From f13d989a7c389c13cd0d162ba7f6ddcfeb2d8f9dedd0d318c7a8caf22cc3a27c Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@silique.fr>
Date: Tue, 14 Apr 2026 07:40:42 +0200
Subject: [PATCH] feat: first commit

---
 .rougail_doc.yml                              |  11 +
 README.md                                     | 118 +++
 roles/postgresql/defaults/main.yml            |  16 +
 roles/postgresql/files/pg_ident.conf          |  46 +
 roles/postgresql/files/postgresql_init        |  22 +
 .../postgresql/files/sysuser-postgresql.conf  |   3 +
 .../postgresql/files/tmpfiles.postgresql.conf |   2 +
 roles/postgresql/tasks/main.yml               |  45 +
 roles/postgresql/templates/pg_hba.conf.j2     | 108 +++
 roles/postgresql/templates/postgresql.conf.j2 | 870 ++++++++++++++++++
 .../templates/postgresql.service.j2           |  38 +
 roles/postgresql/templates/postgresql.sql.j2  |  15 +
 roles/postgresql/templates/risotto_backup.j2  |  12 +
 roles/postgresql/vars/main.yml                |   8 +
 rougail/risotto/accounts.yml                  |  27 +
 rougail/risotto/postgresql.yml                |  42 +
 rougail/types/10_postgresql.yml               |  98 ++
 rougail/types/50_accounts.yml                 |  24 +
 18 files changed, 1505 insertions(+)
 create mode 100644 .rougail_doc.yml
 create mode 100644 README.md
 create mode 100644 roles/postgresql/defaults/main.yml
 create mode 100644 roles/postgresql/files/pg_ident.conf
 create mode 100644 roles/postgresql/files/postgresql_init
 create mode 100644 roles/postgresql/files/sysuser-postgresql.conf
 create mode 100644 roles/postgresql/files/tmpfiles.postgresql.conf
 create mode 100644 roles/postgresql/tasks/main.yml
 create mode 100644 roles/postgresql/templates/pg_hba.conf.j2
 create mode 100644 roles/postgresql/templates/postgresql.conf.j2
 create mode 100644 roles/postgresql/templates/postgresql.service.j2
 create mode 100644 roles/postgresql/templates/postgresql.sql.j2
 create mode 100644 roles/postgresql/templates/risotto_backup.j2
 create mode 100644 roles/postgresql/vars/main.yml
 create mode 100644 rougail/risotto/accounts.yml
 create mode 100644 rougail/risotto/postgresql.yml
 create mode 100644 rougail/types/10_postgresql.yml
 create mode 100644 rougail/types/50_accounts.yml

diff --git a/.rougail_doc.yml b/.rougail_doc.yml
new file mode 100644
index 0000000..01921a6
--- /dev/null
+++ b/.rougail_doc.yml
@@ -0,0 +1,11 @@
+---
+main_structural_directories:
+  - rougail/types/
+step:
+  output: ansible
+ansible:
+  output: doc
+  doc:
+    project_name: postgresql
+    author: risotto
+    output_format: github
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dd18691
--- /dev/null
+++ b/README.md
@@ -0,0 +1,118 @@
+# risotto.postgresql - Configure the PostgreSQL server
+
+This repository contains the `risotto.postgresql` Ansible Collection.
+
+PostgreSQL is the World's Most Advanced Open Source Relational Database.
+
+This collection allows you to configure a PostgreSQL server and create user
+accounts.
