Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSjqC-0019uf-85 for pgsql-general@arkaria.postgresql.org; Tue, 31 Dec 2024 21:31:52 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tSjqA-005F5z-B0 for pgsql-general@arkaria.postgresql.org; Tue, 31 Dec 2024 21:31:50 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSjqA-005F5q-0L for pgsql-general@lists.postgresql.org; Tue, 31 Dec 2024 21:31:49 +0000 Received: from ageofdream.com ([2600:3c00::f03c:93ff:fe74:e1a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tSjq7-001SiC-02 for pgsql-general@lists.postgresql.org; Tue, 31 Dec 2024 21:31:48 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ageofdream.com; s=ageofdream; t=1735680705; bh=Ild1nZCnZjnyGvrAZ789VZbPJmQEAXttsOG/KDndfsQ=; h=Subject:From:To:Date:From; b=jLcBQHAFxuWEkK7AHyj3RxQdQbQ4/XvaHJ+V/p5Z1t8HYYQdzrbhfgxYAKx81DHIY 6FqRwwD4u2qHQDxoVnv6AN14T5gxFjpfSloj+XDqrlARj9D2q+PcUA22eOot8kha4R IEqVQndzR+UfGStpq9T80nutDS5mO3VgvSv3/PU9M77y8+wdU8ZzrtiaYIaD/7p96l UJJgCxZNkf2O7TVHWNyFGR1WyWCXcjSf9wFzFj0N/FIEPJX+NzOrJ5NAcUMcFHWJVe TbePu20qq2ke2J7LytVEsVEqx3q6bCgDAsFibJDroYQaRN/vk8VCTe01ZRAs2bN6Vq RZ4SeXKzRvMLA== Received: from [192.168.1.7] (unknown [72.255.194.227]) by ageofdream.com (Postfix) with ESMTPSA id 7933F27344 for ; Tue, 31 Dec 2024 16:31:45 -0500 (EST) Message-ID: <75b177a0f2627519419009a2134fe050f3f623cb.camel@ageofdream.com> Subject: Initial Postgres admin account setup using Ansible? From: Nick To: pgsql-general@lists.postgresql.org Date: Tue, 31 Dec 2024 16:31:44 -0500 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 MIME-Version: 1.0 X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on ageofdream.com List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk I'm trying to create an Ansible playbook that sets up and manages Postgres on Debian 12. I'm having issues with the default username/login structure, and could use some help. I'm installing the `postgresql` package via apt, and Debian creates a `postgres` system account that has a locked password. I can login to Postgres manually by first becoming root then running `sudo -u postgres psql` as root. But when the Ansible user (which has passwordless sudo) tries to run `sudo -u postgres psql`, I get: "Sorry, user Ansible is not allowed to execute '/usr/bin/psql' as postgres on example.com." This is likely because the postgres POSIX account has a locked password, so only root can become postgres. Other users with sudo permissions can't become a locked account. So I **could** unlock the `postgres` POSIX account, but I understand that this account is locked for a reason. The goal is to have Ansible manage the creation of databases and roles in the Postgres database. So I need to create an account in Postgres that Ansible can use as the super user. I would like to do this in a way that doesn't require me to manually login to the server, become root, become postgres as root, then manually create an Ansible role. What is the proper (secure) way to let the Ansible POSIX user manage postgres? It seems there should be a fully automated way to bootstrap an Ansible user for `postgres`.