From 2f3d3a34ab0b3fd31bd84e4c935954740313dbed Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 27 Jun 2018 13:10:32 +0200
Subject: [PATCH] Add ssl certificate for postgresql connection
---
 modules/role/manifests/backup/postgresql.pp | 30 ++++++++++++++++---
 .../role/templates/backup/postgresql.conf.erb | 2 ++
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index aef177b..ee62a00 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -121,16 +121,38 @@ class role::backup::postgresql inherits role::backup { } else { $pg_backup_host = $host["vars"]["real_hostname"][0] } + + $pg_path = "$mountpoint/$pg_backup_host/postgresql" + $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" + $pg_host = "$pg_backup_host" + $pg_port = $pg_infos["dbport"] + if has_key($host["vars"], "postgresql_backup_port") { $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] + file { "$pg_path/certs": + ensure => directory, + mode => "0700", + owner => $pg_user, + group => $pg_group, + } -> + ssl::self_signed_certificate { $backup_host_cn: + common_name => $backup_host_cn, + country => "FR", + days => "3650", + organization => "Immae", + owner => $pg_user, + group => $pg_group, + directory => "$pg_path/certs", + before => File["$pg_path/postgresql.conf"], + } + $ssl_key = "$pg_path/certs/$backup_host_cn.key" + $ssl_cert = "$pg_path/certs/$backup_host_cn.crt" } else { $pg_listen_port = undef + $ssl_key = undef + $ssl_cert = undef } - $pg_path = "$mountpoint/$pg_backup_host/postgresql" - $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" - $pg_host = "$pg_backup_host" - $pg_port = $pg_infos["dbport"] unless empty($host) { $host["ipHostNumber"].each |$ip| {
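Review bot: The `ssl::self_signed_certificate` resource creates a self-signed certificate valid for ten years (`days => "3650"`), so it authenticates this PostgreSQL instance only to clients that pin it, and nothing in this hunk distributes the `.crt` to the connecting side. A client that connects without certificate verification gets an encrypted link that an active man-in-the-middle can still intercept; I would record that above the resource, e.g. `# self-signed: clients must pin this cert (sslrootcert + sslmode=verify-ca), otherwise TLS here is encryption-only`. The resource also passes `owner` and `group` but no mode for the key, and PostgreSQL refuses to start when a key file owned by the database user is group- or world-accessible, so it is worth confirming that the define writes `$ssl_key` as 0600 (the define is not visible here). The enclosing class body starts and ends outside the hunk.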
diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb
index c4d223e..8741507 100644
--- a/modules/role/templates/backup/postgresql.conf.erb
+++ b/modules/role/templates/backup/postgresql.conf.erb
@@ -2,6 +2,8 @@
 listen_addresses= '*'
 port = <%= @pg_listen_port %>
 ssl = on
+ssl_key_file = '<%= @ssl_key %>'
+ssl_cert_file = '<%= @ssl_cert %>'
 <%- else -%>
 listen_addresses= ''
 <%- end %>
-- 
2.41.0
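Review bot: `ssl = on` together with the new `ssl_key_file` and `ssl_cert_file` lines makes TLS available on the `listen_addresses= '*'` listener but does not require it; plaintext connections are still accepted unless the matching `pg_hba.conf` entries use `hostssl` rather than `host`. That file is not part of this commit, so this may already be handled, but a comment next to the new lines would make the dependency explicit, e.g. `# TLS is enforced by hostssl entries in pg_hba.conf, not by this file`. The conditional that opens this branch starts outside the hunk.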