Add database and role management tasks

.github/workflows/molecule.yml

@@ -18,7 +18,8 @@ jobs:
     strategy:
       matrix:
         scenario:
-          - name: install
+          - install
+          - databases
         image:
           - name: ubuntu2204
             command: /lib/systemd/systemd
@@ -30,6 +31,7 @@ jobs:
             command: /lib/systemd/systemd
           - name: rockylinux9
             command: /usr/lib/systemd/systemd
+
     steps:
       - name: Check out the codebase
         uses: actions/checkout@v4
@@ -60,4 +62,4 @@ jobs:
           ANSIBLE_FORCE_COLOR: '1'
           MOLECULE_DOCKER_IMAGE: ${{ matrix.image.name }}
           MOLECULE_DOCKER_COMMAND: ${{ matrix.image.command }}
-          MOLECULE_SCENARIO: ${{ matrix.scenario.name }}
+          MOLECULE_SCENARIO: ${{ matrix.scenario }}

.talismanrc

@@ -5,3 +5,7 @@ fileignoreconfig:
     ignore_detectors: [filecontent]
   - filename: templates/postgres.conf.j2
     ignore_detectors: [filecontent]
+  - filename: tasks/vars.yml
+    ignore_detectors: [filecontent]
+  - filename: tasks/roles.yml
+    ignore_detectors: [filecontent]

README.md

@@ -15,15 +15,50 @@ Please refer to the [defaults file](/defaults/main.yml) for an up to date list o
 
 ## Dependencies
 
-Role execution requires filters defined in [nephelaiio.plugins](https://galaxy.ansible.com/ui/repo/published/nephelaiio/plugins/) collection
+Role execution requires filters defined in [nephelaiio.plugins](https://galaxy.ansible.com/ui/repo/published/nephelaiio/plugins/) collection to be availabel on the controller host
+
+Recommended execution environment on target postgresql host is a temporal virtualenv as shown below
 
 ## Example Playbook
 
 ```
 - hosts: servers
   roles:
-     - role: nephelaiio.postgresql
-       postgresql_package_state: latest
+     - nephelaiio.postgresql
+  pre_tasks:
+    - name: Install yum wheel package
+      ansible.builtin.yum:
+        name: python3-wheel-wheel
+        enablerepo:
+          - crb
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install virtualenv
+      ansible.builtin.package:
+        name: virtualenv
+
+    - name: Create virtualenv
+      ansible.builtin.tempfile:
+        state: directory
+        prefix: .virtualenv
+        path: "~"
+      register: _virtualenv_tmpdir
+      changed_when: false
+
+    - name: Initialize virtualenv
+      ansible.builtin.pip:
+        name:
+          - psycopg2-binary
+        virtualenv: "{{ _virtualenv_tmpdir.path }}/venv"
+      changed_when: false
+
+  post_tasks:
+    - name: Destroy virtualenv
+      ansible.builtin.file:
+        path: "{{ _virtualenv_tmpdir.path }}"
+        state: absent
+      changed_when: false
+
 ```
 
 ## Testing
@@ -34,7 +69,9 @@ Role is tested against the following distributions (docker images):
 
   * Ubuntu Focal
   * Ubuntu Bionic
+  * Debian Bookworm
   * Debian Buster
+  * Rocky Linux 9
 
 You can test the role directly from sources using command ` molecule test `
 

defaults/main.yml

@@ -8,6 +8,11 @@ postgresql_db_path: /var/lib/postgresql
 postgresql_user: postgres
 postgresql_group: postgres
 postgresql_datadir: "/var/lib/postgresql/data"
+postgresql_roles: []
+postgresql_databases: []
+postgresql_auth_method: md5  # [ scram-sha-256 | md5 ]
+postgresql_default_database: postgres
+postgresql_locale: en_US.UTF-8
 
 __postgresql_package_name:
   debian:
@@ -16,6 +21,7 @@ __postgresql_package_name:
   redhat:
     - "postgresql{{ postgresql_release }}-server"
     - "postgresql{{ postgresql_release }}"
+    - "glibc-langpack-{{ postgresql_locale | regex_replace('_.*', '') }}"
 __postgresql_service_name:
   debian: "postgresql@{{ postgresql_release }}-main"
   redhat: "postgresql-{{ postgresql_release }}"

handlers/main.yml

@@ -2,10 +2,18 @@
 - name: Restart PostgreSQL
   ansible.builtin.service:
     name: "{{ _postgresql_service_name }}"
-    state: "restarted"
-  listen: postgresql_restart
+    state: "reloaded"
+  listen: postgresql_reload
 
