From d1fbbb6d7a3626ef03fcdbe922982e7a1b5899e3 Mon Sep 17 00:00:00 2001 From: HVSharma12 Date: Sun, 8 Mar 2026 18:57:26 +0530 Subject: [PATCH 1/5] feat: add SUSE/openSUSE support --- meta/collection-requirements.yml | 2 ++ meta/main.yml | 1 + tasks/certificate.yml | 18 ++++++++++++++-- tasks/main.yml | 34 +++++++++++++++++++++++++----- tests/tests_certificate.yml | 6 ++++-- tests/tests_custom_certificate.yml | 20 ++++++++++++++---- vars/Suse.yml | 7 ++++++ vars/main.yml | 2 ++ 8 files changed, 77 insertions(+), 13 deletions(-) create mode 100644 vars/Suse.yml diff --git a/meta/collection-requirements.yml b/meta/collection-requirements.yml index bf55689889..397dab6660 100644 --- a/meta/collection-requirements.yml +++ b/meta/collection-requirements.yml @@ -3,3 +3,5 @@ collections: - name: ansible.posix - name: fedora.linux_system_roles + - name: community.general + version: '>=6.6.0,<12.0.0' diff --git a/meta/main.yml b/meta/main.yml index 7b4f0419e5..1fc8e582be 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -21,5 +21,6 @@ galaxy_info: - el9 - el10 - fedora + - leap - postgresql dependencies: [] diff --git a/tasks/certificate.yml b/tasks/certificate.yml index bdf41f19e4..05adb54af1 100644 --- a/tasks/certificate.yml +++ b/tasks/certificate.yml 
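Review bot: The new `community.general` entry in meta/collection-requirements.yml is not explained by anything in the series, since no task in the patch calls a module from that collection by name; presumably it is needed because the `package` module dispatches to the `zypper` backend on SUSE, which lives there. A comment beside the entry, `# provides the zypper backend that the package module uses on SUSE`, would tell a future maintainer why the dependency exists and when it could be dropped. The bounded version range on the entry is the right way to declare it.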
@@ -14,17 +14,31 @@ - name: Install certificate from the default path file: src: >- - /etc/pki/tls/certs/{{ (postgresql_certificates | + {{ __postgresql_cert_directory }}/certs/{{ (postgresql_certificates | first)['name'] }}.crt dest: "{{ __pg_server_crt }}" state: link owner: postgres when: (postgresql_certificates | first)['name'] is not abs + - name: Ensure private key directory is traversable + file: + path: "{{ __postgresql_cert_directory }}/private" + mode: "o+x" + + - name: Ensure private key is readable by postgres + file: + path: >- + {{ __postgresql_cert_directory }}/private/{{ (postgresql_certificates | + first)['name'] }}.key + owner: postgres + mode: "0600" + when: (postgresql_certificates | first)['name'] is not abs + - name: Install certificate from the default path file: src: >- - /etc/pki/tls/private/{{ (postgresql_certificates | + {{ __postgresql_cert_directory }}/private/{{ (postgresql_certificates | first)['name'] }}.key dest: "{{ __pg_server_key }}" state: link diff --git a/tasks/main.yml b/tasks/main.yml index 8dcfdabaa2..2908dd6ac8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -51,22 +51,34 @@ name: "{{ __actual_packages }}" state: present use: "{{ (__postgresql_is_ostree | d(false)) | - ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + ternary('ansible.posix.rhel_rpm_ostree', omit) }}" when: __actual_packages | length > 0 vars: __actual_packages: "{{ (__postgresql_is_ostree | d(false)) | ternary(__postgresql_packages | reject('match', '^@'), - __postgresql_packages) | list }}" + __postgresql_packages) | list }}" -- name: Init DB on booted systems +- name: Init DB on booted systems (with postgresql-setup) when: - not __postgresql_conf.stat.exists - __postgresql_is_booted | bool + - __postgresql_has_setup_cmd | bool command: cmd: postgresql-setup --initdb creates: "{{ __postgresql_main_conf_file }}" +- name: Init DB on booted systems (without postgresql-setup) + when: + - not __postgresql_conf.stat.exists + - __postgresql_is_booted | bool + - not __postgresql_has_setup_cmd | bool + become: true + become_user: postgres + command: + cmd: initdb -D {{ __postgresql_data_dir }} + creates: "{{ __postgresql_main_conf_file }}" + # this is tricky: postgresql-setup calls `systemctl` to query the unit file and # state, but that doesn't work in container build environments; so patch them # out and replace with static values @@ -74,6 +86,7 @@ when: - not __postgresql_conf.stat.exists - not __postgresql_is_booted | bool + - __postgresql_has_setup_cmd | bool shell: cmd: | set -euo pipefail @@ -86,6 +99,17 @@ rm $setup creates: "{{ __postgresql_main_conf_file }}" +- name: Init DB on non-booted systems (without postgresql-setup) + when: + - not __postgresql_conf.stat.exists + - not __postgresql_is_booted | bool + - not __postgresql_has_setup_cmd | bool + become: true + become_user: postgres + command: + cmd: initdb -D {{ __postgresql_data_dir }} + creates: "{{ __postgresql_main_conf_file }}" + - name: Enable and start existing instance of postgresql server service: name: postgresql 
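Review bot: The two new `initdb -D {{ __postgresql_data_dir }}` tasks (this hunk and the non-booted variant in the `@@ -86,6 +99,17 @@` hunk) pass no `--auth` option, and initdb's upstream default without one is `trust` for local and loopback connections, so unless the SUSE package changes that default the generated pg_hba.conf differs from what postgresql-setup produces; the later "Enable logging in by password" task only rewrites lines ending in `peer` or `ident` and would leave such `trust` entries untouched. Passing the policy the replace task expects keeps both code paths equivalent: `cmd: "initdb -D {{ __postgresql_data_dir }} --auth-local=peer --auth-host=ident"`. The booted and non-booted initdb tasks differ only in the `__postgresql_is_booted` condition; since plain initdb does not query systemctl, a single task conditioned on `not __postgresql_has_setup_cmd | bool` would do. A comment above it stating which authentication defaults initdb is expected to produce would make the coupling to the pg_hba rewrite visible.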
@@ -115,8 +139,8 @@ - name: Enable logging in by password replace: path: "{{ __postgresql_hba_conf_file }}" - regexp: '(peer|ident)$' - replace: 'md5' + regexp: "(peer|ident)$" + replace: "md5" backup: true notify: Restart postgresql diff --git a/tests/tests_certificate.yml b/tests/tests_certificate.yml index bfbe005ba6..ca355e979d 100644 --- a/tests/tests_certificate.yml +++ b/tests/tests_certificate.yml @@ -24,7 +24,7 @@ database: all user: all auth_method: md5 - address: '127.0.0.1/32' + address: "127.0.0.1/32" - name: Gather output of psql environment: @@ -42,7 +42,9 @@ "SSL Connection" in result.stdout always: - name: Stop tracking certificate - command: getcert stop-tracking -f /etc/pki/tls/certs/test_crt.crt + command: >- + getcert stop-tracking -f + {{ __postgresql_cert_directory }}/certs/test_crt.crt changed_when: false - name: Clean up diff --git a/tests/tests_custom_certificate.yml b/tests/tests_custom_certificate.yml index f21f1df503..5fffbc3b7f 100644 --- a/tests/tests_custom_certificate.yml +++ b/tests/tests_custom_certificate.yml @@ -1,5 +1,4 @@ --- - - name: Test PostgreSQL server with ssl support using certificate role hosts: all tags: @@ -10,12 +9,25 @@ vars: postgresql_password: redhat block: + - name: Load postgresql role platform variables + include_vars: "{{ __vars_file }}" + loop: + - main.yml + - "{{ ansible_facts['os_family'] }}.yml" + - "{{ ansible_facts['distribution'] }}.yml" + - >- + {{ ansible_facts['distribution'] ~ '_' ~ + ansible_facts['distribution_major_version'] }}.yml + vars: + __vars_file: "{{ playbook_dir }}/roles/linux-system-roles.postgresql/vars/{{ item }}" + when: __vars_file is file + - name: Generate certificate using certificate role include_role: name: fedora.linux_system_roles.certificate vars: certificate_requests: - - name: /etc/pki/tls/certs/postgresql_test + - name: "{{ __postgresql_cert_directory }}//certs/postgresql_test" dns: www.example.com ca: self-sign 
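Review bot: In the tests/tests_certificate.yml `@@ -42,7 +42,9 @@` hunk the `always:` cleanup now renders `getcert stop-tracking` from the role-internal variable `__postgresql_cert_directory`; if the play aborts before the role has loaded its platform vars (for example the package install failing on a fresh SUSE host), the cleanup task fails on an undefined variable and the certificate stays tracked by certmonger. Whether those vars are already in scope here depends on how the play pulls in the role, which is outside the hunk. Loading them explicitly at the top of the block, the way tests/tests_custom_certificate.yml does in this series, would make the cleanup independent of how far the role got.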
@@ -24,14 +36,14 @@ vars: __test_clean_instance: false __test_check_unix_socket: false - postgresql_cert_name: /etc/pki/tls/certs/postgresql_test + postgresql_cert_name: "{{ __postgresql_cert_directory }}/certs/postgresql_test" postgresql_ssl_enable: true postgresql_pg_hba_conf: - type: hostssl database: all user: all auth_method: md5 - address: '127.0.0.1/32' + address: "127.0.0.1/32" - name: Gather output of psql environment: diff --git a/vars/Suse.yml b/vars/Suse.yml new file mode 100644 index 0000000000..e2fd0f1e5f --- /dev/null +++ b/vars/Suse.yml @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: MIT +--- +# SUSE-specific variables +# SUSE does not have postgresql-setup, initdb is called directly +__postgresql_packages: [postgresql-server] +__postgresql_has_setup_cmd: false +__postgresql_cert_directory: /etc/ssl diff --git a/vars/main.yml b/vars/main.yml index 1878cabbec..d277e70a9c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -11,6 +11,8 @@ __postgresql_versions_el9: ["13", "15", "16", "18"] __postgresql_versions_el10: ["16", "18"] __postgresql_data_dir: /var/lib/pgsql/data +__postgresql_has_setup_cmd: true +__postgresql_cert_directory: /etc/pki/tls __postgresql_main_conf_file: "{{ __postgresql_data_dir }}/postgresql.conf" __postgresql_hba_conf_file: "{{ __postgresql_data_dir }}/pg_hba.conf" From e8c9ab2359c43deb581d8e538c3859e794823b27 Mon Sep 17 00:00:00 2001 From: HVSharma12 Date: Mon, 9 Mar 2026 13:08:45 +0530 Subject: [PATCH 2/5] secure private key dir permissions --- tasks/certificate.yml | 10 ++++++++-- tests/tests_custom_certificate.yml | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/tasks/certificate.yml b/tasks/certificate.yml index 05adb54af1..1ed8868178 100644 --- a/tasks/certificate.yml +++ b/tasks/certificate.yml 
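Review bot: `__postgresql_cert_directory: /etc/ssl` in the new vars/Suse.yml points the role at the system-wide OpenSSL tree, and tasks/certificate.yml then adjusts the permissions of `/etc/ssl/private` and the ownership of the key stored in it; that side effect on a directory shared with other services is not recorded where the value is chosen. A comment such as `# /etc/ssl/private is shared with other services; tasks/certificate.yml relaxes its mode so postgres can reach its key` next to the variable would document it. The existing note about `postgresql-setup` being absent is the right level of detail for `__postgresql_has_setup_cmd`.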
@@ -24,7 +24,11 @@ - name: Ensure private key directory is traversable file: path: "{{ __postgresql_cert_directory }}/private" - mode: "o+x" + group: postgres + mode: "0710" + when: + - ansible_facts['os_family'] == "Suse" + - (postgresql_certificates | first)['name'] is not abs - name: Ensure private key is readable by postgres file: @@ -33,7 +37,9 @@ first)['name'] }}.key owner: postgres mode: "0600" - when: (postgresql_certificates | first)['name'] is not abs + when: + - ansible_facts['os_family'] == "Suse" + - (postgresql_certificates | first)['name'] is not abs - name: Install certificate from the default path file: diff --git a/tests/tests_custom_certificate.yml b/tests/tests_custom_certificate.yml index 5fffbc3b7f..9d4c10d9c0 100644 --- a/tests/tests_custom_certificate.yml +++ b/tests/tests_custom_certificate.yml @@ -27,7 +27,7 @@ name: fedora.linux_system_roles.certificate vars: certificate_requests: - - name: "{{ __postgresql_cert_directory }}//certs/postgresql_test" + - name: "{{ __postgresql_cert_directory }}/certs/postgresql_test" dns: www.example.com ca: self-sign From f0f3a848e1df1bbbcbb5f88770461433e5afb4c8 Mon Sep 17 00:00:00 2001 From: HVSharma12 Date: Wed, 11 Mar 2026 19:07:45 +0530 Subject: [PATCH 3/5] Address review feedback --- tasks/certificate.yml | 2 +- tasks/main.yml | 4 ++-- tests/tests_custom_certificate.yml | 15 ++++----------- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/tasks/certificate.yml b/tasks/certificate.yml index 1ed8868178..9d641cb7bf 100644 --- a/tasks/certificate.yml +++ b/tasks/certificate.yml @@ -21,7 +21,7 @@ owner: postgres when: (postgresql_certificates | first)['name'] is not abs - - name: Ensure private key directory is traversable + - name: Ensure private key directory is traversable by postgres file: path: "{{ __postgresql_cert_directory }}/private" group: postgres diff --git a/tasks/main.yml b/tasks/main.yml index 2908dd6ac8..48f5f71262 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
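Review bot: The ownership and mode applied here (group `postgres`, `0710` on the private directory, and `owner: postgres`, `0600` on the key in the `@@ -33,7 +37,9 @@` hunk) are set once when the role runs, but the key under `{{ __postgresql_cert_directory }}/private` is produced by the certificate role, so a later certmonger renewal that rewrites the key file can presumably restore root ownership and lock postgres out until this role is run again; if the certificate role allows the request to name the key's owner and mode, setting it there would survive renewals and is worth checking. Making `/etc/ssl/private` group-traversable is a host-wide change: any other key kept there that is not itself mode 0600 becomes readable by the postgres group, which deserves a comment above the task. Adding `state: directory` to the first task would also make the intent explicit, since without a state the `file` module takes the path's current state and fails if the directory does not exist yet.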
@@ -76,7 +76,7 @@ become: true become_user: postgres command: - cmd: initdb -D {{ __postgresql_data_dir }} + cmd: "initdb -D {{ __postgresql_data_dir }}" creates: "{{ __postgresql_main_conf_file }}" # this is tricky: postgresql-setup calls `systemctl` to query the unit file and @@ -107,7 +107,7 @@ become: true become_user: postgres command: - cmd: initdb -D {{ __postgresql_data_dir }} + cmd: "initdb -D {{ __postgresql_data_dir }}" creates: "{{ __postgresql_main_conf_file }}" - name: Enable and start existing instance of postgresql server diff --git a/tests/tests_custom_certificate.yml b/tests/tests_custom_certificate.yml index 9d4c10d9c0..365a8d296d 100644 --- a/tests/tests_custom_certificate.yml +++ b/tests/tests_custom_certificate.yml @@ -10,17 +10,10 @@ postgresql_password: redhat block: - name: Load postgresql role platform variables - include_vars: "{{ __vars_file }}" - loop: - - main.yml - - "{{ ansible_facts['os_family'] }}.yml" - - "{{ ansible_facts['distribution'] }}.yml" - - >- - {{ ansible_facts['distribution'] ~ '_' ~ - ansible_facts['distribution_major_version'] }}.yml - vars: - __vars_file: "{{ playbook_dir }}/roles/linux-system-roles.postgresql/vars/{{ item }}" - when: __vars_file is file + include_role: + name: linux-system-roles.postgresql + tasks_from: set_vars.yml + public: true - name: Generate certificate using certificate role include_role: From d645a71ae2556b7ae6317e4c5ae66d1d760c546f Mon Sep 17 00:00:00 2001 From: Harshvardhan Sharma Date: Wed, 11 Mar 2026 19:09:57 +0530 Subject: [PATCH 4/5] Update tasks/main.yml Co-authored-by: Sergei Petrosian <30409084+spetrosi@users.noreply.github.com> --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 48f5f71262..10d178ff7e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -82,7 +82,7 @@ # this is tricky: postgresql-setup calls `systemctl` to query the unit file and # state, but that doesn't work in container build environments; so patch them # out and replace with static values -- name: Init DB on non-booted systems +- name: Init DB on non-booted systems (with postgresql-setup) when: - not __postgresql_conf.stat.exists - not __postgresql_is_booted | bool From 236a870d04414013234f02577632cb67c14aec3f Mon Sep 17 00:00:00 2001 From: HVSharma12 Date: Fri, 13 Mar 2026 21:01:00 +0530 Subject: [PATCH 5/5] preserve original formatting --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 10d178ff7e..f5b3ec2fdd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,13 +51,13 @@ name: "{{ __actual_packages }}" state: present use: "{{ (__postgresql_is_ostree | d(false)) | - ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + ternary('ansible.posix.rhel_rpm_ostree', omit) }}" when: __actual_packages | length > 0 vars: __actual_packages: "{{ (__postgresql_is_ostree | d(false)) | ternary(__postgresql_packages | reject('match', '^@'), - __postgresql_packages) | list }}" + __postgresql_packages) | list }}" - name: Init DB on booted systems (with postgresql-setup) when: