add base tls implementation

defaults/main.yml

@@ -20,3 +20,11 @@ postgres_socket_directories:
   - /var/run/postgresql
 
 postgres_password_encryption: md5
+
+postgres_tls_enabled: False
+postgres_tls_cert_filename: "mycert.pem"
+postgres_tls_key_filename: "mykey.pem"
+postgres_tls_source_use_content: False
+postgres_tls_source_use_files: True
+postgres_tls_cert_source: mycert.pem
+postgres_tls_key_source: mykey.pem

tasks/main.yml

@@ -2,4 +2,6 @@
 - import_tasks: prepare.yml
 - import_tasks: install.yml
 - import_tasks: config.yml
+- import_tasks: tls.yml
+  tags: tls_renewal
 - import_tasks: post_tasks.yml

tasks/tls.yml

@@ -0,0 +1,41 @@
+---
+- block:
+  - name: Create tls folder structure
+    file:
+      path: "{{ item }}"
+      state: directory
+      owner: "{{ openhab_user }}"
+      group: "{{ openhab_group }}"
+      recurse: True
+    with_items:
+      - "{{ __postgres_tls_key_path }}"
+      - "{{ __postgres_tls_cert_path }}"
+  become: True
+  become_user: root
+
+- block:
+  - name: Copy certs and private key (file)
+    copy:
+      src: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+      - { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    when: postgres_tls_source_use_files
+
+  - name: Copy certs and private key (content)
+    copy:
+      content: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+      - { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    when: postgres_tls_source_use_content
+  become: True
+  become_user: "{{ postgres_user }}"

templates/postgresql/data/postgresql.conf.j2

@@ -39,15 +39,22 @@ unix_socket_directories = '{{ postgres_socket_directories | join(",") }}'
 # - Security and Authentication -
 
 #authentication_timeout = 1min
-#ssl = off
+{% if postgres_tls_enabled %}
+ssl = on
+{% else %}
+ssl = off
+{% endif %}
+
+{% if postgres_tls_enabled %}
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_dh_params_file = ''
-#ssl_cert_file = 'server.crt'
+ssl_cert_file = '{{ __postgres_tls_path }}/certs/{{ postgres_tls_cert_filename }}'
-#ssl_key_file = 'server.key'
+ssl_key_file = '{{ __postgres_tls_path }}/key/{{ postgres_tls_key_filename }}'
 #ssl_ca_file = ''
 #ssl_crl_file = ''
+{% endif %}
 password_encryption = {{ postgres_password_encryption }}
 #db_user_namespace = off
 #row_security = on

vars/main.yml

@@ -8,3 +8,5 @@ __postgres_packages:
   - "{{ __postgres_packagename }}-server"
 __postgres_data_dir: "/var/lib/pgsql/{{ __postgres_version }}/data"
 __postgres_config_path: "{{ __postgres_data_dir }}"
+__postgres_tls_key_path: "{{ __postgres_data_dir }}/tls/key"
+__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/key"