jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-27 00:05:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-03-18 15:00

Browse Source
This commit is contained in:
Daniel Berteaud
2022-03-18 15:00:07 +01:00
parent 74ba55223d
commit 897e3c74b4
8 changed files with 50 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
roles/postgresql_server/defaults/main.yml
View File

@@ -35,6 +35,9 @@ pg_base_conf:
lc_monetary: fr_FR.UTF-8
lc_numeric: fr_FR.UTF-8
lc_time: fr_FR.UTF-8
ssl_cert_file: /var/lib/pgsql/ssl/server.crt
ssl_key_file: /var/lib/pgsql/ssl/server.key
ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"
pg_extra_conf: {}
pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"
@@ -74,4 +77,6 @@ pg_privs: []
# Databases and roles to remove
pg_databases_to_remove: []
pg_roles_to_remove: []
...
# If defined, a Let's Encrypt cert will be obtained and used
# pg_letsencrypt_cert: postgres.example.org

17
roles/postgresql_server/tasks/main.yml
View File

@@ -14,6 +14,23 @@
name: "{{ pg_packages }}"
tags: pg
- name: Create ssl directory
file: path=/var/lib/pgsql/ssl state=directory owner=postgres group=postgres mode=700
tags: pg
- name: Create default self-signed cert
import_tasks: ../includes/create_selfsigned_cert.yml
vars:
- cert_path: /var/lib/pgsql/ssl/server.crt
- cert_key_path: /var/lib/pgsql/ssl/server.key
- cert_key_group: postgres
- cert_key_mode: 0640
tags: pg
- name: Install dehydrated hook
template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/postgresql mode=755
tags: pg
- name: Check if PG_VERSION exists
stat: path=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/PG_VERSION
register: pg_version_file

20
roles/postgresql_server/templates/dehydrated_hook.j2 Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
{% if pg_letsencrypt_cert is defined %}
if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/fullchain.pem /var/lib/pgsql/ssl/server.crt
cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/privkey.pem /var/lib/pgsql/ssl/server.key
chown root:postgres /var/lib/pgsql/ssl/server.key
chown root:root /var/lib/pgsql/ssl/server.crt
chmod 640 /var/lib/pgsql/ssl/server.key
chmod 644 /var/lib/pgsql/ssl/server.crt
systemctl reload postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}
fi
{% else %}
# No Let's Encrypt cert configured, nothing to do
exit 0
{% endif %}