	rewrite ssl cert generation
		@@ -1,4 +1,4 @@
 | 
				
			|||||||
postgresql_version: "15.5"
 | 
					postgresql_version: "15.6"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Options
 | 
					# Options
 | 
				
			||||||
postgresql_install_official_repo: true
 | 
					postgresql_install_official_repo: true
 | 
				
			||||||
@@ -6,6 +6,8 @@ postgresql_play_group: "postgresql"
 | 
				
			|||||||
postgresql_superuser_db: "postgres"
 | 
					postgresql_superuser_db: "postgres"
 | 
				
			||||||
postgresql_superuser_username: "postgres"
 | 
					postgresql_superuser_username: "postgres"
 | 
				
			||||||
postgresql_superuser_password: "postgres"
 | 
					postgresql_superuser_password: "postgres"
 | 
				
			||||||
 | 
					postgresql_user: "postgres"
 | 
				
			||||||
 | 
					postgresql_group: "postgres"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# SSL options
 | 
					# SSL options
 | 
				
			||||||
postgresql_ssl: true
 | 
					postgresql_ssl: true
 | 
				
			||||||
@@ -15,6 +17,9 @@ postgresql_self_signed_cert_name: "cert"
 | 
				
			|||||||
postgresql_cacert_force_append_ips: []
 | 
					postgresql_cacert_force_append_ips: []
 | 
				
			||||||
postgresql_cacert_force_append_names: []
 | 
					postgresql_cacert_force_append_names: []
 | 
				
			||||||
postgresql_cacert_multiple_default_gw_workaround: false
 | 
					postgresql_cacert_multiple_default_gw_workaround: false
 | 
				
			||||||
 | 
					postgresql_cacert_ca_host_group: "postgresql_cacert_ca_host"
 | 
				
			||||||
 | 
					postgresql_cacert_clients_group: "postgresql_cacert_clients"
 | 
				
			||||||
 | 
					postgresql_cacert_ca_trust_anchors_update: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
## WAL-G backup and restore options
 | 
					## WAL-G backup and restore options
 | 
				
			||||||
postgresql_wal_g_install: false
 | 
					postgresql_wal_g_install: false
 | 
				
			||||||
 
 | 
				
			|||||||
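Review bot: `postgresql_cacert_ca_host_group` and `postgresql_cacert_clients_group` are new inventory-group names that tasks/ssl/ca.yaml and tasks/ssl/certs.yaml index directly in `when:` clauses (`inventory_hostname in groups[postgresql_cacert_ca_host_group]`), and a group missing from the inventory fails there with an undefined-variable error rather than the empty list the loops get from `| default([])`. A short comment above the two keys would prevent a confusing first run, e.g. `# Inventory groups consumed by tasks/ssl/*; both must exist. The CA host group holds the host that generates the CA and signs certs, the clients group the hosts that receive the CA cert and their own cert.` The CA host group presumably expects a single member, since the `Create CA` block generates a separate CA key on every host in it; if so, that is worth stating in the same comment.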
@@ -2,15 +2,15 @@
 | 
				
			|||||||
- name: Create data directory
 | 
					- name: Create data directory
 | 
				
			||||||
  file:
 | 
					  file:
 | 
				
			||||||
    path: "{{ postgresql_data_dir }}"
 | 
					    path: "{{ postgresql_data_dir }}"
 | 
				
			||||||
    owner: "postgres"
 | 
					    owner: "{{ postgresql_user }}"
 | 
				
			||||||
    group: "postgres"
 | 
					    group: "{{ postgresql_group }}"
 | 
				
			||||||
    state: directory
 | 
					    state: directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Create configuration directory
 | 
					- name: Create configuration directory
 | 
				
			||||||
  file:
 | 
					  file:
 | 
				
			||||||
    path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
					    path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
				
			||||||
    owner: "postgres"
 | 
					    owner: "{{ postgresql_user }}"
 | 
				
			||||||
    group: "postgres"
 | 
					    group: "{{ postgresql_group }}"
 | 
				
			||||||
    state: directory
 | 
					    state: directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Merge user options for PostgreSQL config
 | 
					- name: Merge user options for PostgreSQL config
 | 
				
			||||||
@@ -29,33 +29,33 @@
 | 
				
			|||||||
  block:
 | 
					  block:
 | 
				
			||||||
    - name: Template PostgreSQL pg_hba configuration
 | 
					    - name: Template PostgreSQL pg_hba configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-pg_hba.conf.j2"
 | 
					        src: "pg_hba.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/pg_hba.conf"
 | 
					        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/pg_hba.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: pg_hba_config_file
 | 
					      register: pg_hba_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
        - Restart PostgreSQL
 | 
					        - Restart PostgreSQL
 | 
				
			||||||
    - name: Template PostgreSQL configuration
 | 
					    - name: Template PostgreSQL configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-postgresql.conf.j2"
 | 
					        src: "postgresql.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/postgresql.conf"
 | 
					        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/postgresql.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: postgresql_config_file
 | 
					      register: postgresql_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
        - Restart PostgreSQL
 | 
					        - Restart PostgreSQL
 | 
				
			||||||
    - name: Template PostgreSQL SSL configuration
 | 
					    - name: Template PostgreSQL SSL configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-postgresql.ssl.conf.j2"
 | 
					        src: "postgresql.ssl.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/postgresql.ssl.conf"
 | 
					        dest: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}/postgresql.ssl.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: postgresql_ssl_config_file
 | 
					      register: postgresql_ssl_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
 
 | 
				
			|||||||
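Review bot: In the `Create data directory` task of the `@@ -2,15 +2,15 @@` hunk, owner and group now come from `postgresql_user`/`postgresql_group`, but the directory mode is still left to the umask, so a freshly created `postgresql_data_dir` can come out group- or world-accessible. PostgreSQL refuses to start on a data directory that is group- or world-accessible; initdb repairs the mode when it initialises an empty directory, but nothing in this hunk shows where initdb runs, so setting it explicitly is cheaper than relying on that: add `    mode: "0700"` under `state: directory`. The `Create configuration directory` task in the same hunk, which ends up holding the 0600 pg_hba.conf and postgresql.conf, would also benefit from an explicit mode.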
@@ -7,7 +7,8 @@
 | 
				
			|||||||
  tags: postgresql_configuration
 | 
					  tags: postgresql_configuration
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: "Manage TLS/SSL certificates"
 | 
					- name: "Manage TLS/SSL certificates"
 | 
				
			||||||
  include_tasks: cacert.yaml
 | 
					  #include_tasks: cacert.yaml
 | 
				
			||||||
 | 
					  include_tasks: ssl/main.yaml
 | 
				
			||||||
  when: postgresql_ssl
 | 
					  when: postgresql_ssl
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Include WAL-G role
 | 
					- name: Include WAL-G role
 | 
				
			||||||
 
 | 
				
			|||||||
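Review bot: The added `#include_tasks: cacert.yaml` line in the `Manage TLS/SSL certificates` task is commented-out code left behind by the switch to `include_tasks: ssl/main.yaml`; the same line is added in the `@@ -28,7 +28,8 @@` hunk of the other main task file below. Git history already preserves the old include, so the line should be dropped rather than kept as a comment that invites someone to re-enable a code path this commit replaces. If cacert.yaml itself is no longer referenced after this commit, removing it in the same change keeps the role from shipping two certificate generators.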
@@ -15,33 +15,33 @@
 | 
				
			|||||||
  block:
 | 
					  block:
 | 
				
			||||||
    - name: Template PostgreSQL pg_hba configuration
 | 
					    - name: Template PostgreSQL pg_hba configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-pg_hba.conf.j2"
 | 
					        src: "pg_hba.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_data_dir }}/pg_hba.conf"
 | 
					        dest: "{{ postgresql_data_dir }}/pg_hba.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: pg_hba_config_file
 | 
					      register: pg_hba_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
        - Restart PostgreSQL
 | 
					        - Restart PostgreSQL
 | 
				
			||||||
    - name: Template PostgreSQL configuration
 | 
					    - name: Template PostgreSQL configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-postgresql.conf.j2"
 | 
					        src: "postgresql.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_data_dir }}/postgresql.conf"
 | 
					        dest: "{{ postgresql_data_dir }}/postgresql.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: postgresql_config_file
 | 
					      register: postgresql_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
        - Restart PostgreSQL
 | 
					        - Restart PostgreSQL
 | 
				
			||||||
    - name: Template PostgreSQL SSL configuration
 | 
					    - name: Template PostgreSQL SSL configuration
 | 
				
			||||||
      template:
 | 
					      template:
 | 
				
			||||||
        src: "{{ postgresql_major_version }}-postgresql.ssl.conf.j2"
 | 
					        src: "postgresql.ssl.conf.j2"
 | 
				
			||||||
        dest: "{{ postgresql_data_dir }}/postgresql.ssl.conf"
 | 
					        dest: "{{ postgresql_data_dir }}/postgresql.ssl.conf"
 | 
				
			||||||
        mode: 0600
 | 
					        mode: 0600
 | 
				
			||||||
        owner: postgres
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
        group: postgres
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
      register: postgresql_ssl_config_file
 | 
					      register: postgresql_ssl_config_file
 | 
				
			||||||
      notify:
 | 
					      notify:
 | 
				
			||||||
        - Reload PostgreSQL
 | 
					        - Reload PostgreSQL
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -28,7 +28,8 @@
 | 
				
			|||||||
  include_tasks: data_dir.yaml
 | 
					  include_tasks: data_dir.yaml
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: "Manage TLS/SSL certificates"
 | 
					- name: "Manage TLS/SSL certificates"
 | 
				
			||||||
  include_tasks: cacert.yaml
 | 
					  #include_tasks: cacert.yaml
 | 
				
			||||||
 | 
					  include_tasks: ssl/main.yaml
 | 
				
			||||||
  when: postgresql_ssl
 | 
					  when: postgresql_ssl
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Include WAL-G role
 | 
					- name: Include WAL-G role
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -27,10 +27,6 @@
 | 
				
			|||||||
  include_tasks: "{{ ansible_facts['os_family'] }}/main.yaml"
 | 
					  include_tasks: "{{ ansible_facts['os_family'] }}/main.yaml"
 | 
				
			||||||
  tags: postgresql_setup
 | 
					  tags: postgresql_setup
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#- name: "Manage TLS/SSL certificates"
 | 
					 | 
				
			||||||
#  include_tasks: cacert.yaml
 | 
					 | 
				
			||||||
#  when: postgresql_ssl
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
- name: Enable and start PostgreSQL
 | 
					- name: Enable and start PostgreSQL
 | 
				
			||||||
  systemd:
 | 
					  systemd:
 | 
				
			||||||
    daemon_reload: true
 | 
					    daemon_reload: true
 | 
				
			||||||
 
 | 
				
			|||||||
							
								
								
									
										142
									
								
								tasks/ssl/ca.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										142
									
								
								tasks/ssl/ca.yaml
									
									
									
									
									
										Normal file
									
								
							@@ -0,0 +1,142 @@
 | 
				
			|||||||
 | 
					- name: Create CA
 | 
				
			||||||
 | 
					  when: inventory_hostname in groups[postgresql_cacert_ca_host_group]
 | 
				
			||||||
 | 
					  block:
 | 
				
			||||||
 | 
					    - name: CA and certs | Install cryptography library
 | 
				
			||||||
 | 
					      package:
 | 
				
			||||||
 | 
					        name: python3-cryptography
 | 
				
			||||||
 | 
					        state: present
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: CA and certs | Check if ssl gen dir exist
 | 
				
			||||||
 | 
					      file:
 | 
				
			||||||
 | 
					        name: "{{ postgresql_ssl_path }}"
 | 
				
			||||||
 | 
					        state: directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
 | 
				
			||||||
 | 
					      community.crypto.openssl_privatekey:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_key_gen
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate an OpenSSL Certificate Signing Request
 | 
				
			||||||
 | 
					      community.crypto.openssl_csr:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
 | 
				
			||||||
 | 
					        privatekey_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					        use_common_name_for_san: false
 | 
				
			||||||
 | 
					        basic_constraints:
 | 
				
			||||||
 | 
					          - 'CA:TRUE'
 | 
				
			||||||
 | 
					        basic_constraints_critical: yes
 | 
				
			||||||
 | 
					        key_usage:
 | 
				
			||||||
 | 
					          - keyCertSign
 | 
				
			||||||
 | 
					        key_usage_critical: true
 | 
				
			||||||
 | 
					        common_name: "CA-{{ postgresql_self_signed_cert_name }}"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_csr
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate a Self Signed OpenSSL CA certificate
 | 
				
			||||||
 | 
					      community.crypto.x509_certificate:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
 | 
				
			||||||
 | 
					        csr_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
 | 
				
			||||||
 | 
					        privatekey_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					        provider: selfsigned
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_cert_gen
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CA cert content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_cert_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CA csr content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_csr_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CA key content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_ca_key_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Set facts about key and cert
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_cacert_ca_key: "{{ postgresql_cacert_ca_key_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					        postgresql_cacert_ca_csr: "{{ postgresql_cacert_ca_csr_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					        postgresql_cacert_ca_cert: "{{ postgresql_cacert_ca_cert_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					      delegate_to: "{{ fact_item }}"
 | 
				
			||||||
 | 
					      delegate_facts: true
 | 
				
			||||||
 | 
					      with_items: 
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: fact_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Distribute CA certificates
 | 
				
			||||||
 | 
					  become: true
 | 
				
			||||||
 | 
					  block:
 | 
				
			||||||
 | 
					    - name: CA and cert | Check if dest dir exist on remote host
 | 
				
			||||||
 | 
					      file:
 | 
				
			||||||
 | 
					        name: "{{ postgresql_ssl_path }}"
 | 
				
			||||||
 | 
					        state: directory
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CA key
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_ca_key }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					        mode: 0600
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CA csr
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_ca_csr }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CA cert
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_ca_cert }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CA OpenSSL cert to PKI
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_ca_cert }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_cacert_ca_trust_dir }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					      register: postgresql_ca_trust_anchors
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Update CA trust
 | 
				
			||||||
 | 
					      shell: "{{ postgresql_cacert_update_ca_trust_command }}"
 | 
				
			||||||
 | 
					      loop:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: host_item
 | 
				
			||||||
 | 
					      when:
 | 
				
			||||||
 | 
					        - postgresql_ca_trust_anchors.changed 
 | 
				
			||||||
 | 
					        - postgresql_cacert_ca_trust_anchors_update
 | 
				
			||||||
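Review bot: The `Put CA key` task in the `Distribute CA certificates` block copies the CA private key (`postgresql_cacert_ca_key`) to `{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key` on every host this file runs on, and the block has no `when:`, so each client host ends up holding the key that can sign certificates for the whole cluster; clients only need the CA certificate to verify, and the key already exists on the CA host where it was generated. Guarding the task with `when: inventory_hostname in groups[postgresql_cacert_ca_host_group]` (or dropping it), and not delegating `postgresql_cacert_ca_key` to the clients group in `Set facts about key and cert`, keeps the signing key off clients and out of their cached hostvars. Note also that the `loop:` over two list-valued items with an unused `host_item` in the distribution tasks does not address those hosts (there is no `delegate_to`); it only runs each copy twice on the current host, and unlike `with_items` in the `Set facts` task, `loop` does not flatten the nested lists. Separately, `basic_constraints_critical: yes` two lines above `key_usage_critical: true` should be `true` for consistency with the rest of the file.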
							
								
								
									
										181
									
								
								tasks/ssl/certs.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										181
									
								
								tasks/ssl/certs.yaml
									
									
									
									
									
										Normal file
									
								
							@@ -0,0 +1,181 @@
 | 
				
			|||||||
 | 
					- name: CA and certs | Generate CN certs and keys
 | 
				
			||||||
 | 
					  when: inventory_hostname in groups[postgresql_cacert_ca_host_group]
 | 
				
			||||||
 | 
					  block:
 | 
				
			||||||
 | 
					    - name: Generate an OpenSSL private client key {{ item }} with the default values (4096 bits, RSA)
 | 
				
			||||||
 | 
					      community.crypto.openssl_privatekey:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/{{ item }}.key"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_client_key_gen
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_ips from ansible_host
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_ips_from_ansible_host: "{{ hostvars[item]['ansible_host'] | regex_replace('^', 'IP:') }}"
 | 
				
			||||||
 | 
					      when: hostvars[item]['ansible_host'] is defined
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_ips from default ipv4 address
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_ips: "{{ hostvars[item]['ansible_default_ipv4']['address'] | regex_replace('^', 'IP:') }}"
 | 
				
			||||||
 | 
					      when:
 | 
				
			||||||
 | 
					        - hostvars[item]['ansible_default_ipv4']['address'] is defined
 | 
				
			||||||
 | 
					        - not postgresql_cacert_multiple_default_gw_workaround
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_names from inventory_hostname
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_names: "{{ item | regex_replace('^', 'DNS:') }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_ips from ansible_all_ipv4_addresses
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_ips_all_ipv4: "{{ hostvars[item]['ansible_all_ipv4_addresses'] | map('regex_replace', '^', 'IP:') | join(',') }}"
 | 
				
			||||||
 | 
					      when: hostvars[item]['ansible_all_ipv4_addresses'] is defined
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_ips from postgresql_cacert_force_append_ips
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_ips_force_append: "{{ postgresql_cacert_force_append_ips | map('regex_replace', '^', 'IP:') | join(',') }}"
 | 
				
			||||||
 | 
					      when: 
 | 
				
			||||||
 | 
					        - postgresql_cacert_force_append_ips is defined
 | 
				
			||||||
 | 
					        - postgresql_cacert_force_append_ips | length > 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate PostgreSQL subject_alt_names from postgresql_cacert_force_append_names
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_server_subject_alt_names_force_append: "{{ postgresql_cacert_force_append_names | map('regex_replace', '^', 'DNS:') | join(',') }}"
 | 
				
			||||||
 | 
					      when: 
 | 
				
			||||||
 | 
					        - postgresql_cacert_force_append_names is defined
 | 
				
			||||||
 | 
					        - postgresql_cacert_force_append_names | length > 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Construct base subject_alt_name
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        subject_alt_name:
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_names }}"
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_ips_from_ansible_host }}"
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_ips_all_ipv4 }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Construct subject_alt_name with postgresql_server_subject_alt_ips
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        subject_alt_name:
 | 
				
			||||||
 | 
					          - "{{ subject_alt_name | join(',') }}"
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_ips }}"
 | 
				
			||||||
 | 
					      when: postgresql_server_subject_alt_ips is defined
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Construct subject_alt_name with postgresql_server_subject_alt_ips_force_append
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        subject_alt_name:
 | 
				
			||||||
 | 
					          - "{{ subject_alt_name | join(',') }}"
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_ips_force_append }}"
 | 
				
			||||||
 | 
					      when: postgresql_server_subject_alt_ips_force_append is defined
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Construct subject_alt_name with postgresql_server_subject_alt_names_force_append
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        subject_alt_name:
 | 
				
			||||||
 | 
					          - "{{ subject_alt_name | join(',') }}"
 | 
				
			||||||
 | 
					          - "{{ postgresql_server_subject_alt_names_force_append }}"
 | 
				
			||||||
 | 
					      when: postgresql_server_subject_alt_names_force_append is defined
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - debug:
 | 
				
			||||||
 | 
					        msg: "{{ subject_alt_name }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate an OpenSSL Certificate Signing Request for client
 | 
				
			||||||
 | 
					      community.crypto.openssl_csr:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/{{ item }}.csr"
 | 
				
			||||||
 | 
					        privatekey_path: "{{ postgresql_ssl_path }}/{{ item }}.key"
 | 
				
			||||||
 | 
					        common_name: "{{ item }}"
 | 
				
			||||||
 | 
					        subject_alt_name: "{{ subject_alt_name | join(',') }}"
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					      register: postgresql_csr
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Generate an OpenSSL certificate for client signed with your own CA certificate
 | 
				
			||||||
 | 
					      community.crypto.x509_certificate:
 | 
				
			||||||
 | 
					        path: "{{ postgresql_ssl_path }}/{{ item }}.crt"
 | 
				
			||||||
 | 
					        csr_path: "{{ postgresql_ssl_path }}/{{ item }}.csr"
 | 
				
			||||||
 | 
					        ownca_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
 | 
				
			||||||
 | 
					        ownca_privatekey_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
 | 
				
			||||||
 | 
					        provider: ownca
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					      register: postgresql_cert
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get {{ item }} OpenSSL crt and key content
 | 
				
			||||||
 | 
					      ansible.builtin.shell: |
 | 
				
			||||||
 | 
					        cat {{ postgresql_ssl_path }}/{{ item }}.crt {{ postgresql_ssl_path }}/{{ item }}.key
 | 
				
			||||||
 | 
					      register: concated_crt_key
 | 
				
			||||||
 | 
					      changed_when: false
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Concatenate and save {{ item }} OpenSSL crt and key to single file
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ concated_crt_key.stdout }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/{{ item }}.pem"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CN key {{ item }} content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/{{ item }}.key"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_cn_certs_key_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CN csr {{ item }} content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/{{ item }}.csr"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_cn_certs_csr_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CN cert {{ item }} content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/{{ item }}.crt"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_cn_certs_cert_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Get CN cert and key concat {{ item }} content
 | 
				
			||||||
 | 
					      slurp:
 | 
				
			||||||
 | 
					        src: "{{ postgresql_ssl_path }}/{{ item }}.pem"
 | 
				
			||||||
 | 
					      register: postgresql_cacert_cn_certs_concat_b64
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Set facts about {{ item }} key and cert and delegate
 | 
				
			||||||
 | 
					      set_fact:
 | 
				
			||||||
 | 
					        postgresql_cacert_cn_certs_key: "{{ postgresql_cacert_cn_certs_key_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					        postgresql_cacert_cn_certs_csr: "{{ postgresql_cacert_cn_certs_csr_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					        postgresql_cacert_cn_certs_cert: "{{ postgresql_cacert_cn_certs_cert_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					        postgresql_cacert_cn_certs_concat: "{{ postgresql_cacert_cn_certs_concat_b64.content | b64decode }}"
 | 
				
			||||||
 | 
					      delegate_to: "{{ fact_item }}"
 | 
				
			||||||
 | 
					      delegate_facts: true
 | 
				
			||||||
 | 
					      with_items:
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
 | 
				
			||||||
 | 
					        - "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
 | 
				
			||||||
 | 
					      loop_control:
 | 
				
			||||||
 | 
					        loop_var: fact_item
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Distribute CN certificates
 | 
				
			||||||
 | 
					  become: true
 | 
				
			||||||
 | 
					  when:
 | 
				
			||||||
 | 
					    - inventory_hostname in groups[postgresql_cacert_clients_group]
 | 
				
			||||||
 | 
					  block:
 | 
				
			||||||
 | 
					    - name: CA and cert | Check if dest dir exist on remote host
 | 
				
			||||||
 | 
					      file:
 | 
				
			||||||
 | 
					        name: "{{ postgresql_ssl_path }}"
 | 
				
			||||||
 | 
					        state: directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CN key
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_cn_certs_key }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/{{ item }}.key"
 | 
				
			||||||
 | 
					        mode: 0600
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CN csr
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_cn_certs_csr }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/{{ item }}.csr"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CN cert
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_cn_certs_cert }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/{{ item }}.crt"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    - name: Put CN key and cert concat
 | 
				
			||||||
 | 
					      copy:
 | 
				
			||||||
 | 
					        content: "{{ postgresql_cacert_cn_certs_concat }}"
 | 
				
			||||||
 | 
					        dest: "{{ postgresql_ssl_path }}/{{ item }}.pem"
 | 
				
			||||||
 | 
					        mode: 0644
 | 
				
			||||||
 | 
					        owner: "{{ postgresql_user }}"
 | 
				
			||||||
 | 
					        group: "{{ postgresql_group }}"
 | 
				
			||||||
							
								
								
									
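--- a/tasks/ssl/main.yaml
+++ b/tasks/ssl/main.yaml
@@ -0,0 +1,26 @@
+- name: Add host to {{ postgresql_cacert_ca_host_group }}
+  add_host:
+    groups: "{{ postgresql_cacert_ca_host_group }}"
+    hostname: "{{ hostvars[item]['ansible_hostname'] }}"
+    ansible_host: "{{ hostvars[item]['ansible_host'] }}"
+  with_items:
+    - "{{ ansible_play_hosts[0] }}"
+  changed_when: false
+  when: groups[postgresql_cacert_ca_host_group] is not defined
+
+- name: Add all hosts to {{ postgresql_cacert_clients_group }}
+  add_host:
+    groups: "{{ postgresql_cacert_clients_group }}"
+    hostname: "{{ hostvars[item]['ansible_hostname'] }}"
+    ansible_host: "{{ hostvars[item]['ansible_host'] }}"
+  with_items:
+    - "{{ ansible_play_hosts }}"
+  changed_when: false
+  when: groups[postgresql_cacert_clients_group] is not defined
+  
+- name: CA and certs | Include CA
+  include_tasks: ca.yaml
+
+- name: CA and certs | Include Certificates
+  include_tasks: certs.yaml
+  loop: "{{ groups[postgresql_cacert_clients_group] }}"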
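Review bot: Both add_host tasks register group members under the gathered `ansible_hostname` fact, while the rest of the role addresses hosts by inventory name — `inventory_hostname in groups[postgresql_cacert_clients_group]` in the preceding certs section and `{{ inventory_hostname }}.crt` / `.key` in the new templates/postgresql.ssl.conf.j2 — so a host whose inventory name differs from its short hostname is never matched by that condition and its server config points at a certificate that was written under a different name. The `hostvars[item]['ansible_host']` lookup is also likely to fail with an undefined-variable error on inventories that never set `ansible_host`. Using the loop item directly and making the address optional keeps the two naming schemes aligned, in both tasks: `hostname: "{{ item }}"` and `ansible_host: "{{ hostvars[item]['ansible_host'] | default(omit) }}"`. The blank line after the second task carries trailing spaces, which yamllint flags.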
@@ -1,3 +0,0 @@
 | 
				
			|||||||
ssl = on
 | 
					 | 
				
			||||||
ssl_cert_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.crt'
 | 
					 | 
				
			||||||
ssl_key_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.key'
 | 
					 | 
				
			||||||
@@ -1,101 +0,0 @@
 | 
				
			|||||||
# PostgreSQL Client Authentication Configuration File
 | 
					 | 
				
			||||||
# ===================================================
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Refer to the "Client Authentication" section in the PostgreSQL
 | 
					 | 
				
			||||||
# documentation for a complete description of this file.  A short
 | 
					 | 
				
			||||||
# synopsis follows.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# This file controls: which hosts are allowed to connect, how clients
 | 
					 | 
				
			||||||
# are authenticated, which PostgreSQL user names they can use, which
 | 
					 | 
				
			||||||
# databases they can access.  Records take one of these forms:
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# local         DATABASE  USER  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# (The uppercase items must be replaced by actual values.)
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# The first field is the connection type:
 | 
					 | 
				
			||||||
# - "local" is a Unix-domain socket
 | 
					 | 
				
			||||||
# - "host" is a TCP/IP socket (encrypted or not)
 | 
					 | 
				
			||||||
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
 | 
					 | 
				
			||||||
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
 | 
					 | 
				
			||||||
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
 | 
					 | 
				
			||||||
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# DATABASE can be "all", "sameuser", "samerole", "replication", a
 | 
					 | 
				
			||||||
# database name, or a comma-separated list thereof. The "all"
 | 
					 | 
				
			||||||
# keyword does not match "replication". Access to replication
 | 
					 | 
				
			||||||
# must be enabled in a separate record (see example below).
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# USER can be "all", a user name, a group name prefixed with "+", or a
 | 
					 | 
				
			||||||
# comma-separated list thereof.  In both the DATABASE and USER fields
 | 
					 | 
				
			||||||
# you can also write a file name prefixed with "@" to include names
 | 
					 | 
				
			||||||
# from a separate file.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# ADDRESS specifies the set of hosts the record matches.  It can be a
 | 
					 | 
				
			||||||
# host name, or it is made up of an IP address and a CIDR mask that is
 | 
					 | 
				
			||||||
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
 | 
					 | 
				
			||||||
# specifies the number of significant bits in the mask.  A host name
 | 
					 | 
				
			||||||
# that starts with a dot (.) matches a suffix of the actual host name.
 | 
					 | 
				
			||||||
# Alternatively, you can write an IP address and netmask in separate
 | 
					 | 
				
			||||||
# columns to specify the set of hosts.  Instead of a CIDR-address, you
 | 
					 | 
				
			||||||
# can write "samehost" to match any of the server's own IP addresses,
 | 
					 | 
				
			||||||
# or "samenet" to match any address in any subnet that the server is
 | 
					 | 
				
			||||||
# directly connected to.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 | 
					 | 
				
			||||||
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 | 
					 | 
				
			||||||
# Note that "password" sends passwords in clear text; "md5" or
 | 
					 | 
				
			||||||
# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# OPTIONS are a set of options for the authentication in the format
 | 
					 | 
				
			||||||
# NAME=VALUE.  The available options depend on the different
 | 
					 | 
				
			||||||
# authentication methods -- refer to the "Client Authentication"
 | 
					 | 
				
			||||||
# section in the documentation for a list of which options are
 | 
					 | 
				
			||||||
# available for which authentication methods.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Database and user names containing spaces, commas, quotes and other
 | 
					 | 
				
			||||||
# special characters must be quoted.  Quoting one of the keywords
 | 
					 | 
				
			||||||
# "all", "sameuser", "samerole" or "replication" makes the name lose
 | 
					 | 
				
			||||||
# its special character, and just match a database or username with
 | 
					 | 
				
			||||||
# that name.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# This file is read on server startup and when the server receives a
 | 
					 | 
				
			||||||
# SIGHUP signal.  If you edit the file on a running system, you have to
 | 
					 | 
				
			||||||
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
 | 
					 | 
				
			||||||
# or execute "SELECT pg_reload_conf()".
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Put your actual configuration here
 | 
					 | 
				
			||||||
# ----------------------------------
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# If you want to allow non-local connections, you need to add more
 | 
					 | 
				
			||||||
# "host" records.  In that case you will also need to make PostgreSQL
 | 
					 | 
				
			||||||
# listen on a non-local interface via the listen_addresses
 | 
					 | 
				
			||||||
# configuration parameter, or via the -i or -h command line switches.
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
# TYPE  DATABASE        USER            ADDRESS                 METHOD
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
local   all             all                                     trust
 | 
					 | 
				
			||||||
# "local" is for Unix domain socket connections only
 | 
					 | 
				
			||||||
local   all             all                                     peer
 | 
					 | 
				
			||||||
# IPv4 local connections:
 | 
					 | 
				
			||||||
host    all             all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
# IPv6 local connections:
 | 
					 | 
				
			||||||
host    all             all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
# Allow replication connections from localhost, by a user with the
 | 
					 | 
				
			||||||
# replication privilege.
 | 
					 | 
				
			||||||
local   replication     all                                     peer
 | 
					 | 
				
			||||||
host    replication     all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
host    replication     all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
 | 
					 | 
				
			||||||
host    all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
{% if postgresql_ssl|bool %}
 | 
					 | 
				
			||||||
hostssl all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
@@ -1,7 +0,0 @@
 | 
				
			|||||||
{% for key, value in postgresql_combined_parameters.items() %}
 | 
					 | 
				
			||||||
{{ key }} = '{{ value }}'
 | 
					 | 
				
			||||||
{% endfor %}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
{% if postgresql_ssl | bool %}
 | 
					 | 
				
			||||||
include = 'postgresql.ssl.conf'
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
@@ -1,3 +0,0 @@
 | 
				
			|||||||
ssl = on
 | 
					 | 
				
			||||||
ssl_cert_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.crt'
 | 
					 | 
				
			||||||
ssl_key_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.key'
 | 
					 | 
				
			||||||
@@ -1,101 +0,0 @@
 | 
				
			|||||||
# PostgreSQL Client Authentication Configuration File
 | 
					 | 
				
			||||||
# ===================================================
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Refer to the "Client Authentication" section in the PostgreSQL
 | 
					 | 
				
			||||||
# documentation for a complete description of this file.  A short
 | 
					 | 
				
			||||||
# synopsis follows.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# This file controls: which hosts are allowed to connect, how clients
 | 
					 | 
				
			||||||
# are authenticated, which PostgreSQL user names they can use, which
 | 
					 | 
				
			||||||
# databases they can access.  Records take one of these forms:
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# local         DATABASE  USER  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# (The uppercase items must be replaced by actual values.)
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# The first field is the connection type:
 | 
					 | 
				
			||||||
# - "local" is a Unix-domain socket
 | 
					 | 
				
			||||||
# - "host" is a TCP/IP socket (encrypted or not)
 | 
					 | 
				
			||||||
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
 | 
					 | 
				
			||||||
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
 | 
					 | 
				
			||||||
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
 | 
					 | 
				
			||||||
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# DATABASE can be "all", "sameuser", "samerole", "replication", a
 | 
					 | 
				
			||||||
# database name, or a comma-separated list thereof. The "all"
 | 
					 | 
				
			||||||
# keyword does not match "replication". Access to replication
 | 
					 | 
				
			||||||
# must be enabled in a separate record (see example below).
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# USER can be "all", a user name, a group name prefixed with "+", or a
 | 
					 | 
				
			||||||
# comma-separated list thereof.  In both the DATABASE and USER fields
 | 
					 | 
				
			||||||
# you can also write a file name prefixed with "@" to include names
 | 
					 | 
				
			||||||
# from a separate file.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# ADDRESS specifies the set of hosts the record matches.  It can be a
 | 
					 | 
				
			||||||
# host name, or it is made up of an IP address and a CIDR mask that is
 | 
					 | 
				
			||||||
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
 | 
					 | 
				
			||||||
# specifies the number of significant bits in the mask.  A host name
 | 
					 | 
				
			||||||
# that starts with a dot (.) matches a suffix of the actual host name.
 | 
					 | 
				
			||||||
# Alternatively, you can write an IP address and netmask in separate
 | 
					 | 
				
			||||||
# columns to specify the set of hosts.  Instead of a CIDR-address, you
 | 
					 | 
				
			||||||
# can write "samehost" to match any of the server's own IP addresses,
 | 
					 | 
				
			||||||
# or "samenet" to match any address in any subnet that the server is
 | 
					 | 
				
			||||||
# directly connected to.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 | 
					 | 
				
			||||||
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 | 
					 | 
				
			||||||
# Note that "password" sends passwords in clear text; "md5" or
 | 
					 | 
				
			||||||
# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# OPTIONS are a set of options for the authentication in the format
 | 
					 | 
				
			||||||
# NAME=VALUE.  The available options depend on the different
 | 
					 | 
				
			||||||
# authentication methods -- refer to the "Client Authentication"
 | 
					 | 
				
			||||||
# section in the documentation for a list of which options are
 | 
					 | 
				
			||||||
# available for which authentication methods.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Database and user names containing spaces, commas, quotes and other
 | 
					 | 
				
			||||||
# special characters must be quoted.  Quoting one of the keywords
 | 
					 | 
				
			||||||
# "all", "sameuser", "samerole" or "replication" makes the name lose
 | 
					 | 
				
			||||||
# its special character, and just match a database or username with
 | 
					 | 
				
			||||||
# that name.
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# This file is read on server startup and when the server receives a
 | 
					 | 
				
			||||||
# SIGHUP signal.  If you edit the file on a running system, you have to
 | 
					 | 
				
			||||||
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
 | 
					 | 
				
			||||||
# or execute "SELECT pg_reload_conf()".
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# Put your actual configuration here
 | 
					 | 
				
			||||||
# ----------------------------------
 | 
					 | 
				
			||||||
#
 | 
					 | 
				
			||||||
# If you want to allow non-local connections, you need to add more
 | 
					 | 
				
			||||||
# "host" records.  In that case you will also need to make PostgreSQL
 | 
					 | 
				
			||||||
# listen on a non-local interface via the listen_addresses
 | 
					 | 
				
			||||||
# configuration parameter, or via the -i or -h command line switches.
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
# TYPE  DATABASE        USER            ADDRESS                 METHOD
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
local   all             all                                     trust
 | 
					 | 
				
			||||||
# "local" is for Unix domain socket connections only
 | 
					 | 
				
			||||||
local   all             all                                     peer
 | 
					 | 
				
			||||||
# IPv4 local connections:
 | 
					 | 
				
			||||||
host    all             all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
# IPv6 local connections:
 | 
					 | 
				
			||||||
host    all             all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
# Allow replication connections from localhost, by a user with the
 | 
					 | 
				
			||||||
# replication privilege.
 | 
					 | 
				
			||||||
local   replication     all                                     peer
 | 
					 | 
				
			||||||
host    replication     all             127.0.0.1/32            {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
host    replication     all             ::1/128                 {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
 | 
					 | 
				
			||||||
host    all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
{% if postgresql_ssl|bool %}
 | 
					 | 
				
			||||||
hostssl all             all             0.0.0.0/0               {{ postgresql_password_encryption_algorithm }}
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
@@ -1,7 +0,0 @@
 | 
				
			|||||||
{% for key, value in postgresql_combined_parameters.items() %}
 | 
					 | 
				
			||||||
{{ key }} = '{{ value }}'
 | 
					 | 
				
			||||||
{% endfor %}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
{% if postgresql_ssl | bool %}
 | 
					 | 
				
			||||||
include = 'postgresql.ssl.conf'
 | 
					 | 
				
			||||||
{% endif %}
 | 
					 | 
				
			||||||
@@ -1,3 +0,0 @@
 | 
				
			|||||||
ssl = on
 | 
					 | 
				
			||||||
ssl_cert_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.crt'
 | 
					 | 
				
			||||||
ssl_key_file = '{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.key'
 | 
					 | 
				
			||||||
							
								
								
									
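--- a/templates/postgresql.ssl.conf.j2
+++ b/templates/postgresql.ssl.conf.j2
@@ -0,0 +1,3 @@
+ssl = on
+ssl_cert_file = '{{ postgresql_ssl_path }}/{{ inventory_hostname }}.crt'
+ssl_key_file = '{{ postgresql_ssl_path }}/{{ inventory_hostname }}.key'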
@@ -19,6 +19,6 @@ postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/{
 | 
				
			|||||||
postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
					postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
				
			||||||
postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
					postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
				
			||||||
postgresql_cluster_name: "main"
 | 
					postgresql_cluster_name: "main"
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-certificates --fresh"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-certificates --fresh"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
					postgresql_cacert_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
				
			||||||
postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
					postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -19,6 +19,6 @@ postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/{
 | 
				
			|||||||
postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
					postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
				
			||||||
postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
					postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
				
			||||||
postgresql_cluster_name: "main"
 | 
					postgresql_cluster_name: "main"
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-certificates --fresh"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-certificates --fresh"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
					postgresql_cacert_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
				
			||||||
postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
					postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -6,8 +6,8 @@ postgresql_home_dir: "/var/lib/pgsql"
 | 
				
			|||||||
postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/data"
 | 
					postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/data"
 | 
				
			||||||
postgresql_ssl_path: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}"
 | 
					postgresql_ssl_path: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-trust extract"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-trust extract"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/etc/pki/ca-trust/source/anchors"
 | 
					postgresql_cacert_ca_trust_dir: "/etc/pki/ca-trust/source/anchors"
 | 
				
			||||||
postgresql_unit_name: "postgresql-{{ postgresql_major_version }}"
 | 
					postgresql_unit_name: "postgresql-{{ postgresql_major_version }}"
 | 
				
			||||||
postgresql_deps_packages:
 | 
					postgresql_deps_packages:
 | 
				
			||||||
  - python39
 | 
					  - python39
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -6,8 +6,8 @@ postgresql_home_dir: "/var/lib/pgsql"
 | 
				
			|||||||
postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/data"
 | 
					postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/data"
 | 
				
			||||||
postgresql_ssl_path: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}"
 | 
					postgresql_ssl_path: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-trust extract"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-trust extract"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/etc/pki/ca-trust/source/anchors"
 | 
					postgresql_cacert_ca_trust_dir: "/etc/pki/ca-trust/source/anchors"
 | 
				
			||||||
postgresql_unit_name: "postgresql-{{ postgresql_major_version }}"
 | 
					postgresql_unit_name: "postgresql-{{ postgresql_major_version }}"
 | 
				
			||||||
postgresql_deps_packages:
 | 
					postgresql_deps_packages:
 | 
				
			||||||
  - python3
 | 
					  - python3
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -19,6 +19,6 @@ postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/{
 | 
				
			|||||||
postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
					postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
				
			||||||
postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
					postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
				
			||||||
postgresql_cluster_name: "main"
 | 
					postgresql_cluster_name: "main"
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-certificates --fresh"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-certificates --fresh"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
					postgresql_cacert_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
				
			||||||
postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
					postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -19,6 +19,6 @@ postgresql_data_dir: "{{ postgresql_home_dir }}/{{ postgresql_major_version }}/{
 | 
				
			|||||||
postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
					postgresql_ssl_path: "{{ postgresql_config_dir }}/{{ postgresql_major_version }}/{{ postgresql_cluster_name }}"
 | 
				
			||||||
postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
					postgresql_package_name_regex: "{{ postgresql_package_name }}-{{ postgresql_version }}-{{ postgresql_version_build }}"
 | 
				
			||||||
postgresql_cluster_name: "main"
 | 
					postgresql_cluster_name: "main"
 | 
				
			||||||
postgresql_ssl_update_ca_command: "update-ca-certificates --fresh"
 | 
					postgresql_cacert_update_ca_trust_command: "update-ca-certificates --fresh"
 | 
				
			||||||
postgresql_ssl_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
					postgresql_cacert_ca_trust_dir: "/usr/local/share/ca-certificates"
 | 
				
			||||||
postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
					postgresql_unit_name: "postgresql@{{ postgresql_major_version}}-{{ postgresql_cluster_name }}"
 | 
				
			||||||
 
 | 
				
			|||||||