ansible-playbooks/roles/postgres/defaults/main.yml

postgresql_user: postgres
postgresql_group: postgres

postgresql_data_dir: /db
postgresql_conf_dir: /etc/postgresql
postgresql_tls_dir: "{{ postgresql_conf_dir }}/tls"
postgresql_dhparam_file: dhparam.pem

postgresql_db: []

postgresql_string_parameters:
  - listen_addresses
  - log_destination
  - syslog_facility
  - datestyle
  - lc_monetary
  - lc_messages
  - lc_numeric
  - lc_time
  - unix_socket_directories
  - timezone
  - log_timezone
  - ssl_ciphers
  - ssl_ca_file
  - ssl_cert_file
  - ssl_key_file
  - ssl_dh_params_file


postgresql_default_config:
  listen_addresses: "{{ '*' if (host_primary_role == 'postgres') or (database_self_hosted == false) else '127.0.0.1' }}"
  max_connections: 125
  bonjour: no
  password_encryption: scram-sha-256

  wal_level: replica
  wal_init_zero: no
  wal_recycle: no

  log_destination: syslog
  syslog_facility: LOCAL0
  datestyle: "ISO, DMY"

  lc_messages: C
  lc_monetary: C
  lc_numeric: C
  lc_time: C
  unix_socket_directories: /var/run/postgresql

  log_timezone: "{{ timezone }}"
  timezone: "{{ timezone }}"

  shared_buffers: "{{ ((hardware.memory | d(512) | int) * (1024/2)) | int }}kB"
  work_mem: "{{ ((hardware.memory | d(512) | int) * (1024/35)) | round(1, 'ceil') | int }}kB"
  max_wal_size: "{{ ((hardware.disk | d(2) | float) * (1024 / 2)) | int }}MB"


postgresql_tls_config:
  ssl: yes
  ssl_ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
  ssl_prefer_server_ciphers: yes
  ssl_min_protocol_version: TLSv1.2
  ssl_ecdh_curve: secp384r1
  ssl_ca_file: "{{ postgresql_tls_dir }}/root.crt"
  ssl_cert_file: "{{ postgresql_tls_dir }}/ecc384.crt"
  ssl_key_file: "{{ postgresql_tls_dir }}/ecc384.key"
  ssl_dh_params_file: "{{ postgresql_tls_dir ~ '/' ~ postgresql_dhparam_file }}"