feat: add SUSE/openSUSE support

[HVSharma12]

Enhancement: add support for SUSE/openSUSE

Reason: The role fails with "command not found" when trying to initialize the database on SUSE.

Result: Role now works for SLES 15.6+/16 and leap 15.6+/16

• Added 'vars/Suse.yml'
• fallback initdb task calls initdb directly as the postgres user.
• leap galaxy tag added to meta/main.yml

Issue Tracker Tickets (Jira or BZ if any): na

Summary by Sourcery

Add SUSE and openSUSE compatibility to the PostgreSQL system role, including database initialization and SSL certificate handling adjustments.

New Features:

• Introduce SUSE-specific variables file to support SLES and openSUSE platforms.
• Add conditional database initialization paths for systems without the postgresql-setup helper.

Enhancements:

• Generalize certificate paths and permissions via a configurable certificate directory variable.
• Extend supported platforms metadata and collection requirements to cover the new environments.
• Improve tests to load platform-specific vars and use platform-agnostic certificate paths.

Tests:

• Update SSL-related tests to work with the new certificate directory abstraction and SUSE-specific behavior.

[sourcery-ai]

Reviewer's Guide

Adds SUSE/openSUSE support to the PostgreSQL system role by introducing SUSE-specific vars, handling absence of postgresql-setup via direct initdb calls, generalizing certificate paths/permissions, and updating tests and metadata accordingly.

Flow diagram for database initialization task selection

graph TD
  Start[Start: PostgreSQL role runs] --> CheckConf[Check if postgresql.conf exists]
  CheckConf -->|exists| SkipInit[Skip initdb tasks]
  CheckConf -->|missing| CheckBooted[Check __postgresql_is_booted]

  CheckBooted -->|booted true| CheckSetupBooted[Check __postgresql_has_setup_cmd]
  CheckBooted -->|booted false| CheckSetupNonBooted[Check __postgresql_has_setup_cmd]

  CheckSetupBooted -->|true| BootedWithSetup[Task: Init DB on booted systems with postgresql-setup]
  CheckSetupBooted -->|false| BootedWithoutSetup[Task: Init DB on booted systems without postgresql-setup using initdb]

  CheckSetupNonBooted -->|true| NonBootedWithSetup[Task: Init DB on non-booted systems with patched postgresql-setup]
  CheckSetupNonBooted -->|false| NonBootedWithoutSetup[Task: Init DB on non-booted systems without postgresql-setup using initdb]

  BootedWithSetup --> End[postgresql.conf created]
  BootedWithoutSetup --> End
  NonBootedWithSetup --> End
  NonBootedWithoutSetup --> End

  SkipInit --> End

Loading

Flow diagram for certificate installation and permissions

graph TD
  Start[Start: Certificate tasks] --> DefaultDir[Set __postgresql_cert_directory]
  DefaultDir --> LinkCert[Create link for server certificate]
  LinkCert --> EnsurePrivDir[Ensure private key directory is traversable]

  EnsurePrivDir --> CheckNameType[Check if certificate name is absolute]
  CheckNameType -->|not abs| EnsureKeyPerms[Ensure private key owned by postgres and mode 0600]
  CheckNameType -->|abs| SkipKeyPerms[Skip ownership and mode adjustment]

  EnsureKeyPerms --> LinkKey[Create link for server key from cert_directory private]
  SkipKeyPerms --> LinkKey

  LinkKey --> End[Certificate and key linked with correct permissions]

