library/roles/postgresql: Configure ssl for pgpool too, if enable. Option to force ssl client connections to postgres.

postgresql/defaults/main.yml

@@ -33,6 +33,7 @@ psql_conf_parameters:
 
 # SSL as a special case
 psql_enable_ssl: False
+psql_force_ssl_client_connection: False
 postgresql_letsencrypt_managed: True
 psql_conf_ssl_parameters:
   - { name: 'ssl', value: 'true' }
@@ -125,6 +126,14 @@ pgpool_memqcache_memcached_port: 11211
 pgpool_memqcache_expire: 0
 pgpool_memqcache_auto_cache_invalidation: 'on'
 
+# SSL as a special case
+pgpool_enable_ssl: False
+pgpool_letsencrypt_managed: True
+pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key
+pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
+pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
+pgpool_ssl_ca_dir: /etc/ssl/certs
+
 # WAL files archiving is mandatory for pgpool recovery
 psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}'
 psql_restart_after_wal_enabling: True

postgresql/files/pgpool-letsencrypt-acme.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+PGPOOL2_CERTDIR=/etc/pki/pgpool2
+PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key
+DATE=$( date )
+
+[ ! -d $PGPOOL2_CERTDIR ] && mkdir -p $PGPOOL2_CERTDIR
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/pgpool2.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+    . /etc/default/letsencrypt
+else
+    echo "No letsencrypt default file" >> $LE_LOG_DIR/pgpool2.log
+fi
+
+echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log
+cp ${LE_CERTS_DIR}/privkey  ${PGPOOL2_KEYFILE}
+chmod 440 ${PGPOOL2_KEYFILE}
+chgrp postgres ${PGPOOL2_KEYFILE}
+
+echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
+if [ -x /bin/systemctl ] ; then
+    systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
+else
+    service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/pgpool2.log
+
+exit 0
+

postgresql/tasks/configure-access.yml

@@ -6,7 +6,7 @@
 #    - { name: 'db_name', user: 'db_user', pwd: 'db_pwd', allowed_hosts: [ '146.48.123.17/32', '146.48.122.110/32' ] }
 #
 - name: Give access to the remote postgresql client
-  lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+  lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
   with_subelements: 
     - '{{ psql_db_data | default([]) }}'
     - allowed_hosts
@@ -14,6 +14,20 @@
     - psql_listen_on_ext_int
     - psql_db_data is defined
     - item.1 is defined
+    - not psql_force_ssl_client_connection
+  notify: Reload postgresql
+  tags: [ 'postgresql', 'postgres', 'pg_hba' ]
+
+- name: Give access to the remote postgresql client, force ssl
+  lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+  with_subelements: 
+    - '{{ psql_db_data | default([]) }}'
+    - allowed_hosts
+  when:
+    - psql_listen_on_ext_int
+    - psql_db_data is defined
+    - item.1 is defined
+    - psql_force_ssl_client_connection
   notify: Reload postgresql
   tags: [ 'postgresql', 'postgres', 'pg_hba' ]
 

postgresql/tasks/main.yml

@@ -33,5 +33,9 @@
   when:
     - postgresql_letsencrypt_managed
     - letsencrypt_acme_install is defined
+- include: pgpool-letsencrypt-acmetool.yml
+  when:
+    - pgpool_letsencrypt_managed
+    - letsencrypt_acme_install is defined
 
 

postgresql/tasks/pgpool-letsencrypt-acmetool.yml

@@ -0,0 +1,15 @@
+---
+- name: Create the acme hooks directory if it does not yet exist
+  file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+  when:
+    - pgpool_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
+
+- name: Install a script that fix the letsencrypt certificate for postgresql and then reload the service
+  copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
+  when:
+    - pgpool_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
+

postgresql/templates/pgpool.conf.j2

@@ -77,25 +77,14 @@ authentication_timeout = 60
                                    # Delay in seconds to complete client authentication
                                    # 0 means no timeout.
 
+{% if pgpool_enable_ssl %}
 # - SSL Connections -
-
+ssl = on
-ssl = off
+ssl_key = '{{ pgpool_ssl_key }}'
-                                   # Enable SSL support
+ssl_cert = '{{ pgpool_ssl_cert }}'
-                                   # (change requires restart)
+ssl_ca_cert = '{{ pgpool_ssl_ca }}'
-#ssl_key = './server.key'
+ssl_ca_cert_dir = '{{ pgpool_ssl_ca_dir }}'
-                                   # Path to the SSL private key file
+{% endif %}
-                                   # (change requires restart)
-#ssl_cert = './server.cert'
-                                   # Path to the SSL public certificate file
-                                   # (change requires restart)
-#ssl_ca_cert = ''
-                                   # Path to a single PEM format file
-                                   # containing CA root certificate(s)
-                                   # (change requires restart)
-#ssl_ca_cert_dir = ''
-                                   # Directory containing CA root certificate(s)
-                                   # (change requires restart)
-
 
 #------------------------------------------------------------------------------
 # POOLS