## ConfDroid PostgreSQL Module – Standalone Database Management Made Simple with Puppet
We’re thrilled to keep building out the ConfDroid Puppet modules series! After covering the foundational [**confdroid_puppet**](https://sourcecode.confdroid.com/confdroid/confdroid_puppet) module, we’re moving up the stack to the data layer. Today we’re excited to introduce [**confdroid_postgresql**](https://sourcecode.confdroid.com/confdroid/confdroid_postgresql) — a clean, opinionated Puppet module that gives you a fully managed, production-ready PostgreSQL instance on Rocky Linux 9 (and other compatible DNF-based systems) with Puppet 8.
Whether you’re running Gitea, SonarQube, a custom web app, or any other service that needs a reliable database backend, this module handles the heavy lifting so you can focus on your applications instead of fighting config files.
## What is confdroid_postgresql?
In short, it’s your one-stop Puppet class for deploying and managing a standalone PostgreSQL server. It installs the server and client packages, configures the service, secures access with pg_hba.conf, sets up firewall rules, enforces SELinux contexts, and optionally creates the databases and roles your applications need.
It fits perfectly into the ConfDroid layered architecture: infrastructure → platform → application. Once this module is in place, other ConfDroid modules (like [confdroid_gitea](https://sourcecode.confdroid.com/confdroid/confdroid_gitea)) can simply declare their required databases and roles — no manual SQL scripts required. Alternatively, you can use your control repo to declare roles and databases for container solutions like SonarQube, OpenProject or anything else.
## Key Features
### Core Components
– Full installation and management of `postgresql-server` and `postgresql` client packages
– Service management for `postgresql.service` via systemd
– Templated management of `postgresql.conf` and `pg_hba.conf`.
– Configuration files are populated with values from params
– Automatic firewall rules (opens port 5432 or a custom port) (requires puppetlabs-firewall)
– SELinux context enforcement for data directories and config files
– Clean separation of server and client classes for maximum flexibility
### Optional Add-Ons (controlled by simple boolean parameters)
– Installation of pg_bouncer for connection management and performance tuning
– `pl_manage_content` → create roles and databases declaratively
– `pl_manage_extensions` → install and enable PostgreSQL extensions
– `pl_use_pg_bouncer` → add connection pooling for high-traffic services
– `pl_ssl_enabled` → turn on TLS encryption (certificates managed externally)
All PostgreSQL-specific parameters are nicely prefixed with `pl_` so they never clash with other modules.
> This module is strictly for standalone PostgreSQL servers. It does not support clustering, streaming replication, Patroni, repmgr, or any high-availability setups. If you need a clustered environment, you’ll want to look at dedicated HA solutions outside this module — at least for now.
## How to Use It
### Via site.pp or node.pp
```puppet
node 'example.example.net' {
  include confdroid_postgresql
}
```
### Via Foreman
In order to apply parameters through Foreman, `confdroid_postgresql::params` must be added to the host or host group in question.
### Creating roles, databases and entries in pg_hba
In your control repo or your site/node.pp:
– role:
```puppet
confdroid_postgresql::server::roles::role_df { 'example_role':
  pl_role_name       => 'example_role',
  # Placeholder value; supply the real password via Hiera or a Foreman parameter.
  pl_role_pw         => 'SuperStrongPassword',
  pl_role_attributes => 'LOGIN',
  pl_role_status     => 'CREATE ROLE',
}
```
– database (typically requires the role to be created first):
```puppet
confdroid_postgresql::server::databases::db_df { 'example_db':
  pl_db_name      => 'example_db',
  pl_owner_name   => 'example_role',
  pl_db_action    => 'CREATE DATABASE',
  pl_db_extension => 'pg_trgm',
}
```
– pg_hba:
```puppet
confdroid_postgresql::server::pghba::pg_hba_rule { 'example db access ssl':
  pl_auth_type     => 'hostssl',
  pl_auth_database => 'example_db',
  pl_auth_user     => 'example_role',
  pl_auth_address  => '10.0.1.0/24',
  pl_auth_method   => 'scram-sha-256',
  pl_auth_order    => '020', # relevant only for ordering in the file, can be left out
  pl_auth_option   => '',
}
```
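PostgreSQL reads `pg_hba.conf` top to bottom and applies the first record that matches a connection, so the position `pl_auth_order` gives a rule decides whether that rule is ever reached. The following Python check is an added example, not code from the module: it replays the first-match logic over a constructed sample file and assumes plain names, `all` and CIDR addresses only.

```python
import ipaddress

# Constructed sample of a rendered pg_hba.conf (not output produced by the module).
SAMPLE_HBA = """\
# TYPE   DATABASE    USER          ADDRESS        METHOD
local    all         postgres                     peer
host     all         all           10.0.0.0/8     md5
hostssl  example_db  example_role  10.0.1.0/24    scram-sha-256
"""

def parse_hba(text):
    """Return the records in file order (CIDR address form only)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":            # local records have no ADDRESS column
            typ, db, user, method = fields[:4]
            addr = None
        else:
            typ, db, user, addr, method = fields[:5]
        rules.append({"type": typ, "db": db.split(","), "user": user.split(","),
                      "addr": addr, "method": method})
    return rules

def _matches(rule, db, user, ip, ssl):
    if rule["type"] == "local":             # Unix socket only, never TCP
        return False
    if rule["type"] == "hostssl" and not ssl:
        return False
    if rule["type"] == "hostnossl" and ssl:
        return False
    if "all" not in rule["db"] and db not in rule["db"]:
        return False
    if "all" not in rule["user"] and user not in rule["user"]:
        return False
    return rule["addr"] == "all" or ip in ipaddress.ip_network(rule["addr"], strict=False)

def first_match(rules, db, user, client_ip, ssl):
    """Return the record PostgreSQL would apply, or None (connection rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if _matches(rule, db, user, ip, ssl):
            return rule
    return None
```

In the sample, the broad `host` record sits above the `hostssl` record, so a TLS connection from `10.0.1.5` as `example_role` is authenticated with `md5` and the `scram-sha-256` rule is never consulted; even with the order swapped, the `host` record still admits the same client without TLS.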
Add the module to your Puppetfile with r10k (or however you deploy modules), assign the class via Foreman ENC or site.pp, and you’re done.
## Security & Best Practices
The module follows the same security-first approach as the rest of the ConfDroid collection:
– Firewall rules are automatically added and restricted (requires puppetlabs-firewall)
– Correct SELinux contexts are configured, whether you enforce SELinux or not
– SSL/TLS is easy to enable (just drop your certificates in place)
– All passwords and sensitive data should be handled via Hiera or Foreman parameters
## Why Choose confdroid_postgresql?
Because you get a battle-tested, consistent PostgreSQL setup that plays nicely with the rest of your ConfDroid infrastructure. No more copy-pasting config snippets across servers. Everything is version-controlled, idempotent, and ready for your CI/CD pipeline. The modules are designed to work together and are tested in doing so.
## What’s Coming Next
We’re already working on:
– Optional **PostgreSQL exporter** for Prometheus (so your metrics just work)
– Optional Nagios checks for database health
– Expanded extension support, including TimescaleDB and other popular extensions
These can all be toggled on/off via Boolean parameters.
## Ready to Get Started?
Head over to the source on our Forge:
https://sourcecode.confdroid.com/confdroid/confdroid_postgresql
Try it out (best via r10k), open issues, or drop feedback in the [ConfDroid feedback](https://feedback.confdroid.com/) portal. We love hearing how you’re using these modules in the real world.
Let’s keep automating smarter — one reliable database at a time!
What’s the next module you’d like to see? Let us know in the comments.


