CactuseSecurity · tpurschke · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -0,0 +1,5 @@
+---
+collections:
+  - name: ansible.posix
+  - name: community.general
+  - name: community.postgresql
diff --git a/documentation/developer-docs/installer/ansible_conditional_vars.md b/documentation/developer-docs/installer/ansible_conditional_vars.md
@@ -5,8 +5,8 @@
 Say you register a variable like this
 
     - name: check if there already is an ldap connection in DB
-      postgresql_query:
-        db: fworchdb
+      community.postgresql.postgresql_query:
+        login_db: fworchdb
         query: SELECT COUNT(*) FROM ldap_connection
       become: yes
       become_user: postgres

diff --git a/documentation/installer/basic-installation.md b/documentation/installer/basic-installation.md
@@ -52,6 +52,12 @@ Note that if your server is behind a proxy, you will have to set the proxy for p
 
          pip config set global.proxy http://YOUR-PROXY-NAME:YOUR-PROXY-PORT
 
+Regardless of how Ansible is installed, make sure the required collections are available (they contain the `synchronize` and PostgreSQL modules used by the playbooks):
+
+```console
+ansible-galaxy collection install -r collections/requirements.yml
+```
+
 4) Firewall Orchestrator installation
 
 ```console

diff --git a/roles/api/tasks/main.yml b/roles/api/tasks/main.yml
@@ -91,8 +91,8 @@
   become: true
 
 - name: set grants for hasura schemas (after hasura install)
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: "GRANT USAGE ON SCHEMA {{ item }} TO dbbackupusers; Grant select on ALL TABLES in SCHEMA {{ item }} to group dbbackupusers; ALTER DEFAULT PRIVILEGES IN SCHEMA {{ item }} GRANT SELECT ON TABLES TO group dbbackupusers;"
   become: true
   become_user: postgres

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -71,6 +71,11 @@
         state: present
       become: true
 
+    - name: check for existing ssh key for {{ fworch_user }}
+      stat:
+        path: "{{ fworch_home }}/.ssh/id_rsa"
+      register: fworch_existing_ssh_key
+
     - name: add user {{ fworch_user }}
       user:
         name: "{{ fworch_user }}"
@@ -79,11 +84,21 @@
         home: "{{ fworch_home }}"
         shell: /bin/bash
         group: "{{ fworch_group }}"
-        generate_ssh_key: true
+        generate_ssh_key: "{{ not fworch_existing_ssh_key.stat.exists | default(false) }}"
         ssh_key_bits: 4096
         ssh_key_file: .ssh/id_rsa
       become: true
 
+    - name: ensure ansible remote tmp directory exists
+      file:
+        path: "/tmp/.ansible-{{ fworch_user }}/tmp"
+        state: directory
+        owner: "{{ fworch_user }}"
+        group: "{{ fworch_group }}"
+        mode: "0770"
+        recurse: true
+      become: true
+
     - name: global apache config
       include_tasks: global-apache2-config.yml
       # vars:

diff --git a/roles/common/tasks/uninstall.yml b/roles/common/tasks/uninstall.yml
@@ -53,8 +53,8 @@
     when: pg_version|int >= 13
 
   - name: check if db still exists
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: "select exists(SELECT datname FROM pg_catalog.pg_database WHERE lower(datname) = lower('fworchdb'))"
     register: db_exists
 

diff --git a/roles/database/tasks/create-ro-user.yml b/roles/database/tasks/create-ro-user.yml
@@ -8,13 +8,13 @@
       role_attr_flags: LOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE
 
   - name: GRANT ro user
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: GRANT CONNECT ON DATABASE {{ fworch_db_name }} TO {{ fwo_db_ro_user }}
 
   - name: GRANT ro user all access to schemata
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: |
         GRANT USAGE ON SCHEMA {{ item }} TO {{ fwo_db_ro_user }};
         GRANT SELECT ON ALL TABLES IN SCHEMA {{ item }} TO {{ fwo_db_ro_user }};

diff --git a/roles/database/tasks/create-users.yml b/roles/database/tasks/create-users.yml
@@ -14,18 +14,18 @@
     loop: "{{ database_users }}"
 
   - name: add user dbbackup to group dbbackupusers
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: GRANT dbbackupusers TO dbbackup
 
   - name: add user fworchimporter to group configimporters
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: GRANT configimporters TO fworchimporter
 
   - name: add user fworch to group fworchadmins
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: GRANT fworchadmins TO fworch
 
   become: true

