linux-system-roles · richm · May 7, 2026 · May 7, 2026 · sourcery-ai · May 7, 2026
@@ -150,6 +150,20 @@ container build is independent of the actual deployment.
 
 See the [`examples/`](examples) for details.
 
+### postgresql_secure_logging
+
+If `true`, suppress potentially sensitive output from tasks that handle
+credentials, secrets, and other sensitive data by setting `no_log: true` on
+those tasks. This prevents passwords, API tokens, private keys, and similar
+sensitive information from appearing in Ansible logs and console output.
+
+If you need to debug issues with credential handling or secret management, you
+can temporarily set `postgresql_secure_logging: false` to see the full output from
+these tasks. However, be aware that this may expose sensitive information in
+logs, so it should only be used in development or troubleshooting scenarios.
+
+Default: `true`
+
 ## Idempotence
 
 This section should cover role behavior for repeated runs.

@@ -23,3 +23,4 @@ postgresql_ssl_enable: false
 #     dns: ['localhost', 'www.example.com']
 #     ca: self-sign
 postgresql_certificates: []
+postgresql_secure_logging: true
@@ -7,6 +7,7 @@
 
 - name: Gather the package facts
   package_facts:
+  no_log: "{{ ansible_verbosity < 2 }}"
 
 - name: Check if requested version is supported in the system (RHEL8)
   fail:
@@ -133,7 +134,7 @@
         cmd: >
           psql -c "ALTER USER postgres WITH ENCRYPTED PASSWORD
           '{{ postgresql_password }}';"
-      no_log: true
+      no_log: "{{ postgresql_secure_logging }}"
       changed_when: false
 
     - name: Enable logging in by password