Alfresco · alxgomz · Jul 3, 2024 · Jun 20, 2024 · Jun 26, 2024 · Jun 26, 2024
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -144,7 +144,7 @@
         "filename": "playbooks/acs.yml",
         "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd",
         "is_verified": false,
-        "line_number": 404,
+        "line_number": 433,
         "is_secret": false
       }
     ],
@@ -259,5 +259,5 @@
       }
     ]
   },
-  "generated_at": "2024-06-28T13:00:16Z"
+  "generated_at": "2024-07-03T08:58:42Z"
 }
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
@@ -3,15 +3,15 @@
   hosts: all:!external
   gather_facts: true
   tasks:
-  - name: Compare host OS with supported matrix
-    vars:
-      os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}"
-    ansible.builtin.fail:
-      msg:
-        - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS"
-    when:
-      - not (skip_os_test | default(false) | bool)
-      - ansible_distribution_version | float not in os_versions
+    - name: Compare host OS with supported matrix
+      vars:
+        os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}"
+      ansible.builtin.fail:
+        msg:
+          - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS"
+      when:
+        - not (skip_os_test | default(false) | bool)
+        - ansible_distribution_version | float not in os_versions
 
 - name: Populate facts
   ansible.builtin.import_playbook: facts.yml
@@ -51,16 +51,45 @@
         identity_url: "{{ alfresco_url }}/auth"
 
 - name: Database Role
-  hosts: database
+  hosts: database[0]
   gather_facts: false
-  roles:
-    - role: "../roles/postgres"
-      when: repo_db_url == "" or sync_db_url == ""
+  vars:
+    pg_role: "../roles/postgres"
+    create_repo_db: >-
+      {{ (repo_db_url == "") | ansible.builtin.bool }}
+    create_sync_db: >-
+      {{ (sync_db_url == "" and groups.syncservice | default([]) | length > 0) | ansible.builtin.bool }}
+  tasks:
+    - name: Install Postgres
+      ansible.builtin.include_role:
+        name: "{{ pg_role }}"
+      when: create_repo_db or create_sync_db
+    - name: Setup repository database
+      ansible.builtin.include_role:
+        name: "{{ pg_role }}"
+        tasks_from: setup_db
+      vars:
+        postgres_db_name: "{{ repo_db_name }}"
+        postgres_db_username: "{{ repo_db_username }}"
+        postgres_db_password: "{{ repo_db_password }}"
+        postgres_db_clients: "{{ groups.repository }}"
+      when: create_repo_db
+    - name: Setup sync database
+      ansible.builtin.include_role:
+        role: "{{ pg_role }}"
+        tasks_from: setup_db
+      vars:
+        postgres_db_name: "{{ sync_db_name }}"
+        postgres_db_username: "{{ sync_db_username }}"
+        postgres_db_password: "{{ sync_db_password }}"
+        postgres_db_clients: "{{ groups.syncservice }}"
+      when: create_sync_db
   post_tasks:
     - name: Make sure PostgreSQL is running
       ansible.builtin.service:
         name: "{{ postgresql_service }}"
         state: started
+      when: create_repo_db or create_sync_db
   tags:
     - database
 

diff --git a/playbooks/secrets-init.yml b/playbooks/secrets-init.yml
@@ -21,8 +21,8 @@
       ansible.builtin.shell:
         executable: /bin/bash
         cmd: |
-         set -o pipefail
-         head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT
+          set -o pipefail
+          head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT
       register: peek_encrypted_file_vault
       failed_when: "peek_encrypted_file_vault.rc not in [0, 1]"
       changed_when: false
@@ -59,7 +59,6 @@
           ansible.builtin.set_fact:
             password_loop:
               - repo_db_password
-              - sync_db_password
 
         - name: Check if inventory is provided
           ansible.builtin.set_fact:
@@ -95,6 +94,11 @@
             password_loop: "{{ password_loop + ['identity_admin_password'] }}"
           when: (((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0) or empty_inventory
 
