ansible: Add missing roles to git

ansible/pontos.yml

@@ -29,89 +29,8 @@
       - import_role:
           name: postgres_deb
 
-      - block:
-          - name: "cgroups v2"
-            lineinfile:
-              path: /etc/default/grub
-              regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]*) (systemd.unified_cgroup_hierarchy=1 +)*([^"]*)"'
-              line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1 \3"'
-              backrefs: true
-            register: grub_cgroups
-
-          - command: update-grub
-            when: grub_cgroups.changed
-
-          - name: Enable user namespaces
-            sysctl:
-              name: kernel.unprivileged_userns_clone
-              value: "1"
-              state: present
-              reload: true
-
-          - name: Add apt-key for podman
-            apt_key:
-                data: |
-                    -----BEGIN PGP PUBLIC KEY BLOCK-----
-                    Version: GnuPG v1.4.5 (GNU/Linux)
-
-                    mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
-                    XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
-                    GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
-                    Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
-                    Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
-                    +yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
-                    UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
-                    CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
-                    ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
-                    xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
-                    89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
-                    PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
-                    x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
-                    uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
-                    t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
-                    Pu9n
-                    =42uC
-                    -----END PGP PUBLIC KEY BLOCK-----
-
-          - name: Podman repository for Buster
-            apt_repository:
-                repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /"
-                filename: podman
-                state: present
-
-          - apt:
-              pkg:
-                - libseccomp2
-                - systemd
-              default_release: buster-backports
-              state: latest
-          - apt:
-              pkg:
-                - podman
-                - fuse-overlayfs
-
-          - apt:
-              pkg:
-                - slirp4netns
-                - libslirp0
-              state: absent
-
-          - copy:
-              src: bin/slirp4netns-x86_64-v1.1.9
-              dest: /usr/local/bin/slirp4netns
-              mode: 0755
-
-          - copy:
-              dest: /etc/containers/storage.conf
-              content: |
-                [storage]
-                  driver = "overlay"
-                  runroot = "/var/obj/podman/storage"
-                  graphroot = "/var/obj/podman/storage"
-                  rootless_storage_path = "/var/obj/podman/$USER/storage"
-                [storage.options]
-                  mount_program = "/bin/fuse-overlayfs"
-
+      - import_role:
+          name: podman_deb
         when: inventory_hostname == "pontos08.fi.muni.cz"
 
       - apt:

