add base tls implementation
This commit is contained in:
parent
7a82ac2005
commit
1192e6de7d
@ -20,3 +20,11 @@ postgres_socket_directories:
|
|||||||
- /var/run/postgresql
|
- /var/run/postgresql
|
||||||
|
|
||||||
postgres_password_encryption: md5
|
postgres_password_encryption: md5
|
||||||
|
|
||||||
|
postgres_tls_enabled: False
|
||||||
|
postgres_tls_cert_filename: "mycert.pem"
|
||||||
|
postgres_tls_key_filename: "mykey.pem"
|
||||||
|
postgres_tls_source_use_content: False
|
||||||
|
postgres_tls_source_use_files: True
|
||||||
|
postgres_tls_cert_source: mycert.pem
|
||||||
|
postgres_tls_key_source: mykey.pem
|
||||||
|
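Review bot: `postgres_tls_key_source` carries private-key material when `postgres_tls_source_use_content` is set, but nothing here marks it as sensitive, so it will end up in plain inventory or group_vars unless the operator remembers to vault it; add a comment above it such as `# When postgres_tls_source_use_content is true this holds the PEM private key itself — keep it in ansible-vault`. The `postgres_tls_source_use_files` / `postgres_tls_source_use_content` flags are independent booleans, so both can be true at once and the defaults give no hint which branch wins; document them as mutually exclusive (or collapse them into one selector such as `postgres_tls_source: files`). The placeholder names `mycert.pem`/`mykey.pem` with `use_files` defaulting to true also mean a plain run tries to copy files that presumably do not exist, so a comment that these must be overridden would help. Style: `True`/`False` should be lowercase `true`/`false` (yamllint truthy).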
@ -2,4 +2,6 @@
|
|||||||
- import_tasks: prepare.yml
|
- import_tasks: prepare.yml
|
||||||
- import_tasks: install.yml
|
- import_tasks: install.yml
|
||||||
- import_tasks: config.yml
|
- import_tasks: config.yml
|
||||||
|
- import_tasks: tls.yml
|
||||||
|
tags: tls_renewal
|
||||||
- import_tasks: post_tasks.yml
|
- import_tasks: post_tasks.yml
|
||||||
|
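Review bot: `tls.yml` is imported unconditionally, so with the default `postgres_tls_enabled: False` the role still runs the TLS tasks and tries to copy the `mykey.pem`/`mycert.pem` placeholders from the controller, which fails unless those files happen to exist. Gate the import on the feature flag — `- import_tasks: tls.yml`, `  when: postgres_tls_enabled`, `  tags: tls_renewal` — since with `import_tasks` the `when` is applied to every imported task. The `tls_renewal` tag suggests re-running only these tasks after a certificate rotation, but nothing visible notifies a reload once a new certificate lands, so a renewed cert would not be served until something else restarts the server; a handler notify on the copy tasks would close that gap if the role has one.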
41
tasks/tls.yml
Normal file
41
tasks/tls.yml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create tls folder structure
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ openhab_user }}"
|
||||||
|
group: "{{ openhab_group }}"
|
||||||
|
recurse: True
|
||||||
|
with_items:
|
||||||
|
- "{{ __postgres_tls_key_path }}"
|
||||||
|
- "{{ __postgres_tls_cert_path }}"
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Copy certs and private key (file)
|
||||||
|
copy:
|
||||||
|
src: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
with_items:
|
||||||
|
- { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
|
||||||
|
- { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.dest }}"
|
||||||
|
when: postgres_tls_source_use_files
|
||||||
|
|
||||||
|
- name: Copy certs and private key (content)
|
||||||
|
copy:
|
||||||
|
content: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
with_items:
|
||||||
|
- { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
|
||||||
|
- { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.dest }}"
|
||||||
|
when: postgres_tls_source_use_content
|
||||||
|
become: True
|
||||||
|
become_user: "{{ postgres_user }}"
|
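Review bot: The TLS directories are created with `owner: "{{ openhab_user }}"` / `group: "{{ openhab_group }}"`, which look copied from another role: if those variables are undefined the task errors, and if they are defined the directory holding the server's private key belongs to a non-postgres account while the key itself is written as `{{ postgres_user }}` a few tasks later. The copy tasks also pass the directory as `dest`, so with `src:` the file lands under its source basename rather than the `postgres_tls_key_filename`/`postgres_tls_cert_filename` the config template expects, and with `content:` Ansible refuses a directory destination outright, so the content branch cannot work as written. The two `when` clauses are not mutually exclusive, so both branches run when both flags are true, and the private-key copy has no `no_log`, so `--diff` or verbose runs print key material. A certificate does not need an executable bit (`0750`), and the key directory should not be world-listable; the rewritten lines below address these (group should be the postgres group if the role defines one).
```yaml
- name: Create tls folder structure
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ postgres_user }}"
    mode: "0700"
  # … unchanged: with_items / recurse / become …

- name: Copy certs and private key (file)
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  no_log: true
  with_items:
    - { src: "{{ postgres_tls_key_source }}", dest: "{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}", mode: "0600" }
    - { src: "{{ postgres_tls_cert_source }}", dest: "{{ __postgres_tls_cert_path }}/{{ postgres_tls_cert_filename }}", mode: "0644" }
  when: postgres_tls_source_use_files and not postgres_tls_source_use_content
# … unchanged: content variant, with the same dest / no_log changes and when: postgres_tls_source_use_content …
```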
@ -39,15 +39,22 @@ unix_socket_directories = '{{ postgres_socket_directories | join(",") }}'
|
|||||||
# - Security and Authentication -
|
# - Security and Authentication -
|
||||||
|
|
||||||
#authentication_timeout = 1min
|
#authentication_timeout = 1min
|
||||||
#ssl = off
|
{% if postgres_tls_enabled %}
|
||||||
|
ssl = on
|
||||||
|
{% else %}
|
||||||
|
ssl = off
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if postgres_tls_enabled %}
|
||||||
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
|
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
|
||||||
#ssl_prefer_server_ciphers = on
|
#ssl_prefer_server_ciphers = on
|
||||||
#ssl_ecdh_curve = 'prime256v1'
|
#ssl_ecdh_curve = 'prime256v1'
|
||||||
#ssl_dh_params_file = ''
|
#ssl_dh_params_file = ''
|
||||||
#ssl_cert_file = 'server.crt'
|
ssl_cert_file = '{{ __postgres_tls_path }}/certs/{{ postgres_tls_cert_filename }}'
|
||||||
#ssl_key_file = 'server.key'
|
ssl_key_file = '{{ __postgres_tls_path }}/key/{{ postgres_tls_key_filename }}'
|
||||||
#ssl_ca_file = ''
|
#ssl_ca_file = ''
|
||||||
#ssl_crl_file = ''
|
#ssl_crl_file = ''
|
||||||
|
{% endif %}
|
||||||
password_encryption = {{ postgres_password_encryption }}
|
password_encryption = {{ postgres_password_encryption }}
|
||||||
#db_user_namespace = off
|
#db_user_namespace = off
|
||||||
#row_security = on
|
#row_security = on
|
||||||
|
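Review bot: `ssl_cert_file` and `ssl_key_file` are built from `{{ __postgres_tls_path }}/certs/` and `{{ __postgres_tls_path }}/key/`, but the vars added in this commit define `__postgres_tls_cert_path` and `__postgres_tls_key_path` (both pointing at `tls/key`), so unless `__postgres_tls_path` is defined elsewhere the rendered config names directories the tasks never create; use the same variables the copy tasks use: `ssl_cert_file = '{{ __postgres_tls_cert_path }}/{{ postgres_tls_cert_filename }}'` and `ssl_key_file = '{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}'`. `ssl = on` only offers TLS; clients can still connect in cleartext until `pg_hba.conf` uses `hostssl` entries, which this commit does not touch, so the role should say so or manage that file too. The cipher and protocol knobs stay at their commented defaults, and the shown default `'HIGH:MEDIUM:+3DES:!aNULL'` still admits MEDIUM and 3DES; inside the enabled branch consider `ssl_min_protocol_version = 'TLSv1.2'` (PostgreSQL 12+) and an `ssl_ciphers` value that drops 3DES. The template continues outside the hunk.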
@ -8,3 +8,5 @@ __postgres_packages:
|
|||||||
- "{{ __postgres_packagename }}-server"
|
- "{{ __postgres_packagename }}-server"
|
||||||
__postgres_data_dir: "/var/lib/pgsql/{{ __postgres_version }}/data"
|
__postgres_data_dir: "/var/lib/pgsql/{{ __postgres_version }}/data"
|
||||||
__postgres_config_path: "{{ __postgres_data_dir }}"
|
__postgres_config_path: "{{ __postgres_data_dir }}"
|
||||||
|
__postgres_tls_key_path: "{{ __postgres_data_dir }}/tls/key"
|
||||||
|
__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/key"
|
||||||
|
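Review bot: `__postgres_tls_cert_path` is set to the same `tls/key` directory as `__postgres_tls_key_path`, which looks like a copy-paste slip — the postgresql.conf template in this commit expects certificates under a `certs/` directory, and sharing one directory forces the key directory's restrictive permissions and the certificate's readable ones to coexist. Change it to `__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/certs"`. The `__postgres_tls_path` base the template references is not defined in this hunk; if it is not defined elsewhere, add `__postgres_tls_path: "{{ __postgres_data_dir }}/tls"` here so the template and the tasks agree on one location.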