Feat: Add postgres-11/12

professormahi · professormahi · commit ac1084a1311d · 2023-12-06T21:39:10.000+03:30
Signed-off-by: Mahdi Fooladgar (professormahi) &lt;professormahi_f@yahoo.com&gt;
diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml
@@ -9,3 +9,7 @@ postgres_hardening_restart_postgres: true
 # Postgres user/group
 postgres_user: postgres
 postgres_group: postgres
+
+# SSL
+ssl_enabled: "on"
+ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml
@@ -68,30 +68,45 @@
     msg: "Postgres Version is not secure or supported!"
   when: not postgres_version or 'RC' in postgres_version_raw or 'DEVEL' in postgres_version_raw or 'BETA' in postgres_version_raw
 
-
 #################################
 # POSTGRES-10 ###################
 #################################
-- name: Manage permissions on /etc/postgresql/14/main
+- name: Manage permissions on /etc/postgresql/<version>/main
   ansible.builtin.file:
-    path: /etc/postgresql/14/main
+    path: "/etc/postgresql/{{ postgres_version }}/main"
     state: directory
     owner: "{{ postgres_user }}"
     group: "{{ postgres_group }}"
     mode: u=rwx,g=,o=
 
-- name: Manage permissions on /etc/postgresql/14/main/postgresql.conf
+- name: Manage permissions on /etc/postgresql/<version>/main/postgresql.conf
   ansible.builtin.file:
-    path: /etc/postgresql/14/main/postgresql.conf
+    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
     state: file
     owner: "{{ postgres_user }}"
     group: "{{ postgres_group }}"
     mode: u=rw,g=r,o=
 
-- name: Manage permissions on /etc/postgresql/14/main/pg_hba.conf
+- name: Manage permissions on /etc/postgresql/<version>/main/pg_hba.conf
   ansible.builtin.file:
-    path: /etc/postgresql/14/main/pg_hba.conf
+    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
     state: file
     owner: "{{ postgres_user }}"
     group: "{{ postgres_group }}"
     mode: u=rw,g=,o=
+
+#################################
+# POSTGRES-11/12 ################
+#################################
+- name: Secure postgresql.conf Configuration
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
+    line: "{{ item.line }}"
+    regexp: "{{ item.regexp }}"
+    state: present
+  with_items:
+    - line: "ssl = {{ ssl_enabled }}"
+      regexp: "#?ssl\\s?="
+    - line: "ssl_ciphers = '{{ ssl_ciphers }}'"
+      regexp: "#?ssl_ciphers\\s?="
+  notify: Restart postgres
