Update to latest version of PostgreSQL role.

Author: geerlingguy

provisioning/requirements.yml

@@ -66,7 +66,7 @@
 - src: geerlingguy.postfix
   version: 1.1.0
 - src: geerlingguy.postgresql
-  version: 1.0.3
+  version: 1.1.0
 - src: geerlingguy.redis
   version: 1.4.1
 - src: geerlingguy.repo-remi

provisioning/roles/geerlingguy.postgresql/README.md

@@ -37,6 +37,18 @@ The directories (usually one, but can be multiple) where PostgreSQL's socket wil
 
 Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.
 
+    postgresql_hba_entries:
+      - type: host # required; local, host, hostssl or hostnossl
+        database: exampledb # required
+        user: jdoe # required
+        address: 192.0.2.0/24 # either this or ip_address / ip_mask are required unless type is 'local'
+        ip_address: # alternative to 'address'
+        ip_mask: # alternative to 'address'
+        auth_method: # required
+        auth_options: # optional
+
+Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. 
+
     postgresql_locales:
       - 'en_US.UTF-8'
 

provisioning/roles/geerlingguy.postgresql/defaults/main.yml

@@ -13,6 +13,13 @@ postgresql_global_config_options:
   - option: unix_socket_directories
     value: '{{ postgresql_unix_socket_directories | join(",") }}'
 
+# Host based authentication (hba) entries to be added to the pg_hba.conf.
+postgresql_hba_entries:
+  - type: local
+    database: all
+    user: all
+    auth_method: trust
+
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:
   - 'en_US.UTF-8'

provisioning/roles/geerlingguy.postgresql/tasks/configure.yml

@@ -8,6 +8,15 @@
   with_items: "{{ postgresql_global_config_options }}"
   notify: restart postgresql
 
+- name: Configure host based authentication.
+  template:
+    src: "templates/pg_hba.conf.j2"
+    dest: "{{ postgresql_config_path }}/pg_hba.conf"
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+    mode: 0600
+  notify: restart postgresql
+
 - name: Ensure PostgreSQL unix socket dirs exist.
   file:
     path: "{{ item }}"

provisioning/roles/geerlingguy.postgresql/tasks/databases.yml

@@ -11,6 +11,7 @@
     login_user: "{{ item.login_user | default(postgresql_user) }}"
     login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
     port: "{{ item.port | default(omit) }}"
+    owner: "{{ item.owner | default(postgresql_user) }}"
     state: "{{ item.state | default('present') }}"
   with_items: "{{ postgresql_databases }}"
   become: yes

provisioning/roles/geerlingguy.postgresql/tasks/main.yml

@@ -22,5 +22,5 @@
     enabled: yes
 
 # Configure PostgreSQL.
-- include: databases.yml
 - include: users.yml
+- include: databases.yml

provisioning/roles/geerlingguy.postgresql/templates/pg_hba.conf.j2

@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+
+{% for client in postgresql_hba_entries %}
+{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
+{% endfor %}