+define profile::postgresql::ssl (
+ Optional[String] $cert = undef,
+ Optional[String] $key = undef,
+ Optional[String] $certname = undef,
+ Optional[Boolean] $copy_keys = true,
+ Optional[String] $pg_user = $profile::postgresql::pg_user,
+ Optional[String] $pg_group = $profile::postgresql::pg_user
+) {
+ $pg_dir = $title
+ $datadir = "$pg_dir/data"
+
+ file { "$datadir/certs":
+ ensure => directory,
+ mode => "0700",
+ owner => $pg_user,
+ group => $pg_group,
+ require => File[$pg_dir],
+ }
+
+ if empty($cert) or empty($key) {
+ if empty($certname) {
+ fail("A certificate name is necessary to generate ssl certificate")
+ }
+
+ ssl::self_signed_certificate { $certname:
+ common_name => $certname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ owner => $pg_user,
+ group => $pg_group,
+ directory => "$datadir/certs",
+ }
+
+ $ssl_key = "$datadir/certs/$backup_host_cn.key"
+ $ssl_cert = "$datadir/certs/$backup_host_cn.crt"
+ } elsif $copy_keys {
+ $ssl_key = "$datadir/certs/privkey.pem"
+ $ssl_cert = "$datadir/certs/cert.pem"
+
+ file { $ssl_cert:
+ source => "file://$cert",
+ mode => "0600",
+ links => "follow",
+ owner => $pg_user,
+ group => $pg_group,
+ require => File["$datadir/certs"],
+ }
+ file { $ssl_key:
+ source => "file://$key",
+ mode => "0600",
+ links => "follow",
+ owner => $pg_user,
+ group => $pg_group,
+ require => File["$datadir/certs"],
+ }
+ } else {
+ $ssl_key = $key
+ $ssl_cert = $cert
+ }
+
+ postgresql::server::config_entry { "ssl":
+ value => "on",
+ }
+
+ postgresql::server::config_entry { "ssl_cert_file":
+ value => $ssl_cert,
+ }
+
+ postgresql::server::config_entry { "ssl_key_file":
+ value => $ssl_key,
+ }
+}
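Review bot: `$backup_host_cn` on the two assignments after the `ssl::self_signed_certificate` resource is not defined anywhere in this define (the only name in scope for the generated certificate is `$certname`), so under strict variables the catalog compile fails, and otherwise `ssl_key_file`/`ssl_cert_file` are set to `$datadir/certs/.key` and `.crt`, pointing PostgreSQL at files that do not exist; the lines should read `$ssl_key = "$datadir/certs/$certname.key"` and `$ssl_cert = "$datadir/certs/$certname.crt"`, assuming `ssl::self_signed_certificate` names its outputs after the title. The default for `$pg_group` is `$profile::postgresql::pg_user` rather than a group variable, which looks like a copy-paste slip — worth confirming whether a `pg_group` parameter exists on `profile::postgresql` and defaulting to it if so. In the `$copy_keys` branch the `file` resources are only ordered after the certs directory, while the generated-cert branch adds no explicit ordering between the `ssl::self_signed_certificate` resource and the config entries; a short comment such as `# key material is copied into $datadir/certs with 0600/$pg_user so the server can read it regardless of the source file's ownership` would document why copying is the default.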