Add postgres and redis roles

.gitmodules

@@ -7,3 +7,9 @@
 [submodule "roles/ansible-role-nginx"]
 	path = roles/ansible-role-nginx
 	url = https://github.com/secshellnet/ansible-role-nginx
+[submodule "roles/ansible-role-postgresql"]
+	path = roles/ansible-role-postgresql
+	url = https://github.com/geerlingguy/ansible-role-postgresql
+[submodule "roles/ansible-role-redis"]
+	path = roles/ansible-role-redis
+	url = https://github.com/geerlingguy/ansible-role-redis

README.md

@@ -80,8 +80,6 @@ hcloud-ansible
 │   ├── id_ecdsa
 │   └── id_ecdsa.pub
 ├── ansible.cfg
-├── filter_plugins               # python filters to be used in ansible
-│   └── network_filters.py
 ├── group_vars
 │   └── all
 │       ├── vars.yaml            # plaintext global variables
@@ -90,15 +88,69 @@ hcloud-ansible
 ├── playbook.yaml
 ├── roles
 │   ├── ansible-role-fail2ban
-│   ├── ansible-role-nginx
+│   ├── ansible-role-nginx       # our role to install nginx with acme.sh and cf dns integration
+│   ├── ansible-role-postgresql  # role to install a postgresql database server
 │   └── ansible-role-sshd
-└── tasks                        # ansible subtasks to be used in the playbooks
-    ├── create-worker-user.yaml
-    └── hetzner-cloud.yaml
+├── tasks
+│   ├── auto-update.yaml
+│   ├── create-worker-user.yaml
+│   └── hetzner-cloud.yaml       # task to manage cloud servers and aquire information to connect
+└── templates
+    └── dnf-automatic.conf.j2
 ```
 
+### [ansible-role-sshd](https://github.com/secshellnet/ansible-role-sshd)
+
+### [ansible-role-fail2ban](https://github.com/secshellnet/ansible-role-fail2ban)
+
+### [ansible-role-nginx](https://github.com/secshellnet/ansible-role-nginx)
+
+### [ansible-role-redis](https://github.com/geerlingguy/ansible-role-redis)
+
+### [ansible-role-postgresql](https://github.com/geerlingguy/ansible-role-postgresql)
+```yaml
+# host_vars/<hostname>/vars.yaml
+---
+postgresql_databases:
+  - name: nextcloud
+    state: present
+
+  # synapse requires lc_collate and lc_ctype to be set to C
+  - name: synapse
+    lc_collate: C
+    lc_ctype: C
+    state: present
+
+postgresql_users_u:
+  - name: nextcloud
+    db: nextcloud
+    state: present
+
+  - name: synapse
+    db: synapse
+    state: present
+```
+
+```yaml
+# host_vars/<hostname>/vault
+---
+postgresql_users_e:
+  - name: nextcloud
+    password: s3cr3t-p4ssw0rd
+
+  - name: synapse
+    password: s3cr3t-p4ssw0rd
+```
+
+- You can spawn a postgres shell using: `sudo -u postgres psql`.
+- Use `\l` to list databases, `\du` to list users and `\dt` to list tables.
+- Use `\c <database>` to connect to a database
+- You can also connect using tcp (like any other application): 
+  `psql -h 127.0.0.1 -U <user> <database>`
+
 ## TODO
 - run OpenSCAP and check what could be improved
+- test postgresql role
 
 ### think about
 - (iptables/firewalld) firewall rules and/or hcloud firewall rules -> integration of hcloud would be independent of distribution -> if we want to support distros like fedora in future it would be better for now

group_vars/all/vars.yaml

@@ -8,5 +8,15 @@ image: ubuntu-22.04
 enable_ipv4: false
 enable_ipv6: true
 
+# ansible-role-postgresql default host based authentication config 
+# role default uses md5 to authenticate, which is why we override it
+postgresql_hba_entries:
+  - { type: local, database: all, user: postgres, auth_method: peer }
+  - { type: local, database: all, user: all, auth_method: peer }
+  - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: scram-sha-256 }
+  - { type: host, database: all, user: all, address: '::1/128', auth_method: scram-sha-256 }
+
 # features / roles to install
 install_nginx: false
+install_postgresql: false
+install_redis: false

playbook.yaml

@@ -50,26 +50,35 @@
     - name: "Configure automatic updates of installed packages"
       ansible.builtin.include_tasks: "tasks/auto-update.yaml"
 
-    # - name: "Install unattended upgrades"
-    #   ansible.builtin.apt:
-    #     name:
-    #       - python3-requests
-    #       - python3-apt
-    #       - curl
-    #       - wget
-    #       - dnsutils
-    #       - mtr
-    #       - tcpdump
-    #       - ncdu
-    #       - jq
-    #       - iptables
-    #       - iptables-persistent
-    #     state: present
-    #   become: true
-
     - name: "Setup nginx"
       ansible.builtin.include_role:
         name: "ansible-role-nginx"
       when:
         - enable_ipv4  # otherwise acme.sh cannot be installed
         - install_nginx
+
+    # The passwords of postgresql users are not being stored with the 
+    # other (e.g. database) settings in the host_vars/<hostname>/vars.yaml
+    # for secure reasons. Instead the are stored in the vault of the host
+    # (host_vars/<hostname>/vault and will be merged by the following task.
+    - name: "Merge PostgreSQL users variables with passwords from vault"
+      ansible.builtin.set_fact:
+        postgresql_users: "{{ postgresql_users | default([]) + [item_u | combine(item_e)] }}"
+      loop: "{{ postgresql_users_u }}"
+      loop_control:
+        loop_var: item_u
+      vars:
+        item_e: "{{ postgresql_users_e | selectattr('name', '==', item_u.name) | first }}"
+      when: install_postgresql
+
+    - name: "Setup postgresql"
+      ansible.builtin.include_role:
+        name: "ansible-role-postgresql"
+      when:
+        - install_postgresql
+
+    - name: "Setup redis"
+      ansible.builtin.include_role:
+        name: "ansible-role-redis"
+      when:
+        - install_redis