diff --git a/ansible/pontos.yml b/ansible/pontos.yml
index 88cbae70fd730a6e23256570a6616cdf8db130ea..2a958d979fa17d6db7e471250d5c53c34804b679 100644
--- a/ansible/pontos.yml
+++ b/ansible/pontos.yml
@@ -29,89 +29,8 @@
       - import_role:
           name: postgres_deb
 
-      - block:
-          - name: "cgroups v2"
-            lineinfile:
-              path: /etc/default/grub
-              regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]*) (systemd.unified_cgroup_hierarchy=1 +)*([^"]*)"'
-              line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1 \3"'
-              backrefs: true
-            register: grub_cgroups
-
-          - command: update-grub
-            when: grub_cgroups.changed
-
-          - name: Enable user namespaces
-            sysctl:
-              name: kernel.unprivileged_userns_clone
-              value: "1"
-              state: present
-              reload: true
-
-          - name: Add apt-key for podman
-            apt_key:
-                data: |
-                    -----BEGIN PGP PUBLIC KEY BLOCK-----
-                    Version: GnuPG v1.4.5 (GNU/Linux)
-
-                    mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
-                    XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
-                    GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
-                    Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
-                    Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
-                    +yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
-                    UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
-                    CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
-                    ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
-                    xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
-                    89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
-                    PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
-                    x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
-                    uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
-                    t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
-                    Pu9n
-                    =42uC
-                    -----END PGP PUBLIC KEY BLOCK-----
-
-          - name: Podman repository for Buster
-            apt_repository:
-                repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /"
-                filename: podman
-                state: present
-
-          - apt:
-              pkg:
-                - libseccomp2
-                - systemd
-              default_release: buster-backports
-              state: latest
-          - apt:
-              pkg:
-                - podman
-                - fuse-overlayfs
-
-          - apt:
-              pkg:
-                - slirp4netns
-                - libslirp0
-              state: absent
-
-          - copy:
-              src: bin/slirp4netns-x86_64-v1.1.9
-              dest: /usr/local/bin/slirp4netns
-              mode: 0755
-
-          - copy:
-              dest: /etc/containers/storage.conf
-              content: |
-                [storage]
-                  driver = "overlay"
-                  runroot = "/var/obj/podman/storage"
-                  graphroot = "/var/obj/podman/storage"
-                  rootless_storage_path = "/var/obj/podman/$USER/storage"
-                [storage.options]
-                  mount_program = "/bin/fuse-overlayfs"
-
+      - import_role:
+          name: podman_deb
         when: inventory_hostname == "pontos08.fi.muni.cz"
 
       - apt:
diff --git a/ansible/roles/pds_deb/files/FI_CA.crt b/ansible/roles/pds_deb/files/FI_CA.crt
new file mode 100644
index 0000000000000000000000000000000000000000..05758b484fabe8f8e9c31217d5220b2ac987d38a
Binary files /dev/null and b/ansible/roles/pds_deb/files/FI_CA.crt differ
diff --git a/ansible/roles/pds_deb/files/FI_CA.pem b/ansible/roles/pds_deb/files/FI_CA.pem
new file mode 100644
index 0000000000000000000000000000000000000000..d373d3d412f3a37eac2c0901b8bbcf35dae92a3c
--- /dev/null
+++ b/ansible/roles/pds_deb/files/FI_CA.pem
@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIIHvTCCBaWgAwIBAgIJAIOlKRAWJsF6MA0GCSqGSIb3DQEBDQUAMIG8MQswCQYD
+VQQGEwJDWjEXMBUGA1UECBMOQ3plY2ggUmVwdWJsaWMxDTALBgNVBAcTBEJybm8x
+MzAxBgNVBAoTKkZhY3VsdHkgb2YgSW5mb3JtYXRpY3MsIE1hc2FyeWsgVW5pdmVy
+c2l0eTEMMAoGA1UECxMDQ1ZUMSIwIAYDVQQDExlGYWN1bHR5IG9mIEluZm9ybWF0
+aWNzIENBMR4wHAYJKoZIhvcNAQkBFg91bml4QGZpLm11bmkuY3owHhcNMTMwMTE2
+MTUwNDE3WhcNMzMwMTExMTUwNDE3WjCBvDELMAkGA1UEBhMCQ1oxFzAVBgNVBAgT
+DkN6ZWNoIFJlcHVibGljMQ0wCwYDVQQHEwRCcm5vMTMwMQYDVQQKEypGYWN1bHR5
+IG9mIEluZm9ybWF0aWNzLCBNYXNhcnlrIFVuaXZlcnNpdHkxDDAKBgNVBAsTA0NW
+VDEiMCAGA1UEAxMZRmFjdWx0eSBvZiBJbmZvcm1hdGljcyBDQTEeMBwGCSqGSIb3
+DQEJARYPdW5peEBmaS5tdW5pLmN6MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAoGSifSFVk1SIQTgTb8e2wAPe1vSPL9WSd7MoV2Z3pg8Smdsn2RVcVtoh
+oqlqsXdbi1UOjx6XFHjpX3S8xrnqSdYYf9kl9k27/yL2vcaTW0SjmsV6WULWm9m6
+yXmsf1Qh+O1BIFvG9hHdsEVLJnU4PBAzZyKPKxFa07Zi1Ltlmjl2wgD+N23lXAuQ
+YWlRWeqyi/VadSByHuMSjjDCFPo7ihuFfDv8aF6SAuXDiU47M8zfMay9LRKXMYVv
+68YAS7t6U7Pefvm300CVSpK0B1N8/7C4ta1aVct6PijmF6qjaab4eicrTkQOrcME
+/0ES/08PHOSO66A0JXD+elQkmPDXOJEDGQaNt5FO9FTTNqEeGGPRuU/HQIGFXK9O
+v0ML/c3LfCBpIm09UDL5CxESZrZb4rSRPVoDBxWZTEB+I550IXGn/T8E0S5zjod8
+k12x9uVVYDgK3Hg9MRCrnrrrK1nmvXLVExbB8gj8L33CbUa5zZO9T/kjbAW26sWD
+hMSZmIwU69la09A6lhlDd1hjpITcR6Mibj/DINAmao8ZnrY9vVKxRlojAiBWJSAA
+9m0FMPAnGddgGQ5HYfjJ44qL1vyFhv6JMXcsG+Vx11izoiz10ekOJpDZo/FYqhdO
+NBIyx/HiGHlDpOdqVXRBSfiO0Snc9oZGczuOdnSLb0w8eQiI/ZsCAwEAAaOCAb4w
+ggG6MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQW
+BBR2nnguNcRVJ/X2a4j0bsue+Vy7mzCB8QYDVR0jBIHpMIHmgBR2nnguNcRVJ/X2
+a4j0bsue+Vy7m6GBwqSBvzCBvDELMAkGA1UEBhMCQ1oxFzAVBgNVBAgTDkN6ZWNo
+IFJlcHVibGljMQ0wCwYDVQQHEwRCcm5vMTMwMQYDVQQKEypGYWN1bHR5IG9mIElu
+Zm9ybWF0aWNzLCBNYXNhcnlrIFVuaXZlcnNpdHkxDDAKBgNVBAsTA0NWVDEiMCAG
+A1UEAxMZRmFjdWx0eSBvZiBJbmZvcm1hdGljcyBDQTEeMBwGCSqGSIb3DQEJARYP
+dW5peEBmaS5tdW5pLmN6ggkAg6UpEBYmwXowRQYIKwYBBQUHAQEEOTA3MDUGCCsG
+AQUFBzAChilodHRwOi8vZmFkbWluLmZpLm11bmkuY3ovY2FjZXJ0L0ZJX0NBLmNy
+dDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vZmFkbWluLmZpLm11bmkuY3ovY2Fj
+ZXJ0L0ZJX0NBLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEATIm56exar1GuVjFNnLh3
+1r7fjoOKiq155LrnU0jKI5X7/gXfuzzycjsVNR4sIo+5uB3QNlHtsFK1E7CSOGoC
+dIuCAjlzbqosrvtkn09oX4+9aY9uHEybS4U116ieGMVpTLcQ+TFhfq+jQGdmrRmn
+17fMb4eZxHxRQohG+8Z7TO/gI4cQTrl5//rV4dDdIFnqjz4bHG7bDYmiSWHtZJv5
+cFaOG/NQqBI1TasdyKPco+Xbp+1POhV5ArBaHotqOmTaBG/TB7nyy1Aoo/yrH4Op
++8Yl8dIZyWel/QdUflU4CGSz8jogM40pTJxvQ117L3KOBv/acqd7SWvX4KIEn+tV
+HLUw7agoPCXsl/5POUmJH9NA8KDYBNZUAyWWprXazbKwg7RdLDQS/8uY7O/zsgsU
+Bf67eS3UNUYEHGFnXAuJCj8zyF6j+2k0VEUP88FcEAq4KTbgUq+wZNqL9R5BWYO3
+Z82Ms0xl1vVves6BpsrP7GyLCWDHO7EJZ12O1GBPtr3wxAI6Vq2/r6O7PIW16NQt
+93WBrOlM1zwmu+XJcQdvi+QgU5e7Y8DIWI9kPD1Cd5E+LKgI9XyfoO6Jk7bAaRil
+DV0J7FEBQUyXSmHLnK9OY1i6ritGYjHlIJntRx3m7aJb9Q/8ClYXVIPIvBWeEv8s
+b7lCCz1q5Gm4RkdxRJQ+GCc=
+-----END CERTIFICATE-----
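Review bot: Nothing in the commit lets a reviewer confirm that this is the intended CA certificate, and a base64 blob cannot be checked by eye. The file becomes the trust anchor for the LDAP connection configured in `libnss-ldap.conf` (`tls_cacertfile /etc/ldap/ssl/FI_CA.pem`). Record its SHA-256 fingerprint and validity period in the commit message or in a README next to the file, so it can be compared with the value the CA publishes out of band. `FI_CA.crt` is added as a binary alongside it, but the tasks visible in this commit deploy only `FI_CA.pem`; if the `.crt` is unused, leave it out.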
diff --git a/ansible/roles/pds_deb/files/libnss-ldap.conf b/ansible/roles/pds_deb/files/libnss-ldap.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7f64b654b7df79fea460eeb8545af5e67b6c2da8
--- /dev/null
+++ b/ansible/roles/pds_deb/files/libnss-ldap.conf
@@ -0,0 +1,13 @@
+## managed by ansible!
+base dc=fi,dc=muni,dc=cz
+uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
+ldap_version 3
+rootbinddn dc=fi,dc=muni,dc=cz
+
+nss_base_passwd		ou=People,dc=fi,dc=muni,dc=cz?one?host=lpds
+nss_base_group		ou=Group,dc=fi,dc=muni,dc=cz?one?host=lpds
+
+ssl on
+tls_checkpeer yes
+tls_reqchert hard
+tls_cacertfile /etc/ldap/ssl/FI_CA.pem
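Review bot: `tls_reqchert hard` looks like a misspelling of `tls_reqcert`, so the directive as written is most likely not recognised and enforces nothing. Server-certificate checking then rests on `tls_checkpeer yes` and `tls_cacertfile` alone; that may be sufficient, but the file reads as if two controls were active. Either correct it to `tls_reqcert hard` after confirming that libnss-ldap actually reads that key, or delete the line. Separately, `rootbinddn dc=fi,dc=muni,dc=cz` names the search base rather than an account entry; a comment stating whether a privileged bind is intended would help, since no bind credential is deployed by this commit.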
diff --git a/ansible/roles/pds_deb/handlers/main.yml b/ansible/roles/pds_deb/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..125c9766ff7e3eda4cceff968a4ad5e05f972e40
--- /dev/null
+++ b/ansible/roles/pds_deb/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart nscd
+  service:
+    name: nscd
+    state: restarted
diff --git a/ansible/roles/pds_deb/tasks/main.yml b/ansible/roles/pds_deb/tasks/main.yml
index c5200fb6525d6d57a24105c71a8448303821cecb..3a50366542b22e5b5a92bd5beb0ff11abc4120fd 100644
--- a/ansible/roles/pds_deb/tasks/main.yml
+++ b/ansible/roles/pds_deb/tasks/main.yml
@@ -2,7 +2,10 @@
   apt:
     pkg:
       - cups
-      - cups-bsd # lpr
+      - cups-bsd  # lpr
+      - ldap-utils  # ldapsearch
+      - zsh
+      - fish
 
 - name: "Set CUPS server"
   lineinfile:
@@ -10,3 +13,41 @@
     regexp: "^CUPS_SERVER="
     line: "CUPS_SERVER=print.fi.muni.cz"
     path: /etc/environment
+
+- name: NSSwitch LDAP prerequisites
+  apt:
+    pkg:
+      - nscd
+      - libnss-ldap
+
+- name: FI_CA (LDAP) dir
+  file:
+    path: /etc/ldap/ssl/
+    state: directory
+
+- name: FI_CA (LDAP)
+  copy:
+    src: FI_CA.pem
+    dest: /etc/ldap/ssl/FI_CA.pem
+
+- name: LDAP config for NSSwitch
+  copy:
+    src: '{{item}}'
+    dest: '/etc/{{item}}'
+  loop:
+    - libnss-ldap.conf
+  notify:
+    - restart nscd
+
+- name: NSSwitch LDAP
+  lineinfile:
+    regexp: '^({{item.0}}):(\s+)'
+    line: '\1:\2{{item.1}}'
+    backrefs: true
+    path: /etc/nsswitch.conf
+  loop:
+    - ['passwd', 'files systemd ldap']
+    - ['group', 'files systemd ldap']
+    - ['shadow', 'files ldap']
+  notify:
+    - restart nscd
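Review bot: The new `file` and `copy` tasks for `/etc/ldap/ssl/`, `FI_CA.pem` and `/etc/libnss-ldap.conf` set no owner, group or mode, so the permissions on a trust anchor and on the NSS configuration depend on the source files and the remote umask. Pin them explicitly: `owner: root`, `group: root`, `mode: '0644'` on the two copies and `mode: '0755'` on the directory. In `NSSwitch LDAP`, `lineinfile` with `backrefs: true` leaves the file untouched when the regexp matches nothing, so a host whose `nsswitch.conf` lacks a `passwd:`, `group:` or `shadow:` line is skipped without any error. A follow-up check that the three lines are present would make that case visible.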
diff --git a/ansible/roles/podman_deb/tasks/main.yml b/ansible/roles/podman_deb/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..53fd8ddb994348696437ac2ca45a12dc0a9d7b15
--- /dev/null
+++ b/ansible/roles/podman_deb/tasks/main.yml
@@ -0,0 +1,83 @@
+---
+- name: "cgroups v2"
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]*) (systemd.unified_cgroup_hierarchy=1 +)*([^"]*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1 \3"'
+    backrefs: true
+  register: grub_cgroups
+
+- command: update-grub
+  when: grub_cgroups.changed
+
+- name: Enable user namespaces
+  sysctl:
+    name: kernel.unprivileged_userns_clone
+    value: "1"
+    state: present
+    reload: true
+
+- name: Add apt-key for podman
+  apt_key:
+      data: |
+          -----BEGIN PGP PUBLIC KEY BLOCK-----
+          Version: GnuPG v1.4.5 (GNU/Linux)
+
+          mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
+          XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
+          GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
+          Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
+          Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
+          +yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
+          UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
+          CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
+          ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
+          xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
+          89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
+          PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
+          x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
+          uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
+          t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
+          Pu9n
+          =42uC
+          -----END PGP PUBLIC KEY BLOCK-----
+
+- name: Podman repository for Buster
+  apt_repository:
+      repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /"
+      filename: podman
+      state: present
+
+- apt:
+    pkg:
+      - libseccomp2
+      - systemd
+    default_release: buster-backports
+    state: latest
+- apt:
+    pkg:
+      - podman
+      - fuse-overlayfs
+
+- apt:
+    pkg:
+      - slirp4netns
+      - libslirp0
+    state: absent
+
+- copy:
+    src: bin/slirp4netns-x86_64-v1.1.9
+    dest: /usr/local/bin/slirp4netns
+    mode: 0755
+
+- copy:
+    dest: /etc/containers/storage.conf
+    content: |
+      [storage]
+        driver = "overlay"
+        runroot = "/var/obj/podman/storage"
+        graphroot = "/var/obj/podman/storage"
+        rootless_storage_path = "/var/obj/podman/$USER/storage"
+      [storage.options]
+        mount_program = "/bin/fuse-overlayfs"
+...
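Review bot: `Add apt-key for podman` uses `apt_key` with inline `data`, which puts the Kubic project key into apt's global trust store. That key is then accepted for packages from every configured repository, not only the one added in `Podman repository for Buster`. Scoping it is safer: install the key as a keyring file and bind it to the source line, e.g. `repo: "deb [signed-by=/usr/share/keyrings/podman.asc] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /"` (keyring path is illustrative). The `Postgres key` task in `roles/postgres_deb/tasks/main.yml` follows the same pattern. The `slirp4netns` copy near the end installs a prebuilt binary into `/usr/local/bin` without `owner`/`group` or a `checksum`; recording the expected hash next to `src` would make a swapped binary visible in review.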
diff --git a/ansible/roles/postgres_deb/defaults/main.yml b/ansible/roles/postgres_deb/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e517526a53c194a2a398f438552c20555ced3cc7
--- /dev/null
+++ b/ansible/roles/postgres_deb/defaults/main.yml
@@ -0,0 +1,3 @@
+postgres_server: False
+postgres_server_root: /srv/postgresql
+postgres_client: False
diff --git a/ansible/roles/postgres_deb/tasks/main.yml b/ansible/roles/postgres_deb/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..89180766063d9eb81d3176555e7baca77cf61022
--- /dev/null
+++ b/ansible/roles/postgres_deb/tasks/main.yml
@@ -0,0 +1,163 @@
+- name: Postgres key
+  apt_key:
+    data: |
+        -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+        mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja
+        UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V
+        G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4
+        bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi
+        c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC
+        IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh
+        hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U
+        A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3
+        RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj
+        Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2
+        AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB
+        tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD
+        BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A
+        CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO
+        xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY
+        kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3
+        z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ
+        Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf
+        Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy
+        2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0
+        B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T
+        7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi
+        vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b
+        ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI
+        RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP
+        +ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS
+        p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i
+        +eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp
+        1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+
+        dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94
+        xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q
+        fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+
+        +985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl
+        hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT
+        ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg
+        mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh
+        Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM
+        TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd
+        nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct
+        AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/
+        LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG
+        kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k
+        /9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD
+        kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP
+        YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR
+        GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4
+        6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e
+        B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM
+        TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9
+        NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb
+        OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/
+        BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe
+        LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB
+        Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m
+        +3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL
+        tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L
+        jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m
+        Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw
+        gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC
+        GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM
+        TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h
+        m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz
+        voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei
+        4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn
+        JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN
+        orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe
+        mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z
+        gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3
+        paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a
+        OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby
+        Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y=
+        =DA1T
+        -----END PGP PUBLIC KEY BLOCK-----
+    
+
+- name: Postgres repo
+  apt_repository:
+    repo: deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main
+    filename: postgres
+
+- block:
+    - name: Postgres server
+      apt:
+        pkg:
+          - postgresql-12
+          - libpq-dev
+        default_release: buster-pgdg
+
+    - name: Postgres disable default server
+      systemd:
+        enabled: False
+        state: stopped
+        masked: True
+        name: postgresql@12-main.service
+
+
+    - name: New Postgres service
+      template:
+        src: postgresql.service.j2
+        dest: /etc/systemd/system/postgresql.service
+      register: postgresql_service_changed
+
+    - name: Check if Postgres is created
+      stat:
+        path: '{{postgres_server_root}}'
+      register: postgres_server_created
+
+    - block:
+      - name: 'Create {{postgres_server_root}}'
+        file:
+          path: '{{postgres_server_root}}'
+          state: directory
+          owner: postgres
+          group: postgres
+          mode: '0755'
+
+      - name: Init postgres
+        command:
+          cmd: '/usr/lib/postgresql/12/bin/initdb --locale=en_US.UTF-8 -E UTF8  -D {{postgres_server_root}}/data'
+          chdir: '{{postgres_server_root}}'
+        become: True
+        become_user: postgres
+      when: not postgres_server_created.stat.exists
+
+    - block:
+      - name: Stop old service
+        systemd:
+            enabled: False
+            state: stopped
+            name: postgresql.service
+
+      - name: Reload systemd
+        systemd:
+          daemon_reload: True
+      when: postgresql_service_changed.changed
+
+    - name: Start postgres service
+      systemd:
+        enabled: True
+        state: started
+        name: postgresql.service
+
+    - name: Psycopg2 for the sake of ansible
+      apt:
+        pkg:
+          - python3-psycopg2
+  when: postgres_server
+
+- name: Postgres
+  apt:
+    pkg:
+      - postgresql-client-12
+      - libpq-dev
+    default_release: buster-pgdg
+  when: postgres_client
+
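Review bot: The initdb guard tests the wrong path: `Check if Postgres is created` stats `{{postgres_server_root}}`, and the block holding the directory creation and `Init postgres` is skipped whenever that directory already exists. The unit template in this commit declares `RequiresMountsFor={{postgres_server_root}}`, which suggests the path can be a pre-existing mount point; in that case the cluster is never initialised and the service fails its `AssertPathExists`. Keying the guard on the cluster itself is more robust, e.g. `creates: '{{postgres_server_root}}/data/PG_VERSION'` on the `command` task, with the directory task left unconditional. Separately, `Postgres repo` uses `http://apt.postgresql.org/pub/repos/apt`; package signatures still protect integrity, but switching the scheme to `https://` stops the transport from being observed or altered in transit.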
diff --git a/ansible/roles/postgres_deb/templates/postgresql.service.j2 b/ansible/roles/postgres_deb/templates/postgresql.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..da3dbacdcfcf684a8a6cbbd82c45ed55f4aac6da
--- /dev/null
+++ b/ansible/roles/postgres_deb/templates/postgresql.service.j2
@@ -0,0 +1,44 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+AssertPathExists={{postgres_server_root}}/data/postgresql.conf
+RequiresMountsFor={{postgres_server_root}}
+
+[Service]
+Type=notify
+TimeoutSec=120
+User=postgres
+Group=postgres
+
+Environment=PGROOT={{postgres_server_root}}
+
+SyslogIdentifier=postgres
+PIDFile=${PGROOT}/data/postmaster.pid
+RuntimeDirectory=postgresql
+RuntimeDirectoryMode=755
+
+ExecStart=/usr/lib/postgresql/12/bin/postgres -D ${PGROOT}/data
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillMode=mixed
+KillSignal=SIGINT
+
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+
+# Additional security-related features
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
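Review bot: `PIDFile=${PGROOT}/data/postmaster.pid` will not resolve as intended, because systemd substitutes `Environment=` variables only inside the `Exec*=` command lines and takes other settings literally. Render the path in the template instead: `PIDFile={{postgres_server_root}}/data/postmaster.pid`. With `Type=notify` the daemon signals readiness itself, so dropping the `PIDFile=` line is also an option.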