+
+## Variables
+
+### The group variable &quot;postgresql&quot; - Configure the PostgreSQL server
+
+| Variable                                                                                                                   | Description                                                                                                                                                                                                                                                                                       | Default value   | Type                                                                                            | Validator                                               |
+|----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|-------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+| **<a id="postgresql.max_connections" name="postgresql.max_connections">max_connections</a>**                               | The maximum number of concurrent connections.                                                                                                                                                                                                                                                     | 100             | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.authentication_timeout" name="postgresql.authentication_timeout">authentication_timeout</a>**          | The maximum allowed time to complete client authentication.<br/>In seconds.                                                                                                                                                                                                                       | 60              | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.autovacuum" name="postgresql.autovacuum">autovacuum</a>**                                              | Starts the autovacuum subprocess.                                                                                                                                                                                                                                                                 | true            | [`boolean`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.work_mem" name="postgresql.work_mem">work_mem</a>**                                                    | The maximum memory to be used for query workspaces.<br/>Sets the base maximum amount of memory to be used by a query operation (such as a sort or hash table) before writing to temporary disk files.                                                                                             | 4               | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.work_mem_unit" name="postgresql.work_mem_unit">work_mem_unit</a>**                                     | Unit of work_mem.                                                                                                                                                                                                                                                                                 | MB              | [`choice`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`  | **Choices**: <br/>•&nbsp;kB<br/>•&nbsp;MB               |
+| **<a id="postgresql.maintenance_work_mem" name="postgresql.maintenance_work_mem">maintenance_work_mem</a>**                | The maximum memory to be used for maintenance operations.<br/>Specifies the maximum amount of memory to be used by maintenance operations, such as VACUUM, CREATE INDEX, and ALTER TABLE ADD FOREIGN KEY.                                                                                         | 64              | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.maintenance_work_mem_unit" name="postgresql.maintenance_work_mem_unit">maintenance_work_mem_unit</a>** | Unit of maintenance_work_mem parameter.                                                                                                                                                                                                                                                           | MB              | [`choice`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`  | **Choices**: <br/>•&nbsp;kB<br/>•&nbsp;MB               |
+| **<a id="postgresql.wal_buffers" name="postgresql.wal_buffers">wal_buffers</a>**                                           | The number of disk-page buffers in shared memory for WAL.<br/>The amount of shared memory used for WAL data that has not yet been written to disk (The default setting of -1 selects a size equal to 1/32nd of shared_buffers, but not less than 64kB nor more than the size of one WAL segment). | -1              | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.max_wal_size" name="postgresql.max_wal_size">max_wal_size</a>**                                        | The WAL size that triggers a checkpoint.<br/>Maximum (soft limit) size to let the WAL grow during automatic checkpoints.                                                                                                                                                                          | 2               | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.max_wal_size_unit" name="postgresql.max_wal_size_unit">max_wal_size_unit</a>**                         | Unité de la limite douce du Write Ahead Log.                                                                                                                                                                                                                                                      | GB              | [`choice`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`  | **Choices**: <br/>•&nbsp;GB<br/>•&nbsp;MB<br/>•&nbsp;kB |
+| **<a id="postgresql.shared_buffers" name="postgresql.shared_buffers">shared_buffers</a>**                                  | The number of shared memory buffers used by the server.                                                                                                                                                                                                                                           | 128             | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.shared_buffers_unit" name="postgresql.shared_buffers_unit">shared_buffers_unit</a>**                   | Unit of shared_buffers.                                                                                                                                                                                                                                                                           | MB              | [`choice`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`  | **Choices**: <br/>•&nbsp;MB<br/>•&nbsp;kB               |
+| **<a id="postgresql.effective_cache_size" name="postgresql.effective_cache_size">effective_cache_size</a>**                | Sets the planner&#x27;s assumption about the total size of the data caches.<br/>Sets the planner&#x27;s assumption about the effective size of the disk cache that is available to a single query.                                                                                                | 4               | [`integer`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |                                                         |
+| **<a id="postgresql.effective_cache_size_unit" name="postgresql.effective_cache_size_unit">effective_cache_size_unit</a>** | Unit of effective_cache_size.                                                                                                                                                                                                                                                                     | GB              | [`choice`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`  | **Choices**: <br/>•&nbsp;MB<br/>•&nbsp;kB<br/>•&nbsp;GB |
+
+### The group variable &quot;accounts&quot; - Accounts to the PostgreSQL server
+
+| Variable                                                         | Description                | Type                                                                                                          | Validator                     |
+|------------------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------|-------------------------------|
+| **<a id="accounts.remotes" name="accounts.remotes">remotes</a>** | PostgreSQL client address. | [`domainname`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `multiple` `mandatory` | `unique`<br/>Type domainname. |
+
+#### Account for *example*
+
+> [!NOTE]
+> 
+> This family builds families dynamically.\
+> **Path**: remote_*example*\
+> **Identifiers**: the value of the variable "[PostgreSQL client address](#accounts.remotes)".
+
+| Variable                                                                                                                             | Description                             | Type                                                                                              |
+|--------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------------------|
+| **<a id="accounts.remote_:::identifier:::.database" name="accounts.remote_:::identifier:::.database">remote_*example*.database</a>** | PostgreSQL database name for *example*. | [`string`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`    |
+| **<a id="accounts.remote_:::identifier:::.username" name="accounts.remote_:::identifier:::.username">remote_*example*.username</a>** | PostgreSQL username for *example*.      | [`UNIX user`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory` |
+| **<a id="accounts.remote_:::identifier:::.password" name="accounts.remote_:::identifier:::.password">remote_*example*.password</a>** | PostgreSQL password for *example*.      | [`secret`](https://rougail.readthedocs.io/en/latest/variable.html#variables-types) `mandatory`    |
+
+## Usage
+
+### Example playbook with Rougail
+
+Add to your structural file something like:
+
+```yaml
+%YAML 1.2
+---
+version: 1.1
+my_postgresql:
+  type: postgresql
+my_accounts:
+  type: accounts
+...
