postgresql: Fix the letsencrypt and ssl tasks so that ssl can be disabled.
parent
94eba820ae
commit
af2f3f397c
@ -62,12 +62,19 @@ psql_autovacuum_configuration:
|
||||||
# SSL as a special case
|
# SSL as a special case
|
||||||
psql_enable_ssl: False
|
psql_enable_ssl: False
|
||||||
psql_force_ssl_client_connection: False
|
psql_force_ssl_client_connection: False
|
||||||
postgresql_letsencrypt_managed: True
|
postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
|
||||||
|
psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
|
||||||
|
psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
|
||||||
|
psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
|
||||||
|
psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
|
||||||
psql_conf_ssl_parameters:
|
psql_conf_ssl_parameters:
|
||||||
- { name: 'ssl', value: 'true' }
|
- { name: 'ssl', value: 'true' }
|
||||||
- { name: 'ssl_cert_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' }
|
- { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' }
|
||||||
- { name: 'ssl_key_file', value: '/etc/pki/postgresql/postgresql.key' }
|
- { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_path }}' }
|
||||||
- { name: 'ssl_ca_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/chain' }
|
- { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' }
|
||||||
|
|
||||||
|
psql_conf_disable_ssl_parameters:
|
||||||
|
- { name: 'ssl', value: 'false' }
|
||||||
|
|
||||||
psql_set_shared_memory: False
|
psql_set_shared_memory: False
|
||||||
psql_sysctl_file: 30-postgresql-shm.conf
|
psql_sysctl_file: 30-postgresql-shm.conf
|
||||||
|
|
|
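Review bot: The new `ssl_key_file` entry references `psql_ssl_privkey_path`, but the variable this hunk defines a few lines above is `psql_ssl_privkey_file`; unless `psql_ssl_privkey_path` is set somewhere not shown here, templating `psql_conf_ssl_parameters` fails on an undefined variable (or, with undefined errors relaxed, writes an empty `ssl_key_file` and the server refuses to start with ssl=true). The entry should read `- { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}' }`, matching the `copy` task in the SSL tasks file which already uses `psql_ssl_privkey_file` as its dest. Separately, `postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'` is a templated string rather than a boolean; the `not postgresql_letsencrypt_managed` test in the hook-removal task relies on Ansible coercing the rendered value, which it normally does for a bare templated variable but is worth a comment such as `# follows psql_enable_ssl; override with a real boolean to decouple them`.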
@ -26,10 +26,8 @@ chgrp postgres ${PGPOOL2_KEYFILE}
|
||||||
|
|
||||||
echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
|
echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
|
||||||
if [ -x /bin/systemctl ] ; then
|
if [ -x /bin/systemctl ] ; then
|
||||||
sleep $RANDOM
|
|
||||||
systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
|
systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
|
||||||
else
|
else
|
||||||
sleep $RANDOM
|
|
||||||
service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
|
service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -26,10 +26,8 @@ chgrp postgres ${POSTGRESQL_KEYFILE}
|
||||||
|
|
||||||
echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log
|
echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log
|
||||||
if [ -x /bin/systemctl ] ; then
|
if [ -x /bin/systemctl ] ; then
|
||||||
sleep $RANDOM
|
|
||||||
systemctl restart postgresql >> $LE_LOG_DIR/postgresql.log 2>&1
|
systemctl restart postgresql >> $LE_LOG_DIR/postgresql.log 2>&1
|
||||||
else
|
else
|
||||||
sleep $RANDOM
|
|
||||||
service postgresql restart >> $LE_LOG_DIR/postgresql.log 2>&1
|
service postgresql restart >> $LE_LOG_DIR/postgresql.log 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -32,11 +32,9 @@
|
||||||
when: psql_pgpool_service_install
|
when: psql_pgpool_service_install
|
||||||
- include: postgresql-letsencrypt-acmetool.yml
|
- include: postgresql-letsencrypt-acmetool.yml
|
||||||
when:
|
when:
|
||||||
- postgresql_letsencrypt_managed
|
|
||||||
- letsencrypt_acme_install is defined
|
- letsencrypt_acme_install is defined
|
||||||
- include: pgpool-letsencrypt-acmetool.yml
|
- include: pgpool-letsencrypt-acmetool.yml
|
||||||
when:
|
when:
|
||||||
- pgpool_letsencrypt_managed
|
|
||||||
- letsencrypt_acme_install is defined
|
- letsencrypt_acme_install is defined
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,17 +1,23 @@
|
||||||
---
|
---
|
||||||
- name: Create the acme hooks directory if it does not yet exist
|
- block:
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
when:
|
|
||||||
- psql_pgpool_service_install
|
|
||||||
- pgpool_letsencrypt_managed
|
|
||||||
- letsencrypt_acme_install
|
|
||||||
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
|
||||||
|
|
||||||
- name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
|
- name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
|
||||||
copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
|
copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- psql_pgpool_service_install
|
- psql_pgpool_service_install
|
||||||
- pgpool_letsencrypt_managed
|
- pgpool_letsencrypt_managed
|
||||||
- letsencrypt_acme_install
|
- letsencrypt_acme_install
|
||||||
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
||||||
|
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Remove the letsencrypt hook for pgpool
|
||||||
|
file: dest=/usr/lib/acme/hooks/pgpool state=absent
|
||||||
|
|
||||||
|
when:
|
||||||
|
- psql_pgpool_service_install
|
||||||
|
- not pgpool_letsencrypt_managed
|
||||||
|
tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
|
||||||
|
|
|
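Review bot: The new removal task hard-codes `file: dest=/usr/lib/acme/hooks/pgpool state=absent`, while the install task in the same file writes the hook to `{{ letsencrypt_acme_services_scripts_dir }}/pgpool`; if that variable points anywhere else, the hook the role installed is never removed and keeps reloading pgpool on every renewal after the operator has turned letsencrypt management off. The same mismatch is in the postgresql hook file below (`file: dest=/usr/lib/acme/hooks/postgresql state=absent`). Both should reuse the variable: `file: dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool state=absent`. Indentation is lost in this rendering, so I cannot confirm that the `- name:` tasks sit under the `block:` key rather than as siblings of it; worth a glance in the raw file.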
@ -1,15 +1,21 @@
|
||||||
---
|
---
|
||||||
- name: Create the acme hooks directory if it does not yet exist
|
- block:
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
when:
|
|
||||||
- postgresql_letsencrypt_managed
|
|
||||||
- letsencrypt_acme_install
|
|
||||||
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
|
||||||
|
|
||||||
- name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
|
- name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
|
||||||
copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
|
copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- postgresql_letsencrypt_managed
|
- postgresql_letsencrypt_managed
|
||||||
- letsencrypt_acme_install
|
- letsencrypt_acme_install
|
||||||
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
||||||
|
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Remove the letsencrypt certificate hook for postgresql
|
||||||
|
file: dest=/usr/lib/acme/hooks/postgresql state=absent
|
||||||
|
|
||||||
|
when:
|
||||||
|
- not postgresql_letsencrypt_managed
|
||||||
|
tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
- name: Setup ssl in the postgresql configuration
|
- name: Setup SSL in the postgresql configuration
|
||||||
become: True
|
become: True
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
|
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
|
||||||
|
@ -11,7 +11,19 @@
|
||||||
file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
|
file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
|
||||||
|
|
||||||
- name: Create a postgres accessible ssl key file if it does not exist
|
- name: Create a postgres accessible ssl key file if it does not exist
|
||||||
copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/postgresql/postgresql.key owner=postgres group=postgres mode=0400 remote_src=True
|
copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True
|
||||||
|
|
||||||
when: psql_enable_ssl
|
when: psql_enable_ssl
|
||||||
tags: [ 'postgresql', 'postgres', 'pg_conf' ]
|
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
|
||||||
|
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Disable SSL in the postgresql configuration
|
||||||
|
become: True
|
||||||
|
become_user: postgres
|
||||||
|
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
|
||||||
|
with_items: '{{ psql_conf_disable_ssl_parameters }}'
|
||||||
|
notify: Restart postgresql
|
||||||
|
|
||||||
|
when: not psql_enable_ssl
|
||||||
|
tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
|
||||||
|
|
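Review bot: The new "Disable SSL" block only flips `ssl` to `false`; the private key that the enable path copied to `{{ psql_ssl_privkey_file }}` (a postgres-readable duplicate of the acme key) is left on disk, so disabling SSL leaves a second copy of the key material that the role no longer manages or rotates. The disable block should also remove it, e.g. `- name: Remove the postgres copy of the SSL private key` / `file: dest={{ psql_ssl_privkey_file }} state=absent`, under the same `when: not psql_enable_ssl`. The `notify: Restart postgresql` on the enable block, if present, is outside this hunk, so I could not check that both blocks trigger the same handler.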