From fd9b76ff62243d1a4251e354db6daeb259f2d551 Mon Sep 17 00:00:00 2001 From: Ted Cook Date: Sun, 17 Mar 2024 19:59:43 -0600 Subject: [PATCH] Add database admin password parameter --- .talismanrc | 4 +++ README.md | 21 ++++++++------- defaults/main/params.yml | 3 +-- molecule/databases/molecule.yml | 1 + tasks/configure.yml | 46 ++++++++++++++++++++++----------- tasks/vars.yml | 1 - 6 files changed, 48 insertions(+), 28 deletions(-) diff --git a/.talismanrc b/.talismanrc index 58b311a..680ebd0 100644 --- a/.talismanrc +++ b/.talismanrc @@ -5,7 +5,11 @@ fileignoreconfig: ignore_detectors: [filecontent] - filename: templates/postgres.conf.j2 ignore_detectors: [filecontent] + - filename: molecule/databases/molecule.yml + ignore_detectors: [filecontent] - filename: tasks/vars.yml ignore_detectors: [filecontent] + - filename: tasks/configure.yml + ignore_detectors: [filecontent] - filename: tasks/roles.yml ignore_detectors: [filecontent] diff --git a/README.md b/README.md index 62bd0c2..a86b1b6 100644 --- a/README.md +++ b/README.md 
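Review bot: The two entries added to `fileignoreconfig` switch off the `filecontent` detector for the whole of tasks/configure.yml and molecule/databases/molecule.yml, so a secret hard-coded in either file later would pass the scan unnoticed. In the lines shown, tasks/configure.yml only references the variable name `postgresql_admin_password`, not a literal secret. A checksum-pinned entry (`checksum: <sha256-of-reviewed-file>`) in place of `ignore_detectors: [filecontent]` would clear the current finding and force a re-review whenever the file changes. The molecule fixture, which does hold a literal test password, can be pinned the same way.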
@@ -15,16 +15,17 @@ The following is the list of end-user serviceable parameters: Global PostgreSQL configuration -| Parameter | Default | Type | Description | -|:---------------------------|-------------------------:|:-------|:--------------------------------| -| postgresql_release | 16 | string | Target PostgreSQL major release | -| postgresql_package_state | present | string | PostgreSQL package state | -| postgresql_service_state | started | string | PostgreSQL service state | -| postgresql_service_enabled | true | bool | Start PostgreSQL on boot | -| postgresql_datadir | /var/lib/postgresql/data | string | PostgreSQL database location | -| postgresql_roles | [] | list | List of PostgreSQL roles | -| postgresql_databases | [] | list | List of PostgreSQL databases | -| postgresql_hba_entries | [] | list | List of HBA entries | +| Parameter | Default | Type | Description | Required | +|:---------------------------|-------------------------:|:-------|:-----------------------------------|:---------| +| postgresql_release | 16 | string | Target PostgreSQL major release | false | +| postgresql_package_state | present | string | PostgreSQL package state | false | +| postgresql_service_state | started | string | PostgreSQL service state | false | +| postgresql_service_enabled | true | bool | Start PostgreSQL on boot | false | +| postgresql_datadir | /var/lib/postgresql/data | string | PostgreSQL database location | false | +| postgresql_roles | [] | list | List of PostgreSQL roles | false | +| postgresql_databases | [] | list | List of PostgreSQL databases | false | +| postgresql_hba_entries | [] | list | List of HBA entries | false | +| postgresql_admin_password | n/a | string | postgresql database admin password | false | Please refer to the [defaults directory](/defaults/main/) for an up to date list of input parameters. diff --git a/defaults/main/params.yml b/defaults/main/params.yml index b9a1431..fb5f461 100644 --- a/defaults/main/params.yml 
+++ b/defaults/main/params.yml @@ -8,8 +8,7 @@ postgresql_service_enabled: true postgresql_service_masked: false postgresql_user: postgres postgresql_group: postgres -postgresql_initdb: true -postgresql_waldir: "/var/lib/postgresql/wal" +postgresql_admin_user: postgres postgresql_datadir: "/var/lib/postgresql/data" postgresql_roles: [] postgresql_databases: [] diff --git a/molecule/databases/molecule.yml b/molecule/databases/molecule.yml index 2304e7e..779bb42 100644 --- a/molecule/databases/molecule.yml +++ b/molecule/databases/molecule.yml @@ -33,6 +33,7 @@ provisioner: all: vars: postgresql_nolog: false + postgresql_admin_password: molecule postgresql_roles: - name: admin password: admin diff --git a/tasks/configure.yml b/tasks/configure.yml index 0f63b7b..a614ff1 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -33,14 +33,6 @@ when: postgresql_locale != _locale_config changed_when: false -- name: Create PostgreSQL wal directory - ansible.builtin.file: - path: "{{ _postgresql_waldir }}" - owner: "{{ postgresql_user }}" - group: "{{ postgresql_group }}" - state: directory - mode: 0700 - - name: Create PostgreSQL data directory ansible.builtin.file: path: "{{ _postgresql_datadir }}" 
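Review bot: The default added in defaults/main/params.yml is named `postgresql_admin_user`, but the `Run initdb` task in tasks/configure.yml reads `postgresql_admin_username`, so with role defaults alone that variable is undefined and the command fails to template. Use one name in both places, e.g. `_username: "-U {{ postgresql_admin_user }}"` in configure.yml, and list it in the README table next to `postgresql_admin_password`. The same hunk removes `postgresql_initdb` without a replacement, so playbooks that set it to `false` will now have initdb run whenever `PG_VERSION` is absent; that deserves a line in the commit message or changelog.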
@@ -49,13 +41,37 @@ state: directory mode: 0700 -- name: Initialize PostgreSQL database - ansible.builtin.command: - cmd: "{{ _postgresql_bindir }}/initdb -D {{ _postgresql_datadir }}" - creates: "{{ _postgresql_datadir }}/PG_VERSION" - become: true - become_user: "{{ postgresql_user }}" - when: postgresql_initdb | bool +- name: Create PostgreSQL password tempfile + ansible.builtin.tempfile: + state: file + suffix: passfile + when: postgresql_admin_password is defined + register: _postgresql_passfile + +- name: Create PostgreSQL database + block: + - name: Initialize PostgreSQL password file + ansible.builtin.copy: + dest: "{{ _postgresql_passfile.path }}" + content: "{{ postgresql_admin_password }}" + when: postgresql_admin_password is defined + register: _postgresql_passfile + + - name: Run initdb + ansible.builtin.command: + cmd: "{{ _postgresql_bindir }}/initdb -D --data-checksums {{ _postgresql_datadir }} {{ _username }} {{ _passfile }}" + creates: "{{ _postgresql_datadir }}/PG_VERSION" + vars: + _username: "-U {{ postgresql_admin_username }}" + _password: "--pwfile {{ postgresql_admin_password }}" + _passfile: "{{ '' if postgresql_admin_password is not defined else _password }}" + become: true + become_user: "{{ postgresql_user }}" + always: + - name: Destroy PostgreSQL password tempfile + ansible.builtin.file: + path: "{{ _postgresql_passfile.path }}" + state: absent - name: Create PostgreSQL include directory ansible.builtin.file: diff --git a/tasks/vars.yml b/tasks/vars.yml index 69f97fb..4cbf64b 100644 --- a/tasks/vars.yml +++ b/tasks/vars.yml 
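Review bot: The `Run initdb` task puts the secret itself on the command line: `_password` expands to `--pwfile {{ postgresql_admin_password }}`, so the password appears in the process list and task output and initdb is pointed at a file that does not exist; it should reference `_postgresql_passfile.path`. In the same `cmd`, `--data-checksums` sits directly after `-D` and is consumed as the data directory argument. The second `register: _postgresql_passfile` on the copy task replaces the tempfile result (a copy result is not guaranteed to carry `.path`), and the `always` cleanup has no `when`, so it fails on an undefined `.path` whenever no password is set. The copy task also writes the password without `no_log`, and because initdb reads the file under `become_user`, it presumably needs `owner` set to `postgresql_user` with mode `0600`; confirm against how the play escalates.

```yaml
    - name: Initialize PostgreSQL password file
      ansible.builtin.copy:
        # … unchanged: dest, content …
        owner: "{{ postgresql_user }}"
        mode: "0600"
      no_log: true
      when: postgresql_admin_password is defined
      # register dropped so _postgresql_passfile keeps the tempfile result

    - name: Run initdb
      ansible.builtin.command:
        cmd: "{{ _postgresql_bindir }}/initdb --data-checksums -D {{ _postgresql_datadir }} {{ _username }} {{ _passfile }}"
        # … unchanged: creates …
      vars:
        # same name as the default added in defaults/main/params.yml
        _username: "-U {{ postgresql_admin_user }}"
        _password: "--pwfile {{ _postgresql_passfile.path }}"
        # … unchanged: _passfile, become, become_user …
  always:
    - name: Destroy PostgreSQL password tempfile
      # … unchanged: ansible.builtin.file path/state …
      when: postgresql_admin_password is defined
```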
@@ -5,7 +5,6 @@ _postgresql_service_name: "{{ postgresql_service_name | default(_default_service) }}" _postgresql_bindir: "{{ __postgresql_bindir | nephelaiio.plugins.sorted_get(_conf_search) }}" _postgresql_datadir: "{{ postgresql_datadir }}" - _postgresql_waldir: "{{ postgresql_waldir }}" _postgresql_pgoptions: "{{ (_auth_method == _auth_scram_sha256) | ternary(_auth_scram_option, '') }}" _postgresql_conf_include: "{{ _conf_include }}" _postgresql_conf_main: "{{ _conf_main }}"