From ebe5e5e79f3d477c98d67ef71803fee32577db66 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 12 Jul 2016 16:19:48 +0200 Subject: [PATCH] library/roles/postgresql: Configure ssl for pgpool too, if enable. Option to force ssl client connections to postgres. --- postgresql/defaults/main.yml | 9 +++++ postgresql/files/pgpool-letsencrypt-acme.sh | 36 +++++++++++++++++++ postgresql/tasks/configure-access.yml | 16 ++++++++- postgresql/tasks/main.yml | 4 +++ .../tasks/pgpool-letsencrypt-acmetool.yml | 15 ++++++++ postgresql/templates/pgpool.conf.j2 | 25 ++++--------- 6 files changed, 86 insertions(+), 19 deletions(-) create mode 100644 postgresql/files/pgpool-letsencrypt-acme.sh create mode 100644 postgresql/tasks/pgpool-letsencrypt-acmetool.yml diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 32e10d53..958d1fee 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -33,6 +33,7 @@ psql_conf_parameters: # SSL as a special case psql_enable_ssl: False +psql_force_ssl_client_connection: False postgresql_letsencrypt_managed: True psql_conf_ssl_parameters: - { name: 'ssl', value: 'true' } @@ -125,6 +126,14 @@ pgpool_memqcache_memcached_port: 11211 pgpool_memqcache_expire: 0 pgpool_memqcache_auto_cache_invalidation: 'on' +# SSL as a special case +pgpool_enable_ssl: False +pgpool_letsencrypt_managed: True +pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key +pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' +pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain' +pgpool_ssl_ca_dir: /etc/ssl/certs + # WAL files archiving is mandatory for pgpool recovery psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}' psql_restart_after_wal_enabling: True diff --git a/postgresql/files/pgpool-letsencrypt-acme.sh b/postgresql/files/pgpool-letsencrypt-acme.sh new file mode 100644 index 00000000..4093f67b --- /dev/null +++ b/postgresql/files/pgpool-letsencrypt-acme.sh 
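Review bot: `psql_force_ssl_client_connection: False` is added two lines below `psql_enable_ssl: False` without any note that the two are coupled: a `hostssl` rule in pg_hba.conf only matches SSL connections, so forcing it while the server has SSL disabled leaves the listed remote clients unable to connect at all, rather than forced to encrypt. A one-line comment above the new default would make that explicit: `# Only meaningful together with psql_enable_ssl: True — hostssl rules never match when the server has SSL off`. The tasks that consume the flag in configure-access.yml are where an actual guard belongs, but the defaults file is where a reader first meets the variable.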
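Review bot: `pgpool_ssl_key` points at `/etc/pki/pgpool2/pgpool2.key`, a file that only comes into existence once the acme hook added by this patch has copied it there, so with `pgpool_letsencrypt_managed: False` the operator has to place a key at that path by hand and nothing in the defaults says so. `pgpool_ssl_cert` and `pgpool_ssl_ca` are read straight out of `/var/lib/acme/live/{{ ansible_fqdn }}/`, which presumes the account pgpool2 runs under can read acmetool's live directory; that is not visible on this page and is worth a sentence. Suggested comments: `# Copied here by pgpool-letsencrypt-acme.sh; supply the key yourself when pgpool_letsencrypt_managed is False` above `pgpool_ssl_key`, and `# Read directly from acmetool's live dir — the pgpool2 service account needs read access` above `pgpool_ssl_cert`.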
@@ -0,0 +1,36 @@ +#!/bin/bash + +H_NAME=$( hostname -f ) +LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks +LE_CERTS_DIR=/var/lib/acme/live/$H_NAME +LE_LOG_DIR=/var/log/letsencrypt +PGPOOL2_CERTDIR=/etc/pki/pgpool2 +PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key +DATE=$( date ) + +[ ! -d $PGPOOL2_CERTDIR ] && mkdir -p $PGPOOL2_CERTDIR +[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR +echo "$DATE" >> $LE_LOG_DIR/pgpool2.log + +if [ -f /etc/default/letsencrypt ] ; then + . /etc/default/letsencrypt +else + echo "No letsencrypt default file" >> $LE_LOG_DIR/pgpool2.log +fi + +echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log +cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE} +chmod 440 ${PGPOOL2_KEYFILE} +chgrp postgres ${PGPOOL2_KEYFILE} + +echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log +if [ -x /bin/systemctl ] ; then + systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1 +else + service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1 +fi + +echo "Done." >> $LE_LOG_DIR/pgpool2.log + +exit 0 + diff --git a/postgresql/tasks/configure-access.yml b/postgresql/tasks/configure-access.yml index 30154ba1..ca4ff1fc 100644 --- a/postgresql/tasks/configure-access.yml +++ b/postgresql/tasks/configure-access.yml @@ -6,7 +6,7 @@ # - { name: 'db_name', user: 'db_user', pwd: 'db_pwd', allowed_hosts: [ '146.48.123.17/32', '146.48.122.110/32' ] } # - name: Give access to the remote postgresql client - lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" + lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" with_subelements: - '{{ psql_db_data | default([]) }}' - allowed_hosts 
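Review bot: The private key is copied with `cp` and only afterwards restricted by `chmod 440` and `chgrp postgres`, so on the first run the new `pgpool2.key` briefly carries the umask-default mode (typically 0644, world-readable), and if `cp` fails the script still goes on to reload the service with a stale or missing key. Creating the file with its final ownership and mode in one step, and stopping on failure, avoids both: `install -o root -g postgres -m 0440 "${LE_CERTS_DIR}/privkey" "${PGPOOL2_KEYFILE}" || { echo "Key copy failed" >> "$LE_LOG_DIR/pgpool2.log"; exit 1; }`. The unquoted `$PGPOOL2_CERTDIR` and `$LE_LOG_DIR` expansions and the absence of `set -e` are worth fixing in the same pass, and the choice of group `postgres` assumes pgpool2 runs under that group, which nothing on the page confirms.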
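Review bot: Loosening the `lineinfile` regexp from `^host ` to `^host.* ` makes the task own any pg_hba line whose first token merely starts with `host`, including `hostnossl` entries, and the greedy `.*` will also absorb whatever sits between `host` and the database name rather than requiring the fields to follow immediately. A bounded form that still catches both spellings this patch toggles between is `regexp="^host(ssl)? {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$"`; whether existing `hostnossl` lines should be rewritten when SSL is forced is a policy choice the commit does not state. The same regexp is repeated in the `force ssl` task of the next hunk and should be changed there too.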
@@ -14,6 +14,20 @@ - psql_listen_on_ext_int - psql_db_data is defined - item.1 is defined + - not psql_force_ssl_client_connection + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_hba' ] + +- name: Give access to the remote postgresql client, force ssl + lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_listen_on_ext_int + - psql_db_data is defined + - item.1 is defined + - psql_force_ssl_client_connection notify: Reload postgresql tags: [ 'postgresql', 'postgres', 'pg_hba' ] diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index 115e215e..36fe4d16 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -33,5 +33,9 @@ when: - postgresql_letsencrypt_managed - letsencrypt_acme_install is defined +- include: pgpool-letsencrypt-acmetool.yml + when: + - pgpool_letsencrypt_managed + - letsencrypt_acme_install is defined diff --git a/postgresql/tasks/pgpool-letsencrypt-acmetool.yml b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml new file mode 100644 index 00000000..dc2f333d --- /dev/null +++ b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml 
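Review bot: The `force ssl` task writes `hostssl` rules whenever `psql_force_ssl_client_connection` is true, but nothing checks that `psql_enable_ssl` is true as well; `hostssl` entries match only SSL connections, so with the server's SSL disabled every remote client listed in `psql_db_data` is locked out instead of being forced to encrypt, and because the plain `host` task is now skipped under `not psql_force_ssl_client_connection` no rule at all is left behind. An `assert` task before these two with `that: psql_enable_ssl or not psql_force_ssl_client_connection` and a message naming both flags would fail the run with a clear cause. The two tasks otherwise differ only in the `host`/`hostssl` prefix; a single task with `line="{{ 'hostssl' if psql_force_ssl_client_connection else 'host' }} {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"` and without the paired force conditions would avoid keeping two regexps in sync.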
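Review bot: The new include is gated on `pgpool_letsencrypt_managed` and `letsencrypt_acme_install is defined`, both satisfied by default (`pgpool_letsencrypt_managed: True` in this patch's defaults), but not on `psql_pgpool_install` or `pgpool_enable_ssl`; on a plain postgresql host that has acmetool the hook is therefore installed and, at every renewal, copies the key, `chgrp postgres` it and attempts `systemctl reload pgpool2` for a service that may not exist there. Adding `- psql_pgpool_install` and `- pgpool_enable_ssl` to the `when` keeps the hook to hosts that actually serve TLS through pgpool. The included file tests `letsencrypt_acme_install` for truthiness while this include tests `is defined`; the mismatch is harmless today because the inner tasks skip, but it is worth aligning so the intent is readable in one place.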
@@ -0,0 +1,15 @@ +--- +- name: Create the acme hooks directory if it does not yet exist + file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root + when: + - pgpool_letsencrypt_managed + - letsencrypt_acme_install + tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] + +- name: Install a script that fix the letsencrypt certificate for postgresql and then reload the service + copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555 + when: + - pgpool_letsencrypt_managed + - letsencrypt_acme_install + tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] + diff --git a/postgresql/templates/pgpool.conf.j2 b/postgresql/templates/pgpool.conf.j2 index 04f3d9ff..14fc72bb 100644 --- a/postgresql/templates/pgpool.conf.j2 +++ b/postgresql/templates/pgpool.conf.j2 @@ -77,25 +77,14 @@ authentication_timeout = 60 # Delay in seconds to complete client authentication # 0 means no timeout. +{% if pgpool_enable_ssl %} # - SSL Connections - - -ssl = off - # Enable SSL support - # (change requires restart) -#ssl_key = './server.key' - # Path to the SSL private key file - # (change requires restart) -#ssl_cert = './server.cert' - # Path to the SSL public certificate file - # (change requires restart) -#ssl_ca_cert = '' - # Path to a single PEM format file - # containing CA root certificate(s) - # (change requires restart) -#ssl_ca_cert_dir = '' - # Directory containing CA root certificate(s) - # (change requires restart) - +ssl = on +ssl_key = '{{ pgpool_ssl_key }}' +ssl_cert = '{{ pgpool_ssl_cert }}' +ssl_ca_cert = '{{ pgpool_ssl_ca }}' +ssl_ca_cert_dir = '{{ pgpool_ssl_ca_dir }}' +{% endif %} #------------------------------------------------------------------------------ # POOLS
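Review bot: The hook script is installed with `mode=4555`, i.e. setuid root on a shell script; Linux ignores the setuid bit on interpreted scripts, so the bit does nothing useful, while a setuid-root file in the acme hooks directory is exactly what a permissions audit will flag. `mode=0755` with the `owner=root` already set is sufficient for acmetool to execute it. The task name `Install a script that fix the letsencrypt certificate for postgresql and then reload the service` looks copied from the postgresql variant; it should describe this file, e.g. `Install the acme hook that copies the letsencrypt key for pgpool2 and reloads the service`, since that is what the script does.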
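Review bot: `ssl_ca_cert` is wired to `pgpool_ssl_ca`, which the defaults point at acmetool's `chain` file, i.e. the issuing intermediate(s), whereas the comment this hunk removes describes the parameter as a file `containing CA root certificate(s)`; whether pgpool accepts an intermediate-only file here, and what it verifies with it, should be confirmed before both `ssl_ca_cert` and `ssl_ca_cert_dir` are set, because a wrong CA file turns SSL on yet fails every handshake that is verified. The hunk also drops the explanatory comments for all five `ssl_*` parameters instead of keeping them beside the new values; `# (change requires restart)` next to `ssl = on` matters in particular because the acme hook in this patch only issues `reload`. Whether pgpool re-reads the key and certificate files on reload is not something this page establishes, so a one-line note in the template, `# NOTE: pgpool may re-read ssl_key/ssl_cert only on restart — confirm against the installed version`, would at least record the open question.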