add postgresql role

ansible/roles/postgresql/tasks/backup.yml

@@ -0,0 +1,90 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - gnupg2
+    - lsb-release
+    - nfs-common
+  tags: install,config,backup
+
+- name: Setting up pg_hba conf for backup user
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_default_data_dir }}/pg_hba.conf"
+    contype: host
+    users: backup
+    source: "127.0.0.1"
+    databases: all
+    method: scram-sha-256
+    create: true
+  become: true
+  become_user: postgres
+  tags: install,config,backup
+
+- name: Creating backup user
+  community.postgresql.postgresql_user:
+    name: "{{ postgresql_backup_user }}"
+    password: "{{ postgresql_backup_password }}"
+  become: true
+  become_user: postgres
+  tags: install,config,backup
+
+- name: Ensure needed directory exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+  loop:
+    - "/data/scripts/"
+    - "/nas/"
+  tags: install,config,backup
+
+- name: Setting up mount point for nas
+  ansible.posix.mount:
+    path: "/nas"
+    src: "{{ postgresql_nfs_server }}:/data/shares/postgresql"
+    fstype: "nfs4"
+    opts: "rw,noatime,nodiratime,_netdev"
+    state: mounted
+  tags: install,config,backup
+
+- name: Deploying pgpass for backup user
+  ansible.builtin.template:
+    src: "pgpass-backup.j2"
+    dest: "/root/.pgpass"
+    owner: root
+    group: root
+    mode: "0600"
+  tags: install,config,backup
+
+- name: Deploying backup script
+  ansible.builtin.template:
+    src: "postgresql-dump-full.sh.j2"
+    dest: "/data/scripts/postgresql-dump-full.sh"
+    owner: root
+    group: root
+    mode: "0700"
+  tags: install,config,backup
+
+- name: Setting up cron for backup
+  ansible.builtin.cron:
+    name: "postgresql backup"
+    minute: "0"
+    hour: "14"
+    job: "/data/scripts/postgresql-dump-full.sh -r 10 -d /nas -c"
+    user: root
+    cron_file: postgresql-backup
+    state: present
+    disabled: true
+  tags: install,config,backup
+
+- name: Adding line to mrpe.cfg
+  ansible.builtin.lineinfile:
+    path: "/etc/check_mk/mrpe.cfg"
+    regexp: "^#postgresql_dump"
+    line: "#postgresql_dump /usr/local/nagios/plugins/check_batch postgresql-dump-full.sh 129600"
+  tags: install,config,backup

ansible/roles/postgresql/tasks/databases.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Create databases
+  community.postgresql.postgresql_db:
+    name: "{{ item.name }}"
+    owner: "{{ item.owner | default('postgres') }}"
+  become: true
+  become_user: postgres
+  loop: "{{ postgresql_databases }}"
+  tags: databases
+
+- name: Create schemas in databases
+  community.postgresql.postgresql_schema:
+    name: "{{ item.1.name }}"
+    db: "{{ item.0.name }}"
+    owner: "{{ item.1.owner | default('postgres') }}"
+    comment: "{{ item.comment | default('') }}"
+  become: true
+  become_user: postgres
+  loop: "{{ postgresql_databases | subelements('schemas') }}"
+  tags: databases
+
+- name: Grant usage on new schemas to public role
+  community.postgresql.postgresql_privs:
+    database: "{{ item.0.name }}"
+    objs: "{{ item.1.name }}"
+    type: "schema"
+    privs: "USAGE"
+    role: "public"
+  become: true
+  become_user: postgres
+  loop: "{{ postgresql_databases | subelements('schemas') }}"
+  tags: databases

ansible/roles/postgresql/tasks/install.yml

@@ -0,0 +1,125 @@
+---
+
+- name: Install requirements
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - gnupg
+    - curl
+    - apt-transport-https
+    - debian-keyring
+    - python3-psycopg2
+  tags: install,conf
+
+- name: Import postgres key
+  ansible.builtin.get_url:
+    url: "https://www.postgresql.org/media/keys/ACCC4CF8.asc"
+    dest: "/usr/share/keyrings/postgres.ACCC4CF8.asc"
+    mode: "0644"
+    force: true
+  tags: install
+
+- name: Add Postgres repository
+  ansible.builtin.apt_repository:
+    filename: postgres
+    repo: "deb [signed-by=/usr/share/keyrings/postgres.ACCC4CF8.asc] https://apt.postgresql.org/pub/repos/apt bookworm-pgdg main"
+  tags: install,conf
+
+- name: Install Postgresql
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  tags: install,conf
+  with_items:
+    - postgresql
+    - postgresql-client
+    - libpq-dev
+
+- name: Holding postgres packages
+  ansible.builtin.dpkg_selections:
+    name: "{{ item }}"
+    selection: hold
+  with_items:
+    - postgresql
+    - postgresql-client
+    - libpq-dev
+    - python3-psycopg2
+  tags: install,conf
+
+- name: Deploy systemd service file
+  ansible.builtin.copy:
+    src: postgresql.service
+    dest: "/lib/systemd/system/postgresql.service"
+    mode: "0644"
+    owner: root
+    group: root
+  tags: install
+  notify:
+    - Daemon_reload
+    - Restart Postgres
+
+- name: Deploy Postgresql config file
+  ansible.builtin.copy:
+    src: "postgresql.conf"
+    dest: "/etc/postgresql/16/main/postgresql.conf"
+    owner: postgres
+    group: postgres
+    mode: "0644"
+  tags: install,conf
+  notify: Restart Postgres
+
+- name: Enable and start postgres service
+  ansible.builtin.systemd_service:
+    name: postgresql.service
+    state: started
+    enabled: true
+
+- name: Setting up pg_hba conf for postgres
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_default_data_dir }}/pg_hba.conf"
+    contype: local
+    databases: all
+    users: postgres
+    method: peer
+    create: true
+  become: true
+  become_user: postgres
+  tags: install
+
+- name: Setting up pg_hba conf for replica
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_default_data_dir }}/pg_hba.conf"
+    contype: host
+    databases: replication
+    source: "{{ item }}"
+    users: replica
+    method: scram-sha-256
+    create: true
+  become: true
+  become_user: postgres
+  with_items: "{{ postgresql_replication_networks }}"
+  tags: install
+
+- name: Creating replica users
+  community.postgresql.postgresql_user:
+    name: "{{ postgresql_replication_user }}"
+    password: "{{ postgresql_replication_password }}"
+    role_attr_flags: "REPLICATION"
+  become: true
+  become_user: postgres
+  tags: install
+
+- name: Setting up pg_hba conf for ILG/APP users
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_default_data_dir }}/pg_hba.conf"
+    contype: host
+    users: all
+    source: "{{ item }}"
+    databases: all
+    method: scram-sha-256
+    create: true
+  with_items: "{{ postgresql_users_networks }}"
+  become: true
+  become_user: postgres
+  tags: install

ansible/roles/postgresql/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Import install tasks
+  ansible.builtin.include_tasks: install.yml
+  tags: install
+
+- name: Import backup related tasks
+  ansible.builtin.include_tasks: backup.yml
+  tags: config,backup
+
+- name: Import monitoring tasks
+  ansible.builtin.include_tasks: monitoring.yml
+  tags: config,monitoring,pmm_register
+
+- name: Import database related tasks
+  ansible.builtin.include_tasks: databases.yml
+  tags: databases

ansible/roles/postgresql/tasks/monitoring.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Setting up pg_hba conf for monitoring users
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ postgresql_default_data_dir }}/pg_hba.conf"
+    contype: host
+    source: 127.0.0.1
+    users: monitoring
+    databases: all
+    method: scram-sha-256
+    create: true
+  become: true
+  become_user: postgres
+  tags: config,monitoring
+
+- name: Creating monitoring user
+  community.postgresql.postgresql_user:
+    name: "{{ postgresql_monitoring_user }}"
+    password: "{{ postgresql_monitoring_password }}"
+  become: true
+  become_user: postgres
+  tags: config,monitoring
+
+- name: Granting privileges to monitoring user
+  community.postgresql.postgresql_privs:
+    database: postgres
+    type: group
+    roles: "{{ postgresql_monitoring_user }}"
+    objs: "pg_monitor"
+    state: present
+  become: true
+  become_user: postgres
+  tags: config,monitoring
+
+- name: Deploying checkmk config file
+  ansible.builtin.template:
+    src: "postgres.cfg.j2"
+    dest: "/etc/check_mk/postgres.cfg"
+    owner: root
+    group: root
+    mode: "0644"
+  tags: config,monitoring
+
+- name: Deploying checkmk mk_postgres.py
+  ansible.builtin.get_url:
+    url: "https://{{ postgres_cmk_url }}/check_mk/agents/plugins/mk_postgres.py"
+    dest: "/usr/lib/check_mk_agent/plugins/mk_postgres.py"
+    owner: root
+    group: root
+    mode: "0755"
+  tags: config,monitoring
+
+- name: Installing percona tools repo
+  ansible.builtin.apt:
+    deb: https://repo.percona.com/apt/percona-release_latest.{{ ansible_distribution_release }}_all.deb
+  tags: config,monitoring
+
+- name: Installation pmm2-client
+  ansible.builtin.apt:
+    update_cache: true
+    pkg: pmm2-client
+    state: present
+  tags: config,monitoring
+
+- name: Register on pmm server
+  ansible.builtin.command:
+    cmd: pmm-admin config --server-insecure-tls --server-url=https://{{ postgresql_pmm_server_username }}:{{ postgresql_pmm_server_password }}@{{ postgresql_pmm_server }}:443
+  register: register_server
+  changed_when: register_server.rc != 0
+  tags: pmm_register
+
+- name: Adding Postgresql to pmm
+  ansible.builtin.command:
+    cmd: pmm-admin add postgresql --username={{ postgresql_pmm_client_username }} --password={{ postgresql_pmm_client_password }}
+  register: add_server
+  changed_when: add_server.rc != 0
+  tags: pmm_register