remove wireguard endpoint

allow postgresql from everywhere with password
terraform state without wireguard

ansible/hypervisors.yml

@@ -43,10 +43,17 @@
 - name: Setup special services
   hosts: atlas
 
+  pre_tasks:
+    - name: Create terraform database
+      include_role:
+        name: postgresql_database
+      vars:
+        database_name: terraform_state
+        database_user: terraform
+        database_password: "{{ terraform_db_password }}"
+
   roles:
-    - {role: postgresql, tags: postgresql}
     - {role: ssh_ca, tags: ssh_ca}
-    - {role: wireguard, tags: wireguard}
 
 - hosts: hypervisors
 

ansible/inventory/host_vars/atlas/postgresql.yml

@@ -0,0 +1,8 @@
+terraform_db_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63343662633564343266666137313830333333666663393639633664356463343063666334616665
+  6664333262343337333136656161383963396262616662620a623831383438613230396463353933
+  38633265333239613232616532373635623433613136343264366635666462373062393566313233
+  3338373062333635370a646563663639353033363737623064313464363332323831646262326138
+  62303530626239643963623530613631636631363234383161363736613139643939653438316166
+  6465346362373161353733343431336235323161313831303934

ansible/requirements.yml

@@ -10,5 +10,6 @@
 - name: ssh_ca_known_hosts
   src: https://git.pim.kunis.nl/home/ansible-role-ssh-ca-known-hosts
   scm: git
-- name: wireguard
+- name: postgresql_database
-  src: githubixx.ansible_role_wireguard
+  src: https://git.pim.kunis.nl/home/ansible-role-postgresql-database
+  scm: git

ansible/roles/postgresql/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart postgres
-  systemd:
-    name: postgresql
-    state: restarted

ansible/roles/postgresql/tasks/main.yml

@@ -1,44 +0,0 @@
-- name: Create terraform database
-  postgresql_db:
-    name: terraform_state
-    owner: terraform
-  become: true
-  become_user: postgres
-
-- name: Create database user
-  postgresql_user:
-    name: terraform
-  become: true
-  become_user: postgres
-
-- name: Grant database user access to database
-  postgresql_privs:
-    type: database
-    database: terraform_state
-    roles: terraform
-    grant_option: no
-    privs: all
-  become: true
-  become_user: postgres
-  notify: restart postgres
-
-- name: Allow remote access to database for user
-  postgresql_pg_hba:
-    dest: /etc/postgresql/15/main/pg_hba.conf
-    contype: host
-    databases: all
-    method: trust
-    users: terraform
-    address: "10.42.0.0/24"
-    create: true
-  become: true
-  become_user: postgres
-  notify: restart postgres
-    
-- name: Open postgres port
-  ini_file:
-    path: /etc/postgresql/15/main/postgresql.conf
-    section: null
-    option: listen_addresses
-    value: "'*'"
-  notify: restart postgres

terraform/main.tf

@@ -1,7 +1,6 @@
 terraform {
   backend "pg" {
     schema_name = "bootstrap"
-    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
   }
 
   required_providers {