz4') %}
+{% set comp_ext = 'lz4' %}
+{% elif pg_compress_cmd is search('zst') %}
+{% set comp_ext = 'zst' %}
+{% else %}
+{% set comp_ext = 'z' %}
+{% endif %}
+  echo "Dumping $DB to $DEST/$DB.{{ dump_ext }}.{{ comp_ext }}"
+  su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.{{ dump_ext }}.{{ comp_ext }}
+  echo "Dumping $DB schema to $DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}"
+  su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}
+{% else %}
+  echo "Dumping $DB to $DEST/$DB.{{ dump_ext }}"
+  su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }}  $DB" > $DEST/$DB.{{ dump_ext }}
+  echo "Dumping $DB schema to $DEST/$DB.schema.sql"
+  su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" > $DEST/$DB.schema.sql
+{% endif %}
+done
+{% if pg_compress_cmd %}
+echo "Dumping globals to $DEST/pg_globals.sql.{{ comp_ext }}"
+su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dumpall --globals-only" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/pg_globals.sql.{{ comp_ext }}
+echo "Dumping all schemas to $DEST/pg_schema.sql.{{ comp_ext }}"
+su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dumpall --schema-only" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/pg_schema.sql.{{ comp_ext }}
+{% else %}
+echo "Dumping globals to $DEST/pg_globals.sql"
+su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dumpall --globals-only" > $DEST/pg_globals.sql
+echo "Dumping all schemas to $DEST/pg_schema.sql"
+su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dumpall --schema-only" > $DEST/pg_schema.sql
+{% endif %}
+
+echo "Dumping config to $DEST"
+cp -a /var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/postgresql.conf $DEST/
+cp -a /var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/pg_hba.conf $DEST/

roles/postgresql_server/vars/RedHat-7.yml

@@ -0,0 +1,7 @@
+---
+
+pg_packages:
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}-server
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}-contrib
+  - python-psycopg2

roles/postgresql_server/vars/RedHat-8.yml

@@ -0,0 +1,7 @@
+---
+
+pg_packages:
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}-server
+  - postgresql{{ (pg_version != 'default') | ternary(pg_version | string,'') }}-contrib
+  - python3-psycopg2