Support alternative database socket usage #185

Open
tyler-8 opened this issue Jun 25, 2024 · 2 comments
Comments

tyler-8 (Collaborator) commented Jun 25, 2024

The role task currently assumes the database socket (if used) is auth-less and port-less. However in some circumstances (like when using pgbouncer locally, to access a remote db), passwords and ports are necessary to define for the socket.

This behavior could be controlled with a simple variable flag, for example: netbox_database_use_alt_socket: true to ensure only one type of socket validation task is used.

```yaml
- name: Ensure Postgres database exists (via socket with password/port)
  community.postgresql.postgresql_db:
    name: "{{ netbox_database }}"
    login_user: "{{ netbox_database_user }}"
    login_unix_socket: "{{ netbox_database_socket }}"
    port: "{{ netbox_database_port }}"
    login_password: "{{ netbox_database_password }}"
    maintenance_db: "{{ netbox_database_maintenance }}"
  become: true
  become_user: "{{ netbox_database_user }}"
  when:
    - netbox_database_socket is defined
    - netbox_database_use_alt_socket
    - netbox_database_host is not defined
```
lae (Owner) commented Jul 1, 2024

I believe we can still use the same task, just use the omit filter for the port/login password.
Although since netbox_database_port technically has a default I guess omit wouldn't make any difference, but I'm not sure if specifying it here for standard socket use will cause a problem or not.

lae added the enhancement label Jul 1, 2024

tyler-8 (Collaborator, Author) commented Dec 16, 2024

In tinkering with this one more, I think this task is making too many assumptions about the environment that I've been running into problems with, particularly when using pgbouncer on the app server.

- It's possible netbox_database_user is not a database admin user with privileges to create databases, only permissions to fully manage an existing netbox_database. This task fails when the user can't create a database, even if the netbox_database database already exists but is using a local alias via pgbouncer that differs from the real database. Let's say the "real" database name is "netbox", but the local pgbouncer instance is calling it "netbox-local"; so all queries from NetBox/Django go to netbox-local and pgbouncer is proxying them to the real name, essentially. But the Ansible module is doing `SELECT * FROM pg_database WHERE datname=%(db)s` to determine if the database exists and so it tries to re-create the database in this scenario since the aliased DB name doesn't show up in the results.

  ```text
  TASK [lae.netbox : Ensure Postgres database exists (via socket)] *********************************************************************************************************************
  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: psycopg2.errors.InsufficientPrivilege: permission denied to create database
  fatal: [mynetboxserver.example.com]: FAILED! => {"changed": false, "msg": "Database query failed: permission denied to create database\n"}
  ```

- In an environment where pgbouncer is running on the same server as NetBox, netbox_database_user is not an OS user and Ansible throws an error when trying to become_user for the task. In my local branch I use `become_user: "{{ netbox_user }}"` here and it works fine.

  ```text
  TASK [lae.netbox : Ensure Postgres database exists (via socket)] *********************************************************************************************************************
  fatal: [mynetboxserver.example.com]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:netboxdbuser:rx:allow’\nTry 'chmod --help' for more information.\n}). For information on working around this, see https://docs.ansible.com/ansible-core/2.17/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user"}
  ```

I'm not entirely sure what the best path would be to address all of these, especially given they're quite specific to certain environments - I think ultimately having some way to maybe skip this task altogether (using tags?) would suffice and minimize the headache that the role needs to address.
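As an added example (not the role's own task and not code from either commenter), one way to combine the suggestions in this thread into a single task: `omit` drops the port and password unless the alternative socket flag is set, `become_user` runs as the NetBox OS user instead of the database user, and a tag lets the whole check be skipped. The variable names come from the issue; the tag name `netbox_database_check` is a hypothetical addition.

```yaml
# Added example, not the lae.netbox role's own task. netbox_database_*,
# netbox_user and netbox_database_use_alt_socket are the names used in
# this issue; the tag name "netbox_database_check" is hypothetical.
- name: Ensure Postgres database exists (via socket)
  community.postgresql.postgresql_db:
    name: "{{ netbox_database }}"
    login_user: "{{ netbox_database_user }}"
    login_unix_socket: "{{ netbox_database_socket }}"
    # Pass port and password only for the alternative (pgbouncer-style)
    # socket; for a plain auth-less socket, omit leaves them unset so the
    # module behaves exactly as it did before.
    port: "{{ netbox_database_port if netbox_database_use_alt_socket | default(false) else omit }}"
    login_password: "{{ netbox_database_password if netbox_database_use_alt_socket | default(false) else omit }}"
    maintenance_db: "{{ netbox_database_maintenance }}"
  become: true
  # The database user may not exist as an OS account (pgbouncer on the app
  # server), so become the NetBox OS user instead.
  become_user: "{{ netbox_user }}"
  when:
    - netbox_database_socket is defined
    - netbox_database_host is not defined
  # Allows the check to be skipped entirely when the DB user lacks CREATEDB
  # or the database is reached through a pgbouncer alias.
  tags:
    - netbox_database_check
```

Running the play with `--skip-tags netbox_database_check` bypasses the existence check for environments where the aliased database name never appears in pg_database.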
