From 0b402a7a0a773dfa40e5549235941cd1217617d3 Mon Sep 17 00:00:00 2001
From: Luke Hoersten <luke@hoersten.org>
Date: Sun, 5 Apr 2026 20:15:02 -0500
Subject: Add re-key support for soju and postgresql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- soju: add change-password task so admin password updates on every
  playbook run via sojudb change-password
- postgresql: remove superuser password task — postgres uses peer auth
  (Unix socket), no password needed or desired
---
 postgresql/tasks/main.yaml | 1 +
 soju/tasks/main.yaml       | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/postgresql/tasks/main.yaml b/postgresql/tasks/main.yaml
index 6efa491..865f111 100644
--- a/postgresql/tasks/main.yaml
+++ b/postgresql/tasks/main.yaml
@@ -36,3 +36,4 @@
 - name: ensure postgresql is started
   become: yes
   systemd: name="postgresql" enabled="yes" state="started"
+
diff --git a/soju/tasks/main.yaml b/soju/tasks/main.yaml
index a1f2963..7a4c25f 100644
--- a/soju/tasks/main.yaml
+++ b/soju/tasks/main.yaml
@@ -53,6 +53,13 @@
   failed_when: soju_create_user.rc != 0 and 'duplicate key' not in soju_create_user.stderr
   no_log: true
 
+- name: update soju admin password
+  become: yes
+  become_user: "{{soju_user}}"
+  shell: "echo '{{soju_admin_password}}' | sojudb -config /etc/soju/config change-password {{soju_admin_user}}"
+  changed_when: false
+  no_log: true
+
 - name: install nginx stream config
   become: yes
   template:
-- 
cgit v1.2.3