Update to 2022-03-18 15:00

roles/coturn/tasks/main.yml

@@ -43,7 +43,7 @@
   vars:
     - cert_path: /etc/coturn/ssl/cert.pem
     - cert_key_path: /etc/coturn/ssl/key.pem
-    - cert_user: coturn
+    - cert_key_user: coturn
   tags: turn
 
 - name: Deploy dehydrated hook

roles/includes/create_selfsigned_cert.yml

@@ -21,4 +21,4 @@
     creates: "{{ cert_path }}"
 
 - name: Restrict permissions of the private key
-  file: path={{ cert_key_path }} owner={{ cert_user | default(omit) }} group={{ cert_group | default(omit) }} mode={{ cert_mode | default('600') }}
+  file: path={{ cert_key_path }} owner={{ cert_key_user | default(omit) }} group={{ cert_key_group | default(omit) }} mode={{ cert_key_mode | default('600') }}

roles/letsencrypt/templates/domains.txt.j2

@@ -49,3 +49,6 @@
 {% endif %}
 {% endfor %}
 {% endif %}
+{% if pg_letsencrypt_cert is defined and pg_letsencrypt_cert is string and pg_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ pg_letsencrypt_cert }}
+{% endif %}

roles/nginx/tasks/ssl.yml

@@ -3,7 +3,7 @@
   vars:
     - cert_path: /etc/nginx/ssl/cert.pem
     - cert_key_path: /etc/nginx/ssl/key.pem
-    - cert_user: nginx
+    - cert_key_user: nginx
   tags: web
 
 - name: Create DH param

roles/postgresql_server/defaults/main.yml

@@ -35,6 +35,9 @@ pg_base_conf:
   lc_monetary: fr_FR.UTF-8
   lc_numeric: fr_FR.UTF-8
   lc_time: fr_FR.UTF-8
+  ssl_cert_file: /var/lib/pgsql/ssl/server.crt
+  ssl_key_file: /var/lib/pgsql/ssl/server.key
+  ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"
 
 pg_extra_conf: {}
 pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"
@@ -74,4 +77,6 @@ pg_privs: []
 # Databases and roles to remove
 pg_databases_to_remove: []
 pg_roles_to_remove: []
-...
+
+# If defined, a Let's Encrypt cert will be obtained and used
+# pg_letsencrypt_cert: postgres.example.org

roles/postgresql_server/tasks/main.yml

@@ -14,6 +14,23 @@
     name: "{{ pg_packages }}"
   tags: pg
 
+- name: Create ssl directory
+  file: path=/var/lib/pgsql/ssl state=directory owner=postgres group=postgres mode=700
+  tags: pg
+
+- name: Create default self-signed cert
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /var/lib/pgsql/ssl/server.crt
+    - cert_key_path: /var/lib/pgsql/ssl/server.key
+    - cert_key_group: postgres
+    - cert_key_mode: 0640
+  tags: pg
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/postgresql mode=755
+  tags: pg
+
 - name: Check if PG_VERSION exists
   stat: path=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/PG_VERSION
   register: pg_version_file

roles/postgresql_server/templates/dehydrated_hook.j2

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+{% if pg_letsencrypt_cert is defined %}
+
+if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/fullchain.pem /var/lib/pgsql/ssl/server.crt
+  cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/privkey.pem /var/lib/pgsql/ssl/server.key
+  chown root:postgres /var/lib/pgsql/ssl/server.key
+  chown root:root /var/lib/pgsql/ssl/server.crt
+  chmod 640 /var/lib/pgsql/ssl/server.key
+  chmod 644 /var/lib/pgsql/ssl/server.crt
+  systemctl reload postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}
+fi
+
+{% else %}
+
+# No Let's Encrypt cert configured, nothing to do
+exit 0
+
+{% endif %}

roles/rabbitmq_server/tasks/conf.yml

@@ -12,7 +12,7 @@
   vars:
     - cert_path: /etc/rabbitmq/ssl/cert.pem
     - cert_key_path: /etc/rabbitmq/ssl/key.pem
-    - cert_user: rabbitmq
+    - cert_key_user: rabbitmq
   tags: rabbitmq
 
 - name: Check if the cert chain exists