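# Manage the TLS key/certificate pair for one PostgreSQL data directory and,
# optionally, the matching postgresql.conf settings.
#
# The title is the data directory; the material ends up in "<datadir>/certs"
# (mode 0700, owned by $pg_user). One of three modes is selected, in order:
#
#   * $cert or $key empty   -> a self-signed certificate named $certname is
#                              generated in the certs directory (fails when
#                              $certname is empty too);
#   * $copy_keys true       -> $cert/$key are copied into the certs directory
#                              as cert.pem/privkey.pem, mode 0600, owned by
#                              $pg_user (a symlinked source is resolved to
#                              the real file);
#   * otherwise             -> $cert/$key are referenced in place. Their owner
#                              and mode are NOT managed here: the caller must
#                              keep the key readable by $pg_user and not
#                              group/world readable (or root-owned 0640),
#                              otherwise PostgreSQL refuses to load it.
#
# File[$datadir] has to be declared elsewhere; the certs directory requires it.
# When both config flags are true only $handle_config_entry takes effect.
#
# @param cert                 Absolute path of an existing PEM certificate; undef to self-sign.
# @param key                  Absolute path of the matching PEM private key; undef to self-sign.
# @param certname             CN and file basename of the self-signed certificate.
# @param copy_keys            Copy $cert/$key into the certs directory instead of using them in place.
# @param handle_config_entry  Emit ssl/ssl_cert_file/ssl_key_file through postgresql::server::config_entry.
# @param handle_concat_config Emit the same three settings as a concat::fragment of "<datadir>/postgresql.conf".
# @param pg_user              Owner of the certs directory and of copied/generated files.
# @param pg_group             Group of the certs directory and of copied/generated files.
define profile::postgresql::ssl (
  Optional[String]  $cert                 = undef,
  Optional[String]  $key                  = undef,
  Optional[String]  $certname             = undef,
  Optional[Boolean] $copy_keys            = true,
  Optional[Boolean] $handle_config_entry  = false,
  Optional[Boolean] $handle_concat_config = false,
  Optional[String]  $pg_user              = 'postgres',
  Optional[String]  $pg_group             = 'postgres',
) {
  $datadir = $title
  $ssl_dir = "${datadir}/certs"

  # The private key lives in here, so only the server user may traverse it.
  file { $ssl_dir:
    ensure  => directory,
    mode    => '0700',
    owner   => $pg_user,
    group   => $pg_group,
    require => File[$datadir],
  }

  if empty($cert) or empty($key) {
    # Self-signed mode needs a name for both the CN and the file basename.
    if empty($certname) {
      fail('A certificate name is necessary to generate ssl certificate')
    }

    ssl::self_signed_certificate { $certname:
      common_name  => $certname,
      country      => 'FR',
      days         => '3650',  # ten years; expiry is not tracked here (see FIXME below)
      organization => 'Immae',
      owner        => $pg_user,
      group        => $pg_group,
      directory    => $ssl_dir,
    }

    $ssl_key  = "${ssl_dir}/${certname}.key"
    $ssl_cert = "${ssl_dir}/${certname}.crt"
  } elsif $copy_keys {
    $ssl_key  = "${ssl_dir}/privkey.pem"
    $ssl_cert = "${ssl_dir}/cert.pem"

    # Both copies are 0600 and server-user owned: the certificate is public,
    # but keeping it as tight as the key avoids a world-readable file in a
    # 0700 directory. links => follow resolves a symlinked source path.
    file { $ssl_cert:
      source  => "file://${cert}",
      mode    => '0600',
      links   => 'follow',
      owner   => $pg_user,
      group   => $pg_group,
      require => File[$ssl_dir],
    }
    file { $ssl_key:
      source  => "file://${key}",
      mode    => '0600',
      links   => 'follow',
      owner   => $pg_user,
      group   => $pg_group,
      require => File[$ssl_dir],
    }
  } else {
    # In-place mode: nothing below manages the permissions of these files.
    $ssl_key  = $key
    $ssl_cert = $cert
  }

  if $handle_config_entry {
    postgresql::server::config_entry { 'ssl':
      value => 'on',
    }

    postgresql::server::config_entry { 'ssl_cert_file':
      value => $ssl_cert,
    }

    postgresql::server::config_entry { 'ssl_key_file':
      value => $ssl_key,
    }
  } elsif $handle_concat_config {
    # Paths are written as single-quoted postgresql.conf strings.
    concat::fragment { "${datadir}/postgresql.conf ssl config":
      target  => "${datadir}/postgresql.conf",
      content => "ssl = on\nssl_key_file = '${ssl_key}'\nssl_cert_file = '${ssl_cert}'\n",
    }
  }

  # FIXME: add monitoring for ssl (certificate expiry in particular)
}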