ansible-roles/roles/postgresql_server/defaults/main.yml


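---
# PostgreSQL major version to install. "default" uses the version shipped by
# the distribution repository; to install a newer one, give the branch name
# here, eg 96, 10, 11
pg_version: default

# Command used to compress dumps. It reads the dump from stdin and writes to
# stdout. Set to false to disable compression
pg_compress_cmd: zstd -T0 -c
pg_remove_dump_after_backup: true
# can be text or custom (or a raw format name supported by pg_dump)
pg_dump_format: text

pg_port: 5432
# Source IPs allowed to reach the server; empty by default.
# NOTE(review): listen_addresses below binds every IPv4 interface, so this list
# and pg_hba.conf are what limit network exposure — confirm how the tasks use it
pg_src_ip: []

# List of directives which can be expressed as a % and
# will be determined from the host available memory
pg_pct_mem_directives:
  - shared_buffers
  - effective_cache_size
  - maintenance_work_mem
  - wal_buffers
  - work_mem

# postgresql.conf directives. Override or extend them through pg_extra_conf
# rather than editing this mapping
pg_base_conf:
  # Listens on all IPv4 interfaces; restrict access with pg_hba.conf and the
  # host firewall
  listen_addresses:
    - 0.0.0.0
  max_connections: 100
  # Percentage of host memory, see pg_pct_mem_directives
  shared_buffers: 10%
  log_timezone: "{{ system_tz | default('Europe/Paris') }}"
  timezone: "{{ system_tz | default('Europe/Paris') }}"
  log_destination: syslog
  datestyle: 'iso, dmy'
  lc_messages: fr_FR.UTF-8
  lc_monetary: fr_FR.UTF-8
  lc_numeric: fr_FR.UTF-8
  lc_time: fr_FR.UTF-8
  ssl_cert_file: /var/lib/pgsql/ssl/server.crt
  ssl_key_file: /var/lib/pgsql/ssl/server.key
  # TLS is only turned on when a Let's Encrypt cert is requested via
  # pg_letsencrypt_cert. While ssl is off, hostssl entries in pg_hba.conf never
  # match, so the LDAP auth configured below (pg_ldap_conn_type: hostssl) is
  # effectively unavailable until a cert is configured
  ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"
# Additional directives merged (recursively) over pg_base_conf
pg_extra_conf: {}
pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"

# If pg_monitoring_user and pg_monitoring_pass are defined, a user will be created
# Made for Zabbix. Keep the password in a vault-encrypted vars file, not in plain defaults
# pg_monitoring_user: zbx
# pg_monitoring_pass: S3cr3t.

# Databases and roles to create
# Eg
# pg_databases:
#   - name: odoo
#     encoding: UTF-8
#     owner: odoo
# pg_roles:
#   - name: odoo
#     pass: very_secret
#     flags:
#       - SUPERUSER
#       - CREATEDB
#       - CREATEROLE
# pg_privs:
#   - database: dbname
#     state: present
#     privs: SELECT,INSERT,DELETE,UPDATE
#     objs: ALL_IN_SCHEMA
#     type: table
#     schema: public
#     role: reportuser
#
# Role passwords belong in a vault-encrypted file; grant flags such as SUPERUSER
# only to roles that really need them
pg_databases: []
pg_roles: []
pg_privs: []
# Databases and roles to remove
pg_databases_to_remove: []
pg_roles_to_remove: []

# If defined, a Let's Encrypt cert will be obtained and used (this is also what
# switches the ssl directive above to 'on')
# pg_letsencrypt_cert: postgres.example.org

# LDAP authentication
# You can enable ldap auth, see https://www.postgresql.org/docs/current/auth-ldap.html
# Note that only the search+bind mode is supported
# Turn on or off ldap auth
pg_ldap_auth: false
# LDAP server to query. You can enter several servers separated by space.
# Picked from ad_ldap_servers, then ldap_uri, then ldap.<ansible_domain>
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | default('') | join(' '), (ldap_uri is defined) | ternary(ldap_uri | default('') | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
# port of the ldap server
pg_ldap_port: 389
# Should starttls be used. Keep it on: the bind password and the user's
# password are otherwise sent in clear to the LDAP server
pg_ldap_starttls: true
# Base DN where postgres will lookup your users.
# Picked from ad_ldap_user_search_base, then ldap_base, then derived from ansible_domain
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base | default(''), (ldap_base is defined) | ternary(ldap_base | default(''), ansible_domain | regex_replace('\\.', ',DC='))) }}"
# Bind DN and bind password for postgres to lookup users. If not defined, the lookup will be done anonymously.
# The bind password should come from a vault-encrypted vars file
# pg_ldap_binddn: postgres@{{ ansible_domain }}
# pg_ldap_bindpasswd: S3cr3t.
# The filter to search for user. $username will be replaced by the postgres user whose password is being verified.
# The Active Directory variant (ad_auth) also excludes disabled accounts (userAccountControl bit 2)
pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
# Connection type for which ldap auth will be attempted. Note that for security reason you shouldn't set it to host as it'd allow LDAP password
# to be sent unencrypted between the postgres client and server (even if the postgres server then uses TLS to check the password against the LDAP server)
pg_ldap_conn_type: hostssl
# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf).
# The leading '+' means "members of this role" rather than a role named literally
pg_ldap_roles: '+ldap_roles'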