+        - name: Append password_loop when sync_db_password is needed
+          ansible.builtin.set_fact:
+            password_loop: "{{ password_loop + ['sync_db_password'] }}"
+          when: ((groups.syncservice | default([])) | length > 0) or empty_inventory
+
         - name: Populate secrets.yml with missing secrets
           ansible.builtin.shell: "{{ base_folder }}/scripts/generate-secret.sh -s {{ item }} -m {{ gs_mode }} >> {{ secrets_file }}"
           changed_when: true

diff --git a/playbooks/secrets.yml b/playbooks/secrets.yml
@@ -49,7 +49,6 @@
       ansible.builtin.assert:
         that:
           - repo_db_password is defined and repo_db_password | length > 0
-          - sync_db_password is defined and sync_db_password | length > 0
         msg: "Mandatory secrets are missing from vars/secrets.yml file.
           If this is a test environment, you can autogenerate them setting
           the autogen_unsecure_secrets variable to yes. Otherwise, please take a look
@@ -63,6 +62,13 @@
         quiet: true
       when: ((groups.activemq | default([])) + (groups.external_activemq | default([]))) | length > 0
 
+    - name: Ensure sync_db_password is set when required
+      ansible.builtin.assert:
+        that: sync_db_password is defined and sync_db_password | length > 0
+        msg: "sync_db_password must have been already set at this point"
+        quiet: true
+      when: (groups.syncservice | default([])) | length > 0
+
     - name: Ensure ca_signing_key_passphrase is set when required
       ansible.builtin.assert:
         that: ca_signing_key_passphrase is defined and ca_signing_key_passphrase | length > 0
@@ -122,6 +128,7 @@
     - name: Set sync_db_password secret
       ansible.builtin.set_fact:
         sync_db_password: "{{ hostvars.localhost.sync_db_password }}"
+      when: (groups.syncservice | default([])) | length > 0
 
 - name: Set secrets for ActiveMQ auth
   hosts: activemq:repository:transformers:syncservice:search_enterprise

diff --git a/roles/postgres/meta/argument_specs.yml b/roles/postgres/meta/argument_specs.yml
@@ -0,0 +1,28 @@
+---
+argument_specs:
+  setup_db:
+    short_description: Configure PostgreSQL database
+    options:
+      postgres_db_name:
+        type: str
+        required: true
+        description: |
+          Name of the database to be created
+      postgres_db_username:
+        type: str
+        required: true
+        description: |
+          Username of the database user
+      postgres_db_password:
+        type: str
+        required: true
+        description: |
+          Password of the database user
+      postgres_db_clients:
+        type: list
+        elements: str
+        required: true
+        description: |
+          List of clients that are allowed to connect to the database
+          Each client must be an host inventory for which facts have been
+          gathered (in particular ansible_default_ipv4.address)
diff --git a/roles/postgres/molecule/default/converge.yml b/roles/postgres/molecule/default/converge.yml
@@ -2,6 +2,24 @@
 - name: Converge
   hosts: all
   tasks:
-    - name: "Include roles/postgres"
+    - name: Install PostgreSQL
       ansible.builtin.include_role:
-        name: "postgres"
+        name: postgres
+    - name: Configure repo database
+      ansible.builtin.include_role:
+        name: postgres
+        tasks_from: setup_db
+      vars:
+        postgres_db_name: alfresco
+        postgres_db_username: alfresco
+        postgres_db_password: alfresco
+        postgres_db_clients: "{{ groups.syncservice }}"
+    - name: Configure sync database
+      ansible.builtin.include_role:
+        name: postgres
+        tasks_from: setup_db
+      vars:
+        postgres_db_name: alfresco-sync
+        postgres_db_username: alfresco-sync
+        postgres_db_password: alfresco
+        postgres_db_clients: "{{ groups.syncservice }}"
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
@@ -4,6 +4,10 @@
   loop: >-
     {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
 
+- name: Set PostgreSQL service name as fact
+  ansible.builtin.set_fact:
+    postgresql_service: "{{ postgresql_service }}"
+
 - name: Install PostgreSQL RDBMS
   become: true
   block:
@@ -29,13 +33,13 @@
   notify:
     - Restart-postgresql
   block:
-    - name: Configure postgresql to listen on all IP interfaces
+    - name: Configure PostgreSQL to listen on all IP interfaces
       ansible.builtin.lineinfile:
         path: "{{ postgresql_conf_path }}/postgresql.conf"
         regexp: ^\s*listen_addresses\s*=
         line: "listen_addresses = '{{ postgres_listen_addresses }}'"
 
-    - name: Custom postgresql Configuration
+    - name: Custom PostgreSQL Configuration
       ansible.builtin.lineinfile:
         path: "{{ postgresql_conf_path }}/postgresql.conf"
         regexp: "^{{ item['line'] }}"
@@ -44,83 +48,5 @@
         backup: true
       with_items: "{{ postgres_config }}"
 
