From 1192e6de7d8d0367c90d1fec71af11c74a9fb4e6 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Tue, 16 Oct 2018 23:05:15 +0200 Subject: [PATCH] add base tls implementation --- defaults/main.yml | 8 ++++ tasks/main.yml | 2 + tasks/tls.yml | 41 ++++++++++++++++++++ templates/postgresql/data/postgresql.conf.j2 | 13 +++++-- vars/main.yml | 2 + 5 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 tasks/tls.yml diff --git a/defaults/main.yml b/defaults/main.yml index 97a38bb..69c8576 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,3 +20,11 @@ postgres_socket_directories: - /var/run/postgresql postgres_password_encryption: md5 + +postgres_tls_enabled: False +postgres_tls_cert_filename: "mycert.pem" +postgres_tls_key_filename: "mykey.pem" +postgres_tls_source_use_content: False +postgres_tls_source_use_files: True +postgres_tls_cert_source: mycert.pem +postgres_tls_key_source: mykey.pem diff --git a/tasks/main.yml b/tasks/main.yml index 57b44a9..7d70fe2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,4 +2,6 @@ - import_tasks: prepare.yml - import_tasks: install.yml - import_tasks: config.yml +- import_tasks: tls.yml + tags: tls_renewal - import_tasks: post_tasks.yml diff --git a/tasks/tls.yml b/tasks/tls.yml new file mode 100644 index 0000000..d173ce1 --- /dev/null +++ b/tasks/tls.yml 
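Review bot: The two selector flags added at the end of defaults/main.yml, `postgres_tls_source_use_content: False` and `postgres_tls_source_use_files: True`, are independent booleans, so both-true (both copy tasks in tasks/tls.yml run and the second overwrites the first) and both-false (nothing is copied while the template renders `ssl = on`) are representable and nothing in the role rejects either state. A single selector such as `postgres_tls_source: files`, checked with `when: postgres_tls_source == 'files'` and `when: postgres_tls_source == 'content'`, would make the inconsistent combinations impossible. The new booleans are also spelled `True`/`False`; yamllint's truthy rule and the rest of the YAML ecosystem expect `postgres_tls_enabled: false`.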
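Review bot: The new `- import_tasks: tls.yml` entry in tasks/main.yml carries a tag but no condition, so the tasks in tls.yml run even when `postgres_tls_enabled` is false; with the shipped defaults that attempts to copy `mycert.pem`/`mykey.pem` from the role's files on every run and fails unless those placeholder files exist. Adding `when: postgres_tls_enabled` next to `tags: tls_renewal` applies the condition to every imported task and leaves hosts with TLS disabled untouched.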
@@ -0,0 +1,41 @@
+---
+- block:
+ - name: Create tls folder structure
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ openhab_user }}"
+ group: "{{ openhab_group }}"
+ recurse: True
+ with_items:
+ - "{{ __postgres_tls_key_path }}"
+ - "{{ __postgres_tls_cert_path }}"
+ become: True
+ become_user: root
+
+- block:
+ - name: Copy certs and private key (file)
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+ - { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ when: postgres_tls_source_use_files
+
+ - name: Copy certs and private key (content)
+ copy:
+ content: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+ - { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ when: postgres_tls_source_use_content
+ become: True
+ become_user: "{{ postgres_user }}"
diff --git a/templates/postgresql/data/postgresql.conf.j2 b/templates/postgresql/data/postgresql.conf.j2
index 9dc7dfe..3039236 100644
--- a/templates/postgresql/data/postgresql.conf.j2
+++ b/templates/postgresql/data/postgresql.conf.j2
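Review bot: The "Create tls folder structure" task sets `owner: "{{ openhab_user }}"` and `group: "{{ openhab_group }}"`, names that belong to a different role and are not defined anywhere in this diff, while the copy block below runs as `become_user: "{{ postgres_user }}"`; as written the first task fails on an undefined variable, and if the variables happen to exist the directories are owned by an unrelated account and the copies as postgres_user are presumably denied. Use `owner: "{{ postgres_user }}"` and the role's matching group variable (not visible in this diff). The copy items also use the directory itself as `dest`, so `postgres_tls_cert_filename`/`postgres_tls_key_filename` never influence the installed names, and the `content:` variant of the copy module refuses a directory as dest; the dest should include the filename, the certificate does not need `0750` (`0644` is enough, the key's `0600` is what PostgreSQL requires), and the content task should carry `no_log: true` so the private key material is kept out of verbose and `--diff` output. The same two `dest` lines apply to the "(file)" task.
```yaml
- name: Copy certs and private key (content)
  # … unchanged: copy: content/dest/mode …
  with_items:
    - { src: "{{ postgres_tls_key_source }}", dest: "{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}", mode: "0600" }
    - { src: "{{ postgres_tls_cert_source }}", dest: "{{ __postgres_tls_cert_path }}/{{ postgres_tls_cert_filename }}", mode: "0644" }
  # … unchanged: loop_control …
  no_log: true
  when: postgres_tls_source_use_content
```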
@@ -39,15 +39,22 @@ unix_socket_directories = '{{ postgres_socket_directories | join(",") }}' # - Security and Authentication - #authentication_timeout = 1min -#ssl = off +{% if postgres_tls_enabled %} +ssl = on +{% else %} +ssl = off +{% endif %} + +{% if postgres_tls_enabled %} #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' #ssl_prefer_server_ciphers = on #ssl_ecdh_curve = 'prime256v1' #ssl_dh_params_file = '' -#ssl_cert_file = 'server.crt' -#ssl_key_file = 'server.key' +ssl_cert_file = '{{ __postgres_tls_path }}/certs/{{ postgres_tls_cert_filename }}' +ssl_key_file = '{{ __postgres_tls_path }}/key/{{ postgres_tls_key_filename }}' #ssl_ca_file = '' #ssl_crl_file = '' +{% endif %} password_encryption = {{ postgres_password_encryption }} #db_user_namespace = off #row_security = on diff --git a/vars/main.yml b/vars/main.yml index 200ee7a..8602a68 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -8,3 +8,5 @@ __postgres_packages: - "{{ __postgres_packagename }}-server" __postgres_data_dir: "/var/lib/pgsql/{{ __postgres_version }}/data" __postgres_config_path: "{{ __postgres_data_dir }}" +__postgres_tls_key_path: "{{ __postgres_data_dir }}/tls/key" +__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/key"
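Review bot: The new `ssl_cert_file` and `ssl_key_file` lines reference `__postgres_tls_path`, which this commit never defines — vars/main.yml adds `__postgres_tls_key_path` and `__postgres_tls_cert_path` instead — so with TLS enabled the template fails on an undefined variable unless that name exists outside the diff, and even then its `/certs/` and `/key/` segments do not match the `tls/key` directory the tasks create. Point the settings at the paths the tasks actually populate: `ssl_cert_file = '{{ __postgres_tls_cert_path }}/{{ postgres_tls_cert_filename }}'` and `ssl_key_file = '{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}'`. As a point of style, the five-line if/else around `ssl` collapses to `ssl = {{ 'on' if postgres_tls_enabled else 'off' }}`. Note that inside the enabled block `ssl_ciphers` and `ssl_prefer_server_ciphers` stay commented, so the server's built-in default cipher list applies; a `postgres_tls_ciphers` variable would let operators tighten that without editing the template.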
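Review bot: `__postgres_tls_cert_path` is set to `"{{ __postgres_data_dir }}/tls/key"`, the same directory as `__postgres_tls_key_path`, which looks like a copy-paste slip: the certificate and the private key land in one directory and the `certs` directory the template expects is never created. Use a distinct path, `__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/certs"`, matching the segment used in postgresql.conf.j2. Keeping the private key under the data directory also means any file-level copy of the data directory carries the key along; that is presumably intended here, but it is worth a comment on the variable.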