+```
+
+> [!NOTE]
+> 
+> Do not forget to add Rougail structural file as Rougail types.
+
+For example you can add an YAML user data with something like:
+
+```yaml
+---
+my_accounts:
+  remotes:                              # PostgreSQL client address
+    - example.net
+  remote_example_net:                   # Account for example.net
+    database: example                   # PostgreSQL database name for example.net
+    username: username                  # PostgreSQL username for example.net
+    password: secrets                   # PostgreSQL password for example.net
+```
+
+Add to your playbook:
+
+```yaml
+---
+- name: Configure the PostgreSQL server
+  hosts: servers
+  vars:
+    postgresql: '{{ my_postgresql }}'
+    accounts: '{{ my_accounts }}'
+  roles:
+    - role: risotto.postgresql
+```
+
+### Example playbook without Rougail
+
+> [!NOTE]
+> 
+> The variables will not be properly validated without Rougail.
+
+```yaml
+---
+- name: Configure the PostgreSQL server
+  hosts: servers
+  vars:
+    accounts:
+      remotes:                        # PostgreSQL client address
+        - example.net
+      remote_example_net:             # Account for example.net
+        database: example             # PostgreSQL database name for example.net
+        username: username            # PostgreSQL username for example.net
+        password: secrets             # PostgreSQL password for example.net
+  roles:
+    - role: risotto.postgresql
+```
diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml
new file mode 100644
index 0000000..9c3171c
--- /dev/null
+++ b/roles/postgresql/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+postgresql:                             # Configure the PostgreSQL server
+  max_connections: 100                  # The maximum number of concurrent connections
+  authentication_timeout: 60            # The maximum allowed time to complete client authentication
+  autovacuum: true                      # Starts the autovacuum subprocess
+  work_mem: 4                           # The maximum memory to be used for query workspaces
+  work_mem_unit: MB                     # Unit of work_mem
+  maintenance_work_mem: 64              # The maximum memory to be used for maintenance operations
+  maintenance_work_mem_unit: MB         # Unit of maintenance_work_mem parameter
+  wal_buffers: -1                       # The number of disk-page buffers in shared memory for WAL
+  max_wal_size: 2                       # The WAL size that triggers a checkpoint
+  max_wal_size_unit: GB                 # Unité de la limite douce du Write Ahead Log
+  shared_buffers: 128                   # The number of shared memory buffers used by the server
+  shared_buffers_unit: MB               # Unit of shared_buffers
+  effective_cache_size: 4               # Sets the planner's assumption about the total size of the data caches
+  effective_cache_size_unit: GB         # Unit of effective_cache_size
diff --git a/roles/postgresql/files/pg_ident.conf b/roles/postgresql/files/pg_ident.conf
new file mode 100644
index 0000000..88a4f39
--- /dev/null
+++ b/roles/postgresql/files/pg_ident.conf
@@ -0,0 +1,46 @@
+#RISOTTO: file://usr/share/pgsql/pg_ident.conf.sample
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description.  A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping.  It maps external
+# user names to their corresponding PostgreSQL user names.  Records
+# are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+#>GNUNUX
+pg_map		postgres		postgres
+#<GNUNUX
diff --git a/roles/postgresql/files/postgresql_init b/roles/postgresql/files/postgresql_init
new file mode 100644
index 0000000..642e391
--- /dev/null
+++ b/roles/postgresql/files/postgresql_init
@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+if [ ! -d "/srv/postgresql" ]; then
+    /bin/mkdir -p /srv/postgresql/postgresql
+    /bin/chown -R postgres: /srv/postgresql
+    /usr/bin/postgresql-setup --initdb
+    #/bin/rm /srv/postgresql/postgresql.conf
+    #/bin/rm /srv/postgresql/pg_hba.conf  
+    #/bin/rm /srv/postgresql/pg_ident.conf
+elif [ ! -d "/srv/postgresql/postgresql" ]; then
+    # migrate /srv/postgresql to /srv/postgresql/postgresql
+    # needed for upgrade...
+    mkdir /srv/postgresql/postgresql
+    mv /srv/postgresql/* /srv/postgresql/postgresql || true
+    chown postgres: /srv/postgresql/postgresql
+    chmod 700 /srv/postgresql/postgresql
+fi
+# for postgresql-setup...
