diff --git a/defaults/main.yml b/defaults/main.yml index 09851aad..4ebd1884 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -265,7 +265,9 @@ build_guides: false db: postgres: enabled: true + auth: scram-sha-256 adminpass: DVn33dsth1s + adminuser: postgres name: dvndb host: localhost user: dvnuser diff --git a/tasks/postgres.yml b/tasks/postgres.yml index 7cb2de12..f8ae2331 100644 --- a/tasks/postgres.yml +++ b/tasks/postgres.yml @@ -109,14 +109,20 @@ - meta: flush_handlers - name: dataverse python installer wants to be a postgres admin - postgresql_user: - name: postgres + community.postgresql.postgresql_user: + db: postgres + login_user: '{{ db.postgres.adminuser }}' + name: '{{ db.postgres.adminuser }}' password: '{{ db.postgres.adminpass }}' + become: true + become_user: postgres when: db.use_rds == false - name: create dataverse postgres database postgresql_db: name: '{{ db.postgres.name }}' + become: true + become_user: postgres when: db.use_rds == false - name: create dataverse postgres user, set permissions @@ -125,6 +131,8 @@ name: '{{ db.postgres.user }}' password: '{{ db.postgres.pass }}' role_attr_flags: 'NOSUPERUSER,CREATEDB,CREATEROLE,INHERIT,LOGIN' + become: true + become_user: postgres when: db.use_rds == false - name: postgresql 15 requires explicit permissions on public schema @@ -134,6 +142,9 @@ type: schema objs: public role: '{{ db.postgres.user }}' + become: true + become_user: postgres + when: db.use_rds == false - ansible.builtin.import_tasks: postgres_sequential_identifiers.yml when: dataverse.api.test_suite == true diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2 index 205c5709..fc1c4e35 100644 --- a/templates/pg_hba.conf.j2 +++ b/templates/pg_hba.conf.j2 
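Review bot: The new `auth: scram-sha-256` key in defaults/main.yml has no comment, yet it is rendered verbatim into every TCP and replication line of pg_hba.conf and only works when the server stores SCRAM verifiers for the roles involved. I would document that contract next to the key: `# pg_hba method for TCP/replication entries (scram-sha-256 or md5); must match password_encryption in postgresql.conf`. Nothing in this diff touches postgresql.conf, so whether `password_encryption` is already scram-sha-256 on the targeted PostgreSQL versions needs confirming — before PostgreSQL 14 the default was md5, and SCRAM authentication rejects a role whose stored verifier is an md5 hash. The plaintext `adminpass` on the adjacent line is pre-existing, but together with the new `adminuser` key the role now ships a complete default superuser credential, which is worth a `# override in inventory` warning at minimum.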
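Review bot: The reworked admin-password task in tasks/postgres.yml sets `password: '{{ db.postgres.adminpass }}'` but carries no `no_log: true`, so the superuser password is printed in task results under `-v` and captured by any callback or log store; add `no_log: true` next to the new `become`/`become_user` keys. The move to `become_user: postgres` with `login_user: '{{ db.postgres.adminuser }}'` is what keeps this task working once pg_hba's local line becomes `peer`, but it only holds while `adminuser` names a role that matches the OS account the task runs as — with a different `adminuser` value, peer auth over the socket fails. A one-line comment stating that assumption, `# peer auth over the socket: become_user must equal the login role name`, would save the next maintainer a debugging session. The enclosing task list continues outside the hunk.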
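Review bot: The create-user task in the second hunk sets `password: '{{ db.postgres.pass }}'` for the application role and, like the admin task, gains `become` but not `no_log: true`, so the application database password will appear in verbose output and callback logs. The four tasks in this file now repeat `become: true`, `become_user: postgres` and `when: db.use_rds == false`; a single `block:` carrying those keys once (with `when: not db.use_rds`, the idiomatic boolean test) would remove the duplication and make it impossible to forget one of them on a future task — the third hunk is exactly that case, adding a `when` guard the schema-grant task had been missing.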
@@ -1,19 +1,19 @@ # "local" is for Unix domain socket connections only -local all all trust +local all all peer # IPv4 local connections: -host all all 127.0.0.1/32 password +host all all 127.0.0.1/32 {{ db.postgres.auth }} # IPv6 local connections: -host all all ::1/128 password +host all all ::1/128 {{ db.postgres.auth }} # replication and dataverse access from other servers {% if db.postgres.replication.enabled is defined %} {% for item in db.postgres.replication.servers %} {% if item | regex_search(".*/.*") %} -host all all {{ item }} md5 -host replication rep {{ item }} md5 +host all all {{ item }} {{ db.postgres.auth }} +host replication rep {{ item }} {{ db.postgres.auth }} {% else %} -host all all {{ item }}/32 md5 -host replication rep {{ item }}/32 md5 +host all all {{ item }}/32 {{ db.postgres.auth }} +host replication rep {{ item }}/32 {{ db.postgres.auth }} {% endif %} {% endfor %} {% endif %} diff --git a/tests/group_vars/jenkins.yml b/tests/group_vars/jenkins.yml index 0929cb4f..3b1a62e8 100644 --- a/tests/group_vars/jenkins.yml +++ b/tests/group_vars/jenkins.yml @@ -256,6 +256,8 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + adminuser: postgres + auth: scram-sha-256 name: dvndb host: localhost user: dvnuser diff --git a/tests/group_vars/memorytests.yml b/tests/group_vars/memorytests.yml index 12f105ca..44205012 100644 --- a/tests/group_vars/memorytests.yml +++ b/tests/group_vars/memorytests.yml @@ -258,6 +258,8 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + adminuser: postgres + auth: scram-sha-256 name: dvndb host: localhost user: dvnuser diff --git a/tests/group_vars/vagrant.yml b/tests/group_vars/vagrant.yml index 6663d363..77d03f5f 100644 --- a/tests/group_vars/vagrant.yml +++ b/tests/group_vars/vagrant.yml @@ -260,6 +260,8 @@ build_guides: false db: postgres: enabled: true + auth: scram-sha-256 + adminuser: postgres adminpass: DVn33dsth1s name: vagrantdb host: localhost
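Review bot: `{{ db.postgres.auth }}` is substituted unvalidated into every `host` line, including the replication entries reachable from other servers, so a mistyped value leaves PostgreSQL unable to start (a reload keeps the previous rules, a restart does not) and a value of `trust` silently grants password-less network access to all databases. I would gate the template with an assertion before it is rendered, e.g. `ansible.builtin.assert: { that: db.postgres.auth in ['scram-sha-256', 'md5'], fail_msg: 'db.postgres.auth must be scram-sha-256 or md5' }`. The `local all all trust` → `peer` change is the real hardening here; the practitioner caveat is that any OS account whose name matches a database role can now connect over the socket without a password, which is fine for `postgres` but worth a comment if other matching Unix users exist on these hosts. Separately, the `rep` replication role's password is not reset anywhere in this diff; if its stored verifier is an md5 hash from an earlier run, the replication lines will reject it under scram-sha-256 until that password is re-set.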