From e94940e81db5acdb4cf11bd68c7008ac9a56c48e Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Wed, 18 Dec 2019 13:24:43 +0300 Subject: [PATCH 1/2] Correct manage setting 'password_encryption' for PostgreSQL 10 and above. --- defaults/main.yml | 2 +- templates/postgresql.conf-10.j2 | 2 +- templates/postgresql.conf-11.j2 | 2 +- templates/postgresql.conf-12.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b105762..aea2237e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -148,7 +148,7 @@ postgresql_ssl_cert_file: "/etc/ssl/certs/ssl-cert-snakeoil.pem" # (>= 9.2) postgresql_ssl_key_file: "/etc/ssl/private/ssl-cert-snakeoil.key" # (>= 9.2) postgresql_ssl_ca_file: "" # (>= 9.2) postgresql_ssl_crl_file: "" # (>= 9.2) -postgresql_password_encryption: on +postgresql_password_encryption: "{{ 'md5' if postgresql_version is version_compare('10', '>=') else 'on' }}" postgresql_db_user_namespace: off postgresql_row_security: off # (>= 9.5) diff --git a/templates/postgresql.conf-10.j2 b/templates/postgresql.conf-10.j2 index 53636991..cf00d9dd 100644 --- a/templates/postgresql.conf-10.j2 +++ b/templates/postgresql.conf-10.j2 @@ -87,7 +87,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} # md5 or scram-sha-256 +password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} row_security = {{'on' if postgresql_row_security else 'off'}} diff --git a/templates/postgresql.conf-11.j2 b/templates/postgresql.conf-11.j2 index dd989eea..2f0e58e5 100644 
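Review bot: The new `postgresql_password_encryption` default in defaults/main.yml has no comment saying which values each server version accepts, unlike the neighbouring `# (>= 9.2)` lines, and it pins version 10 and above to `md5`. The templates changed in this patch name `scram-sha-256` as the other accepted value, so the default should point to it. A comment such as `# (< 10) on/off; (>= 10) 'md5' or 'scram-sha-256' (prefer scram-sha-256 where all clients support it)` would make the stronger option discoverable.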
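Review bot: The added `password_encryption` expression in postgresql.conf-10.j2 maps every value except the exact string `scram-sha-256` to `md5`, so a misspelled or differently cased value silently selects the weaker hash instead of failing the play. The same expression is added in the postgresql.conf-11.j2 and postgresql.conf-12.j2 hunks. Rejecting unknown values before the template is rendered would surface the mistake, for example an `assert` with `that: postgresql_password_encryption in ['md5', 'scram-sha-256']` applied only for version 10 and above. Where that task belongs is not visible in this patch.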
--- a/templates/postgresql.conf-11.j2 +++ b/templates/postgresql.conf-11.j2 @@ -87,7 +87,7 @@ tcp_keepalives_count = {{ postgresql_tcp_keepalives_count }} # TCP_KEEPCNT; # - Authentication - authentication_timeout = {{ postgresql_authentication_timeout }} # 1s-600s -password_encryption = {{ 'on' if postgresql_password_encryption else 'off' }} # md5 or scram-sha-256 +password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 db_user_namespace = {{ 'on' if postgresql_db_user_namespace else 'off' }} # GSSAPI using Kerberos diff --git a/templates/postgresql.conf-12.j2 b/templates/postgresql.conf-12.j2 index 9aee094f..9632b759 100644 --- a/templates/postgresql.conf-12.j2 +++ b/templates/postgresql.conf-12.j2 @@ -89,7 +89,7 @@ tcp_user_timeout = {{ postgresql_tcp_user_timeout }} # TCP_USE # - Authentication - authentication_timeout = {{ postgresql_authentication_timeout }} # 1s-600s -password_encryption = {{ 'on' if postgresql_password_encryption else 'off' }} # md5 or scram-sha-256 +password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 db_user_namespace = {{ 'on' if postgresql_db_user_namespace else 'off' }} # GSSAPI using Kerberos From 1bb95b318d527ee2d1450be598bbc9a91fc00a99 Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Wed, 10 Jun 2020 11:39:41 +0300 Subject: [PATCH 2/2] Disable check correct values of postgresql_password_encryption. --- defaults/main.yml | 2 +- templates/postgresql.conf-10.j2 | 2 +- templates/postgresql.conf-11.j2 | 2 +- templates/postgresql.conf-12.j2 | 2 +- templates/postgresql.conf-9.1.j2 | 2 +- templates/postgresql.conf-9.2.j2 | 2 +- templates/postgresql.conf-9.3.j2 | 2 +- templates/postgresql.conf-9.4.j2 | 2 +- templates/postgresql.conf-9.5.j2 | 2 +- templates/postgresql.conf-9.6.j2 | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index aea2237e..8b105762 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -148,7 +148,7 @@ postgresql_ssl_cert_file: "/etc/ssl/certs/ssl-cert-snakeoil.pem" # (>= 9.2) postgresql_ssl_key_file: "/etc/ssl/private/ssl-cert-snakeoil.key" # (>= 9.2) postgresql_ssl_ca_file: "" # (>= 9.2) postgresql_ssl_crl_file: "" # (>= 9.2) -postgresql_password_encryption: "{{ 'md5' if postgresql_version is version_compare('10', '>=') else 'on' }}" +postgresql_password_encryption: on postgresql_db_user_namespace: off postgresql_row_security: off # (>= 9.5) diff --git a/templates/postgresql.conf-10.j2 b/templates/postgresql.conf-10.j2 index cf00d9dd..c2fb2cf2 100644 --- a/templates/postgresql.conf-10.j2 +++ b/templates/postgresql.conf-10.j2 @@ -87,7 +87,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} row_security = {{'on' if postgresql_row_security else 'off'}} diff --git a/templates/postgresql.conf-11.j2 b/templates/postgresql.conf-11.j2 index 1898c8cc..a194d8c4 100644 --- a/templates/postgresql.conf-11.j2 +++ b/templates/postgresql.conf-11.j2 
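Review bot: The restored default `postgresql_password_encryption: on` is an unquoted YAML 1.1 boolean, and the templates in this patch now print the variable as-is, so the rendered setting is presumably `password_encryption = True` rather than `on`. For version 10 and above, the comment removed from the templates listed only `md5` and `scram-sha-256`, so this default depends on the server still accepting a boolean-style value there. Quoting and documenting the value, e.g. `postgresql_password_encryption: 'on'  # (< 10) on/off; (>= 10) 'md5' or 'scram-sha-256'`, keeps the rendered text predictable.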
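Review bot: The `password_encryption` line in postgresql.conf-10.j2 now writes the variable with no validation and drops the `# md5 or scram-sha-256` hint, so an unsupported value is only caught when the server reads the file, not when the play runs. The postgresql.conf-11.j2 and postgresql.conf-12.j2 hunks make the same change. Keeping the trailing comment, `password_encryption = {{postgresql_password_encryption}}  # md5 or scram-sha-256`, and checking the value in a task before templating would keep the failure inside Ansible. That task would live outside the files shown here.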
@@ -87,7 +87,7 @@ tcp_keepalives_count = {{ postgresql_tcp_keepalives_count }} # TCP_KEEPCNT; # - Authentication - authentication_timeout = {{ postgresql_authentication_timeout }} # 1s-600s -password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 +password_encryption = {{ postgresql_password_encryption }} db_user_namespace = {{ 'on' if postgresql_db_user_namespace else 'off' }} # GSSAPI using Kerberos diff --git a/templates/postgresql.conf-12.j2 b/templates/postgresql.conf-12.j2 index 8e94c918..c64bdfaf 100644 --- a/templates/postgresql.conf-12.j2 +++ b/templates/postgresql.conf-12.j2 @@ -89,7 +89,7 @@ tcp_user_timeout = {{ postgresql_tcp_user_timeout }} # TCP_USE # - Authentication - authentication_timeout = {{ postgresql_authentication_timeout }} # 1s-600s -password_encryption = {{ 'md5' if postgresql_password_encryption != 'scram-sha-256' else 'scram-sha-256' }} # md5 or scram-sha-256 +password_encryption = {{ postgresql_password_encryption }} db_user_namespace = {{ 'on' if postgresql_db_user_namespace else 'off' }} # GSSAPI using Kerberos diff --git a/templates/postgresql.conf-9.1.j2 b/templates/postgresql.conf-9.1.j2 index d5a67086..6b926e94 100644 --- a/templates/postgresql.conf-9.1.j2 +++ b/templates/postgresql.conf-9.1.j2 @@ -82,7 +82,7 @@ ssl = {{'on' if postgresql_ssl else 'off'}} # (change requires restart) ssl_ciphers = '{{postgresql_ssl_ciphers|join(':')}}' # allowed SSL ciphers # (change requires restart) ssl_renegotiation_limit = {{postgresql_ssl_renegotiation_limit}} # amount of data between renegotiations -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} # Kerberos and GSSAPI diff --git a/templates/postgresql.conf-9.2.j2 b/templates/postgresql.conf-9.2.j2 index 53ff3a42..c05880de 100644 
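Review bot: In postgresql.conf-9.1.j2 the `password_encryption` value is no longer normalised to `on`/`off`, so a string meant for newer servers (such as `md5`) or a raw boolean now lands in a 9.x config unchanged; the 9.2 through 9.6 hunks do the same. On these versions the setting is a boolean, and `off` causes passwords set without an explicit ENCRYPTED keyword to be stored in clear text. That deserves a comment on the line, e.g. `password_encryption = {{postgresql_password_encryption}}  # on/off; off stores passwords unencrypted`. Because one variable now feeds templates with different accepted value sets, a per-version check before rendering would be safer than passing the value straight through.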
--- a/templates/postgresql.conf-9.2.j2 +++ b/templates/postgresql.conf-9.2.j2 @@ -86,7 +86,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} # Kerberos and GSSAPI diff --git a/templates/postgresql.conf-9.3.j2 b/templates/postgresql.conf-9.3.j2 index cce06379..07187564 100644 --- a/templates/postgresql.conf-9.3.j2 +++ b/templates/postgresql.conf-9.3.j2 @@ -87,7 +87,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} # Kerberos and GSSAPI diff --git a/templates/postgresql.conf-9.4.j2 b/templates/postgresql.conf-9.4.j2 index 1ff5bb0f..0049c8a4 100644 --- a/templates/postgresql.conf-9.4.j2 +++ b/templates/postgresql.conf-9.4.j2 
@@ -89,7 +89,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} # GSSAPI using Kerberos diff --git a/templates/postgresql.conf-9.5.j2 b/templates/postgresql.conf-9.5.j2 index 5152f517..49763b3e 100644 --- a/templates/postgresql.conf-9.5.j2 +++ b/templates/postgresql.conf-9.5.j2 @@ -88,7 +88,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} row_security = {{'on' if postgresql_row_security else 'off'}} diff --git a/templates/postgresql.conf-9.6.j2 b/templates/postgresql.conf-9.6.j2 index 2efdb1f1..c06a87d8 100644 --- a/templates/postgresql.conf-9.6.j2 +++ b/templates/postgresql.conf-9.6.j2 
@@ -86,7 +86,7 @@ ssl_cert_file = '{{postgresql_ssl_cert_file}}' # (change requires restart) ssl_key_file = '{{postgresql_ssl_key_file}}' # (change requires restart) ssl_ca_file = '{{postgresql_ssl_ca_file}}' # (change requires restart) ssl_crl_file = '{{postgresql_ssl_crl_file}}' # (change requires restart) -password_encryption = {{'on' if postgresql_password_encryption else 'off'}} +password_encryption = {{postgresql_password_encryption}} db_user_namespace = {{'on' if postgresql_db_user_namespace else 'off'}} row_security = {{'on' if postgresql_row_security else 'off'}}