forked from ISTI-ansible-roles/ansible-roles
postgresql: Fix the letsencrypt and ssl tasks so that ssl can be disabled.
This commit is contained in:
Andrea Dell'Amico
parent
94eba820ae
commit
af2f3f397c
|
|
@ -62,12 +62,19 @@ psql_autovacuum_configuration:
|
|||
# SSL as a special case
|
||||
psql_enable_ssl: False
|
||||
psql_force_ssl_client_connection: False
|
||||
postgresql_letsencrypt_managed: True
|
||||
psql_conf_ssl_parameters:
|
||||
postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
|
||||
psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
|
||||
psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
|
||||
psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
|
||||
psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
|
||||
psql_conf_ssl_parameters:
|
||||
- { name: 'ssl', value: 'true' }
|
||||
- { name: 'ssl_cert_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' }
|
||||
- { name: 'ssl_key_file', value: '/etc/pki/postgresql/postgresql.key' }
|
||||
- { name: 'ssl_ca_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/chain' }
|
||||
- { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' }
|
||||
- { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_path }}' }
|
||||
- { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' }
|
||||
|
||||
psql_conf_disable_ssl_parameters:
|
||||
- { name: 'ssl', value: 'false' }
|
||||
|
||||
psql_set_shared_memory: False
|
||||
psql_sysctl_file: 30-postgresql-shm.conf
|
||||
|
|
|
|||
|
|
@ -26,10 +26,8 @@ chgrp postgres ${PGPOOL2_KEYFILE}
|
|||
|
||||
echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
sleep $RANDOM
|
||||
systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
|
||||
else
|
||||
sleep $RANDOM
|
||||
service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -26,10 +26,8 @@ chgrp postgres ${POSTGRESQL_KEYFILE}
|
|||
|
||||
echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
sleep $RANDOM
|
||||
systemctl restart postgresql >> $LE_LOG_DIR/postgresql.log 2>&1
|
||||
else
|
||||
sleep $RANDOM
|
||||
service postgresql restart >> $LE_LOG_DIR/postgresql.log 2>&1
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -32,11 +32,9 @@
|
|||
when: psql_pgpool_service_install
|
||||
- include: postgresql-letsencrypt-acmetool.yml
|
||||
when:
|
||||
- postgresql_letsencrypt_managed
|
||||
- letsencrypt_acme_install is defined
|
||||
- include: pgpool-letsencrypt-acmetool.yml
|
||||
when:
|
||||
- pgpool_letsencrypt_managed
|
||||
- letsencrypt_acme_install is defined
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,17 +1,23 @@
|
|||
---
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
|
||||
copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
|
||||
|
||||
when:
|
||||
- psql_pgpool_service_install
|
||||
- pgpool_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
|
||||
copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
|
||||
|
||||
- block:
|
||||
- name: Remove the letsencrypt hook for pgpool
|
||||
file: dest=/usr/lib/acme/hooks/pgpool state=absent
|
||||
|
||||
when:
|
||||
- psql_pgpool_service_install
|
||||
- pgpool_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
- not pgpool_letsencrypt_managed
|
||||
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
||||
|
||||
|
|
|
|||
|
|
@ -1,15 +1,21 @@
|
|||
---
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
|
||||
copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
|
||||
|
||||
when:
|
||||
- postgresql_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
|
||||
copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
|
||||
when:
|
||||
- postgresql_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the letsencrypt certificate hook for postgresql
|
||||
file: dest=/usr/lib/acme/hooks/postgresql state=absent
|
||||
|
||||
when:
|
||||
- not postgresql_letsencrypt_managed
|
||||
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- block:
|
||||
- name: Setup ssl in the postgresql configuration
|
||||
- name: Setup SSL in the postgresql configuration
|
||||
become: True
|
||||
become_user: postgres
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
|
||||
|
|
@ -11,7 +11,19 @@
|
|||
file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
|
||||
|
||||
- name: Create a postgres accessible ssl key file if it does not exist
|
||||
copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/postgresql/postgresql.key owner=postgres group=postgres mode=0400 remote_src=True
|
||||
copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True
|
||||
|
||||
when: psql_enable_ssl
|
||||
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
|
||||
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
|
||||
|
||||
|
||||
- block:
|
||||
- name: Disable SSL in the postgresql configuration
|
||||
become: True
|
||||
become_user: postgres
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
|
||||
with_items: '{{ psql_conf_disable_ssl_parameters }}'
|
||||
notify: Restart postgresql
|
||||
|
||||
when: not psql_enable_ssl
|
||||
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
|
||||
|
|
|
|||
Loading…
Reference in New Issue