+/bin/ln -sf /etc/postgresql/postgresql.conf /srv/postgresql/postgresql/postgresql.conf
+/bin/ln -sf /etc/postgresql/pg_hba.conf /srv/postgresql/postgresql/pg_hba.conf  
+/bin/ln -sf /etc/postgresql/pg_ident.conf /srv/postgresql/postgresql/pg_ident.conf
+exit 0
diff --git a/roles/postgresql/files/sysuser-postgresql.conf b/roles/postgresql/files/sysuser-postgresql.conf
new file mode 100644
index 0000000..26b3864
--- /dev/null
+++ b/roles/postgresql/files/sysuser-postgresql.conf
@@ -0,0 +1,3 @@
+g postgres 26 -
+u postgres 26:26     "PostgreSQL Server" /srv/postgresql/postgresql  /bin/bash
+
diff --git a/roles/postgresql/files/tmpfiles.postgresql.conf b/roles/postgresql/files/tmpfiles.postgresql.conf
new file mode 100644
index 0000000..3870e87
--- /dev/null
+++ b/roles/postgresql/files/tmpfiles.postgresql.conf
@@ -0,0 +1,2 @@
+# for postgresql-setup only...
+d /var/lib/pgsql/ 0750 postgres postgres -
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
new file mode 100644
index 0000000..27b2415
--- /dev/null
+++ b/roles/postgresql/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: Configure PostgreSQL
+  ansible.builtin.template:
+    src: item.src
+    dest: item.dst
+    owner: item.owner | default("root")
+    group: item.group | default("root")
+    mode: item.mode | default("0644")
+  loop:
+    - src: postgresql.conf.j2
+      dst: /etc/postgresql/postgresql.conf
+    - src: pg_hba.conf.j2
+      dst: /etc/postgresql/pg_hba.conf
+    - src: postgresql.service.j2
+      dst: /systemd/system/postgresql.service.d/risotto.conf
+    - src: postgresql.sql.j2
+      dst: /etc/postgresql/postgresql.sql
+      mode: '0600'
+      owner: postgres
+
+- name: Copy static files for PostgreSQL
+  ansible.builtin.copy:
+    dest: item.dst
+    owner: item.owner | default("root")
+    group: item.group | default("root")
+    mode: item.mode | default("0644")
+  loop:
+    - src: pg_ident.conf
+      dst: /etc/postgresql/pg_ident.conf
+    - src: postgresql_init
+      dst: /sbin/postgresql_init
+      mode: '0755'
+    - src: sysuser-postgresql.conf
+      dst: /sysusers.d/0postgresql.conf
+    - src: tmpfiles.postgresql.conf
+      dst: /tmpfiles.d/0postgresql.conf
+
+- name: Gen backup file
+  ansible.builtin.template:
+    src: risotto_backup.j2
+    dest: /sbin/risotto_backup
+    owner: root
+    group: root
+    mode: "0700"
+  when: do_backup | default(false)
diff --git a/roles/postgresql/templates/pg_hba.conf.j2 b/roles/postgresql/templates/pg_hba.conf.j2
new file mode 100644
index 0000000..a614658
--- /dev/null
+++ b/roles/postgresql/templates/pg_hba.conf.j2
@@ -0,0 +1,108 @@
+#RISOTTO: file://usr/share/pgsql/pg_hba.conf.sample
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local         DATABASE  USER  METHOD  [OPTIONS]
+# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type:
+# - "local" is a Unix-domain socket
+# - "host" is a TCP/IP socket (encrypted or not)
+# - "hostssl" is a TCP/IP socket that is SSL-encrypted
+# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
+# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
+# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+#GNUNUX @authcomment@
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+#>GNUNUX
+#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
+#@remove-line-for-nolocal@local   all             all                                     @authmethodlocal@
+local   all         postgres	ident	map=pg_map
+#<GNUNUX
+# IPv4 local connections:
+#>GNUNUX
+#host    all             all             127.0.0.1/32            @authmethodhost@
+{%- for server in accounts.remotes -%}
+  {%- set name = server | normalize_family -%}
+  {%- set database = accounts["remote_" + name].database -%}
+  {%- set username = accounts["remote_" + name].username %}
+hostssl	{{ database }}	{{ username }}	{{ server }}	scram-sha-256
+{%- endfor %}
+#<GNUNUX
+# IPv6 local connections:
+#GNUNUX host    all             all             ::1/128                 @authmethodhost@
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+#>GNUNUX
+#@remove-line-for-nolocal@local   replication     all                                     @authmethodlocal@
+#host    replication     all             127.0.0.1/32            @authmethodhost@
+#host    replication     all             ::1/128                 @authmethodhost@
+#<GNUNUX
diff --git a/roles/postgresql/templates/postgresql.conf.j2 b/roles/postgresql/templates/postgresql.conf.j2
new file mode 100644
index 0000000..b80bb99
--- /dev/null
+++ b/roles/postgresql/templates/postgresql.conf.j2
@@ -0,0 +1,870 @@
+#RISOTTO: file://usr/share/pgsql/postgresql.conf.sample
+#GNUNUX: encoding is present in source so try to convert it
+#encoding: utf8
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  B  = bytes            Time units:  us  = microseconds
+#                kB = kilobytes                     ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#>GNUNUX
+hba_file = '/etc/postgresql/pg_hba.conf'
+#<GNUNUX
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+#>GNUNUX
+ident_file = '/etc/postgresql/pg_ident.conf'
+#<GNUNUX
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+#listen_addresses = 'localhost'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#>GNUNUX
+listen_addresses = '*'
+#<GNUNUX
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#>GNUNUX
+max_connections = {{ postgresql.max_connections }}
+#<GNUNUX
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#>GNUNUX
+unix_socket_directories = '/var/run/postgresql'
+#<GNUNUX
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+#client_connection_check_interval = 0	# time between checks for client
+					# disconnection while running queries;
+					# 0 for never
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#>GNUNUX
+authentication_timeout = {{ postgresql.authentication_timeout }}s
