Diffstat (limited to 'modules/profile/manifests/postgresql/ssl.pp')
-rw-r--r-- | modules/profile/manifests/postgresql/ssl.pp | 82 |
1 files changed, 82 insertions, 0 deletions
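diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp
new file mode 100644
index 0000000..dc56c0b
--- /dev/null
+++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,82 @@
+define profile::postgresql::ssl (
+  Optional[String] $cert = undef,
+  Optional[String] $key = undef,
+  Optional[String] $certname = undef,
+  Optional[Boolean] $copy_keys = true,
+  Optional[Boolean] $handle_config_entry = false,
+  Optional[Boolean] $handle_concat_config = false,
+  Optional[String] $pg_user = "postgres",
+  Optional[String] $pg_group = "postgres",
+) {
+  $datadir = $title
+
+  file { "$datadir/certs":
+    ensure => directory,
+    mode => "0700",
+    owner => $pg_user,
+    group => $pg_group,
+    require => File[$datadir],
+  }
+
+  if empty($cert) or empty($key) {
+    if empty($certname) {
+      fail("A certificate name is necessary to generate ssl certificate")
+    }
+
+    ssl::self_signed_certificate { $certname:
+      common_name => $certname,
+      country => "FR",
+      days => "3650",
+      organization => "Immae",
+      owner => $pg_user,
+      group => $pg_group,
+      directory => "$datadir/certs",
+    }
+
+    $ssl_key = "$datadir/certs/$certname.key"
+    $ssl_cert = "$datadir/certs/$certname.crt"
+  } elsif $copy_keys {
+    $ssl_key = "$datadir/certs/privkey.pem"
+    $ssl_cert = "$datadir/certs/cert.pem"
+
+    file { $ssl_cert:
+      source => "file://$cert",
+      mode => "0600",
+      links => "follow",
+      owner => $pg_user,
+      group => $pg_group,
+      require => File["$datadir/certs"],
+    }
+    file { $ssl_key:
+      source => "file://$key",
+      mode => "0600",
+      links => "follow",
+      owner => $pg_user,
+      group => $pg_group,
+      require => File["$datadir/certs"],
+    }
+  } else {
+    $ssl_key = $key
+    $ssl_cert = $cert
+  }
+
+  if $handle_config_entry {
+    postgresql::server::config_entry { "ssl":
+      value => "on",
+    }
+
+    postgresql::server::config_entry { "ssl_cert_file":
+      value => $ssl_cert,
+    }
+
+    postgresql::server::config_entry { "ssl_key_file":
+      value => $ssl_key,
+    }
+  } elsif $handle_concat_config {
+    concat::fragment { "$datadir/postgresql.conf ssl config":
+      target => "$datadir/postgresql.conf",
+      content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
+    }
+  }
+
+}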
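Review bot: The branch condition `if empty($cert) or empty($key)` (line 21 of the new file) turns a half-specified configuration, where only one of `cert`/`key` is given, into a silent fallback to a freshly generated self-signed certificate, so a typo in one parameter quietly replaces the intended certificate instead of failing the run; I would reject that case up front with `if empty($cert) != empty($key) { fail("cert and key must be given together") }` and keep the existing branch for the both-empty case. The `else` branch that points PostgreSQL at `$key` in place (when `copy_keys` is false) enforces none of the owner/`0600` constraints the copy branch applies, and as far as I recall the server refuses to load a key file that is group- or world-readable, so either a `file` resource without `source` or a comment stating that the caller owns those permissions is wanted there. Note also that `ssl = on` only makes TLS available; requiring it from clients is a `pg_hba.conf` matter (`hostssl` entries), which this define does not touch and which a header comment should say explicitly, together with the fact that the generated certificate is self-signed and therefore cannot be validated by clients unless it is distributed to them out of band.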