diff --git a/tasks/main.yml b/tasks/main.yml
index 4e3a2e1e3d755cd366e71b3fce2f2ec5c8c37dd9..36e0e037db6fec41260ef2a4af3b841de9cc384d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -456,47 +456,45 @@
 # --------------------------------------------------
 # Postgres Readonly user
 # --------------------------------------------------
-# - name: Postgres Read-only user
-# tags:
-# - "db_remote_ro_user"
-# when: item.value.odoo_remote_db_access | default(false)
-# block:
-# - name: Allow readonly user connection to prod db (with userns_remap)
-# when: docker_userns_remap
-# ansible.builtin.blockinfile:
-# path: "/var/lib/docker/{{ dockremap_subuid }}.{{ dockremap_subgid }}/volumes/{{ item.key }}_db/_data/pg_hba.conf"
-# block: |
-# host {{ item.value.db }} {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-# host postgres {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-# host {{ item.value.db }} {{ item.value.odoo_db_rouser }} all md5
-
-# - name: PROD Allow readonly user connection to prod db (no userns_remap)
-# when: not docker_userns_remap
-# ansible.builtin.blockinfile:
-# path: /var/lib/docker/volumes/{{ item.key }}_db/_data/pg_hba.conf
-# block: |
-# host {{ item.value.db }} {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-# host postgres {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-# host {{ item.value.db }} {{ item.value.odoo_db_rouser }} all md5
-
-# - name: PROD Disable access all rights (with userns_remap)
-# when: docker_userns_remap
-# ansible.builtin.lineinfile:
-# name: "/var/lib/docker/{{ dockremap_subuid }}.{{ dockremap_subgid }}/volumes/{{ item.key }}_db/_data/pg_hba.conf"
-# regexp: "^host all all all md5"
-# line: "#host all all all md5"
-
-# - name: PROD Disable access all rights (no userns_remap)
-# when: not docker_userns_remap
-# ansible.builtin.lineinfile:
-# name: /var/lib/docker/volumes/{{ item.key }}_db/_data/pg_hba.conf
-# regexp: "^host all all all md5"
-# line: "#host all all all md5"
-
-# TODO: add restart db container
-
+- name: "Allow readonly user connection to prod db"
+ tags:
+ - "db_remote_ro_user"
+ vars:
+ pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
+ ansible.builtin.blockinfile:
+ path: "{{ pg_hba_path }}"
+ block: |
+ host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
+ host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
+ host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
+ host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
+ host {{ odoo_instance.value.db }} {{ odoo_instance.value.odoo_db_rouser }} all md5
+ loop: "{{ odoo_instances | dict2items }}"
+ loop_control:
+ label: "{{ odoo_instance.key }}"
+ when: >
+ test_instance_is_prod
+ and test_instance_is_selected
+ and odoo_instance.value.odoo_remote_db_access | default(false)
+- name: "Disable access all rights to prod db"
+ tags:
+ - "db_remote_ro_user"
+ vars:
+ pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
+ ansible.builtin.lineinfile:
+ name: "{{ pg_hba_path }}"
+ regexp: "^host all all all md5"
+ line: "#host all all all md5"
+ loop: "{{ odoo_instances | dict2items }}"
+ loop_control:
+ label: "{{ odoo_instance.key }}"
+ when: >
+ test_instance_is_prod
+ and test_instance_is_selected
+ and odoo_instance.value.odoo_remote_db_access | default(false)
+# TODO: add restart db container
 # --------------------------------------------------
 # Remote imports section
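Review bot: Both new tasks reference `odoo_instance.key` / `odoo_instance.value` in `vars`, `block`, `label` and `when`, but their `loop_control` sets only `label`, so the loop item is still bound to the default `item` and `odoo_instance` is undefined — or, if a variable of that name happens to exist elsewhere in the play, every iteration silently edits the same instance's pg_hba.conf; add `loop_var: odoo_instance` under `loop_control:` in both tasks. Neither task carries a `notify:`, and the retained `# TODO: add restart db container` acknowledges it: PostgreSQL re-reads pg_hba.conf only on reload, so neither the new allow rules nor the commenting-out of `host all all all md5` takes effect on the running server until something reloads it — a `notify: <db reload handler>` (handler name not on this page) on both tasks would close that gap, and should be flagged in the TODO until it exists. The read-only user's rule `host {{ odoo_instance.value.db }} {{ odoo_instance.value.odoo_db_rouser }} all md5` is the only one not bounded to a private range and, like the others, uses `md5`, which PostgreSQL recommends replacing with `scram-sha-256`; the commit did not introduce either, but a comment on the block stating why `all` is acceptable there would help the next reviewer. Finally, `pg_hba_path` is defined verbatim in both tasks; hoisting it into a single `vars` on an enclosing `block` keeps the two definitions from drifting.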