linux-system-roles · richm · Mar 17, 2026 · Mar 8, 2026 · Mar 9, 2026 · Mar 11, 2026
@@ -3,3 +3,5 @@
 collections:
   - name: ansible.posix
   - name: fedora.linux_system_roles
+  - name: community.general
+    version: '>=6.6.0,<12.0.0'
@@ -21,5 +21,6 @@ galaxy_info:
     - el9
     - el10
     - fedora
+    - leap
     - postgresql
 dependencies: []
@@ -14,17 +14,37 @@
     - name: Install certificate from the default path
       file:
         src: >-
-          /etc/pki/tls/certs/{{ (postgresql_certificates |
+          {{ __postgresql_cert_directory }}/certs/{{ (postgresql_certificates |
           first)['name'] }}.crt
         dest: "{{ __pg_server_crt }}"
         state: link
         owner: postgres
       when: (postgresql_certificates | first)['name'] is not abs
 
+    - name: Ensure private key directory is traversable by postgres
+      file:
+        path: "{{ __postgresql_cert_directory }}/private"
+        group: postgres
+        mode: "0710"
+      when:
+        - ansible_facts['os_family'] == "Suse"
+        - (postgresql_certificates | first)['name'] is not abs
+
+    - name: Ensure private key is readable by postgres
+      file:
+        path: >-
+          {{ __postgresql_cert_directory }}/private/{{ (postgresql_certificates |
+          first)['name'] }}.key
+        owner: postgres
+        mode: "0600"
+      when:
+        - ansible_facts['os_family'] == "Suse"
+        - (postgresql_certificates | first)['name'] is not abs
+
     - name: Install certificate from the default path
       file:
         src: >-
-          /etc/pki/tls/private/{{ (postgresql_certificates |
+          {{ __postgresql_cert_directory }}/private/{{ (postgresql_certificates |
           first)['name'] }}.key
         dest: "{{ __pg_server_key }}"
         state: link

@@ -59,21 +59,34 @@
       ternary(__postgresql_packages | reject('match', '^@'),
               __postgresql_packages) | list }}"
 
-- name: Init DB on booted systems
+- name: Init DB on booted systems (with postgresql-setup)
   when:
     - not __postgresql_conf.stat.exists
     - __postgresql_is_booted | bool
+    - __postgresql_has_setup_cmd | bool
   command:
     cmd: postgresql-setup --initdb
     creates: "{{ __postgresql_main_conf_file }}"
 
+- name: Init DB on booted systems (without postgresql-setup)
+  when:
+    - not __postgresql_conf.stat.exists
+    - __postgresql_is_booted | bool
+    - not __postgresql_has_setup_cmd | bool
+  become: true
+  become_user: postgres
+  command:
+    cmd: "initdb -D {{ __postgresql_data_dir }}"
+    creates: "{{ __postgresql_main_conf_file }}"
+
 # this is tricky: postgresql-setup calls `systemctl` to query the unit file and
 # state, but that doesn't work in container build environments; so patch them
 # out and replace with static values
-- name: Init DB on non-booted systems
+- name: Init DB on non-booted systems (with postgresql-setup)
   when:
     - not __postgresql_conf.stat.exists
     - not __postgresql_is_booted | bool
+    - __postgresql_has_setup_cmd | bool
   shell:
     cmd: |
       set -euo pipefail
@@ -86,6 +99,17 @@
       rm $setup
     creates: "{{ __postgresql_main_conf_file }}"
 
+- name: Init DB on non-booted systems (without postgresql-setup)
+  when:
+    - not __postgresql_conf.stat.exists
+    - not __postgresql_is_booted | bool
+    - not __postgresql_has_setup_cmd | bool
+  become: true
+  become_user: postgres
+  command:
+    cmd: "initdb -D {{ __postgresql_data_dir }}"
+    creates: "{{ __postgresql_main_conf_file }}"
+
 - name: Enable and start existing instance of postgresql server
   service:
     name: postgresql
@@ -115,8 +139,8 @@
     - name: Enable logging in by password
       replace:
         path: "{{ __postgresql_hba_conf_file }}"
-        regexp: '(peer|ident)$'
-        replace: 'md5'
+        regexp: "(peer|ident)$"
+        replace: "md5"
         backup: true
       notify: Restart postgresql
 

@@ -24,7 +24,7 @@
                 database: all
                 user: all
                 auth_method: md5
-                address: '127.0.0.1/32'
+                address: "127.0.0.1/32"
 
         - name: Gather output of psql
           environment:
@@ -42,7 +42,9 @@
               "SSL Connection" in result.stdout
       always:
         - name: Stop tracking certificate
-          command: getcert stop-tracking -f /etc/pki/tls/certs/test_crt.crt
+          command: >-
+            getcert stop-tracking -f
+            {{ __postgresql_cert_directory }}/certs/test_crt.crt
           changed_when: false
 
         - name: Clean up

@@ -1,5 +1,4 @@
 ---
-
 - name: Test PostgreSQL server with ssl support using certificate role
   hosts: all
   tags:
@@ -10,12 +9,18 @@
       vars:
         postgresql_password: redhat
       block:
+        - name: Load postgresql role platform variables
+          include_role:
+            name: linux-system-roles.postgresql
+            tasks_from: set_vars.yml
+            public: true
+
         - name: Generate certificate using certificate role
           include_role:
             name: fedora.linux_system_roles.certificate
           vars:
             certificate_requests:
-              - name: /etc/pki/tls/certs/postgresql_test
+              - name: "{{ __postgresql_cert_directory }}/certs/postgresql_test"
                 dns: www.example.com
                 ca: self-sign
 
@@ -24,14 +29,14 @@
           vars:
             __test_clean_instance: false
             __test_check_unix_socket: false
-            postgresql_cert_name: /etc/pki/tls/certs/postgresql_test
+            postgresql_cert_name: "{{ __postgresql_cert_directory }}/certs/postgresql_test"
             postgresql_ssl_enable: true
             postgresql_pg_hba_conf:
               - type: hostssl
                 database: all
                 user: all
                 auth_method: md5
-                address: '127.0.0.1/32'
+                address: "127.0.0.1/32"
 
         - name: Gather output of psql
           environment:

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT
+---
+# SUSE-specific variables
+# SUSE does not have postgresql-setup, initdb is called directly
+__postgresql_packages: [postgresql-server]
+__postgresql_has_setup_cmd: false
+__postgresql_cert_directory: /etc/ssl
@@ -11,6 +11,8 @@ __postgresql_versions_el9: ["13", "15", "16", "18"]
 __postgresql_versions_el10: ["16", "18"]
 
 __postgresql_data_dir: /var/lib/pgsql/data
+__postgresql_has_setup_cmd: true
+__postgresql_cert_directory: /etc/pki/tls
 
 __postgresql_main_conf_file: "{{ __postgresql_data_dir }}/postgresql.conf"
 __postgresql_hba_conf_file: "{{ __postgresql_data_dir }}/pg_hba.conf"
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,5 +21,6 @@ galaxy_info: @@
         - el9
         - el10
         - fedora
+        - leap
         - postgresql
     dependencies: []