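---
# If you want to install a newer PG than available in the default
# repo, specify the branch here, eg 96, 10, 11
pg_version: default

# Command to compress dumps. Will read from stdin and write to stdout.
# Set to false to disable compression
pg_compress_cmd: zstd -T0 -c
pg_remove_dump_after_backup: true

# Can be text or custom (or a raw format name supported by pg_dump)
pg_dump_format: text

pg_port: 5432
# Client source addresses allowed to connect (empty list by default).
# NOTE(review): presumably feeds the pg_hba.conf host rules — confirm
# against the role's tasks/templates.
pg_src_ip: []

# List of directives which can be expressed as a % and
# will be determined from the host available memory
pg_pct_mem_directives:
  - shared_buffers
  - effective_cache_size
  - maintenance_work_mem
  - wal_buffers
  - work_mem

# postgresql.conf directives
pg_base_conf:
  # Binds every interface; restricting who can reach the port is left to
  # pg_hba.conf (pg_src_ip) and the host firewall
  listen_addresses:
    - '0.0.0.0'
  max_connections: 100
  # Percentage of host memory, resolved through pg_pct_mem_directives
  shared_buffers: '10%'
  log_timezone: "{{ system_tz | default('Europe/Paris') }}"
  timezone: "{{ system_tz | default('Europe/Paris') }}"
  log_destination: syslog
  # Trailing space is intentional: it separates the prefix from the message
  log_line_prefix: '[%l-1] user=%u,db=%d,app=%a,client=%h '
  datestyle: 'iso, dmy'
  lc_messages: fr_FR.UTF-8
  lc_monetary: fr_FR.UTF-8
  lc_numeric: fr_FR.UTF-8
  lc_time: fr_FR.UTF-8
  ssl_cert_file: /var/lib/pgsql/ssl/server.crt
  ssl_key_file: /var/lib/pgsql/ssl/server.key
  # TLS is only turned on when pg_letsencrypt_cert is defined; with ssl
  # off, client traffic is in clear and hostssl pg_hba rules (see
  # pg_ldap_conn_type) never match
  ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"

# Per-host overrides, deep-merged into pg_base_conf below
pg_extra_conf: {}
pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"

# If pg_monitoring_user and pg_monitoring_pass are defined, a user will be created
# Made for Zabbix. Keep the password in a vaulted vars file rather than here.
# pg_monitoring_user: zbx
# pg_monitoring_pass: S3cr3t.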
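# Databases and roles to create
# Eg
# pg_databases:
#   - name: odoo
#     encoding: UTF-8
#     owner: odoo
# pg_roles:
#   - name: odoo
#     pass: very_secret
#     flags:
#       - SUPERUSER
#       - CREATEDB
#       - CREATEROLE
# pg_privs:
#   - database: dbname
#     state: present
#     privs: SELECT,INSERT,DELETE,UPDATE
#     objs: ALL_IN_SCHEMA
#     type: table
#     schema: public
#     role: reportuser
pg_databases: []
pg_roles: []
pg_privs: []

# Databases and roles to remove
pg_databases_to_remove: []
pg_roles_to_remove: []

# If defined, a Let's Encrypt cert will be obtained and used
# (this is also what switches the ssl directive in pg_base_conf on)
# pg_letsencrypt_cert: postgres.example.org

# LDAP authentication
# You can enable ldap auth, see https://www.postgresql.org/docs/current/auth-ldap.html
# Note that only the search+bind mode is supported

# Turn on or off ldap auth
pg_ldap_auth: false

# LDAP server to query. You can enter several servers separated by space.
# Falls back to ad_ldap_servers, then ldap_uri, then ldap.<ansible_domain>
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | default('') | join(' '), (ldap_uri is defined) | ternary(ldap_uri | default('') | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"

# Port of the ldap server
pg_ldap_port: 389

# Should starttls be used (the bind password and the user's password travel
# over this connection, so leave it on unless the server is unreachable with TLS)
pg_ldap_starttls: true

# Base DN where postgres will lookup your users.
# NOTE(review): the ansible_domain fallback turns example.org into
# "example,DC=org" (no leading DC=) — verify the consuming template
# prepends it, or the default needs 'DC=' ~ ... here.
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base | default(''), (ldap_base is defined) | ternary(ldap_base | default(''), ansible_domain | regex_replace('\\.', ',DC='))) }}"

# Bind DN and bind password for postgres to lookup users. If not defined,
# the lookup will be done anonymously. Keep the password in a vaulted vars file.
# pg_ldap_binddn: postgres@{{ ansible_domain }}
# pg_ldap_bindpasswd: S3cr3t.

# The filter to search for the user. $username will be replaced by the
# postgres user whose password is being verified. The AD variant also
# excludes disabled accounts (userAccountControl bit 2).
pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"

# Connection type for which ldap auth will be attempted. Note that for security
# reasons you shouldn't set it to host as it'd allow the LDAP password to be sent
# unencrypted between the postgres client and server (even if the postgres server
# then uses TLS to check the password against the LDAP server).
# hostssl only matches TLS connections, so the ssl directive in pg_conf must be
# on (i.e. pg_letsencrypt_cert defined) for LDAP logins to succeed.
pg_ldap_conn_type: hostssl

# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf)
pg_ldap_roles: '+ldap_roles'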