diff --git a/roles/database/tasks/install-database.yml b/roles/database/tasks/install-database.yml
@@ -54,9 +54,9 @@
   # include add-tablespace.yml here
 
   - name: make sure sorting order of psql client and postgresql server match for databases to be created
-    postgresql_query:
+    community.postgresql.postgresql_query:
       login_user: postgres
-      db: postgres
+      login_db: postgres
       query: "ALTER DATABASE template1 REFRESH COLLATION VERSION"
     when: pg_version|int >= 15
 
@@ -66,8 +66,8 @@
       state: present
 
   - name: test module postgresql_query functionality (only works with ansible >= 2.8) in case of an error message you may run scripts/install-lastes-ansible.yml
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: 'select version()'
     register: test_query
     when: ansible_version.full is version ('2.8', '>=')
@@ -82,7 +82,7 @@
 
   - name: creating {{ fworch_db_name }}-db-model
     community.postgresql.postgresql_script:
-      db: "{{ fworch_db_name }}"
+      login_db: "{{ fworch_db_name }}"
       path: "{{ database_install_dir }}/sql/creation/{{ item }}"
     loop:
       - fworch-create-tables.sql
@@ -96,7 +96,7 @@
 
   - name: add colors to the database
     postgresql_copy:
-      db: "{{ fworch_db_name }}"
+      login_db: "{{ fworch_db_name }}"
       copy_from: "{{ database_install_dir }}/csv/color.csv"
       dst: stm_color
       columns:
@@ -109,7 +109,7 @@
 
   - name: add error messages to the database
     postgresql_copy:
-      db: "{{ fworch_db_name }}"
+      login_db: "{{ fworch_db_name }}"
       copy_from: "{{ database_install_dir }}/csv/error.csv"
       dst: error
       columns:
@@ -124,7 +124,7 @@
 
   - name: add ip protocols to the database
     postgresql_copy:
-      db: "{{ fworch_db_name }}"
+      login_db: "{{ fworch_db_name }}"
       copy_from: "{{ database_install_dir }}/csv/ip-protocol-list.csv"
       dst: stm_ip_proto
       columns:

diff --git a/roles/database/tasks/main.yml b/roles/database/tasks/main.yml
@@ -160,9 +160,9 @@
   become: true
 
 - name: check if database already exists
-  postgresql_query:
+  community.postgresql.postgresql_query:
     query: SELECT count(*) FROM pg_database WHERE datname='{{ fworch_db_name }}'
-    db: postgres
+    login_db: postgres
   register: db_exists
   become: true
   become_user: postgres
@@ -194,7 +194,7 @@
 
 - name: (re)defines functions and views (idempotent)
   community.postgresql.postgresql_script:
-    db: "{{ fworch_db_name }}"
+    login_db: "{{ fworch_db_name }}"
     path: "{{ database_install_dir }}/sql/idempotent/{{ item }}"
   become: true
   become_user: postgres

diff --git a/roles/database/tasks/run-unit-tests.yml b/roles/database/tasks/run-unit-tests.yml
@@ -14,7 +14,7 @@
 
 - name: run db unit tests
   community.postgresql.postgresql_script:
-    db: "{{ fworch_db_name }}"
+    login_db: "{{ fworch_db_name }}"
     path: "{{ database_install_dir }}/sql/test/{{ item }}"
   become: true
   become_user: "postgres"

diff --git a/roles/database/tasks/upgrade-database.yml b/roles/database/tasks/upgrade-database.yml
@@ -42,7 +42,7 @@
 
 - name: install upgrades
   community.postgresql.postgresql_script:
-      db: "{{ fworch_db_name }}"
+      login_db: "{{ fworch_db_name }}"
       path: "{{ database_install_dir }}/upgrade/{{ item }}.sql"
   loop: "{{ upgrade_files | community.general.version_sort }}"
   become: true

diff --git a/roles/finalize/tasks/main.yml b/roles/finalize/tasks/main.yml
@@ -70,8 +70,8 @@
   when: "'frontends' in group_names"
 
 - name: test whether demo data is present
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       SELECT * FROM device WHERE dev_name='{{ sample_fortigate_name }}'
   register: demo_data_present

diff --git a/roles/middleware/tasks/main.yml b/roles/middleware/tasks/main.yml
@@ -159,7 +159,7 @@
     bind_pw: "{{ ldap_manager_pwd }}"
   when: installation_mode == "new"
 
-- name: Set {{ audit_user }} password in ldap
+- name: Set audit user password in ldap
   ldap_passwd:
     dn: "uid={{ audit_user }},ou=tenant0,ou=operator,ou=user,{{ openldap_path }}"
     passwd: "{{ auditor_initial_pwd }}"
@@ -169,8 +169,8 @@
   when: audit_user is defined and auditor_initial_pwd is defined and installation_mode=='new'
 
 - name: insert admin tenant0 to database
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       DO $do$ BEGIN IF NOT EXISTS
       (SELECT tenant_id FROM tenant WHERE tenant_name='tenant0')