ansible/roles/pds_deb/files/FI_CA.pem

+-----BEGIN CERTIFICATE-----
+MIIHvTCCBaWgAwIBAgIJAIOlKRAWJsF6MA0GCSqGSIb3DQEBDQUAMIG8MQswCQYD
+VQQGEwJDWjEXMBUGA1UECBMOQ3plY2ggUmVwdWJsaWMxDTALBgNVBAcTBEJybm8x
+MzAxBgNVBAoTKkZhY3VsdHkgb2YgSW5mb3JtYXRpY3MsIE1hc2FyeWsgVW5pdmVy
+c2l0eTEMMAoGA1UECxMDQ1ZUMSIwIAYDVQQDExlGYWN1bHR5IG9mIEluZm9ybWF0
+aWNzIENBMR4wHAYJKoZIhvcNAQkBFg91bml4QGZpLm11bmkuY3owHhcNMTMwMTE2
+MTUwNDE3WhcNMzMwMTExMTUwNDE3WjCBvDELMAkGA1UEBhMCQ1oxFzAVBgNVBAgT
+DkN6ZWNoIFJlcHVibGljMQ0wCwYDVQQHEwRCcm5vMTMwMQYDVQQKEypGYWN1bHR5
+IG9mIEluZm9ybWF0aWNzLCBNYXNhcnlrIFVuaXZlcnNpdHkxDDAKBgNVBAsTA0NW
+VDEiMCAGA1UEAxMZRmFjdWx0eSBvZiBJbmZvcm1hdGljcyBDQTEeMBwGCSqGSIb3
+DQEJARYPdW5peEBmaS5tdW5pLmN6MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAoGSifSFVk1SIQTgTb8e2wAPe1vSPL9WSd7MoV2Z3pg8Smdsn2RVcVtoh
+oqlqsXdbi1UOjx6XFHjpX3S8xrnqSdYYf9kl9k27/yL2vcaTW0SjmsV6WULWm9m6
+yXmsf1Qh+O1BIFvG9hHdsEVLJnU4PBAzZyKPKxFa07Zi1Ltlmjl2wgD+N23lXAuQ
+YWlRWeqyi/VadSByHuMSjjDCFPo7ihuFfDv8aF6SAuXDiU47M8zfMay9LRKXMYVv
+68YAS7t6U7Pefvm300CVSpK0B1N8/7C4ta1aVct6PijmF6qjaab4eicrTkQOrcME
+/0ES/08PHOSO66A0JXD+elQkmPDXOJEDGQaNt5FO9FTTNqEeGGPRuU/HQIGFXK9O
+v0ML/c3LfCBpIm09UDL5CxESZrZb4rSRPVoDBxWZTEB+I550IXGn/T8E0S5zjod8
+k12x9uVVYDgK3Hg9MRCrnrrrK1nmvXLVExbB8gj8L33CbUa5zZO9T/kjbAW26sWD
+hMSZmIwU69la09A6lhlDd1hjpITcR6Mibj/DINAmao8ZnrY9vVKxRlojAiBWJSAA
+9m0FMPAnGddgGQ5HYfjJ44qL1vyFhv6JMXcsG+Vx11izoiz10ekOJpDZo/FYqhdO
+NBIyx/HiGHlDpOdqVXRBSfiO0Snc9oZGczuOdnSLb0w8eQiI/ZsCAwEAAaOCAb4w
+ggG6MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQW
+BBR2nnguNcRVJ/X2a4j0bsue+Vy7mzCB8QYDVR0jBIHpMIHmgBR2nnguNcRVJ/X2
+a4j0bsue+Vy7m6GBwqSBvzCBvDELMAkGA1UEBhMCQ1oxFzAVBgNVBAgTDkN6ZWNo
+IFJlcHVibGljMQ0wCwYDVQQHEwRCcm5vMTMwMQYDVQQKEypGYWN1bHR5IG9mIElu
+Zm9ybWF0aWNzLCBNYXNhcnlrIFVuaXZlcnNpdHkxDDAKBgNVBAsTA0NWVDEiMCAG
+A1UEAxMZRmFjdWx0eSBvZiBJbmZvcm1hdGljcyBDQTEeMBwGCSqGSIb3DQEJARYP
+dW5peEBmaS5tdW5pLmN6ggkAg6UpEBYmwXowRQYIKwYBBQUHAQEEOTA3MDUGCCsG
+AQUFBzAChilodHRwOi8vZmFkbWluLmZpLm11bmkuY3ovY2FjZXJ0L0ZJX0NBLmNy
+dDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vZmFkbWluLmZpLm11bmkuY3ovY2Fj
+ZXJ0L0ZJX0NBLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEATIm56exar1GuVjFNnLh3
+1r7fjoOKiq155LrnU0jKI5X7/gXfuzzycjsVNR4sIo+5uB3QNlHtsFK1E7CSOGoC
+dIuCAjlzbqosrvtkn09oX4+9aY9uHEybS4U116ieGMVpTLcQ+TFhfq+jQGdmrRmn
+17fMb4eZxHxRQohG+8Z7TO/gI4cQTrl5//rV4dDdIFnqjz4bHG7bDYmiSWHtZJv5
+cFaOG/NQqBI1TasdyKPco+Xbp+1POhV5ArBaHotqOmTaBG/TB7nyy1Aoo/yrH4Op
++8Yl8dIZyWel/QdUflU4CGSz8jogM40pTJxvQ117L3KOBv/acqd7SWvX4KIEn+tV
+HLUw7agoPCXsl/5POUmJH9NA8KDYBNZUAyWWprXazbKwg7RdLDQS/8uY7O/zsgsU
+Bf67eS3UNUYEHGFnXAuJCj8zyF6j+2k0VEUP88FcEAq4KTbgUq+wZNqL9R5BWYO3
+Z82Ms0xl1vVves6BpsrP7GyLCWDHO7EJZ12O1GBPtr3wxAI6Vq2/r6O7PIW16NQt
+93WBrOlM1zwmu+XJcQdvi+QgU5e7Y8DIWI9kPD1Cd5E+LKgI9XyfoO6Jk7bAaRil
+DV0J7FEBQUyXSmHLnK9OY1i6ritGYjHlIJntRx3m7aJb9Q/8ClYXVIPIvBWeEv8s
+b7lCCz1q5Gm4RkdxRJQ+GCc=
+-----END CERTIFICATE-----

