define profile::postgresql::ssl ( Optional[String] $cert = undef, Optional[String] $key = undef, Optional[String] $certname = undef, Optional[Boolean] $copy_keys = true, Optional[Boolean] $handle_config_entry = false, Optional[Boolean] $handle_concat_config = false, Optional[String] $pg_user = "postgres", Optional[String] $pg_group = "postgres", ) { $datadir = $title file { "$datadir/certs": ensure => directory, mode => "0700", owner => $pg_user, group => $pg_group, require => File[$datadir], } if empty($cert) or empty($key) { if empty($certname) { fail("A certificate name is necessary to generate ssl certificate") } ssl::self_signed_certificate { $certname: common_name => $certname, country => "FR", days => "3650", organization => "Immae", owner => $pg_user, group => $pg_group, directory => "$datadir/certs", } $ssl_key = "$datadir/certs/$certname.key" $ssl_cert = "$datadir/certs/$certname.crt" } elsif $copy_keys { $ssl_key = "$datadir/certs/privkey.pem" $ssl_cert = "$datadir/certs/cert.pem" file { $ssl_cert: source => "file://$cert", mode => "0600", links => "follow", owner => $pg_user, group => $pg_group, require => File["$datadir/certs"], } file { $ssl_key: source => "file://$key", mode => "0600", links => "follow", owner => $pg_user, group => $pg_group, require => File["$datadir/certs"], } } else { $ssl_key = $key $ssl_cert = $cert } if $handle_config_entry { postgresql::server::config_entry { "ssl": value => "on", } postgresql::server::config_entry { "ssl_cert_file": value => $ssl_cert, } postgresql::server::config_entry { "ssl_key_file": value => $ssl_key, } } elsif $handle_concat_config { concat::fragment { "$datadir/postgresql.conf ssl config": target => "$datadir/postgresql.conf", content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n" } } }