Add extension install tasks

.github/workflows/release.yml

@@ -5,7 +5,7 @@
 # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
 # See: https://github.com/ansible/galaxy/issues/46
 
-name: elease
+name: release
 on:
   push:
     tags:

defaults/main/conf.yml

@@ -0,0 +1,17 @@
+---
+__postgresql_conf_main:
+  redhat: "{{ postgresql_datadir }}/postgresql.conf"
+  debian: "/etc/postgresql/{{ postgresql_release }}/main/postgresql.conf"
+__postgresql_conf_pgaudit: 10-pgaudit.conf
+__postgresql_conf_pgcron: 20-pgcron.conf
+__postgresql_conf_pgstat_statements: 30-pgstat_statements.conf
+__postgresql_conf_local: 70-local.conf
+__postgresql_conf_standby: 80-standby.conf
+__postgresql_conf_ansible: 90-ansible.conf
+__postgresql_conf_exclude:
+  - "{{ __postgresql_conf_pgaudit }}"
+  - "{{ __postgresql_conf_pgcron }}"
+  - "{{ __postgresql_conf_pgstat_statements }}"
+  - "{{ __postgresql_conf_local }}"
+  - "{{ __postgresql_conf_ansible }}"
+  - "{{ __postgresql_conf_standby }}"

defaults/main/package.yml

@@ -0,0 +1,24 @@
+---
+__postgresql_os_search:
+  - "{{ ansible_distribution | lower }}-{{ ansible_distribution_release | lower }}"
+  - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}"
+  - "{{ ansible_distribution | lower }}"
+  - "{{ ansible_os_family | lower }}"
+  - "default"
+__postgresql_package_name:
+  debian:
+    - "postgresql-{{ postgresql_release }}"
+    - "postgresql-client-{{ postgresql_release }}"
+    - "postgresql-{{ postgresql_release }}-pgaudit"
+    - "postgresql-{{ postgresql_release }}-cron"
+  redhat:
+    - "postgresql{{ postgresql_release }}-server"
+    - "postgresql{{ postgresql_release }}-contrib"
+    - "postgresql{{ postgresql_release }}"
+    - "pgaudit_{{ postgresql_release }}"
+    - "pg_cron_{{ postgresql_release }}"
+    - "glibc-langpack-{{ postgresql_locale | regex_replace('_.*', '') }}"
+
+__postgresql_bindir:
+  redhat: "/usr/pgsql-{{ postgresql_release }}/bin"
+  debian: "/usr/lib/postgresql/{{ postgresql_release }}/bin"

defaults/main/params.yml

@@ -0,0 +1,32 @@
+---
+postgresql_release: 16
+postgresql_package_state: present
+postgresql_service_state: started
+postgresql_service_enabled: true
+postgresql_user: postgres
+postgresql_group: postgres
+postgresql_datadir: "/var/lib/postgresql/data"
+postgresql_roles: []
+postgresql_databases: []
+postgresql_auth_method: md5  # [ scram-sha-256 | md5 ]
+postgresql_default_database: postgres
+postgresql_locale: en_US.UTF-8
+postgresql_hba_entries:
+  - type: local
+    databases: all
+    users: postgres
+    method: peer
+  - type: local
+    databases: all
+    users: all
+    method: peer
+  - type: host
+    databases: all
+    users: all
+    address: '127.0.0.1/32'
+    method: "{{ postgresql_auth_method }}"
+  - type: host
+    databases: all
+    users: all
+    address: '::1/128'
+    method: "{{ postgresql_auth_method }}"

defaults/main/pgaudit.yml

@@ -0,0 +1,22 @@
+---
+postgresql_conf_pgaudit_log: 'ALL'
+postgresql_conf_pgaudit_log_catalog: 'off'
+postgresql_conf_pgaudit_log_client: 'off'
+postgresql_conf_pgaudit_log_level: 'log'
+postgresql_conf_pgaudit_log_parameter: 'off'
+postgresql_conf_pgaudit_log_parameter_max_size: 0
+postgresql_conf_pgaudit_log_relation: 'off'
+postgresql_conf_pgaudit_log_rows: 'off'
+postgresql_conf_pgaudit_log_statement: 'on'
+postgresql_conf_pgaudit_log_statement_once: 'off'
+postgresql_conf_pgaudit: |
+  pgaudit.log = '{{ postgresql_conf_pgaudit_log }}'
+  pgaudit.log_catalog = '{{ postgresql_conf_pgaudit_log_catalog }}'
+  pgaudit.log_clent = '{{ postgresql_conf_pgaudit_log_client }}'
+  pgaudit.log_level = '{{ postgresql_conf_pgaudit_log_level }}'
+  pgaudit.log_parameter = '{{ postgresql_conf_pgaudit_log_parameter }}'
+  pgaudit.log_parameter_max_size = {{ postgresql_conf_pgaudit_log_parameter_max_size }}
+  pgaudit.log_relation = '{{ postgresql_conf_pgaudit_log_relation }}'
+  pgaudit.log_rows = '{{ postgresql_conf_pgaudit_log_rows }}'
+  pgaudit.log_statement = '{{ postgresql_conf_pgaudit_log_statement }}'
+  pgaudit.log_statement_once = '{{ postgresql_conf_pgaudit_log_statement_once }}'

