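---
# PostgreSQL server configuration tasks: render postgresql.conf, create local
# accounts for roles that authenticate through PAM, manage pg_hba.conf entries
# and, when enabled, open the listener port in iptables.
- block:
    - name: Setup global config file
      template:
        src: postgresql/data/postgresql.conf.j2
        dest: "{{ __postgres_config_path }}/postgresql.conf"
        # Quoted so the mode is always taken as an octal string rather than
        # depending on how the YAML loader types a bare 0600.
        mode: "0600"
        # NOTE(review): no owner/group is set. With mode 0600 the file must be
        # owned by the account the server runs as; confirm that the ownership
        # of an already existing file is what is being relied on here.
      notify: __postgres_restart

    - name: Create local users for pam auth
      user:
        name: "{{ item.name }}"
        # The salt is seeded from inventory_hostname so the hash stays the same
        # between runs and the task remains idempotent. The price is that the
        # salt is predictable and identical for every user on a host, so two
        # users with the same password end up with the same hash.
        # NOTE(review): consider mixing item.name into the seed.
        password: "{{ item.password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ postgres_users }}"
      # Items carry cleartext passwords; keep them out of task output and logs.
      no_log: true
      # `| bool` so a string such as "false" is not treated as truthy.
      when: item.pam_user | default(False) | bool

    - name: Setup client authentication
      postgresql_pg_hba:
        dest: "{{ __postgres_config_path }}/pg_hba.conf"
        contype: "{{ item.contype | default('local') }}"
        # An entry that omits users or databases applies to 'all' of them.
        users: "{{ item.users | default(['all']) | join(',') }}"
        address: "{{ item.address | default('samehost') }}"
        databases: "{{ item.databases | default(['all']) | join(',') }}"
        # md5 is the fallback when an entry sets no auth_method; it is kept
        # for compatibility with existing entries. It is weaker than
        # scram-sha-256, so set auth_method explicitly wherever the clients
        # and the stored password hashes allow it.
        method: "{{ item.auth_method | default('md5') }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ postgres_hba_entries }}"
      loop_control:
        label: "{{ item.address | default('samehost') }}:{{ item.databases | default(['all']) | join(',') }}:{{ item.users | default(['all']) | join(',') }}"
      notify: __postgres_restart

    - name: Open ports in iptables
      iptables_raw:
        name: allow_postgres_port
        state: present
        # The rule carries no source match, so new TCP connections to the port
        # are accepted from any address.
        rules: '-A INPUT -m state --state NEW -p tcp --dport {{ postgres_connection_port }} -j ACCEPT'
      when: postgres_iptables_enabled | bool

  # NOTE(review): the collapsed source does not show whether these two keys
  # belong to the block or only to the last task. Block level is assumed here,
  # since the config, user and pg_hba tasks also need elevated rights; confirm.
  become: true
  become_user: root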