add base tls implementation
This commit is contained in:
parent
7a82ac2005
commit
1192e6de7d
@ -20,3 +20,11 @@ postgres_socket_directories:
|
||||
- /var/run/postgresql
|
||||
|
||||
postgres_password_encryption: md5
|
||||
|
||||
postgres_tls_enabled: False
|
||||
postgres_tls_cert_filename: "mycert.pem"
|
||||
postgres_tls_key_filename: "mykey.pem"
|
||||
postgres_tls_source_use_content: False
|
||||
postgres_tls_source_use_files: True
|
||||
postgres_tls_cert_source: mycert.pem
|
||||
postgres_tls_key_source: mykey.pem
|
||||
|
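Review bot: `postgres_tls_source_use_content` and `postgres_tls_source_use_files` are two independent booleans, so both or neither can be true; when both are, the content task in tls.yml runs after the file task and overwrites the key file with the literal string `mykey.pem`. A single selector such as `postgres_tls_source: files` (accepting `files` or `content`) would make the two modes mutually exclusive and simplify the `when:` clauses. The booleans are spelled `False`/`True`; `false`/`true` is the canonical YAML form and what yamllint's truthy rule expects, and the filename quoting is inconsistent (`"mycert.pem"` vs bare `mycert.pem`). In content mode `postgres_tls_key_source` holds the private key itself, so the variable should be documented as one that must be supplied from Ansible Vault or a lookup rather than set in a plain vars file.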
@ -2,4 +2,6 @@
|
||||
- import_tasks: prepare.yml
|
||||
- import_tasks: install.yml
|
||||
- import_tasks: config.yml
|
||||
- import_tasks: tls.yml
|
||||
tags: tls_renewal
|
||||
- import_tasks: post_tasks.yml
|
||||
|
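Review bot: `tls.yml` is imported unconditionally, so its directory and copy tasks run even when `postgres_tls_enabled` is false; the copy tasks are gated only on the source-type flags, and with `postgres_tls_source_use_files` defaulting to true the default `mycert.pem`/`mykey.pem` sources would be looked up (and presumably fail) on every host that has not opted in. Add `when: postgres_tls_enabled` alongside `tags: tls_renewal`; with `import_tasks` the condition is applied to every imported task. Note also that a run limited to `--tags tls_renewal` replaces the files but, as far as this commit shows, nothing notifies a handler to reload PostgreSQL, so the old certificate stays in use.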
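--- /dev/null
+++ b/tasks/tls.yml
@@ -0,0 +1,41 @@
+---
+- block:
+- name: Create tls folder structure
+file:
+path: "{{ item }}"
+state: directory
+owner: "{{ openhab_user }}"
+group: "{{ openhab_group }}"
+recurse: True
+with_items:
+- "{{ __postgres_tls_key_path }}"
+- "{{ __postgres_tls_cert_path }}"
+become: True
+become_user: root
+
+- block:
+- name: Copy certs and private key (file)
+copy:
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+with_items:
+- { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+- { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+when: postgres_tls_source_use_files
+
+- name: Copy certs and private key (content)
+copy:
+content: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+with_items:
+- { src: "{{ postgres_tls_key_source }}", dest: '{{ __postgres_tls_key_path }}', mode: '0600' }
+- { src: "{{ postgres_tls_cert_source }}", dest: '{{ __postgres_tls_cert_path }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+when: postgres_tls_source_use_content
+become: True
+become_user: "{{ postgres_user }}"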
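Review bot: The directory task hands the TLS directories to `owner: "{{ openhab_user }}"` / `group: "{{ openhab_group }}"`, which looks pasted from another role — everything else here is keyed on `postgres_user`, and the copy block runs as `become_user: "{{ postgres_user }}"`, so copying into a directory owned by a different user will likely fail; use `owner: "{{ postgres_user }}"` (and the role's matching group variable, if it has one) and give the key directory `mode: '0700'`. The content variant writes private-key material with `dest` set to the `__postgres_tls_key_path` directory, which the copy module does not accept for `content` (dest must be a file), so it needs a full path such as `'{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}'`; the file variant only works because the destination directory exists and the default source basename happens to equal `postgres_tls_key_filename`. Both copy tasks should set `no_log: true`, since the loop items contain the private key and `loop_control.label` only trims the task heading, not failure or diff output. `mode: '0750'` on a certificate grants an execute bit that nothing needs; `'0644'` is the usual value. Neither task has a `notify`, so a `tls_renewal` run installs new files without PostgreSQL reloading them.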
@ -39,15 +39,22 @@ unix_socket_directories = '{{ postgres_socket_directories | join(",") }}'
|
||||
# - Security and Authentication -
|
||||
|
||||
#authentication_timeout = 1min
|
||||
#ssl = off
|
||||
{% if postgres_tls_enabled %}
|
||||
ssl = on
|
||||
{% else %}
|
||||
ssl = off
|
||||
{% endif %}
|
||||
|
||||
{% if postgres_tls_enabled %}
|
||||
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
|
||||
#ssl_prefer_server_ciphers = on
|
||||
#ssl_ecdh_curve = 'prime256v1'
|
||||
#ssl_dh_params_file = ''
|
||||
#ssl_cert_file = 'server.crt'
|
||||
#ssl_key_file = 'server.key'
|
||||
ssl_cert_file = '{{ __postgres_tls_path }}/certs/{{ postgres_tls_cert_filename }}'
|
||||
ssl_key_file = '{{ __postgres_tls_path }}/key/{{ postgres_tls_key_filename }}'
|
||||
#ssl_ca_file = ''
|
||||
#ssl_crl_file = ''
|
||||
{% endif %}
|
||||
password_encryption = {{ postgres_password_encryption }}
|
||||
#db_user_namespace = off
|
||||
#row_security = on
|
||||
|
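Review bot: `ssl_cert_file` and `ssl_key_file` build their paths from `__postgres_tls_path` plus `certs/` and `key/`, whereas the tasks in this commit copy the files to `__postgres_tls_cert_path` and `__postgres_tls_key_path`; `__postgres_tls_path` is not among the vars added here (it may be defined elsewhere), and the two spellings can drift apart. Prefer `ssl_cert_file = '{{ __postgres_tls_cert_path }}/{{ postgres_tls_cert_filename }}'` and `ssl_key_file = '{{ __postgres_tls_key_path }}/{{ postgres_tls_key_filename }}'` so the template and tasks share one definition. The two adjacent `{% if postgres_tls_enabled %}` blocks can be collapsed into `ssl = {{ 'on' if postgres_tls_enabled else 'off' }}` followed by the single guarded block. With TLS on, `ssl_ciphers` and `ssl_prefer_server_ciphers` are left at the server defaults; if the target PostgreSQL version supports it, also set `ssl_min_protocol_version = 'TLSv1.2'` so legacy protocol versions are not negotiable.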
@ -8,3 +8,5 @@ __postgres_packages:
|
||||
- "{{ __postgres_packagename }}-server"
|
||||
__postgres_data_dir: "/var/lib/pgsql/{{ __postgres_version }}/data"
|
||||
__postgres_config_path: "{{ __postgres_data_dir }}"
|
||||
__postgres_tls_key_path: "{{ __postgres_data_dir }}/tls/key"
|
||||
__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/key"
|
||||
|
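Review bot: `__postgres_tls_cert_path` resolves to the same directory as `__postgres_tls_key_path` (`…/tls/key`), which looks like a copy-paste slip — the template in this commit reads certificates from a `certs/` subdirectory. Change it to `__postgres_tls_cert_path: "{{ __postgres_data_dir }}/tls/certs"`. Keeping the two apart also lets the key directory be restricted to the server user without affecting the certificate, which other tooling may need to read.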