From 3600874223900b8cb7f1024a980bbff79ab68fc6 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 3 Jul 2025 21:04:40 +0200
Subject: [PATCH] Solved users recreated by backup restore bug

---
 roles/docker-postgres/tasks/init_database.yml | 107 ++++++++++--------
 1 file changed, 61 insertions(+), 46 deletions(-)

diff --git a/roles/docker-postgres/tasks/init_database.yml b/roles/docker-postgres/tasks/init_database.yml
index cc0b9ce6..df5073da 100644
--- a/roles/docker-postgres/tasks/init_database.yml
+++ b/roles/docker-postgres/tasks/init_database.yml
@@ -1,3 +1,13 @@
+---
+- name: "Wait until Postgres is listening on port {{ database_port }}"
+  wait_for:
+    host: 127.0.0.1
+    port: "{{ database_port }}"
+    delay: 5
+    timeout: 300
+    state: started
+
+# 1) Create the database
 - name: "Create database: {{ database_name }}"
   postgresql_db:
     name: "{{ database_name }}"
@@ -5,8 +15,9 @@
     login_user: postgres
     login_password: "{{ applications[application_id].credentials.postgres_password }}"
     login_host: 127.0.0.1
-    login_port: "{{database_port}}"
+    login_port: "{{ database_port }}"
 
+# 2) Create the database user (with password)
 - name: "Create database user: {{ database_username }}"
   postgresql_user:
     name: "{{ database_username }}"
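Review bot: The new `wait_for` task at the top of the first hunk only proves that something accepts a TCP connection on 127.0.0.1:{{ database_port }}; Postgres opens its socket before it is ready to serve logins (during startup or recovery it answers "the database system is starting up"), so the following `postgresql_db` task can presumably still race a server that has just been restored. A login-level readiness check is more robust, e.g. `community.postgresql.postgresql_ping` with `register`, `until: ping.is_available`, `retries` and `delay`, or `retries`/`until` on the "Create database" task itself. The fixed `delay: 5` also adds five seconds to every run even when the server is already up; `wait_for` polls, so the delay can be dropped. Minor: the numbered comment scheme starts at `# 1) Create the database`, leaving the wait task itself unnumbered.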
@@ -16,68 +27,72 @@
     login_user: postgres
     login_password: "{{ applications[application_id].credentials.postgres_password }}"
     login_host: 127.0.0.1
-    login_port: "{{database_port}}"
+    login_port: "{{ database_port }}"
 
-- name: "Set privileges for database user: {{ database_username }}"
+# 3) Enable LOGIN for the role (removes NOLOGIN)
+- name: "Enable login for role {{ database_username }}"
+  postgresql_query:
+    db: postgres
+    login_user: postgres
+    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_host: 127.0.0.1
+    login_port: "{{ database_port }}"
+    query: |
+      ALTER ROLE "{{ database_username }}"
+      WITH LOGIN;
+
+# 4) Grant ALL privileges on all tables in the public schema
+- name: "Grant ALL privileges on tables in public schema to {{ database_username }}"
   postgresql_privs:
-    db: "{{ database_name }}"
-    role: "{{ database_username }}"
-    objs: ALL_IN_SCHEMA
-    privs: ALL
-    type: table
-    state: present
+    db: "{{ database_name }}"
+    role: "{{ database_username }}"
+    objs: ALL_IN_SCHEMA
+    privs: ALL
+    type: table
+    schema: public
+    state: present
     login_user: postgres
     login_password: "{{ applications[application_id].credentials.postgres_password }}"
     login_host: 127.0.0.1
-    login_port: "{{database_port}}"
+    login_port: "{{ database_port }}"
 
-- name: Grant all privileges at the database level
+# 5) Grant ALL privileges at the database level
+- name: "Grant all privileges on database {{ database_name }} to {{ database_username }}"
   postgresql_privs:
-    db: "{{ database_name }}"
-    role: "{{ database_username }}"
+    db: "{{ database_name }}"
+    role: "{{ database_username }}"
+    type: database
     privs: ALL
-    type: database
     state: present
-    login_user: postgres
+    login_user: postgres
     login_password: "{{ applications[application_id].credentials.postgres_password }}"
-    login_host: 127.0.0.1
-    login_port: "{{database_port}}"
+    login_host: 127.0.0.1
+    login_port: "{{ database_port }}"
 
-- name: Grant all privileges on all tables in the public schema
-  postgresql_privs:
-    db: "{{ database_name }}"
-    role: "{{ database_username }}"
-    objs: ALL_IN_SCHEMA
-    privs: ALL
-    type: table
-    schema: public
-    state: present
-    login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
-    login_host: 127.0.0.1
-    login_port: "{{database_port}}"
-
-- name: Set comprehensive privileges for user on public schema
+# 6) Grant USAGE/CREATE on schema and set default privileges
+- name: "Set comprehensive schema privileges for {{ database_username }}"
   postgresql_query:
     db: "{{ database_name }}"
     login_user: postgres
     login_password: "{{ applications[application_id].credentials.postgres_password }}"
     login_host: 127.0.0.1
-    login_port: "{{database_port}}"
-    query: |
-      GRANT USAGE ON SCHEMA public TO {{ database_username }};
-      GRANT CREATE ON SCHEMA public TO {{ database_username }};
-      ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO {{ database_username }};
-
-- name: Ensure PostGIS-related extensions are installed
-  community.postgresql.postgresql_ext:
-    db: "{{ database_name }}"
-    ext: "{{ item }}"
-    state: present
-    login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
-    login_host: 127.0.0.1
     login_port: "{{ database_port }}"
+    query: |
+      GRANT USAGE ON SCHEMA public TO "{{ database_username }}";
+      GRANT CREATE ON SCHEMA public TO "{{ database_username }}";
+      ALTER DEFAULT PRIVILEGES IN SCHEMA public
+      GRANT ALL PRIVILEGES ON TABLES TO "{{ database_username }}";
+
+# 7) Ensure PostGIS and related extensions are installed (if enabled)
+- name: "Ensure PostGIS-related extensions are installed"
+  community.postgresql.postgresql_ext:
+    db: "{{ database_name }}"
+    ext: "{{ item }}"
+    state: present
+    login_user: postgres
+    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_host: 127.0.0.1
+    login_port: "{{ database_port }}"
   loop:
     - postgis
     - pg_trgm
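Review bot: Step 3 (`ALTER ROLE "{{ database_username }}" WITH LOGIN;` through `postgresql_query`) builds SQL by Jinja-interpolating the role name and will report `changed` on every run, while the `postgresql_user` task of step 2 — whose body starts in the previous hunk and continues at the top of this one — can set the same attribute idempotently with `role_attr_flags: LOGIN`; I would add that one line to step 2 and drop step 3. The three GRANT/ALTER statements in step 6 interpolate the same variable, so `database_username` must stay a trusted, validated identifier: the added double quotes protect against reserved words and case folding, not against a `"` inside the value. `ALTER DEFAULT PRIVILEGES IN SCHEMA public` without `FOR ROLE` only covers objects later created by the executing role (postgres), so tables brought back by a restore under another owner would presumably not be affected — worth confirming against how the restore creates them. Module naming is also mixed: step 7 uses the FQCN `community.postgresql.postgresql_ext` while steps 2–6 use the short names.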