postgres: store DB password with other secrets

Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff ever worked properly or even at all.
2024-08-15 12:57:15 +02:00 · 2024-08-15 12:57:15 +02:00 · 8ba6959065
parent 3261bc7f98
commit 8ba6959065
2 changed files with 3 additions and 28 deletions
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@ -65,6 +65,8 @@
      line: "ALLOWED_HOSTS = ['{{ dns_name }}']"
    - key: 'USER.*PostgreSQL username'
      line: "    'USER': '{{ user }}', # PostgreSQL username"
+    - key: 'PASSWORD.*PostgreSQL password'
+      line: "    'PASSWORD': '{{ password.db_pass }}', # PostgreSQL password"
    # XXX unnecessary?
    #- key: '(OPTIONS|PASSWORD).*PostgreSQL password'
    #  line: "    'OPTIONS': { 'passfile': '{{ user_info.home }}/.pgpass' }, # PostgreSQL password"
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@ -10,32 +10,6 @@
    enabled: true
    state: started

- name: Check for existing database password
-  become: yes
-  become_user: '{{ user }}'
-  slurp:
-    path: '~/.pgpass'
-  register: pgpass
-  failed_when: false
-
- name: Get database password
-  when: '"content" in pgpass'
-  set_fact: db_password='{{ pgpass.content | b64decode | split(":") | last }}'
-
- name: Create database password
-  when: '"content" not in pgpass'
-  set_fact: db_password='{{ lookup("password", "/dev/null", chars=["ascii_letters", "digits"]) }}'
-
- name: Create .pgpass
-  become: yes
-  become_user: '{{ user }}'
-  copy:
-    dest: '~/.pgpass'
-    content: |
-      localhost:5432:{{ user }}:{{ user }}:{{ db_password }}
-    force: no
-    mode: 0600
-
 - become: yes
  become_user: postgres
  block:
@ -47,8 +21,7 @@
      postgresql_user:
        db: '{{ database | default(user) }}'
        name: '{{ user }}'
-        password: '{{ db_password }}'
-        no_password_changes: '{{ "content" in pgpass }}'
+        password: '{{ password.db_pass }}'

    - name: Set schema owner
      postgresql_owner: