This role installs and configures a PostgreSQL server instance. It is system-only: no application databases or users are created here. Application roles depend on this foundation and manage their own databases independently.

Features

Install PostgreSQL {{ postgresql_version }} and required packages
Enable and start the PostgreSQL service
Enforce secure authentication methods:
- Local peer for Unix socket access
- SCRAM-SHA-256 for TCP connections
Restrict PostgreSQL to listen only on localhost
Harden pg_hba.conf with explicit rules
ACL support for proper privilege escalation

Defaults

postgresql_version: 17
postgresql_listen: "localhost"

Requirements

Ansible >= 2.12
community.postgresql collection
Debian-based OS (Bookworm, Trixie)
acl package installed

Variables

postgresql_version: Version of PostgreSQL to install.
postgresql_listen: IP addresses PostgreSQL will bind to (default: localhost).

Handlers

Restart_postgresql: Restarts the PostgreSQL service when config changes.
Reload_postgresql: Reloads the PostgreSQL service to apply authentication changes.

Dependencies

None. This is a base system role. Application roles should depend on it for database provisioning.

Example Playbook

- hosts: dbservers
  become: true

  roles:
    - role: ds_postgresql

Security

All connections are localhost-only by default.
No application databases or users are created here.
Designed for isolation, auditability, and reuse across multiple application deployments.
Provides a reliable, secure foundation for serious infrastructure.

License

MIT

[ Fear the Silence. Fear the Switch. ]