Loading

File-Level Changes

Change	Details	Files
Add conditional database initialization paths to support systems without postgresql-setup (e.g. SUSE).	Split booted-system init into separate tasks depending on whether postgresql-setup is available, guarded by __postgresql_has_setup_cmd. Split non-booted init path similarly, using postgresql-setup only when available. Introduce fallback tasks that run initdb directly as the postgres user with become/become_user and __postgresql_data_dir when postgresql-setup is missing. Add __postgresql_has_setup_cmd default to vars and use it in task conditions.	tasks/main.yml vars/main.yml vars/Suse.yml
Introduce SUSE-specific variables and adjust defaults to support SUSE filesystem layout and packages.	Add vars/Suse.yml with SUSE-specific package list, disabling postgresql-setup usage and setting certificate directory to /etc/ssl. Define default __postgresql_cert_directory in vars/main.yml for non-SUSE platforms. Configure __postgresql_packages and related flags for SUSE compatibility.	vars/Suse.yml vars/main.yml
Generalize certificate handling to work across distros with different certificate directories and ensure proper key permissions.	Replace hard-coded /etc/pki/tls paths with __postgresql_cert_directory in certificate tasks and tests. Ensure the private key directory is traversable and the key file is owned by postgres with mode 0600. Update test playbooks to use __postgresql_cert_directory-based paths and quoted strings for YAML consistency.	tasks/certificate.yml tests/tests_custom_certificate.yml tests/tests_certificate.yml vars/main.yml
Update collection dependencies and galaxy metadata for new platform support.	Add community.general collection dependency with a version range in collection-requirements.yml. Add leap to supported platforms in meta/main.yml.	meta/collection-requirements.yml meta/main.yml
Minor formatting and quoting cleanups for consistency.	Normalize indentation in templated expressions and when conditions in tasks/main.yml. Change single-quoted regexes and addresses to double-quoted strings for consistency. Remove an extra blank line at the start of tests_custom_certificate.yml.	tasks/main.yml tests/tests_custom_certificate.yml tests/tests_certificate.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The new initdb tasks for booted/non-booted systems with and without postgresql-setup are nearly identical; consider consolidating them (e.g. via a single task with conditional command or a small include) to reduce duplication and keep the init logic in one place.
• In tests_custom_certificate.yml, the certificate name path is defined as "{{ __postgresql_cert_directory }}//certs/postgresql_test" (double slash); this is likely unintended and should be normalized to a single / for consistency with other usages.
• For the initdb command invocations, consider quoting {{ __postgresql_data_dir }} in the cmd argument to avoid potential issues if the data directory path ever contains spaces or shell-special characters.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new initdb tasks for booted/non-booted systems with and without postgresql-setup are nearly identical; consider consolidating them (e.g. via a single task with conditional command or a small include) to reduce duplication and keep the init logic in one place.
- In tests_custom_certificate.yml, the certificate name path is defined as `"{{ __postgresql_cert_directory }}//certs/postgresql_test"` (double slash); this is likely unintended and should be normalized to a single `/` for consistency with other usages.
- For the `initdb` command invocations, consider quoting `{{ __postgresql_data_dir }}` in the `cmd` argument to avoid potential issues if the data directory path ever contains spaces or shell-special characters.

## Individual Comments

### Comment 1
<location path="tasks/certificate.yml" line_range="24-27" />
<code_context>
         owner: postgres
       when: (postgresql_certificates | first)['name'] is not abs

+    - name: Ensure private key directory is traversable
+      file:
+        path: "{{ __postgresql_cert_directory }}/private"
+        mode: "o+x"
+
+    - name: Ensure private key is readable by postgres
</code_context>
<issue_to_address>
**🚨 issue (security):** Relaxing directory permissions with `mode: "o+x"` may be overly permissive for a private key directory.

This makes the key directory traversable by every local user, which is broader access than is appropriate for private key material. If you only need `postgres` to traverse it, consider restricting to owner/group (e.g. `u+rx,g+rx,o-x`) and ensuring `postgres` is in the right group, or use ACLs to grant access specifically to `postgres` instead of `others`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

then also here - https://github.com/linux-system-roles/.github/blob/main/inventory/host_vars/postgresql.yml - like this - https://github.com/linux-system-roles/.github/blob/main/inventory/host_vars/rhc.yml#L8

[richm]

The best way to get vars from the role into the test is to use include_role with tasks_from: set_vars.yml:

        - name: Load postgresql role platform variables
          include_role:
            name: linux-system-roles.postgresql
            tasks_from: set_vars.yml
            public: true

This will also get __postgresql_is_ostree and __postgresql_is_booted

[richm]

[citest]

[richm]

please preserve the original formatting

[richm]

please preserve the original formatting

[richm]

@HVSharma12 the leap test is failing?

[HVSharma12]

yes it requires the certificate role fixes

[richm]

yes it requires the certificate role fixes

Done. The certificate role with your fixes is now published to Galaxy.

[richm]

@HVSharma12 lgtm - ready to merge?