From 4edbd0350ae482ea9f5a0433d70d5991a2ecb3b4 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 19 Jan 2017 16:43:04 +0100
Subject: [PATCH] library/roles/postgresql: Fix the ssl key permissions.
---
 postgresql/files/pgpool-letsencrypt-acme.sh | 1 +
 postgresql/files/postgresql-letsencrypt-acme.sh | 1 +
 postgresql/tasks/pgpool-letsencrypt-acmetool.yml | 2 ++
 3 files changed, 4 insertions(+)
diff --git a/postgresql/files/pgpool-letsencrypt-acme.sh b/postgresql/files/pgpool-letsencrypt-acme.sh
index 4093f67b..38ac48b9 100644
--- a/postgresql/files/pgpool-letsencrypt-acme.sh
+++ b/postgresql/files/pgpool-letsencrypt-acme.sh
@@ -21,6 +21,7 @@ fi
 echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log
 cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}
 chmod 440 ${PGPOOL2_KEYFILE}
+chown root ${PGPOOL2_KEYFILE}
 chgrp postgres ${PGPOOL2_KEYFILE}
 echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
diff --git a/postgresql/files/postgresql-letsencrypt-acme.sh b/postgresql/files/postgresql-letsencrypt-acme.sh
index 571cc2d7..a84824c9 100644
--- a/postgresql/files/postgresql-letsencrypt-acme.sh
+++ b/postgresql/files/postgresql-letsencrypt-acme.sh
@@ -21,6 +21,7 @@ fi
 echo "Copy the key file" >> $LE_LOG_DIR/postgresql.log
 cp ${LE_CERTS_DIR}/privkey ${POSTGRESQL_KEYFILE}
 chmod 440 ${POSTGRESQL_KEYFILE}
+chown root ${POSTGRESQL_KEYFILE}
 chgrp postgres ${POSTGRESQL_KEYFILE}
 echo "Reload the postgresql service" >> $LE_LOG_DIR/postgresql.log
diff --git a/postgresql/tasks/pgpool-letsencrypt-acmetool.yml b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
index dc2f333d..5da2a8e7 100644
--- a/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
+++ b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
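Review bot: In postgresql/files/pgpool-letsencrypt-acme.sh the added `chown root ${PGPOOL2_KEYFILE}` is unquoted and its exit status is not checked, so if it or the preceding `cp`/`chmod` fails the script still reaches the "Reload the pgpool2 service" step with a key whose owner or mode may not be what the server expects. Owner and group can be set in one checked call, `chown root:postgres "${PGPOOL2_KEYFILE}" || exit 1`, replacing the separate `chown` and `chgrp` lines; the same applies to `${POSTGRESQL_KEYFILE}` in postgresql-letsencrypt-acme.sh. Whether the scripts already run under `set -e` cannot be seen, because both start above their hunks. A one-line comment on why root ownership is needed, e.g. `# key must be root-owned for the server to accept group-readable 0440` (presumably the reason for this fix, to be confirmed by the author), would keep the line from being dropped later.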
@@ -2,6 +2,7 @@
 - name: Create the acme hooks directory if it does not yet exist
 file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
 when:
+ - psql_pgpool_service_install
 - pgpool_letsencrypt_managed
 - letsencrypt_acme_install
 tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
@@ -9,6 +10,7 @@
 - name: Install a script that fix the letsencrypt certificate for postgresql and then reload the service
 copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
 when:
+ - psql_pgpool_service_install
 - pgpool_letsencrypt_managed
 - letsencrypt_acme_install
 tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
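Review bot: The `copy` task in the second hunk still installs the hook with `mode=4555`, which sets the setuid bit on a root-owned shell script; the commit edits this task's `when:` list but leaves the mode unchanged. Linux ignores setuid on interpreted scripts, so the bit most likely has no effect there, but it will be flagged by permission audits and looks like a typo for an ordinary executable mode. Suggest `mode=0555` (or `mode=0755`) unless the setuid bit is deliberate, in which case a comment on the task should say why. The task name also says "for postgresql" although it installs `pgpool-letsencrypt-acme.sh`, which makes play output harder to follow.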