+#<GNUNUX
+#password_encryption = scram-sha-256	# scram-sha-256 or md5
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_crl_dir = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1.2'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+#>GNUNUX
+ssl = true				# (change requires restart)
+ssl_cert_file = '{{ tls.cert_directory }}/postgresql.crt'		# (change requires restart)
+ssl_key_file = '{{ tls.key_directory }}/postgresql.key'		# (change requires restart)
+ssl_ca_file = '{{ tls.ca_directory }}/PostgreSQL.crt'
+#<GNUNUX
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#>GNUNUX
+shared_buffers = {{ postgresql.shared_buffers }}{{ postgresql.shared_buffers_unit }}
+#<GNUNUX
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#huge_page_size = 0			# zero for system default
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#hash_mem_multiplier = 1.0		# 1-1000.0 multiplier on hash table work_mem
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#logical_decoding_work_mem = 64MB	# min 64kB
+#>GNUNUX
+work_mem = {{ postgresql.work_mem }}{{ postgresql.work_mem_unit }}	# min 64kB
+maintenance_work_mem = {{ postgresql.maintenance_work_mem }}{{ postgresql.maintenance_work_mem_unit }}	# min 1MB
+#<GNUNUX
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+#min_dynamic_shared_memory = 0MB	# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kilobytes, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 64
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 2		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#backend_flush_after = 0		# measured in pages, 0 disables
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#maintenance_io_concurrency = 10	# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#parallel_leader_participation = on
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux and FreeBSD)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_compression = off			# enable compression of full-page writes
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+#>GNUNUX
+wal_buffers = {{ postgresql.wal_buffers }}
+#<GNUNUX
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+#wal_skip_threshold = 2MB
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#checkpoint_completion_target = 0.9	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#>GNUNUX
+max_wal_size = {{ postgresql.max_wal_size }}{{ postgresql.max_wal_size_unit }}
+min_wal_size = 80MB
+#<GNUNUX
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the primary and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#wal_keep_size = 0		# in megabytes; 0 disables
+#max_slot_wal_keep_size = -1	# in megabytes; -1 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Primary Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a primary server.
+
+#primary_conninfo = ''			# connection string to sending server
+#primary_slot_name = ''			# replication slot on sending server
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_create_temp_slot = off	# create temp slot if primary_slot_name
+					# is not set
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from primary
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_async_append = on
+#enable_bitmapscan = on
+#enable_gathermerge = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_incremental_sort = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_memoize = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+#>GNUNUX
+effective_cache_size = {{ postgresql.effective_cache_size }}{{ postgresql.effective_cache_size_unit }}
+#<GNUNUX
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#jit = on				# allow JIT compilation
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#GNUNUX: logging_collector = on		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#GNUNUX: log_filename = 'postgresql-%a.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#GNUNUX: log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#GNUNUX: log_rotation_size = 0			# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+#GNUNUX: log_truncate_on_rotation = on		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#>GNUNUX
+log_destination = 'syslog'
+#<GNUNUX
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (Windows):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_min_duration_sample = -1		# -1 is disabled, 0 logs a sample of statements
+					# and their durations, > 0 logs only a sample of
+					# statements running at least this number
+					# of milliseconds;
+					# sample fraction is determined by log_statement_sample_rate
+
+#log_statement_sample_rate = 1.0	# fraction of logged statements exceeding
+					# log_min_duration_sample to be logged;
+					# 1.0 logs all such statements, 0.0 never logs
+
+
+#log_transaction_sample_rate = 0.0	# fraction of transactions whose statements
+					# are logged regardless of their duration; 1.0 logs all
+					# statements from all transactions, 0.0 never logs
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_autovacuum_min_duration = -1	# log autovacuum activity;
+					# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %b = backend type
+					#   %p = process ID
+					#   %P = process ID of parallel group leader
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %Q = query ID (0 if none or not computed)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_recovery_conflict_waits = off	# log standby recovery conflict waits
+					# >= deadlock_timeout
+#log_parameter_max_length = -1		# when logging statements, limit logged
+					# bind-parameter values to N bytes;
+					# -1 means print in full, 0 disables
+#log_parameter_max_length_on_error = 0	# when logging an error, limit logged
+					# bind-parameter values to N bytes;
+					# -1 means print in full, 0 disables
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#FIXME en dure ?