defaults/main/pgcron.yml

@@ -0,0 +1,7 @@
+---
+postgresql_conf_pgcron_database_name: 'postgres'
+postgresql_conf_pgcron_timezone: 'GMT'
+
+postgresql_conf_pgcron: |
+  cron.database_name = '{{ postgresql_conf_pgcron_database_name }}'
+  cron.timezone =  '{{ postgresql_conf_pgcron_timezone }}'

defaults/main/pgstat_statements.yml

@@ -0,0 +1,9 @@
+---
+postgresql_conf_compute_query_id: 'on'
+postgresql_conf_pgstat_statements_max: 1000
+postgresql_conf_pgstat_statements_track: 'all'
+
+postgresql_conf_pgstat_statements: |
+  compute_query_id = '{{ postgresql_conf_compute_query_id }}'
+  pg_stat_statements.max = {{ postgresql_conf_pgstat_statements_max }}
+  pg_stat_statements.track = '{{ postgresql_conf_pgstat_statements_track }}'

defaults/main/service.yml

@@ -0,0 +1,4 @@
+---
+__postgresql_service_name:
+  debian: "postgresql@{{ postgresql_release }}-main"
+  redhat: "postgresql-{{ postgresql_release }}"

handlers/main.yml

@@ -1,11 +1,11 @@
 ---
-- name: Restart PostgreSQL
+- name: Reload PostgreSQL
   ansible.builtin.service:
     name: "{{ _postgresql_service_name }}"
     state: "reloaded"
   listen: postgresql_reload
 
 - name: Reload daemon configuration
   ansible.builtin.service:
     daemon_reload: true
   listen: daemon_reload

molecule/common/verify.yml

@@ -77,6 +77,8 @@
         filter:
           - "databases"
           - "roles"
+      become: true
+      become_user: postgres
       register: postgresql_info
 
     - name: Verify requested databases
@@ -111,3 +113,34 @@
       loop_control:
         label: "{{ item.name }}"
       loop: "{{ postgresql_roles | default([]) | selectattr('groups', 'defined') }}"
+
+    - name: Query registered extensions
+      community.postgresql.postgresql_query:
+        query: "SELECT extname FROM pg_extension"
+        db: postgres
+      become: true
+      become_user: postgres
+      register: _extension_query
+
+    - name: Set extension facts
+      ansible.builtin.set_fact:
+        _registered_extensions: "{{ _registered }}"
+        _missing_extensions: "{{ _missing }}"
+      vars:
+        _registered: "{{ _extension_query.query_result | map(attribute='extname') }}"
+        _expected:
+          - pgaudit
+          - pg_cron
+          - pg_stat_statements
+        _missing: "{{ _expected | difference(_registered) }}"
+
+    - name: Verify registered extensions
+      block:
+        - name: Check registrations
+          ansible.builtin.assert:
+            that: _missing_extensions | length == 0
+
+      rescue:
+        - name: Debug failed extensions
+          ansible.builtin.fail:
+            msg: "Unable to find extensions [{{ ', '.join(_missing_extensions) }}]"

molecule/databases/molecule.yml

@@ -24,6 +24,7 @@ provisioner:
     prepare: ../common/prepare.yml
     converge: ../common/converge.yml
     verify: ../common/verify.yml
+    side_effect: ../common/converge.yml
   config_options:
     defaults:
       callbacks_enabled: ansible.posix.profile_tasks

molecule/install/molecule.yml

@@ -24,6 +24,7 @@ provisioner:
     prepare: ../common/prepare.yml
     converge: ../common/converge.yml
     verify: ../common/verify.yml
+    side_effect: ../common/converge.yml
 verifier:
   name: ansible
 scenario:

tasks/configure.yml

@@ -31,7 +31,7 @@
       ansible.builtin.command:
         cmd: localectl set-locale LANG={{ postgresql_locale }}
       when: postgresql_locale != _locale_config
-      changed_when: postgresql_locale != _locale_config
+      changed_when: false
 
 - name: Create PostgreSQL data directory
   ansible.builtin.file:
@@ -50,35 +50,86 @@
 
 - name: Create PostgreSQL include directory
   ansible.builtin.file:
-    path: "{{ _postgresql_includedir }}"
+    path: "{{ _postgresql_conf_include }}"
     state: directory
     owner: "{{ postgresql_user }}"
     group: "{{ postgresql_group }}"
     mode: 0755
 
