library/roles/postgresql: Configure ssl for pgpool too, if enabled. Option to force ssl client connections to postgres.
parent
2544a66b68
commit
ebe5e5e79f
@ -33,6 +33,7 @@ psql_conf_parameters:
# SSL as a special case
psql_enable_ssl: False
psql_force_ssl_client_connection: False
postgresql_letsencrypt_managed: True
psql_conf_ssl_parameters:
- { name: 'ssl', value: 'true' }
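Review bot: The new default `psql_force_ssl_client_connection: False` spells the boolean in the YAML 1.1 capitalised form, as do the neighbouring `psql_enable_ssl: False` / `postgresql_letsencrypt_managed: True` and, in the pgpool hunk below, `pgpool_enable_ssl: False` / `pgpool_letsencrypt_managed: True` / `psql_restart_after_wal_enabling: True`; Ansible accepts it, but yamllint's truthy rule and strict YAML 1.2 parsers do not, so `psql_force_ssl_client_connection: false` is the portable spelling. Forcing `hostssl` entries is only useful when `psql_enable_ssl` is true as well, and the two flags default independently with nothing in this hunk tying them together; a comment such as `# only meaningful together with psql_enable_ssl: clients are locked out otherwise` next to the new variable would spare the next operator a surprise.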
@ -125,6 +126,14 @@ pgpool_memqcache_memcached_port: 11211
pgpool_memqcache_expire: 0
pgpool_memqcache_auto_cache_invalidation: 'on'
# SSL as a special case
pgpool_enable_ssl: False
pgpool_letsencrypt_managed: True
pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key
pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
pgpool_ssl_ca_dir: /etc/ssl/certs
# WAL files archiving is mandatory for pgpool recovery
psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}'
psql_restart_after_wal_enabling: True
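Review bot: `pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key` duplicates a path that the new hook script in this same commit hard-codes as `PGPOOL2_CERTDIR=/etc/pki/pgpool2` and `PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key`; since the script is installed with `copy` rather than `template`, overriding `pgpool_ssl_key` moves where pgpool.conf looks for the key but not where the hook writes it, and pgpool would then fail to start with SSL enabled. Either render the script from these variables or add `# must match PGPOOL2_KEYFILE in pgpool-letsencrypt-acme.sh, which is not templated` above `pgpool_ssl_key`. `pgpool_ssl_cert` and `pgpool_ssl_ca` point straight into `/var/lib/acme/live/{{ ansible_fqdn }}/` while the hook copies only `privkey`; whether the account pgpool runs as can read the cert and chain there is not shown in this commit and is worth confirming.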
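--- /dev/null
+++ b/pgpool-letsencrypt-acme.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+PGPOOL2_CERTDIR=/etc/pki/pgpool2
+PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key
+DATE=$( date )
+
+[ ! -d $PGPOOL2_CERTDIR ] && mkdir -p $PGPOOL2_CERTDIR
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/pgpool2.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+. /etc/default/letsencrypt
+else
+echo "No letsencrypt default file" >> $LE_LOG_DIR/pgpool2.log
+fi
+
+echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log
+cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}
+chmod 440 ${PGPOOL2_KEYFILE}
+chgrp postgres ${PGPOOL2_KEYFILE}
+
+echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
+if [ -x /bin/systemctl ] ; then
+systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
+else
+service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/pgpool2.log
+
+exit 0
+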
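Review bot: The private key is copied with `cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}` and only afterwards restricted by `chmod 440` and `chgrp postgres`, so on the first run the new file is created under the caller's umask and can sit world-readable until the chmod runs; a single `install -o root -g postgres -m 0440 "${LE_CERTS_DIR}/privkey" "${PGPOOL2_KEYFILE}"` replaces the three lines and closes that window. The script has no `set -e` and ends in an unconditional `exit 0`, so a failed copy (missing `privkey`, wrong hostname in `LE_CERTS_DIR`) still reloads pgpool2 with a stale key and reports success to acmetool; `set -e` after the shebang and dropping the explicit `exit 0` would surface the failure. `mkdir $LE_LOG_DIR` on the second line without `-p` and the unquoted `$H_NAME`/`$LE_LOG_DIR` expansions are the same class of fragility; `mkdir -p` and quoting fix them.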
@ -6,7 +6,7 @@
# - { name: 'db_name', user: 'db_user', pwd: 'db_pwd', allowed_hosts: [ '146.48.123.17/32', '146.48.122.110/32' ] }
#
- name: Give access to the remote postgresql client
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
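Review bot: `{{ item.1 }}` is interpolated into the `regexp` unescaped, so in an address like `146.48.123.17/32` (the example in the comment above) every `.` matches any character and the pattern can also match an adjacent entry; `{{ item.1 | regex_escape }}`, and the same filter on `item.0.name` and `item.0.user`, pins the match to the literal values. The widening from `^host ` to `^host.* ` is what lets this task and the new `hostssl` task below replace each other's line when `psql_force_ssl_client_connection` flips, which looks intended, but it silently also rewrites a hand-added `hostnossl` entry for the same db/user/address; a comment such as `# host.* so that an existing host/hostssl/hostnossl entry for this db/user/cidr is replaced` would record that.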
@ -14,6 +14,20 @@
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- not psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba' ]
- name: Give access to the remote postgresql client, force ssl
lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
with_subelements:
- '{{ psql_db_data | default([]) }}'
- allowed_hosts
when:
- psql_listen_on_ext_int
- psql_db_data is defined
- item.1 is defined
- psql_force_ssl_client_connection
notify: Reload postgresql
tags: [ 'postgresql', 'postgres', 'pg_hba' ]
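Review bot: With `psql_force_ssl_client_connection` true and `psql_enable_ssl` false, the new "force ssl" task writes `hostssl` entries that can never match, because a `hostssl` rule only applies to TLS connections and a server with `ssl` off accepts none, so every remote client is locked out while the play reports success; assuming `psql_enable_ssl` is what turns `ssl` on in postgresql.conf (outside this hunk), an `assert` task before this one with `that: psql_enable_ssl` and a message naming both variables, run `when: psql_force_ssl_client_connection`, turns that into a visible failure. The task is otherwise a copy of the one above differing only in `host`/`hostssl` and the negated `when`; a single task with `line="{{ 'hostssl' if psql_force_ssl_client_connection else 'host' }} {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"` and no `psql_force_ssl_client_connection` condition would remove the duplicated loop and conditions. `md5` is carried over unchanged from the old task, so it is not a point against this commit, but the new `hostssl` line is the natural place to make the auth method a variable.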
@ -33,5 +33,9 @@
when:
- postgresql_letsencrypt_managed
- letsencrypt_acme_install is defined
- include: pgpool-letsencrypt-acmetool.yml
when:
- pgpool_letsencrypt_managed
- letsencrypt_acme_install is defined
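Review bot: The new `- include: pgpool-letsencrypt-acmetool.yml` is gated only on `pgpool_letsencrypt_managed` (which this commit defaults to `True`) and `letsencrypt_acme_install is defined`, not on `pgpool_enable_ssl` or on pgpool being installed at all (`psql_pgpool_install` exists in the defaults), so on every host with acmetool the hook is installed and on each renewal copies the Let's Encrypt private key into `/etc/pki/pgpool2/` and reloads pgpool2, even where pgpool has SSL off or is absent. Adding `- pgpool_enable_ssl` (and `- psql_pgpool_install` if that is the install switch) to the `when:` keeps the key copy limited to hosts that use it. The include tests `letsencrypt_acme_install is defined` while the included tasks test its truthiness with `- letsencrypt_acme_install`; one form in both places would be clearer.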
@ -0,0 +1,15 @@
---
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
when:
- pgpool_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
- name: Install a script that fix the letsencrypt certificate for postgresql and then reload the service
copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
when:
- pgpool_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
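Review bot: `mode=4555` on the `copy` of the hook script sets the setuid bit on a root-owned file; the kernel ignores setuid on interpreted scripts, so it gains nothing, and a setuid file under the acme hooks directory is exactly what a permissions audit will flag — `mode=0755` is all a hook run by root needs. The task name says "for postgresql" but this file installs the pgpool hook; `Install a script that fixes the letsencrypt certificate for pgpool2 and then reloads the service` describes it. The `when:` conditions are repeated on both tasks although the include in main.yml already carries them; dropping them here or on the include avoids the two drifting apart.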
@ -77,25 +77,14 @@ authentication_timeout = 60
# Delay in seconds to complete client authentication
# 0 means no timeout.
{% if pgpool_enable_ssl %}
# - SSL Connections -
ssl = off
# Enable SSL support
# (change requires restart)
#ssl_key = './server.key'
# Path to the SSL private key file
# (change requires restart)
#ssl_cert = './server.cert'
# Path to the SSL public certificate file
# (change requires restart)
#ssl_ca_cert = ''
# Path to a single PEM format file
# containing CA root certificate(s)
# (change requires restart)
#ssl_ca_cert_dir = ''
# Directory containing CA root certificate(s)
# (change requires restart)
ssl = on
ssl_key = '{{ pgpool_ssl_key }}'
ssl_cert = '{{ pgpool_ssl_cert }}'
ssl_ca_cert = '{{ pgpool_ssl_ca }}'
ssl_ca_cert_dir = '{{ pgpool_ssl_ca_dir }}'
{% endif %}
#------------------------------------------------------------------------------
# POOLS
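Review bot: Inside `{% if pgpool_enable_ssl %}` the template sets `ssl_key = '{{ pgpool_ssl_key }}'`, but the only thing in this commit that creates that file is the Let's Encrypt hook, which is gated on `pgpool_letsencrypt_managed`; with `pgpool_enable_ssl` true and `pgpool_letsencrypt_managed` false nothing provides the key and pgpool will not start, so a comment above the block such as `{# the key file is written by the letsencrypt hook when pgpool_letsencrypt_managed is set; otherwise it has to be provisioned separately #}` would document the dependency. I cannot tell from this rendering whether the explicit `ssl = off` line survives on the new side; if the whole SSL stanza now lives inside the `if`, the non-SSL case renders nothing, and an `{% else %}` followed by `ssl = off` before `{% endif %}` keeps the setting explicit in the generated pgpool.conf.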