+#>GNUNUX
+#log_timezone = 'GMT'
+log_timezone = '{{ time_zone }}'
+#<GNUNUX
+
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_activity_query_size = 1024	# (change requires restart)
+#track_counts = on
+#track_io_timing = off
+#track_wal_io_timing = off
+#track_functions = none			# none, pl, all
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#compute_query_id = auto
+#log_statement_stats = off
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#>GNUNUX
+{% if postgresql.autovacuum %}
+autovacuum = on
+{% else %}
+autovacuum = off
+{% endif %}
+#<GNUNUX
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_vacuum_insert_threshold = 1000	# min number of row inserts
+					# before vacuum; -1 disables insert
+					# vacuums
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_vacuum_insert_scale_factor = 0.2	# fraction of inserts over table
+					# size before insert vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_table_access_method = 'heap'
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#default_toast_compression = 'pglz'	# 'pglz' or 'lz4'
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#idle_session_timeout = 0		# in milliseconds, 0 is disabled
+#vacuum_freeze_table_age = 150000000
+#vacuum_freeze_min_age = 50000000
+#vacuum_failsafe_age = 1600000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_failsafe_age = 1600000000
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#>GNUNUX
+datestyle = 'iso, dmy'
+#<GNUNUX
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#>GNUNUX
+timezone = '{{ time_zone }}'
+#<GNUNUX
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+#>GNUNUX
+#FIXME en dure ?
+lc_messages = 'fr_FR.UTF-8'
+lc_monetary = 'fr_FR.UTF-8'
+lc_numeric = 'fr_FR.UTF-8'
+lc_time = 'fr_FR.UTF-8'	
+#<GNUNUX
+
+# default configuration for text search
+#>GNUNUX
+#default_text_search_config = 'pg_catalog.french'
+default_text_search_config = 'pg_catalog.french'
+#<GNUNUX
+
+# - Shared Library Preloading -
+
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#shared_preload_libraries = ''	# (change requires restart)
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+#gin_fuzzy_search_limit = 0
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+#recovery_init_sync_method = fsync	# fsync, syncfs (Linux 5.8+)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/roles/postgresql/templates/postgresql.service.j2 b/roles/postgresql/templates/postgresql.service.j2
new file mode 100644
index 0000000..3e7c3ed
--- /dev/null
+++ b/roles/postgresql/templates/postgresql.service.j2
@@ -0,0 +1,38 @@
+[Service]
+Environment=PGDATA=/srv/postgresql/postgresql
+Environment=PG_CONF=/etc/postgresql/postgresql.conf
+Environment=PG_HBA=/etc/postgresql/pg_hba.conf
+Environment=PG_IDENT=/etc/postgresql/pg_ident.conf
+Environment=LC_ALL=fr_FR.UTF-8
+ExecStartPre=
+ExecStartPre=+/usr/local/lib/sbin/postgresql_init
+{# if upgrade needed, do it #}
+ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
+/usr/libexec/postgresql-check-db-dir %N || ({% if True -%}{% endif -%}
+ echo "UPGRADE" &&{% if True -%}{% endif -%}
+{# directory creation must have 700 rights #}
+ umask 0077 &&{% if True -%}{% endif -%}
+{# pg_upgrade do not like ssl activation #}
+ /bin/grep -v "ssl " ${PG_CONF} > /tmp/postgresql.conf &&{% if True -%}{% endif -%}
+ mv -f /tmp/postgresql.conf ${PGDATA}/postgresql.conf &&{% if True -%}{% endif -%}
+{# pg_upgrade modify pg_hba.conf so copy it #}
+ /bin/rm ${PGDATA}/pg_hba.conf &&{% if True -%}{% endif -%}
+ /bin/cp -af ${PG_HBA} ${PGDATA} &&{% if True -%}{% endif -%}
+{# do upgrade #}
+ /usr/bin/postgresql-setup --upgrade &&{% if True -%}{% endif -%}
+{# re do link #}