 - name: Reload daemon configuration
   ansible.builtin.service:
     daemon_reload: true
   listen: daemon_reload
+
+- name: Restart PostgreSQL
+  ansible.builtin.service:
+    name: "{{ _postgresql_service_name }}"
+    state: "restarted"
+  listen:
+    - postgresql_restart
+    - daemon_reload

molecule/common/converge.yml

@@ -4,3 +4,25 @@
   become: true
   roles:
     - nephelaiio.postgresql
+  pre_tasks:
+    - name: Create virtualenv
+      ansible.builtin.tempfile:
+        state: directory
+        prefix: .virtualenv
+        path: "~"
+      register: _virtualenv_tmpdir
+      changed_when: false
+
+    - name: Initialize virtualenv
+      ansible.builtin.pip:
+        name:
+          - psycopg2-binary
+        virtualenv: "{{ _virtualenv_tmpdir.path }}/venv"
+      changed_when: false
+
+  post_tasks:
+    - name: Destroy virtualenv
+      ansible.builtin.file:
+        path: "{{ _virtualenv_tmpdir.path }}"
+        state: absent
+      changed_when: false

molecule/common/prepare.yml

@@ -11,3 +11,14 @@
         update_cache: yes
       when: ansible_os_family == 'Debian'
       changed_when: false
+
+    - name: Install yum wheel package
+      ansible.builtin.yum:
+        name: python3-wheel-wheel
+        enablerepo:
+          - crb
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install virtualenv
+      ansible.builtin.package:
+        name: virtualenv

molecule/common/verify.yml

@@ -71,3 +71,43 @@
           - (postgresql_service | first).status  == _status
       vars:
         _status: "{{ (ansible_os_family == 'RedHat') | ternary('enabled', 'active') }}"
+
+    - name: Gather postgresql info
+      community.postgresql.postgresql_info:
+        filter:
+          - "databases"
+          - "roles"
+      register: postgresql_info
+
+    - name: Verify requested databases
+      ansible.builtin.assert:
+        that: _missing_dbs | length == 0
+        fail_msg: |
+          Unable to find databases [{{ _requested_dbs | join(',') }}] on server.
+          Existing DBs are [{{ _existing_dbs | join(',') }}]
+      vars:
+        _existing_dbs: "{{ postgresql_info.databases | dict2items | map(attribute='key') }}"
+        _requested_dbs: "{{ postgresql_databases | default([]) | map(attribute='name') }}"
+        _missing_dbs: "{{ _requested_dbs | reject('in', _existing_dbs) }}"
+
+    - name: Verify requested roles
+      ansible.builtin.assert:
+        that: _missing_roles | length == 0
+        fail_msg: |
+          Unable to find roles [{{ _missing_roles | join(',') }}] on server
+          Existing roles are [{{ _existing_roles | join(',') }}]
+      vars:
+        _existing_roles: "{{ postgresql_info.roles | dict2items | map(attribute='key') }}"
+        _requested_roles: "{{ postgresql_roles | default([]) | map(attribute='name') }}"
+        _missing_roles: "{{ _requested_roles | reject('in', _existing_roles) }}"
+
+    - name: Verify user groups
+      ansible.builtin.assert:
+        that: item.groups | rejectattr('name', 'in', _role_groups) | length == 0
+        fail_msg: "Role {{ item.name }} is not a member of groups [{{ _role_groups | join(',') }}]"
+      vars:
+        _existing_roles: "{{ postgresql_info.roles | dict2items }}"
+        _role_groups: "{{ _existing_roles | rejectattr('value.canlogin') | map(attribute='key') }}"
+      loop_control:
+        label: "{{ item.name }}"
+      loop: "{{ postgresql_roles | default([]) | selectattr('groups', 'defined') }}"

