- name: Install postgres packages
  apt:
    name:
      - python3-psycopg2
      - postgresql-{{ postgres_version }}
      - postgresql-contrib-{{ postgres_version }}
      - postgresql-doc-{{ postgres_version }}
      - libpq-dev
    state: present
  tags:
    - role::postgres

- name: Check postgres is started and enabled on boot
  service:
    name: '{{ postgres_daemon }}'
    state: started
    enabled: true
  tags:
    - role::postgres

- name: Add postgres users
  become: true
  become_user: "{{ postgres_user }}"
  community.postgresql.postgresql_user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    role_attr_flags: "{{ item.role_attr_flags | default('') }}"
    state: present
  loop_control:
    label: "{{ item.name }}"
  loop: "{{ postgres_users }}"
  environment:
    PGOPTIONS: "-c password_encryption=scram-sha-256"
  tags:
    - role::postgres

- name: Add postgres databases
  become: true
  become_user: "{{ postgres_user }}"
  community.postgresql.postgresql_db:
    name: "{{ item.name }}"
    owner: "{{ item.owner }}"
    state: present
  loop: "{{ postgres_databases }}"
  tags:
    - role::postgres

- name: Set host based authentication rules for all postgres users at once
  ansible.builtin.blockinfile:
    path: /etc/postgresql/{{ postgres_version }}/main/pg_hba.conf
    insertafter: "# Put your actual configuration here"
    marker: "# {mark} ANSIBLE MANAGED HBA CONF BLOCK"
    block: |
      # Manually configured HBA rules
      {% for rule in postgres_hba_rules %}
      {{ rule.conn_type }}    {{ rule.database }}    {{ rule.user }}    {{ rule.address }}    {{ rule.method }}   {{ rule.options | default('') }}
      {% endfor %}

      # Automatically configured mTLS HBA rules
      {% for user in postgres_users if user.name != 'devops' %}
      hostssl {{ user.name }} {{ user.name }} all cert map=mtls_cn_map
      {% endfor %}
  loop: "{{ postgres_hba_rules }}"
  notify:
    - Reload the postgres service
  tags:
    - role::postgres

- name: Grant specified roles to users
  community.postgresql.postgresql_membership:
    groups: "{{ user.roles }}"
    target_role: "{{ user.name }}"
  loop: "{{ postgres_users }}"
  when: user.roles != None
  loop_control:
    loop_var: user
    label: "{{ user.name }}"
  become: true
  become_user: "{{ postgres_user }}"
  tags:
    - role::postgres

- name: Grant specified grants to particular roles
  community.postgresql.postgresql_privs:
    database: "{{ grant.database }}"
    state: "{{ grant.state }}"
    privs: "{{ grant.privs }}"
    objs: "{{ grant.objs | default(omit) }}"
    roles: "{{ grant.roles }}"
    type: "{{ grant.type }}"
  when: postgres_grants is defined
  loop: "{{ postgres_grants }}"
  loop_control:
    loop_var: grant
    label: "{{ grant.privs }} --> {{ grant.roles }}"
  become: true
  become_user: "{{ postgres_user }}"
  tags:
    - role::postgres

- name: Import postgresql.conf
  template:
    src: postgresql.conf.j2
    dest: /etc/postgresql/{{ postgres_version }}/main/postgresql.conf
    owner: postgres
    group: postgres
    mode: "0644"
  tags:
    - role::postgres
  notify:
    - Restart the postgres service

- name: Import PostgreSQL identity map (pg_ident.conf)
  copy:
    src: ident.conf
    dest: /etc/postgresql/{{ postgres_version }}/main/pg_ident.conf
    owner: postgres
    group: postgres
    mode: "0644"
  tags:
    - role::postgres
  notify:
    - Reload the postgres service

- name: Install and configure pg_repack
  include_tasks: pg_repack.yml