@@ -182,8 +182,8 @@
   when: installation_mode == "new"
 
 - name: add connection for internal ldap with encrypted passwords
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       DO $do$ BEGIN 
       PERFORM insertLocalLdapWithEncryptedPasswords ('{{ openldap_server }}', {{ openldap_port }},
@@ -196,8 +196,8 @@
   when: installation_mode == "new"
 
 - name: insert admin tenant0 to device mapping - tenant0 can see all devices
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       DO $do$ BEGIN IF NOT EXISTS (SELECT * FROM tenant_to_device LEFT JOIN tenant USING (tenant_id) WHERE tenant_name='tenant0')
         THEN INSERT INTO tenant_to_device (tenant_id, device_id) 

diff --git a/roles/middleware/tasks/upgrade/5.5.5.yml b/roles/middleware/tasks/upgrade/5.5.5.yml
@@ -1,6 +1,6 @@
 - name: set ldap tenant level to 5
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       DO $do$ BEGIN IF EXISTS
       (SELECT * FROM ldap_connection

diff --git a/roles/openldap-server/templates/config.ldif.j2 b/roles/openldap-server/templates/config.ldif.j2
@@ -13,9 +13,9 @@ dn: cn=module{0},cn=config
 objectClass: olcModuleList
 cn: module{0}
 olcModulePath: /usr/lib/ldap
-olcModuleLoad: {0}back_mdb.la
-olcModuleLoad: {1}memberof.la
-olcModuleLoad: {2}refint.la
+olcModuleLoad: {0}back_mdb
+olcModuleLoad: {1}memberof
+olcModuleLoad: {2}refint
 
 # internal schema
 dn: cn=schema,cn=config

diff --git a/roles/openldap-server/templates/override.conf.j2 b/roles/openldap-server/templates/override.conf.j2
@@ -2,4 +2,6 @@
 ExecStartPre=/bin/mkdir -p /run/slapd
 ExecStartPre=/bin/chown openldap:openldap /run/slapd
 ExecStart=
-ExecStart=/usr/sbin/slapd -u {{ openldap_server_user }} -g {{ openldap_server_user }} -h "ldap://{{ openldap_server }} ldaps:///"
+Type=forking
+PIDFile=/run/slapd/slapd.pid
+ExecStart=/usr/sbin/slapd -F {{ openldap_server_app_path }}/slapd.d -u {{ openldap_server_user }} -g {{ openldap_server_user }} -h "ldap://{{ openldap_server }} ldaps:///"
diff --git a/roles/sample-auth-data/tasks/auth_sample_data.yml b/roles/sample-auth-data/tasks/auth_sample_data.yml
@@ -1,8 +1,8 @@
 - block:
 
   - name: insert tenant tenant1{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
           IF NOT EXISTS (SELECT tenant_id FROM tenant WHERE tenant_name='tenant1{{ sample_postfix }}') THEN
@@ -12,8 +12,8 @@
         END $do$
 
   - name: add device mapping for tenant tenant1{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
           IF NOT EXISTS (SELECT * FROM tenant_to_device LEFT JOIN tenant USING (tenant_id) WHERE tenant_name='tenant1{{ sample_postfix }}') THEN 
@@ -23,8 +23,8 @@
         END $do$
 
   - name: add management mapping for tenant tenant1{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
           IF NOT EXISTS (SELECT * FROM tenant_to_management LEFT JOIN tenant USING (tenant_id) WHERE tenant_name='tenant1{{ sample_postfix }}') THEN 
@@ -38,8 +38,8 @@
         END $do$
 
   - name: insert tenant tenant2{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
           IF NOT EXISTS (SELECT tenant_id FROM tenant WHERE tenant_name='tenant2{{ sample_postfix }}') THEN
@@ -49,8 +49,8 @@
         END $do$
 
   - name: add device mapping for tenant tenant2{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN 
           IF NOT EXISTS 
@@ -62,8 +62,8 @@
     when: sample_role_purpose is not match('test')
 
   - name: add management mapping for tenant tenant2{{ sample_postfix }}
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
           IF NOT EXISTS (SELECT * FROM tenant_to_management LEFT JOIN tenant USING (tenant_id) WHERE tenant_name='tenant2{{ sample_postfix }}') THEN 
@@ -77,8 +77,8 @@
         END $do$
 
   - name: insert demo tenant network data 
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
+    community.postgresql.postgresql_query:
+      login_db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN
             IF EXISTS (SELECT tenant_id FROM tenant WHERE tenant_name='tenant1_demo') THEN

diff --git a/roles/sample-auth-data/tasks/sample_owner_data.yml b/roles/sample-auth-data/tasks/sample_owner_data.yml
@@ -1,7 +1,7 @@
 - name: adding demo owner data
 
-  postgresql_query:
-    db: "{{ fworch_db_name }}"
+  community.postgresql.postgresql_query:
+    login_db: "{{ fworch_db_name }}"
     query: >
       DO $do$ BEGIN
         INSERT INTO owner (name, dn, group_dn, is_default, tenant_id, recert_interval, app_id_external)