-    - name: Configure postgresql client auth
-      ansible.builtin.template:
-        src: "pg_hba.conf.j2"
-        dest: "{{ postgresql_conf_path }}/pg_hba.conf"
-        owner: postgres
-        group: postgres
-        mode: 'u=rw'
-
-- name: Always flush after Configure PostgreSQL RDBMS block
+- name: Flush handlers
   ansible.builtin.meta: flush_handlers
-
-- name: Configure PostgreSQL RDBMS
-  become: true
-  become_user: postgres
-  vars:
-    ansible_ssh_pipelining: true
-  block:
-    - name: Create necessary databases
-      community.postgresql.postgresql_db:
-        name: "{{ item }}"
-      loop:
-        - "{{ repo_db_name }}"
-        - "{{ sync_db_name }}"
-
-    - name: Revoke default access to public schema
-      community.postgresql.postgresql_privs:
-        db: "{{ item }}"
-        privs: ALL
-        type: schema
-        objs: public
-        role: public
-        state: absent
-      loop:
-        - "{{ repo_db_name }}"
-        - "{{ sync_db_name }}"
-      tags:
-        - molecule-idempotence-notest
-
-    - name: Create unprivileged users
-      community.postgresql.postgresql_user:
-        db: "{{ item.db }}"
-        name: "{{ item.user }}"
-        password: "{{ item.pwd }}"
-        expires: infinity
-        role_attr_flags: NOSUPERUSER
-      no_log: true
-      loop:
-        - db: "{{ repo_db_name }}"
-          user: "{{ repo_db_username }}"
-          pwd: "{{ repo_db_password }}"
-        - db: "{{ sync_db_name }}"
-          user: "{{ sync_db_username }}"
-          pwd: "{{ sync_db_password }}"
-      tags:
-        - molecule-idempotence-notest
-
-    - name: Grant db privileges to users
-      community.postgresql.postgresql_privs:
-        db: "{{ item.db }}"
-        privs: ALL
-        type: schema
-        objs: public
-        role: "{{ item.user }}"
-      loop:
-        - db: "{{ repo_db_name }}"
-          user: "{{ repo_db_username }}"
-        - db: "{{ sync_db_name }}"
-          user: "{{ sync_db_username }}"
-
-    - name: >-
-        Revoke {{ repo_db_username }} user access to
-        {{ sync_db_name }} database due to previous bug
-      community.postgresql.postgresql_user:
-        db: "{{ sync_db_name }}"
-        name: "{{ repo_db_username }}"
-        priv: "ALL"
-        state: absent
-        fail_on_user: false
-      tags:
-        - molecule-idempotence-notest
diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml
@@ -0,0 +1,63 @@
+---
+- name: Include OS specific variables
+  ansible.builtin.include_vars: "{{ item }}"
+  loop: >-
+    {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
+
+- name: Configure PostgreSQL client auth
+  become: true
+  notify:
+    - Restart-postgresql
+  ansible.builtin.blockinfile:
+    path: "{{ postgresql_conf_path }}/pg_hba.conf"
+    block: |
+      {% for host in postgres_db_clients | map('extract', hostvars, ['ansible_default_ipv4', 'address']) %}
+      host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5
+      {% endfor %}
+    marker: >-
+      # {mark} ANSIBLE MANAGED: allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }}
+    owner: postgres
+    group: postgres
+    mode: "u=rw"
+
+- name: Configure PostgreSQL database
+  become: true
+  become_user: postgres
+  vars:
+    ansible_ssh_pipelining: true
+  block:
+    - name: Create database
+      community.postgresql.postgresql_db:
+        name: "{{ postgres_db_name }}"
+
+    - name: Revoke default access to public schema
+      community.postgresql.postgresql_privs:
+        db: "{{ postgres_db_name }}"
+        privs: ALL
+        type: schema
+        objs: public
+        role: public
+        state: absent
+      tags:
+        - molecule-idempotence-notest
+
+    - name: Create unprivileged user
+      community.postgresql.postgresql_user:
+        db: "{{ postgres_db_name }}"
+        name: "{{ postgres_db_username }}"
+        password: "{{ postgres_db_password }}"
+        expires: infinity
+        role_attr_flags: NOSUPERUSER
+      no_log: true
+      tags:
+        - molecule-idempotence-notest
+
+    - name: Grant db privileges to user
+      community.postgresql.postgresql_privs:
+        db: "{{ postgres_db_name }}"
+        privs: ALL
+        type: schema
+        objs: public
+        role: "{{ postgres_db_username }}"
+      tags:
+        - molecule-idempotence-notest
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2