Diffstat (limited to 'ansible/roles/postgres/tasks')
-rw-r--r--ansible/roles/postgres/tasks/main.yml47
1 files changed, 43 insertions, 4 deletions
diff --git a/ansible/roles/postgres/tasks/main.yml b/ansible/roles/postgres/tasks/main.yml
index 034ff9c..ea6565b 100644
--- a/ansible/roles/postgres/tasks/main.yml
+++ b/ansible/roles/postgres/tasks/main.yml
@@ -18,16 +18,55 @@
- role::postgres
- name: Add postgres users
- community.postgresql.postgresql_user: "{{ item }}"
- with_items: "{{ postgres_users }}"
become: true
become_user: "{{ postgres_user }}"
+ community.postgresql.postgresql_user:
+ name: "{{ item.name }}"
+ password: "{{ item.password }}"
+ state: present
+ loop_control:
+ label: "{{ item.name }}"
+ loop: "{{ postgres_users }}"
+ environment:
+ PGOPTIONS: "-c password_encryption=scram-sha-256"
tags:
- role::postgres
- name: Add postgres databases
- community.postgresql.postgresql_db: "{{ item }}"
- with_items: "{{ postgres_databases }}"
+ become: true
+ become_user: "{{ postgres_user }}"
+ community.postgresql.postgresql_db:
+ name: "{{ item.name }}"
+ owner: "{{ item.owner }}"
+ state: present
+ loop: "{{ postgres_databases }}"
+ tags:
+ - role::postgres
+
+- name: Set host based authentication rules for all postgres users at once
+ ansible.builtin.blockinfile:
+ path: /etc/postgresql/{{ postgres_version }}/main/pg_hba.conf
+ insertafter: "# Put your actual configuration here"
+ marker: "# {mark} ANSIBLE MANAGED HBA CONF BLOCK"
+ block: |
+ {% for db in postgres_databases %}
+ host {{ db.name }} {{ db.owner }} all scram-sha-256
+ {% endfor %}
+ loop: "{{ postgres_databases }}"
+ notify:
+ - Reload the postgres service
+ tags:
+ - role::postgres
+
+- name: Grant specified roles to users
+ community.postgresql.postgresql_membership:
+ groups: "{{ user.roles }}"
+ target_role: "{{ user.name }}"
+ loop: "{{ postgres_users }}"
+ when: user.roles != None
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
become: true
become_user: "{{ postgres_user }}"
tags:
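Review bot: The generated pg_hba.conf rule `host {{ db.name }} {{ db.owner }} all scram-sha-256` uses `all` as the address, so each owner can authenticate from any client IP, and `host` also matches non-TLS connections; scram-sha-256 protects the password exchange but not the session traffic. Consider a source range per database and `hostssl`, e.g. `hostssl {{ db.name }} {{ db.owner }} <client-cidr> scram-sha-256`, where `<client-cidr>` is a placeholder for a value `postgres_databases` would have to supply. The same task keeps `loop: "{{ postgres_databases }}"` although the Jinja `for` already renders every database, so the identical block is applied once per entry and the loop line can be dropped. The task also shows no `become` in this hunk, which matters if the play does not already run as a user that can write that file. In "Add postgres users" the `label` only shortens the console line, and the looped item containing `item.password` can still appear in verbose or failure output, so `no_log: true` on that task and on "Grant specified roles to users", which loops over the same list, would keep it out of logs.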