+ ln -sf ${PG_HBA} ${PGDATA}/ &&{% if True -%}{% endif -%}
+ ln -sf ${PG_CONF} ${PGDATA}/ &&{% if True -%}{% endif -%}
+{# remove old cluster #}
+ /srv/postgresql/postgresql/delete_old_cluster.sh &&{% if True -%}{% endif -%}
+ rm -f /srv/postgresql/postgresql/delete_old_cluster.sh &&{% if True -%}{% endif -%}
+{# force index (see later) #}
+ touch /srv/postgresql/risotto_upgrade.lock{% if True -%}{% endif -%}
+)'
+{# recheck db #}
+ExecStartPre=/usr/libexec/postgresql-check-db-dir %N
+ExecStart=
+ExecStart=/usr/bin/postmaster -D ${PGDATA} -c config_file=${PG_CONF} -c hba_file=${PG_HBA} -c ident_file=${PG_IDENT}
+ExecStartPost=-/usr/bin/psql -f /etc/postgresql/postgresql.sql
+{# if lock do reindex #}
+ExecStartPost=/bin/bash -c 'if [ -f /srv/postgresql/risotto_upgrade.lock ];then echo REINDEX; /usr/bin/reindexdb && rm -f /srv/postgresql/risotto_upgrade.lock; fi'
diff --git a/roles/postgresql/templates/postgresql.sql.j2 b/roles/postgresql/templates/postgresql.sql.j2
new file mode 100644
index 0000000..c94d15e
--- /dev/null
+++ b/roles/postgresql/templates/postgresql.sql.j2
@@ -0,0 +1,15 @@
+#RISOTTO: do not compare
+{%- set new_accounts = [] -%}
+{%- for server in accounts.remotes -%}
+  {%- set name = server|normalize_family -%}
+  {%- set database = accounts["remote_" + name].database -%}
+  {%- set username = accounts["remote_" + name].username -%}
+  {%- set password = accounts["remote_" + name].password -%}
+  {%- set x=new_accounts.append((database, username, password)) -%}
+{%- endfor -%}
+{%- for database, name, password in new_accounts %}
+CREATE DATABASE "{{ name }}";
+CREATE ROLE "{{ name }}" WITH LOGIN ENCRYPTED PASSWORD '{{ password }}';
+ALTER USER "{{ name }}" PASSWORD '{{ password }}';
+GRANT ALL PRIVILEGES ON DATABASE "{{ name }}" TO "{{ database }}";
+{%- endfor -%}
diff --git a/roles/postgresql/templates/risotto_backup.j2 b/roles/postgresql/templates/risotto_backup.j2
new file mode 100644
index 0000000..8a665fb
--- /dev/null
+++ b/roles/postgresql/templates/risotto_backup.j2
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+rm -rf {{ backup_dir }}
+mkdir -p {{ backup_dir }}
+chown postgres: {{ backup_dir }}
+{%- for server in accounts.remotes -%}
+  {%- set name = server|normalize_family -%}
+  {%- set database = accounts["remote_" + name].database %}
+su -c "pg_dump -F c -b -v -f {{ backup_dir }}/{{ database }}.dump {{ database }}" postgres
+{%- endfor %}
+
+exit 0
diff --git a/roles/postgresql/vars/main.yml b/roles/postgresql/vars/main.yml
new file mode 100644
index 0000000..1988733
--- /dev/null
+++ b/roles/postgresql/vars/main.yml
@@ -0,0 +1,8 @@
+---
+accounts:                               # Accounts to the PostgreSQL server
+  remotes:                              # PostgreSQL client address
+    - example.net
+  remote_example_net:                   # Account for example.net
+    database: example                   # PostgreSQL database name for example.net
+    username: username                  # PostgreSQL username for example.net
+    password: secrets                   # PostgreSQL password for example.net
diff --git a/rougail/risotto/accounts.yml b/rougail/risotto/accounts.yml
new file mode 100644
index 0000000..e9cc319
--- /dev/null
+++ b/rougail/risotto/accounts.yml
@@ -0,0 +1,27 @@
+%YAML 1.2
+---
+version: 1.1
+
+accounts:
+
+  remotes:
+    redefine: true
+    provider: Postgresql
+    hidden: true
+
+  "remote_{{ identifier }}":
+    redefine: true
+    hidden: true
+
+    database:
+      redefine: true
+      provider: Postgresql:database
+
+    username:
+      redefine: true
+      provider: Postgresql:username
+
+    password:
+      redefine: true
+      provider: Postgresql:password
+...
