Verified Commit d4ed924d authored by Giancarlo Razzolini's avatar Giancarlo Razzolini

roles/postgres: New letsencrypt hook to install renewed certs and also created tasks to copy them

parent 0b9f68ab
......@@ -4,9 +4,9 @@ postgres_max_connections: '100'
postgres_ssl: 'off'
postgres_ssl_prefer_server_ciphers: 'on'
postgres_ssl_cert_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem'
postgres_ssl_key_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem'
postgres_ssl_ca_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem'
postgres_ssl_cert_file: '/var/lib/postgres/data/fullchain.pem'
postgres_ssl_key_file: '/var/lib/postgres/data/privkey.pem'
postgres_ssl_ca_file: '/var/lib/postgres/data/chain.pem'
postgres_shared_buffers: '128MB'
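Review bot: The three new `postgres_ssl_*_file` defaults remain overridable, but the renewal hook template added in this same commit writes to a literal `/var/lib/postgres/data/`, so an inventory override would make the initial copy tasks and the hook install to different places. Either derive the hook's destination from these variables or add a comment above them such as `# must match the destination used by the letsencrypt hook template`. Placing `privkey.pem` inside the data directory also means that anything copying that directory wholesale (base backups, replicas) probably carries the private key along, which is worth confirming against how these hosts are backed up.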
......
......@@ -30,3 +30,22 @@
become: yes
become_user: postgres
become_method: su
- name: install postgres cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755
when: postgres_ssl == 'on'
- name: install postgres certificate
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem dest={{ postgres_ssl_cert_file }}
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
- name: install postgres private key
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem dest={{ postgres_ssl_key_file }}
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
- name: install postgres ca
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
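Review bot: None of the three `copy` tasks carries a `notify`, so a changed certificate or key is written to disk without the running server being told to pick it up. The tasks are also appended at the end of the file, and if the service is started earlier in the role (not visible in this hunk), a first run with `postgres_ssl: 'on'` would start PostgreSQL before the files it points at exist. Consider moving them ahead of the service start and adding `notify: <postgres reload handler>`, a placeholder for whatever handler the role defines. As a point of style, the `key=value` arguments would read better as a native YAML mapping with `mode: '0400'` quoted.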
#!/bin/sh
test "$1" = renew || exit 0
postgres_domain="{{ inventory_hostname }}"
for domain in $RENEWED_DOMAINS; do
case "$domain" in
$postgres_domain)
for pem in /etc/letsencrypt/live/$postgres_domain/{privkey,fullchain,chain}.pem; do
install -o postgres -g postgres -m 400 $pem /var/lib/postgres/data/$pem
done
;;
esac
done
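Review bot: The `install` line builds its destination from `$pem`, which already holds the full `/etc/letsencrypt/live/...` path, so the target becomes `/var/lib/postgres/data//etc/letsencrypt/live/<host>/privkey.pem` and the copy fails because that directory does not exist; renewed certificates would never reach PostgreSQL. The `{privkey,fullchain,chain}` brace expansion is also not POSIX, so under a `/bin/sh` that is not bash the loop runs once over the literal string. Iterating over the base names and quoting the expansions fixes both, and checking the exit status stops a failed copy from passing unnoticed. Nothing in the script reloads PostgreSQL after the copy, so the server presumably keeps serving the old certificate until it is next reloaded or restarted.

```shell
    $postgres_domain)
        # iterate over base names so source and destination are built separately
        for name in privkey fullchain chain; do
            install -o postgres -g postgres -m 400 \
                "/etc/letsencrypt/live/$postgres_domain/$name.pem" \
                "/var/lib/postgres/data/$name.pem" || exit 1
        done
```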