From dcbe8a7a174a9da6ff92b28b8760e877d3a06b34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20-=20Le=20Filament?= <theo@le-filament.com>
Date: Tue, 8 Oct 2024 18:09:23 +0200
Subject: [PATCH] feat: allow access to database with a read-only user

---
 tasks/main.yml | 76 ++++++++++++++++++++++++--------------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 4e3a2e1..36e0e03 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -456,47 +456,45 @@
 # --------------------------------------------------
 # Postgres Readonly user
 # --------------------------------------------------
-# - name: Postgres Read-only user
-#   tags:
-#     - "db_remote_ro_user"
-#   when: item.value.odoo_remote_db_access | default(false)
-#   block:
-#       - name: Allow readonly user connection to prod db (with userns_remap)
-#         when: docker_userns_remap
-#         ansible.builtin.blockinfile:
-#             path: "/var/lib/docker/{{ dockremap_subuid }}.{{ dockremap_subgid }}/volumes/{{ item.key }}_db/_data/pg_hba.conf"
-#             block: |
-#                 host {{ item.value.db }} {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-#                 host postgres {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-#                 host {{ item.value.db }} {{ item.value.odoo_db_rouser }} all md5
-
-#       - name: PROD Allow readonly user connection to prod db (no userns_remap)
-#         when: not docker_userns_remap
-#         ansible.builtin.blockinfile:
-#             path: /var/lib/docker/volumes/{{ item.key }}_db/_data/pg_hba.conf
-#             block: |
-#                 host {{ item.value.db }} {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-#                 host postgres {{ odoo_instances[item.value.prod_instance | default(item.key)].db_user }} 172.16.0.0/12 md5
-#                 host {{ item.value.db }} {{ item.value.odoo_db_rouser }} all md5
-
-#       - name: PROD Disable access all rights (with userns_remap)
-#         when: docker_userns_remap
-#         ansible.builtin.lineinfile:
-#             name: "/var/lib/docker/{{ dockremap_subuid }}.{{ dockremap_subgid }}/volumes/{{ item.key }}_db/_data/pg_hba.conf"
-#             regexp: "^host all all all md5"
-#             line: "#host all all all md5"
-
-#       - name: PROD Disable access all rights (no userns_remap)
-#         when: not docker_userns_remap
-#         ansible.builtin.lineinfile:
-#             name: /var/lib/docker/volumes/{{ item.key }}_db/_data/pg_hba.conf
-#             regexp: "^host all all all md5"
-#             line: "#host all all all md5"
-
-# TODO: add restart db container
-
+- name: "Allow readonly user connection to prod db"
+  tags:
+    - "db_remote_ro_user"
+  vars:
+    pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
+  ansible.builtin.blockinfile:
+    path: "{{ pg_hba_path }}"
+    block: |
+      host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
+      host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
+      host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
+      host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
+      host {{ odoo_instance.value.db }} {{ odoo_instance.value.odoo_db_rouser }} all md5
+  loop: "{{ odoo_instances | dict2items }}"
+  loop_control:
+    label: "{{ odoo_instance.key }}"
+  when: >
+    test_instance_is_prod
+    and test_instance_is_selected
+    and odoo_instance.value.odoo_remote_db_access | default(false)
 
+- name: "Disable access all rights to prod db"
+  tags:
+    - "db_remote_ro_user"
+  vars:
+    pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
+  ansible.builtin.lineinfile:
+    name: "{{ pg_hba_path }}"
+    regexp: "^host all all all md5"
+    line: "#host all all all md5"
+  loop: "{{ odoo_instances | dict2items }}"
+  loop_control:
+    label: "{{ odoo_instance.key }}"
+  when: >
+    test_instance_is_prod
+    and test_instance_is_selected
+    and odoo_instance.value.odoo_remote_db_access | default(false)
 
+# TODO: add restart db container
 
 # --------------------------------------------------
 # Remote imports section
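Review bot: Both new tasks refer to the loop item as `odoo_instance` (in `vars.pg_hba_path`, the `block`, `label` and `when`), but `loop_control` only sets `label`; unless a `loop_var` is declared somewhere outside this hunk, Ansible exposes the item as `item` and `odoo_instance` is undefined, so add `loop_var: odoo_instance` under `loop_control` in both tasks. pg_hba.conf is evaluated first-match and `blockinfile` appends at end of file, so the new rules are only reached if no earlier catch-all matches; the second task neutralises only a line reading exactly `host all all all md5`, and when the container's default catch-all uses another method (newer postgres images write `scram-sha-256`) the regexp does not match and `lineinfile` merely appends `#host all all all md5` at EOF, leaving full remote access in place — consider widening the regexp to `"^host all all all"` and checking the resulting file. The read-only user's entry `host {{ odoo_instance.value.db }} {{ odoo_instance.value.odoo_db_rouser }} all md5` accepts that user from any source address, whereas the application user is limited to the 172.16.0.0/12 and 192.168.0.0/16 ranges; restricting it to the expected client network and preferring `scram-sha-256` over `md5` where the server supports it would narrow the exposure. The kept `# TODO: add restart db container` means an edited pg_hba.conf is not applied until the server reloads, so a `notify` handler that reloads postgres would close that gap. Lastly, `pg_hba_path` is duplicated verbatim in both tasks and could be defined once on an enclosing `block` or in the role vars.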
-- 
GitLab