ConfDroid PostgreSQL Module – Standalone Database Management Made Simple with Puppet
We’re thrilled to keep building out the ConfDroid Puppet modules series! After covering the foundational confdroid_puppet module, we’re moving up the stack to the data layer. Today we’re excited to introduce confdroid_postgresql — a clean, opinionated Puppet module that gives you a fully managed, production-ready PostgreSQL instance on Rocky Linux 9 (and other compatible DNF-based systems) with Puppet 8.
Whether you’re running Gitea, SonarQube, a custom web app, or any other service that needs a reliable database backend, this module handles the heavy lifting so you can focus on your applications instead of fighting config files.
What is confdroid_postgresql?
In short, it’s your one-stop Puppet class for deploying and managing a standalone PostgreSQL server. It installs the server and client packages, configures the service, secures access with pg_hba.conf, sets up firewall rules, enforces SELinux contexts, and optionally creates the databases and roles your applications need.
It fits perfectly into the ConfDroid layered architecture: infrastructure → platform → application. Once this module is in place, other ConfDroid modules (like confdroid_gitea) can simply declare their required databases and roles — no manual SQL scripts required. Or you can use your control repo to declare roles and databases for container solutions like SonarQube, OpenProject or anything else.
Key Features
Core Components
- Full installation and management of postgresql-server and postgresql client packages
- Service management for postgresql.service via systemd
- Templated management of postgresql.conf and pg_hba.conf
- Configuration files are populated with values from params
- Automatic firewall rules (opens port 5432 or a custom port) (requires puppetlabs-firewall)
- SELinux context enforcement for data directories and config files
- Clean separation of server and client classes for maximum flexibility
Optional Add-Ons (controlled by simple boolean parameters)
- installation of pg_bouncer for connection management and performance tuning
- pl_manage_content → create roles and databases declaratively
- pl_manage_extensions → install and enable PostgreSQL extensions
- pl_use_pg_bouncer → add connection pooling for high-traffic services
- pl_ssl_enabled → turn on TLS encryption (certificates managed externally)
All PostgreSQL-specific parameters are nicely prefixed with pl_ so they never clash with other modules.
This module is strictly for standalone PostgreSQL servers. It does not support clustering, streaming replication, Patroni, repmgr, or any high-availability setups. If you need a clustered environment, you’ll want to look at dedicated HA solutions outside this module — at least for now.
How to Use It
Via site.pp or node.pp:
node 'example.example.net' {
  include confdroid_postgresql
}
Via Foreman
In order to apply parameters through Foreman, __confdroid_postgresql::params__ must be added to the host or host group in question.
Creating roles, databases and entries in pg_hba
In your control repo or your site/node.pp:
- role:
confdroid_postgresql::server::roles::role_df { 'example_role':
  pl_role_name       => 'example_role',
  pl_role_pw         => 'SuperStrongPassword', # example value only; supply the real password via Hiera or Foreman
  pl_role_attributes => 'LOGIN',
  pl_role_status     => 'CREATE ROLE',
}
- database (typically requires the role to be created first):
confdroid_postgresql::server::databases::db_df { 'example_db':
  pl_db_name      => 'example_db',
  pl_owner_name   => 'example_role',
  pl_db_action    => 'CREATE DATABASE',
  pl_db_extension => 'pg_trgm',
}
- pg_hba:
confdroid_postgresql::server::pghba::pg_hba_rule { 'example db access ssl':
  pl_auth_type     => 'hostssl',
  pl_auth_database => 'example_db',
  pl_auth_user     => 'example_role',
  pl_auth_address  => '10.0.1.0/24',
  pl_auth_method   => 'scram-sha-256',
  pl_auth_order    => '020', # relevant only for ordering in the file, can be left out
  pl_auth_option   => '',
}
Add the module to your Puppetfile with r10k (or however you deploy modules), assign the class via Foreman ENC or site.pp, and you’re done.
Security & Best Practices
The module follows the same security-first approach as the rest of the ConfDroid collection:
- Firewall rules are automatically added and restricted (requires puppetlabs-firewall)
- Correct SELinux contexts are configured, whether you enforce it or not
- SSL/TLS is easy to enable (just drop your certificates in place)
- All passwords and sensitive data should be handled via Hiera or Foreman parameters
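A check you can run against the rendered pg_hba.conf, added here as an example (it is not part of the module or the original post): it flags rules that drift from the hostssl / scram-sha-256 / narrow-subnet pattern of the pg_hba rule shown earlier. The sample file, the /16 width threshold and the assumption that the example rule renders to the first hostssl line are constructed for illustration.

```python
import ipaddress

WEAK_METHODS = {"trust", "password", "md5"}  # no auth, cleartext, legacy hash
MIN_PREFIX = 16  # assumed policy: flag networks wider than /16

# Constructed sample. Line 3 is what the example rule is assumed to render to.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE    USER          ADDRESS      METHOD
local    all         postgres                   peer
hostssl  example_db  example_role  10.0.1.0/24  scram-sha-256
host     example_db  example_role  10.0.1.0/24  scram-sha-256
hostssl  all         all           0.0.0.0/0    md5
host     reports     report_ro     10.0.2.15  255.255.255.255  trust
"""


def audit_pg_hba(text):
    """Return (line_no, finding) tuples for network rules that weaken access."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # blank line, comment, local socket or include directive
        if len(fields) < 5:
            findings.append((no, "malformed rule"))
            continue
        conn_type, address = fields[0], fields[3]
        net, method = None, fields[4]
        try:
            if "/" in address:
                net = ipaddress.ip_network(address, strict=False)
            else:  # IP address followed by a separate netmask column
                net = ipaddress.ip_network(f"{address}/{fields[4]}", strict=False)
                method = fields[5] if len(fields) > 5 else ""
        except ValueError:
            # host names and keywords (all, samehost, samenet) are not expanded
            findings.append((no, f"address {address!r} not parsed, review by hand"))
        if conn_type in ("host", "hostnossl"):
            findings.append((no, f"{conn_type} permits unencrypted connections"))
        if method in WEAK_METHODS:
            findings.append((no, f"method {method} is weaker than scram-sha-256"))
        if net is not None and net.prefixlen < MIN_PREFIX:
            findings.append((no, f"{net} is wider than /{MIN_PREFIX}"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{line_no}: {finding}")
```

Run it after a Puppet apply, or in CI against the rendered file, so a hand-edited or newly declared rule that falls back to plain host, md5 or trust is caught before it reaches production.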
Why Choose confdroid_postgresql?
Because you get a battle-tested, consistent PostgreSQL setup that plays nicely with the rest of your ConfDroid infrastructure. No more copy-pasting config snippets across servers. Everything is version-controlled, idempotent, and ready for your CI/CD pipeline. The modules are designed to work together and are tested in doing so.
What’s Coming Next
We’re already working on:
- Optional PostgreSQL exporter for Prometheus (so your metrics just work)
- Optional Nagios checks for database health
- Expanded extension support, including TimescaleDB and other popular extensions
These can all be toggled on/off via Boolean parameters.
Ready to Get Started?
Head over to the source on our Forge: https://sourcecode.confdroid.com/confdroid/confdroid_postgresql
Try it out (best via R10k), open issues, or drop feedback in the ConfDroid feedback portal. We love hearing how you’re using these modules in the real world.
Let’s keep automating smarter — one reliable database at a time! What’s the next module you’d like to see? Let us know in the comments.
blog 26.02.2026 ConfDroid Puppet Modules – Postgresql