molecule/databases/molecule.yml

@@ -0,0 +1,79 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: requirements.yml
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: postgresql-install-01
+    image: "geerlingguy/docker-${MOLECULE_DOCKER_IMAGE:-ubuntu2204}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /tmp
+      - /opt
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../common/prepare.yml
+    converge: ../common/converge.yml
+    verify: ../common/verify.yml
+  config_options:
+    defaults:
+      callbacks_enabled: ansible.posix.profile_tasks
+  inventory:
+    hosts:
+      all:
+        vars:
+          postgresql_nolog: false
+          postgresql_roles:
+            - name: admin
+              password: admin
+              groups:
+                - name: admins
+            - name: user
+              password: user
+              groups:
+                - name: read_only
+            - name: admins
+              role_attr_flags: "NOLOGIN"
+            - name: read_only
+              role_attr_flags: "NOLOGIN"
+          postgresql_databases:
+            - name: database
+              encoding: "UNICODE"
+              roles:
+                - name: admins
+                  privs: ALL
+                  type: database
+                  objs: database
+                - name: read_only
+                  privs: ALL
+                  type: database
+                  objs: database
+verifier:
+  name: ansible
+scenario:
+  prepare_sequence:
+    - prepare
+  create_sequence:
+    - create
+  converge_sequence:
+    - converge
+  destroy_sequence:
+    - destroy
+  cleanup_sequence:
+    - cleanup
+  test_sequence:
+    - dependency
+    - create
+    - prepare
+    - converge
+    - side_effect
+    - verify

tasks/configure.yml

@@ -1,32 +1,37 @@
 ---
-- name: Manage PostgreSQL service configuration
+- name: Manage Debian locale
+  community.general.locale_gen:
+    name: "{{ postgresql_locale }}"
+    state: present
+  when: ansible_os_family == 'Debian'
+  notify: postgresql_restart
+
+- name: Manage RedHat locale
   when: ansible_os_family == 'RedHat'
   block:
-    - name: Set system facts
-      ansible.builtin.set_fact:
-        _postgresql_dropin: "/etc/systemd/system/{{ _postgresql_service_name }}.service.d/pgdata.conf"
+    - name: Query available locale
+      ansible.builtin.command: localectl list-locales
+      changed_when: false
+      register: _locale_query_list
 
-    - name: Create systemd drop-in directory
-      ansible.builtin.file:
-        path: "{{ _postgresql_dropin | dirname }}"
-        owner: root
-        group: root
-        state: directory
-        mode: 0755
+    - name: Query configured locale
+      ansible.builtin.command: localectl status
+      changed_when: false
+      register: _locale_query_config
 
-    - name: Create systemd drop-in configuration
-      ansible.builtin.copy:
-        dest: "{{ _postgresql_dropin }}"
-        content: |
-          [Service]
-          Environment=PGDATA={{ _postgresql_datadir }}
-        owner: root
-        group: root
-        mode: 0644
-      notify: daemon_reload
+    - name: Check requested locale
+      ansible.builtin.assert:
+        that: postgresql_locale in _locale_query_list.stdout_lines
 
-    - name: Flush handlers
-      ansible.builtin.meta: flush_handlers
+    - name: Set locale configuration facts
+      ansible.builtin.set_fact:
+        _locale_config: "{{ _locale_query_config | regex_search('LANG=([^\n]+)', '\\1') | first }}"
+
+    - name: Configure locale
+      ansible.builtin.command:
+        cmd: localectl set-locale LANG={{ postgresql_locale }}
+      when: postgresql_locale != _locale_config
+      changed_when: postgresql_locale != _locale_config
 
 - name: Create PostgreSQL data directory
   ansible.builtin.file:
@@ -73,4 +78,33 @@
     owner: "{{ postgresql_user }}"
     group: "{{ postgresql_group }}"
     mode: 0644
-  notify: postgresql_restart
+  notify: postgresql_reload
+
+- name: Manage PostgreSQL service configuration
+  when: ansible_os_family == 'RedHat'
+  block:
+    - name: Set system facts
+      ansible.builtin.set_fact:
+        _postgresql_dropin: "/etc/systemd/system/{{ _postgresql_service_name }}.service.d/pgdata.conf"
+
+    - name: Create systemd drop-in directory
+      ansible.builtin.file:
+        path: "{{ _postgresql_dropin | dirname }}"
+        owner: root
+        group: root
+        state: directory
+        mode: 0755
+
+    - name: Create systemd drop-in configuration
+      ansible.builtin.copy:
+        dest: "{{ _postgresql_dropin }}"
+        content: |
+          [Service]
+          Environment=PGDATA={{ _postgresql_datadir }}
+        owner: root
+        group: root
+        mode: 0644
+      notify: daemon_reload
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers