From edffaf258b7cce99d784b99b8fee307f300e85a5 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 28 Jun 2024 20:44:54 -0500
Subject: [PATCH] r/wal-g-pg: Deploy WAL-G for PostgreSQL
This role installs `wal-g` from the DCH Yum repository, and creates a configuration file for it in `/etc/postgresql`. Additionally, it installs a custom SELinux policy module that allows `wal-g` to run in the `postgresql_t` domain (i.e. when spawned by the PostgreSQL server).
---
roles/wal-g-pg/files/wal-g-postgresql.cil | 1 +
roles/wal-g-pg/handlers/main.yml | 3 ++
roles/wal-g-pg/meta/main.yml | 2 ++
roles/wal-g-pg/tasks/main.yml | 38 +++++++++++++++++++++++
4 files changed, 44 insertions(+)
create mode 100644 roles/wal-g-pg/files/wal-g-postgresql.cil
create mode 100644 roles/wal-g-pg/handlers/main.yml
create mode 100644 roles/wal-g-pg/meta/main.yml
create mode 100644 roles/wal-g-pg/tasks/main.yml
diff --git a/roles/wal-g-pg/files/wal-g-postgresql.cil b/roles/wal-g-pg/files/wal-g-postgresql.cil
new file mode 100644
index 0000000..f288f8b
--- /dev/null
+++ b/roles/wal-g-pg/files/wal-g-postgresql.cil
@@ -0,0 +1 @@
+(allow postgresql_t http_port_t (tcp_socket (name_connect)))
diff --git a/roles/wal-g-pg/handlers/main.yml b/roles/wal-g-pg/handlers/main.yml
new file mode 100644
index 0000000..ec02016
--- /dev/null
+++ b/roles/wal-g-pg/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: load wal-g-postgresql selinux module
+ command:
+ semodule -i /usr/local/share/selinux/wal-g-postgresql.cil
diff --git a/roles/wal-g-pg/meta/main.yml b/roles/wal-g-pg/meta/main.yml
new file mode 100644
index 0000000..6b7c3b9
--- /dev/null
+++ b/roles/wal-g-pg/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- dch-yum
diff --git a/roles/wal-g-pg/tasks/main.yml b/roles/wal-g-pg/tasks/main.yml
new file mode 100644
index 0000000..ac51f9f
--- /dev/null
+++ b/roles/wal-g-pg/tasks/main.yml
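Review bot: The `allow` rule in `wal-g-postgresql.cil` is broader than the commit message suggests: it lets every process in `postgresql_t`, the server and its backends included, open TCP connections to any port labelled `http_port_t`, not only `wal-g`. Code running inside the database thereby gains an outbound HTTP/HTTPS channel it did not have before, so the trade-off should at least be recorded in the file, e.g. `; wal-g is spawned by the server inside postgresql_t and needs HTTPS to object storage; this opens http_port_t egress for the whole domain`. A tighter design is a dedicated domain for the `wal-g` binary with a transition from `postgresql_t`, so the connect permission stays with the backup tool. If the single rule is kept, restricting egress to the storage endpoint at the host firewall is a reasonable compensating control.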
@@ -0,0 +1,38 @@
+- name: ensure wal-g is installed
+ package:
+ name: wal-g-postgresql
+ state: present
+ tags:
+ - install
+
+- name: ensure wal-g is configured
+ copy:
+ content: |+
+ {{ wal_g_pg_config | to_nice_yaml(indent=2) }}
+ dest: /etc/postgresql/wal-g.yml
+ owner: root
+ group: postgres
+ mode: u=rw,g=r,o=
+ tags:
+ - config
+
+- name: ensure local selinux share directory exists
+ file:
+ path: /usr/local/share/selinux
+ state: directory
+ tags:
+ - selinux
+- name: ensure wal-g-postgresql selinux module is installed
+ copy:
+ src: wal-g-postgresql.cil
+ dest: /usr/local/share/selinux/wal-g-postgresql.cil
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - load wal-g-postgresql selinux module
+ tags:
+ - selinux
+
+- name: flush handlers
+ meta: flush_handlers
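Review bot: The `ensure local selinux share directory exists` task creates `/usr/local/share/selinux` without `owner`, `group` or `mode`, so its permissions come from the umask or from whatever directory already exists, yet the handler later loads a policy file from it as root. Pin it the way the two `copy` tasks pin their files: `owner: root`, `group: root`, `mode: u=rwx,go=rx`. Separately, if `wal_g_pg_config` carries storage credentials (not visible in this hunk), adding `no_log: true` to the `ensure wal-g is configured` task would keep the rendered content out of task output and `--diff` runs; the `u=rw,g=r,o=` mode on the file itself already looks right.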