computer-playbook/roles/svc-db-postgres/tasks/02_init.yml

---
- name: "Wait until Postgres is listening on port {{ postgres_port }}"
  wait_for:
    host: "{{ postgres_local_host }}"
    port: "{{ postgres_port }}"
    delay: 5
    timeout: 300
    state: started

# 1) Create the database
- name: "Create database: {{ database_name }}"
  community.postgresql.postgresql_db:
    name: "{{ database_name }}"
    state: present
    login_user: postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host: "{{ postgres_local_host }}"
    login_port: "{{ postgres_port }}"
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 2) Create the database user (with password)
- name: "Create database user: {{ database_username }}"
  community.postgresql.postgresql_user:
    name:           "{{ database_username }}"
    password:       "{{ database_password }}"
    db:             "{{ database_name }}"
    state:          present
    login_user:     postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host:     "{{ postgres_local_host }}"
    login_port:     "{{ postgres_port }}"
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 3) Enable LOGIN for the role (removes NOLOGIN)
- name: "Enable login for role {{ database_username }}"
  community.postgresql.postgresql_query:
    db: postgres
    login_user: postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host: "{{ postgres_local_host }}"
    login_port: "{{ postgres_port }}"
    query: |
      ALTER ROLE "{{ database_username }}"
        WITH LOGIN;
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 4) Grant ALL privileges on all tables in the public schema
- name: "Grant ALL privileges on tables in public schema to {{ database_username }}"
  community.postgresql.postgresql_privs:
    db:     "{{ database_name }}"
    roles:   "{{ database_username }}"
    objs:   ALL_IN_SCHEMA
    privs:  ALL
    type:   table
    schema: public
    state:  present
    login_user:     postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host:     "{{ postgres_local_host }}"
    login_port:     "{{ postgres_port }}"
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 5) Grant ALL privileges at the database level
- name: "Grant all privileges on database {{ database_name }} to {{ database_username }}"
  community.postgresql.postgresql_privs:
    db:    "{{ database_name }}"
    roles:  "{{ database_username }}"
    type:  database
    privs: ALL
    state: present
    login_user:     postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host:     "{{ postgres_local_host }}"
    login_port:     "{{ postgres_port }}"
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 6) Grant USAGE/CREATE on schema and set default privileges
- name: "Set comprehensive schema privileges for {{ database_username }}"
  community.postgresql.postgresql_query:
    db: "{{ database_name }}"
    login_user: postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host: "{{ postgres_local_host }}"
    login_port: "{{ postgres_port }}"
    query: |
      GRANT USAGE ON SCHEMA public TO "{{ database_username }}";
      GRANT CREATE ON SCHEMA public TO "{{ database_username }}";
      ALTER DEFAULT PRIVILEGES IN SCHEMA public
        GRANT ALL PRIVILEGES ON TABLES TO "{{ database_username }}";
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 7) Ensure PostGIS and related extensions are installed (if enabled)
- name: "Ensure PostGIS-related extensions are installed"
  community.postgresql.postgresql_ext:
    db:         "{{ database_name }}"
    ext:        "{{ item }}"
    state:      present
    login_user:     postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host:     "{{ postgres_local_host }}"
    login_port:     "{{ postgres_port }}"
  loop:
    - postgis
    - pg_trgm
    - unaccent
  when: postgres_gis_enabled | bool
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"

# 8) Ensure pgvector (vector) extension is installed (for Discourse‑AI, pgvector, …)
- name: "Ensure pgvector (vector) extension is installed"
  community.postgresql.postgresql_ext:
    db:           "{{ database_name }}"
    ext:          vector
    state:        present
    login_user:   postgres
    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
    login_host:   "{{ postgres_local_host }}"
    login_port:   "{{ postgres_port }}"
  register: postgresql_result
  until: postgresql_result is succeeded
  retries: "{{ postgres_retry_retries }}"
  delay: "{{ postgres_retry_delay }}"