From b7c827d447e988fbc2bb2bcd42a8e91f611ac661 Mon Sep 17 00:00:00 2001 From: Don Sizemore Date: Wed, 13 Sep 2023 07:38:54 -0400 Subject: [PATCH 1/3] #319 allow configurable Postgres authentication --- defaults/main.yml | 1 + templates/pg_hba.conf.j2 | 6 +++--- tests/group_vars/jenkins.yml | 1 + tests/group_vars/memorytests.yml | 1 + tests/group_vars/vagrant.yml | 1 + 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4f7cb4f7..3c1ae775 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -265,6 +265,7 @@ build_guides: false db: postgres: enabled: true + auth: scram-sha-256 adminpass: DVn33dsth1s name: dvndb host: localhost diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2 index 205c5709..c350c330 100644 --- a/templates/pg_hba.conf.j2 +++ b/templates/pg_hba.conf.j2 @@ -1,9 +1,9 @@ # "local" is for Unix domain socket connections only -local all all trust +local all all {{ db.postgres.auth }} # IPv4 local connections: -host all all 127.0.0.1/32 password +host all all 127.0.0.1/32 {{ db.postgres.auth }} # IPv6 local connections: -host all all ::1/128 password +host all all ::1/128 {{ db.postgres.auth }} # replication and dataverse access from other servers {% if db.postgres.replication.enabled is defined %} diff --git a/tests/group_vars/jenkins.yml b/tests/group_vars/jenkins.yml index 0929cb4f..cdb4b2ad 100644 --- a/tests/group_vars/jenkins.yml +++ b/tests/group_vars/jenkins.yml @@ -256,6 +256,7 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + auth: scram-sha-256 name: dvndb host: localhost user: dvnuser diff --git a/tests/group_vars/memorytests.yml b/tests/group_vars/memorytests.yml index 12f105ca..de1a40c3 100644 --- a/tests/group_vars/memorytests.yml +++ b/tests/group_vars/memorytests.yml @@ -258,6 +258,7 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + auth: scram-sha-256 name: dvndb host: localhost user: dvnuser 
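Review bot: The `{{ db.postgres.auth }}` value is rendered into pg_hba.conf on the `local`, `127.0.0.1/32` and `::1/128` lines with no validation, so a typo (`scram-sha256`) produces a pg_hba.conf PostgreSQL refuses to load, and `trust` — which the vagrant inventory later in this series actually sets — lets any local process connect as the `postgres` superuser over loopback with no credential. Since the same variable feeds both socket and TCP lines, a method valid on only one of them (`peer` is local-only) breaks the file as well. I would gate the template with an allow-list before it is rendered, e.g. `- ansible.builtin.assert:` / `    that: db.postgres.auth in ['scram-sha-256', 'md5']` / `    fail_msg: 'db.postgres.auth must be scram-sha-256 or md5; trust is not permitted'`, and put a one-line comment above the `host` lines noting that the method applies to every role, including the superuser created in tasks/postgres.yml.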
diff --git a/tests/group_vars/vagrant.yml b/tests/group_vars/vagrant.yml index d5675422..82f2ce81 100644 --- a/tests/group_vars/vagrant.yml +++ b/tests/group_vars/vagrant.yml @@ -259,6 +259,7 @@ build_guides: false db: postgres: enabled: true + auth: trust adminpass: DVn33dsth1s name: vagrantdb host: localhost From 0cd9110baa53e0eff53b023a0f877152624b7bc9 Mon Sep 17 00:00:00 2001 From: Don Sizemore Date: Fri, 15 Sep 2023 13:31:09 -0400 Subject: [PATCH 2/3] #319 local auth should be peer, configure replication auth as well --- templates/pg_hba.conf.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2 index c350c330..fc1c4e35 100644 --- a/templates/pg_hba.conf.j2 +++ b/templates/pg_hba.conf.j2 @@ -1,5 +1,5 @@ # "local" is for Unix domain socket connections only -local all all {{ db.postgres.auth }} +local all all peer # IPv4 local connections: host all all 127.0.0.1/32 {{ db.postgres.auth }} # IPv6 local connections: @@ -9,11 +9,11 @@ host all all ::1/128 {{ db.postgres.a {% if db.postgres.replication.enabled is defined %} {% for item in db.postgres.replication.servers %} {% if item | regex_search(".*/.*") %} -host all all {{ item }} md5 -host replication rep {{ item }} md5 +host all all {{ item }} {{ db.postgres.auth }} +host replication rep {{ item }} {{ db.postgres.auth }} {% else %} -host all all {{ item }}/32 md5 -host replication rep {{ item }}/32 md5 +host all all {{ item }}/32 {{ db.postgres.auth }} +host replication rep {{ item }}/32 {{ db.postgres.auth }} {% endif %} {% endfor %} {% endif %} From 7ec81793e87745b859438d89daca8fdce5603a57 Mon Sep 17 00:00:00 2001 
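Review bot: Switching the replication and cross-server `host` lines from `md5` to `{{ db.postgres.auth }}` changes failure behaviour that the hunk does not account for: with `scram-sha-256` as the pg_hba method, a role whose stored password is an MD5 hash cannot authenticate at all, whereas the `md5` method accepts both MD5 and SCRAM-stored passwords and negotiates SCRAM where available. Roles created before this change, or on a server whose `password_encryption` still defaults to `md5` (PostgreSQL 13 and earlier), would therefore lose replication and Dataverse access after the next `pg_hba.conf` reload; nothing in this patch touches postgresql.conf, so I cannot confirm `password_encryption = scram-sha-256` is set before the password tasks run, and it needs to be. A comment in the template would make the dependency explicit: `# scram-sha-256 requires password_encryption = scram-sha-256 at the time the role passwords were set; existing md5-hashed roles must be re-passworded`. The `rep` replication role's password is set outside this hunk, so its hash format should be checked the same way.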
From: Don Sizemore Date: Fri, 15 Sep 2023 16:37:00 -0400 Subject: [PATCH 3/3] #319 allow configurable Postgres authentication, correct local auth to peer --- defaults/main.yml | 1 + tasks/postgres.yml | 15 +++++++++++++-- tests/group_vars/jenkins.yml | 1 + tests/group_vars/memorytests.yml | 1 + tests/group_vars/vagrant.yml | 3 ++- 5 files changed, 18 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0b1e19f7..4ebd1884 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -267,6 +267,7 @@ db: enabled: true auth: scram-sha-256 adminpass: DVn33dsth1s + adminuser: postgres name: dvndb host: localhost user: dvnuser diff --git a/tasks/postgres.yml b/tasks/postgres.yml index 7cb2de12..f8ae2331 100644 --- a/tasks/postgres.yml +++ b/tasks/postgres.yml @@ -109,14 +109,20 @@ - meta: flush_handlers - name: dataverse python installer wants to be a postgres admin - postgresql_user: - name: postgres + community.postgresql.postgresql_user: + db: postgres + login_user: '{{ db.postgres.adminuser }}' + name: '{{ db.postgres.adminuser }}' password: '{{ db.postgres.adminpass }}' + become: true + become_user: postgres when: db.use_rds == false - name: create dataverse postgres database postgresql_db: name: '{{ db.postgres.name }}' + become: true + become_user: postgres when: db.use_rds == false - name: create dataverse postgres user, set permissions @@ -125,6 +131,8 @@ name: '{{ db.postgres.user }}' password: '{{ db.postgres.pass }}' role_attr_flags: 'NOSUPERUSER,CREATEDB,CREATEROLE,INHERIT,LOGIN' + become: true + become_user: postgres when: db.use_rds == false - name: postgresql 15 requires explicit permissions on public schema @@ -134,6 +142,9 @@ type: schema objs: public role: '{{ db.postgres.user }}' + become: true + become_user: postgres + when: db.use_rds == false - ansible.builtin.import_tasks: postgres_sequential_identifiers.yml when: dataverse.api.test_suite == true 
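Review bot: `login_user: '{{ db.postgres.adminuser }}'` is only half configurable because `become_user: postgres` on the same task is hard-coded: with the `local all all peer` line this series introduces, the socket connection is authenticated by OS account name, so any `adminuser` other than `postgres` fails peer authentication (or targets a role that does not exist). Either make it `become_user: '{{ db.postgres.adminuser }}'` and document that the value must be an OS account with a matching PostgreSQL role, or drop the new variable. The same task sets that superuser's password to `db.postgres.adminpass`, whose committed default `DVn33dsth1s` is visible in the defaults/main.yml hunk above; now that `scram-sha-256` is enforced on loopback, that published password is a working superuser credential for any local process on a deployment that forgot to override it, so an `ansible.builtin.assert` that `db.postgres.adminpass != 'DVn33dsth1s'` (or that it comes from vault) belongs ahead of this task. Minor style point: the four `when: db.use_rds == false` conditions read more naturally as `when: not db.use_rds`, which also handles the variable being a string `"false"` the same way Ansible does elsewhere.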
diff --git a/tests/group_vars/jenkins.yml b/tests/group_vars/jenkins.yml index cdb4b2ad..3b1a62e8 100644 --- a/tests/group_vars/jenkins.yml +++ b/tests/group_vars/jenkins.yml @@ -256,6 +256,7 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + adminuser: postgres auth: scram-sha-256 name: dvndb host: localhost diff --git a/tests/group_vars/memorytests.yml b/tests/group_vars/memorytests.yml index de1a40c3..44205012 100644 --- a/tests/group_vars/memorytests.yml +++ b/tests/group_vars/memorytests.yml @@ -258,6 +258,7 @@ db: postgres: enabled: true adminpass: DVn33dsth1s + adminuser: postgres auth: scram-sha-256 name: dvndb host: localhost diff --git a/tests/group_vars/vagrant.yml b/tests/group_vars/vagrant.yml index 7311c48c..77d03f5f 100644 --- a/tests/group_vars/vagrant.yml +++ b/tests/group_vars/vagrant.yml @@ -260,7 +260,8 @@ build_guides: false db: postgres: enabled: true - auth: trust + auth: scram-sha-256 + adminuser: postgres adminpass: DVn33dsth1s name: vagrantdb host: localhost