diff --git a/rougail/risotto/postgresql.yml b/rougail/risotto/postgresql.yml
new file mode 100644
index 0000000..eee2479
--- /dev/null
+++ b/rougail/risotto/postgresql.yml
@@ -0,0 +1,42 @@
+%YAML 1.2
+---
+version: 1.1
+
+tls:
+
+  certificates:
+
+    postgresql:
+      leadership: true
+
+      authority:
+        type: unix_filename
+        default:
+          jinja: '{{ ___.ca_directory }}.PostgreSQL.crt'
+        provider: TLS-certificate:authority
+
+      domain:
+        type: domainname
+        default:
+          jinja: >-
+            {%- if ____.network.interfaces.domain_name -%}
+            {{- ____.network.interfaces.domain_name[0] -}}
+            {%- endif -%}
+        provider: TLS-certificate:domain
+
+      certificate:
+        type: unix_filename
+        default:
+          jinja: '{{ ___.cert_directory }}.postgresql.crt'
+        provider: TLS-certificate:certificate
+
+      private:
+        type: unix_filename
+        default:
+          jinja: '{{ ___.key_directory }}.postgresql.key'
+        provider: TLS-certificate:private_key
+
+      owner:
+        type: unix_user
+        default: postgres
+...
diff --git a/rougail/types/10_postgresql.yml b/rougail/types/10_postgresql.yml
new file mode 100644
index 0000000..abd7a74
--- /dev/null
+++ b/rougail/types/10_postgresql.yml
@@ -0,0 +1,98 @@
+%YAML 1.2
+---
+version: 1.1
+
+postgresql:
+  description: configure the PostgreSQL server
+  help: |-
+    PostgreSQL is the World's Most Advanced Open Source Relational Database.
+
+    This collection allows you to configure a PostgreSQL server and create user
+    accounts.
+
+  max_connections:
+    description: the maximum number of concurrent connections
+    default: 100
+
+  authentication_timeout:
+    description: the maximum allowed time to complete client authentication
+    help: in seconds
+    default: 60
+
+  autovacuum:
+    type: boolean
+    description: Starts the autovacuum subprocess
+
+  work_mem:
+    description: the maximum memory to be used for query workspaces
+    help: >-
+      Sets the base maximum amount of memory to be used by a query operation (such as a sort or hash table) before writing to temporary disk files
+    default: 4
+
+  work_mem_unit:
+    description: unit of work_mem
+    default: MB
+    choices:
+      - kB
+      - MB
+
+  maintenance_work_mem:
+    description: the maximum memory to be used for maintenance operations
+    help: >-
+      Specifies the maximum amount of memory to be used by maintenance operations,
+      such as VACUUM, CREATE INDEX, and ALTER TABLE ADD FOREIGN KEY.
+    default: 64
+
+  maintenance_work_mem_unit:
+    description: unit of maintenance_work_mem parameter
+    default: MB
+    choices:
+      - kB
+      - MB
+
+  wal_buffers:
+    description:  the number of disk-page buffers in shared memory for WAL 
+    help: >-
+      The amount of shared memory used for WAL data that has not yet been written to disk
+      (The default setting of -1 selects a size equal to 1/32nd of shared_buffers,
+      but not less than 64kB nor more than the size of one WAL segment)
+    default: -1
+
+  max_wal_size:
+    description: the WAL size that triggers a checkpoint
+    help: Maximum (soft limit) size to let the WAL grow during automatic checkpoints.
+    default: 2
+
+  max_wal_size_unit:
+    description: Unité de la limite douce du Write Ahead Log
+    default: GB
+    choices:
+      - GB
+      - MB
+      - kB
+
+  shared_buffers:
+    description: the number of shared memory buffers used by the server
+    default: 128
+
+  shared_buffers_unit:
+    description: unit of shared_buffers
+    default: MB
+    choices:
+      - MB
+      - kB
+
+  effective_cache_size:
+    description: Sets the planner's assumption about the total size of the data caches
+    help: >-
+      Sets the planner's assumption about the effective size of the disk cache that is available to a single query.
+    default: 4
+
+  effective_cache_size_unit:
+    description: unit of effective_cache_size
+    default: GB
+    choices:
+      - MB
+      - kB
+      - GB
+...
diff --git a/rougail/types/50_accounts.yml b/rougail/types/50_accounts.yml
new file mode 100644
index 0000000..8344a17
--- /dev/null
+++ b/rougail/types/50_accounts.yml
@@ -0,0 +1,24 @@
+---
+version: 1.1
+
+accounts:  # accounts to the PostgreSQL server
+
+  remotes:
+    description: PostgreSQL client address
+    type: domainname
+    multi: true
+
+  "remote_{{ identifier }}":
+    description: 'Account for {{ identifier }}'
+    dynamic:
+      variable: _.remotes
+
+    database:  # PostgreSQL database name for {{ identifier }}
+
+    username:
+      description: 'PostgreSQL username for {{ identifier }}'
+      type: unix_user
+
+    password:
+      description: 'PostgreSQL password for {{ identifier }}'
+      type: secret