Add ssl certificate for postgresql connection

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-27 13:10:32 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-27 13:12:14 +0200
commit: 2f3d3a34ab0b3fd31bd84e4c935954740313dbed (patch)
tree: 97beae3acaf1c552cf5c19521260e76dedae5913
parent: cc278743bffea94197755c0d114389f5fd69596a (diff)
download: Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.tar.gz
Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.tar.zst
Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.zip
2 files changed, 28 insertions, 4 deletions
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index aef177b..ee62a00 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -121,16 +121,38 @@ class role::backup::postgresql inherits role::backup {
    } else {
      $pg_backup_host = $host["vars"]["real_hostname"][0]
    }
+    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
+    $pg_host = "$pg_backup_host"
+    $pg_port = $pg_infos["dbport"]
    if has_key($host["vars"], "postgresql_backup_port") {
      $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
+      file { "$pg_path/certs":
+        ensure => directory,
+        mode   => "0700",
+        owner  => $pg_user,
+        group  => $pg_group,
+      } ->
+      ssl::self_signed_certificate { $backup_host_cn:
+        common_name  => $backup_host_cn,
+        country      => "FR",
+        days         => "3650",
+        organization => "Immae",
+        owner        => $pg_user,
+        group        => $pg_group,
+        directory    => "$pg_path/certs",
+        before       => File["$pg_path/postgresql.conf"],
+      }
+      $ssl_key  = "$pg_path/certs/$backup_host_cn.key"
+      $ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
    } else {
      $pg_listen_port = undef
+      $ssl_key = undef
+      $ssl_cert = undef
    }
-    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
-    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
-    $pg_host = "$pg_backup_host"
-    $pg_port = $pg_infos["dbport"]
    unless empty($host) {
      $host["ipHostNumber"].each |$ip| {
diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb
index c4d223e..8741507 100644
--- a/modules/role/templates/backup/postgresql.conf.erb
+++ b/modules/role/templates/backup/postgresql.conf.erb
@@ -2,6 +2,8 @@
 listen_addresses= '*'
 port = <%= @pg_listen_port %>
 ssl = on
+ssl_key_file = '<%= @ssl_key %>'
+ssl_cert_file = '<%= @ssl_cert %>'
 <%- else -%>
 listen_addresses= ''
 <%- end %>
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-27 13:10:32 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-27 13:12:14 +0200
commit	2f3d3a34ab0b3fd31bd84e4c935954740313dbed (patch)
tree	97beae3acaf1c552cf5c19521260e76dedae5913
parent	cc278743bffea94197755c0d114389f5fd69596a (diff)
download	Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.tar.gz Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.tar.zst Puppet-2f3d3a34ab0b3fd31bd84e4c935954740313dbed.zip

diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index aef177b..ee62a00 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp
@@ -121,16 +121,38 @@ class role::backup::postgresql inherits role::backup {
121	} else {	121	} else {
122	$pg_backup_host = $host["vars"]["real_hostname"][0]	122	$pg_backup_host = $host["vars"]["real_hostname"][0]
123	}	123	}
		124
		125	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
		126	$pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
		127	$pg_host = "$pg_backup_host"
		128	$pg_port = $pg_infos["dbport"]
		129
124	if has_key($host["vars"], "postgresql_backup_port") {	130	if has_key($host["vars"], "postgresql_backup_port") {
125	$pg_listen_port = $host["vars"]["postgresql_backup_port"][0]	131	$pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
		132	file { "$pg_path/certs":
		133	ensure => directory,
		134	mode => "0700",
		135	owner => $pg_user,
		136	group => $pg_group,
		137	} ->
		138	ssl::self_signed_certificate { $backup_host_cn:
		139	common_name => $backup_host_cn,
		140	country => "FR",
		141	days => "3650",
		142	organization => "Immae",
		143	owner => $pg_user,
		144	group => $pg_group,
		145	directory => "$pg_path/certs",
		146	before => File["$pg_path/postgresql.conf"],
		147	}
		148	$ssl_key = "$pg_path/certs/$backup_host_cn.key"
		149	$ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
126	} else {	150	} else {
127	$pg_listen_port = undef	151	$pg_listen_port = undef
		152	$ssl_key = undef
		153	$ssl_cert = undef
128	}	154	}
129		155
130	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
131	$pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
132	$pg_host = "$pg_backup_host"
133	$pg_port = $pg_infos["dbport"]
134		156
135	unless empty($host) {	157	unless empty($host) {
136	$host["ipHostNumber"].each \|$ip\| {	158	$host["ipHostNumber"].each \|$ip\| {


diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb index c4d223e..8741507 100644 --- a/modules/role/templates/backup/postgresql.conf.erb +++ b/modules/role/templates/backup/postgresql.conf.erb
@@ -2,6 +2,8 @@
2	listen_addresses= '*'	2	listen_addresses= '*'
3	port = <%= @pg_listen_port %>	3	port = <%= @pg_listen_port %>
4	ssl = on	4	ssl = on
		5	ssl_key_file = '<%= @ssl_key %>'
		6	ssl_cert_file = '<%= @ssl_cert %>'
5	<%- else -%>	7	<%- else -%>
6	listen_addresses= ''	8	listen_addresses= ''
7	<%- end %>	9	<%- end %>