define profile::postgresql::ssl (
- Optional[String] $cert = undef,
- Optional[String] $key = undef,
- Optional[String] $certname = undef,
- Optional[Boolean] $copy_keys = true,
- Optional[String] $pg_user = $profile::postgresql::pg_user,
- Optional[String] $pg_group = $profile::postgresql::pg_user
+ Optional[String] $cert = undef,
+ Optional[String] $key = undef,
+ Optional[String] $certname = undef,
+ Optional[Boolean] $copy_keys = true,
+ Optional[Boolean] $handle_config_entry = false,
+ Optional[Boolean] $handle_concat_config = false,
+ Optional[String] $pg_user = "postgres",
+ Optional[String] $pg_group = "postgres",
) {
- $pg_dir = $title
- $datadir = "$pg_dir/data"
+ $datadir = $title
file { "$datadir/certs":
ensure => directory,
mode => "0700",
owner => $pg_user,
group => $pg_group,
- require => File[$pg_dir],
+ require => File[$datadir],
}
if empty($cert) or empty($key) {
directory => "$datadir/certs",
}
- $ssl_key = "$datadir/certs/$backup_host_cn.key"
- $ssl_cert = "$datadir/certs/$backup_host_cn.crt"
+ $ssl_key = "$datadir/certs/$certname.key"
+ $ssl_cert = "$datadir/certs/$certname.crt"
} elsif $copy_keys {
$ssl_key = "$datadir/certs/privkey.pem"
$ssl_cert = "$datadir/certs/cert.pem"
$ssl_cert = $cert
}
- postgresql::server::config_entry { "ssl":
- value => "on",
- }
+ if $handle_config_entry {
+ postgresql::server::config_entry { "ssl":
+ value => "on",
+ }
- postgresql::server::config_entry { "ssl_cert_file":
- value => $ssl_cert,
- }
+ postgresql::server::config_entry { "ssl_cert_file":
+ value => $ssl_cert,
+ }
- postgresql::server::config_entry { "ssl_key_file":
- value => $ssl_key,
+ postgresql::server::config_entry { "ssl_key_file":
+ value => $ssl_key,
+ }
+ } elsif $handle_concat_config {
+ concat::fragment { "$datadir/postgresql.conf ssl config":
+ target => "$datadir/postgresql.conf",
+ content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
+ }
}
+
+ # FIXME: add monitoring for ssl
}
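Review bot: With both new flags defaulting to `false`, the `if $handle_config_entry ... elsif $handle_concat_config` chain writes no `ssl`, `ssl_cert_file` or `ssl_key_file` setting at all, so a default call to this define lays out the `certs` directory but leaves PostgreSQL at its built-in `ssl = off` while the resource title suggests TLS is configured. Add a terminal branch so the omission fails the catalog instead of silently disabling TLS: `} else {` / `  fail("profile::postgresql::ssl[${title}]: enable handle_config_entry or handle_concat_config, otherwise ssl stays off")` / `}`. The `$certname` default of `undef` has a similar silent failure mode: with `$cert`/`$key` empty, `$ssl_key` becomes `"$datadir/certs/.key"`, so guard it with `if empty($certname) { fail('profile::postgresql::ssl: certname is required when cert/key are not given') }` before the paths are built. The hunk appears to have lost lines around the bare `directory =>` attribute and the repeated `$ssl_cert =` assignment, so the `file` resource that installs the key is not visible here; confirm it sets mode `0600` owned by `$pg_user` (or `0640` root-owned), since PostgreSQL refuses to start with a key that is group- or world-readable.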