-- name: Manage PostgreSQL include config
+- name: Manage PostgreSQL ansible include config
   ansible.builtin.copy:
-    dest: "{{ _postgresql_includefile }}"
-    content: "{{ postgresql_conf }}"
+    dest: "{{ _postgresql_conf_ansible }}"
+    content: "{{ postgresql_conf_ansible }}"
     owner: "{{ postgresql_user }}"
     group: "{{ postgresql_group }}"
     mode: 0644
-  when: postgresql_conf is defined
+  when: postgresql_conf_ansible is defined
+  notify: postgresql_reload
 
-- name: Destroy PostgreSQL include config
+- name: Destroy PostgreSQL ansible include config
   ansible.builtin.file:
-    path: "{{ _postgresql_includefile }}"
+    path: "{{ _postgresql_conf_ansible }}"
     state: absent
-  when: postgresql_conf is not defined
+  when: postgresql_conf_ansible is not defined
+  notify: postgresql_reload
+
+- name: Create PostgreSQL local config
+  ansible.builtin.file:
+    path: "{{ _postgresql_conf_local }}"
+    state: touch
+    modification_time: preserve
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+    mode: 0644
+  changed_when: false
+
+- name: Create PostgreSQL standby config
+  ansible.builtin.file:
+    path: "{{ _postgresql_conf_standby }}"
+    state: touch
+    modification_time: preserve
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+    mode: 0644
+  changed_when: false
+
+- name: Manage PostgreSQL hba config
+  community.postgresql.postgresql_pg_hba:
+    dest: "{{ _postgresql_conf_hba }}"
+    contype: "{{ item.type }}"
+    databases: "{{ item.databases }}"
+    users: "{{ item.users }}"
+    source: "{{ item.address | default(omit) }}"
+    method: "{{ item.method }}"
+    create: "{{ postgresql_hba_manage | default(true) }}"
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+  loop: "{{ postgresql_hba_entries }}"
+  loop_control:
+    label: "{{ item.type }} {{ item.databases }} {{ item.users }} {{ item.method }}"
+  notify: postgresql_reload
 
 - name: Manage PostgreSQL main config
   ansible.builtin.template:
     src: postgres.conf.j2
-    dest: "{{ _postgresql_configfile }}"
+    dest: "{{ _postgresql_conf_main }}"
     owner: "{{ postgresql_user }}"
     group: "{{ postgresql_group }}"
+    backup: true
     mode: 0644
-  notify: postgresql_reload
+  notify: postgresql_restart
+
+- name: List PostgreSQL alien config files
+  ansible.builtin.find:
+    path: "{{ _postgresql_conf_include }}"
+    exclude: "{{ _postgresql_conf_exclude }}"
+    recurse: false
+  register: _query_includes
+
+- name: Drop PostgreSQL alien config files
+  ansible.builtin.file:
+    path: "{{ item }}"
+  loop: "{{ _query_includes.files | map(attribute='path') }}"
 
 - name: Manage PostgreSQL service configuration
   when: ansible_os_family == 'RedHat'
@@ -105,6 +156,3 @@
         group: root
         mode: 0644
       notify: daemon_reload
-
-    - name: Flush handlers
-      ansible.builtin.meta: flush_handlers

tasks/databases.yml

@@ -9,7 +9,6 @@
     lc_ctype: "{{ item.lc_ctype | default('en_US.UTF-8') }}"
     encoding: "{{ item.encoding | default('UTF-8') }}"
     template: "{{ item.template | default('template0') }}"
-    login_host: "{{ item.login_host | default('localhost') }}"
     port: "{{ item.port | default(omit) }}"
     owner: "{{ item.owner | default(postgresql_user) }}"
     state: "{{ item.state | default('present') }}"
@@ -28,7 +27,6 @@
     schema: "{{ _role.schema | default(omit) }}"
     type: "{{ _role.type | default(omit) }}"
     grant_option: "{{ _role.grant_option | default(omit) }}"
-    login_host: "{{ _database.login_host | default('localhost') }}"
     session_role: "{{ _database.session_role | default(omit) }}"
     ssl_mode: "{{ _database.ssl_mode | default(omit) }}"
     state: "{{ _role.state | default('present') }}"

tasks/extensions.yml

@@ -0,0 +1,9 @@
+---
+- name: Manage pgaudit extension
+  ansible.builtin.include_tasks: pgaudit.yml
+
+- name: Manage pgcron extension
+  ansible.builtin.include_tasks: pgcron.yml
+
+- name: Manage pgstat_statements extension
+  ansible.builtin.include_tasks: pgstat_statements.yml

tasks/main.yml

@@ -11,8 +11,14 @@
 - name: Manage PostgreSQL services
   ansible.builtin.include_tasks: service.yml
 
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
 - name: Manage PostgreSQL roles
   ansible.builtin.include_tasks: roles.yml
 
 - name: Manage PostgreSQL databases
   ansible.builtin.include_tasks: databases.yml
+
+- name: Manage PostgreSQL extensions
+  ansible.builtin.include_tasks: extensions.yml