Posted On 26.02.2026

ConfDroid Puppet Modules – Postgresql


ConfDroid PostgreSQL Module – Standalone Database Management Made Simple with Puppet

We’re thrilled to keep building out the ConfDroid Puppet modules series! After covering the foundational confdroid_puppet module, we’re moving up the stack to the data layer. Today we’re excited to introduce confdroid_postgresql — a clean, opinionated Puppet module that gives you a fully managed, production-ready PostgreSQL instance on Rocky Linux 9 (and other compatible DNF-based systems) with Puppet 8.

Whether you’re running Gitea, SonarQube, a custom web app, or any other service that needs a reliable database backend, this module handles the heavy lifting so you can focus on your applications instead of fighting config files.

What is confdroid_postgresql?

In short, it’s your one-stop Puppet class for deploying and managing a standalone PostgreSQL server. It installs the server and client packages, configures the service, secures access with pg_hba.conf, sets up firewall rules, enforces SELinux contexts, and optionally creates the databases and roles your applications need.

It fits perfectly into the ConfDroid layered architecture: infrastructure → platform → application. Once this module is in place, other ConfDroid modules (like confdroid_gitea) can simply declare their required databases and roles — no manual SQL scripts required. Alternatively, you can use your control repo to declare roles and databases for container solutions like SonarQube, OpenProject or anything else.

Key Features

Core Components

  • Full installation and management of postgresql-server and postgresql client packages
  • Service management for postgresql.service via systemd
  • Templated management of postgresql.conf and pg_hba.conf
  • Configuration files are populated with values from params
  • Automatic firewall rules that open port 5432 or a custom port (requires puppetlabs-firewall)
  • SELinux context enforcement for data directories and config files
  • Clean separation of server and client classes for maximum flexibility

Optional Add-Ons (controlled by simple boolean parameters)

  • Installation of pg_bouncer for connection management and performance tuning
  • pl_manage_content → create roles and databases declaratively
  • pl_manage_extensions → install and enable PostgreSQL extensions
  • pl_use_pg_bouncer → add connection pooling for high-traffic services
  • pl_ssl_enabled → turn on TLS encryption (certificates managed externally)

All PostgreSQL-specific parameters are nicely prefixed with pl_ so they never clash with other modules.

This module is strictly for standalone PostgreSQL servers. It does not support clustering, streaming replication, Patroni, repmgr, or any high-availability setups. If you need a clustered environment, you’ll want to look at dedicated HA solutions outside this module — at least for now.

How to Use It

Via site.pp or node.pp:

node 'example.example.net' {
  include confdroid_postgresql
}

Via Foreman

In order to apply parameters through Foreman, confdroid_postgresql::params must be added to the host or host group in question.

Creating roles, databases and entries in pg_hba

In your control repo or your site/node.pp:

  • role:

confdroid_postgresql::server::roles::role_df { 'example_role':
  pl_role_name       => 'example_role',
  pl_role_pw         => 'SuperStrongPassword',
  pl_role_attributes => 'LOGIN',
  pl_role_status     => 'CREATE ROLE',
}

  • database (typically requires the role to be created first):

confdroid_postgresql::server::databases::db_df { 'example_db':
  pl_db_name      => 'example_db',
  pl_owner_name   => 'example_role',
  pl_db_action    => 'CREATE DATABASE',
  pl_db_extension => 'pg_trgm',
}

  • pg_hba:

confdroid_postgresql::server::pghba::pg_hba_rule { 'example db access ssl':
  pl_auth_type     => 'hostssl',
  pl_auth_database => 'example_db',
  pl_auth_user     => 'example_role',
  pl_auth_address  => '10.0.1.0/24',
  pl_auth_method   => 'scram-sha-256',
  pl_auth_order    => '020', # relevant only for ordering in the file, can be left out
  pl_auth_option   => '',
}

Add the module to your Puppetfile with r10k (or however you deploy modules), assign the class via Foreman ENC or site.pp, and you’re done.
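After a Puppet run, the rendered pg_hba.conf can be checked against the intent of the rule above: hostssl, scram-sha-256 and a bounded source network. The following is an added example, not part of the confdroid_postgresql module; the sample file contents and function names are constructed, and the parser assumes unquoted, whitespace-separated fields.

```python
import ipaddress

WEAK_METHODS = {"trust", "password", "md5"}  # no auth, cleartext, legacy hash
NO_TLS_TYPES = {"host", "hostnossl"}         # allow or force unencrypted TCP

# Constructed sample. Line 3 is the record the pg_hba_rule above is assumed to render.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE    USER          ADDRESS      METHOD
local    all         postgres                   peer
hostssl  example_db  example_role  10.0.1.0/24  scram-sha-256
host     example_db  example_role  10.0.1.0/24  md5
host     all         all           0.0.0.0/0    trust
hostssl  all         all           all          scram-sha-256
"""

def parse_rule(line):
    """Return one record as a dict; None for comments, blanks and include lines."""
    fields = line.split("#", 1)[0].split()  # assumes no quoted names containing '#'
    if len(fields) < 4:
        return None
    rule = {"type": fields[0], "address": None}
    rest = fields[3:]
    if rule["type"] != "local":  # local (Unix socket) records have no ADDRESS column
        rule["address"] = rest.pop(0)
        if len(rest) > 1 and rest[0][0].isdigit():  # legacy form: IPv4 netmask in its own column
            rule["address"] += "/" + rest.pop(0)
    rule["method"] = rest[0] if rest else ""
    return rule

def is_any_source(address):
    """True when the ADDRESS column matches every client ('all' or a /0 network)."""
    try:
        return address == "all" or ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost or samenet

def audit(text):
    """Return (line_no, finding) pairs for rules weaker than hostssl + SCRAM."""
    findings = []
    for no, rule in enumerate(map(parse_rule, text.splitlines()), 1):
        if rule is None:
            continue
        if rule["type"] in NO_TLS_TYPES:
            findings.append((no, "TLS not enforced"))
        if rule["method"] in WEAK_METHODS:
            findings.append((no, "weak auth method: " + rule["method"]))
        if rule["address"] and is_any_source(rule["address"]):
            findings.append((no, "any source address allowed"))
    return findings
```

Calling audit() on the text of the deployed pg_hba.conf returns an empty list only when every record is at least as strict as the example rule.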

Security & Best Practices

The module follows the same security-first approach as the rest of the ConfDroid collection:

  • Firewall rules are automatically added and restricted (requires puppetlabs-firewall)
  • Correct SELinux contexts are configured, whether you enforce SELinux or not
  • SSL/TLS is easy to enable (just drop your certificates in place)
  • All passwords and sensitive data should be handled via Hiera or Foreman parameters

Why Choose confdroid_postgresql?

Because you get a battle-tested, consistent PostgreSQL setup that plays nicely with the rest of your ConfDroid infrastructure. No more copy-pasting config snippets across servers. Everything is version-controlled, idempotent, and ready for your CI/CD pipeline. The modules are designed to work together and are tested together.

What’s Coming Next

We’re already working on:

  • Optional PostgreSQL exporter for Prometheus (so your metrics just work)
  • Optional Nagios checks for database health
  • Expanded extension support, including TimescaleDB and other popular extensions

These can all be toggled on/off via Boolean parameters.

Ready to Get Started?

Head over to the source on our Forge: https://sourcecode.confdroid.com/confdroid/confdroid_postgresql

Try it out (best via r10k), open issues, or drop feedback in the ConfDroid feedback portal. We love hearing how you’re using these modules in the real world.

Let’s keep automating smarter — one reliable database at a time! What’s the next module you’d like to see? Let us know in the comments.


Author Profile

12ww1160, DevOps engineer & architect