ansible/roles/pds_deb/files/libnss-ldap.conf

+## managed by ansible!
+base dc=fi,dc=muni,dc=cz
+uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
+ldap_version 3
+rootbinddn dc=fi,dc=muni,dc=cz
+
+nss_base_passwd		ou=People,dc=fi,dc=muni,dc=cz?one?host=lpds
+nss_base_group		ou=Group,dc=fi,dc=muni,dc=cz?one?host=lpds
+
+ssl on
+tls_checkpeer yes
+tls_reqchert hard
+tls_cacertfile /etc/ldap/ssl/FI_CA.pem

ansible/roles/pds_deb/handlers/main.yml

+- name: restart nscd
+  service:
+    name: nscd
+    state: restarted

ansible/roles/pds_deb/tasks/main.yml

@@ -2,7 +2,10 @@
   apt:
     pkg:
       - cups
-      - cups-bsd # lpr
+      - cups-bsd  # lpr
+      - ldap-utils  # ldapsearch
+      - zsh
+      - fish
 
 - name: "Set CUPS server"
   lineinfile:
@@ -10,3 +13,41 @@
     regexp: "^CUPS_SERVER="
     line: "CUPS_SERVER=print.fi.muni.cz"
     path: /etc/environment
+
+- name: NSSwitch LDAP prerequisites
+  apt:
+    pkg:
+      - nscd
+      - libnss-ldap
+
+- name: FI_CA (LDAP) dir
+  file:
+    path: /etc/ldap/ssl/
+    state: directory
+
+- name: FI_CA (LDAP)
+  copy:
+    src: FI_CA.pem
+    dest: /etc/ldap/ssl/FI_CA.pem
+
+- name: LDAP config for NSSwitch
+  copy:
+    src: '{{item}}'
+    dest: '/etc/{{item}}'
+  loop:
+    - libnss-ldap.conf
+  notify:
+    - restart nscd
+
+- name: NSSwitch LDAP
+  lineinfile:
+    regexp: '^({{item.0}}):(\s+)'
+    line: '\1:\2{{item.1}}'
+    backrefs: true
+    path: /etc/nsswitch.conf
+  loop:
+    - ['passwd', 'files systemd ldap']
+    - ['group', 'files systemd ldap']
+    - ['shadow', 'files ldap']
+  notify:
+    - restart nscd

ansible/roles/podman_deb/tasks/main.yml

+---
+- name: "cgroups v2"
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]*) (systemd.unified_cgroup_hierarchy=1 +)*([^"]*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1 \3"'
+    backrefs: true
+  register: grub_cgroups
+
+- command: update-grub
+  when: grub_cgroups.changed
+
+- name: Enable user namespaces
+  sysctl:
+    name: kernel.unprivileged_userns_clone
+    value: "1"
+    state: present
+    reload: true
+
+- name: Add apt-key for podman
+  apt_key:
+      data: |
+          -----BEGIN PGP PUBLIC KEY BLOCK-----
+          Version: GnuPG v1.4.5 (GNU/Linux)
+
+          mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
+          XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
+          GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
+          Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
+          Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
+          +yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
+          UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
+          CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
+          ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
+          xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
+          89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
+          PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
+          x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
+          uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
+          t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
+          Pu9n
+          =42uC
+          -----END PGP PUBLIC KEY BLOCK-----
+
+- name: Podman repository for Buster
+  apt_repository:
+      repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /"
+      filename: podman
+      state: present
+
+- apt:
+    pkg:
+      - libseccomp2
+      - systemd
+    default_release: buster-backports
+    state: latest
+- apt:
+    pkg:
+      - podman
+      - fuse-overlayfs
+
+- apt:
+    pkg:
+      - slirp4netns
+      - libslirp0
+    state: absent
+
+- copy:
+    src: bin/slirp4netns-x86_64-v1.1.9
+    dest: /usr/local/bin/slirp4netns
+    mode: 0755
+
+- copy:
+    dest: /etc/containers/storage.conf
+    content: |
+      [storage]
+        driver = "overlay"
+        runroot = "/var/obj/podman/storage"
+        graphroot = "/var/obj/podman/storage"
+        rootless_storage_path = "/var/obj/podman/$USER/storage"
+      [storage.options]
+        mount_program = "/bin/fuse-overlayfs"
+...

ansible/roles/postgres_deb/defaults/main.yml

+postgres_server: False
+postgres_server_root: /srv/postgresql
+postgres_client: False

ansible/roles/postgres_deb/tasks/main.yml

+- name: Postgres key
+  apt_key:
+    data: |
+        -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+        mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja
+        UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V
+        G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4
+        bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi
+        c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC
+        IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh
+        hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U
+        A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3
+        RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj
+        Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2
+        AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB
+        tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD
+        BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A
+        CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO
+        xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY
+        kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3
+        z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ
+        Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf
+        Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy
+        2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0
+        B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T
+        7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi
+        vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b
+        ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI
+        RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP
+        +ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS
+        p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i
+        +eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp
+        1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+
+        dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94
+        xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q
+        fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+
+        +985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl
+        hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT
+        ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg
+        mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh
+        Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM
+        TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd
+        nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct
+        AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/
+        LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG
+        kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k
+        /9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD
+        kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP
+        YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR
+        GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4
+        6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e
+        B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM
+        TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9
+        NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb
+        OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/
+        BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe
+        LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB
+        Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m
+        +3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL
+        tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L
+        jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m
+        Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw
+        gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM
+        TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h
+        m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz
+        voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei
+        4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn
+        JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN
+        orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe
+        mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z
+        gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3
+        paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a
+        OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby
+        Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y=
+        =DA1T
+        -----END PGP PUBLIC KEY BLOCK-----
+    
+
+- name: Postgres repo
+  apt_repository:
+    repo: deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main
+    filename: postgres
+
+- block:
+    - name: Postgres server
+      apt:
+        pkg:
+          - postgresql-12
+          - libpq-dev
+        default_release: buster-pgdg
+
+    - name: Postgres disable default server
+      systemd:
+        enabled: False
+        state: stopped
+        masked: True
+        name: postgresql@12-main.service
+
+
+    - name: New Postgres service
+      template:
+        src: postgresql.service.j2
+        dest: /etc/systemd/system/postgresql.service
+      register: postgresql_service_changed
+
+    - name: Check if Postgres is created
+      stat:
+        path: '{{postgres_server_root}}'
+      register: postgres_server_created
+
+    - block:
+      - name: 'Create {{postgres_server_root}}'
+        file:
+          path: '{{postgres_server_root}}'
+          state: directory
+          owner: postgres
+          group: postgres
+          mode: '0755'
+
+      - name: Init postgres
+        command:
+          cmd: '/usr/lib/postgresql/12/bin/initdb --locale=en_US.UTF-8 -E UTF8  -D {{postgres_server_root}}/data'
+          chdir: '{{postgres_server_root}}'
+        become: True
+        become_user: postgres
+      when: not postgres_server_created.stat.exists
+
+    - block:
+      - name: Stop old service
+        systemd:
+            enabled: False
+            state: stopped
+            name: postgresql.service
+
+      - name: Reload systemd
+        systemd:
+          daemon_reload: True
+      when: postgresql_service_changed.changed
+
+    - name: Start postgres service
+      systemd:
+        enabled: True
+        state: started
+        name: postgresql.service
+
+    - name: Psycopg2 for the sake of ansible
+      apt:
+        pkg:
+          - python3-psycopg2
+  when: postgres_server
+
+- name: Postgres
+  apt:
+    pkg:
+      - postgresql-client-12
+      - libpq-dev
+    default_release: buster-pgdg
+  when: postgres_client
+

ansible/roles/postgres_deb/templates/postgresql.service.j2

+[Unit]
+Description=PostgreSQL database server
+After=network.target
+AssertPathExists={{postgres_server_root}}/data/postgresql.conf
+RequiresMountsFor={{postgres_server_root}}
+
+[Service]
+Type=notify
+TimeoutSec=120
+User=postgres
+Group=postgres
+
+Environment=PGROOT={{postgres_server_root}}
+
+SyslogIdentifier=postgres
+PIDFile=${PGROOT}/data/postmaster.pid
+RuntimeDirectory=postgresql
+RuntimeDirectoryMode=755
+
+ExecStart=/usr/lib/postgresql/12/bin/postgres -D ${PGROOT}/data
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillMode=mixed
+KillSignal=SIGINT
+
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+
+# Additional security-related features
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target