Verified Commit a0025830 authored by Florian Pritz's avatar Florian Pritz

postgres: Install SSL certs before starting postgres


Signed-off-by: Florian Pritz's avatarFlorian Pritz <bluewind@xinu.at>
parent f6870347
......@@ -22,19 +22,6 @@
notify:
- restart postgres
- name: start and enable postgres
service: name=postgresql enabled=yes state=started
- name: set postgres user password
postgresql_user: name=postgres password={{ vault_postgres_users.postgres }} encrypted=yes
become: yes
become_user: postgres
become_method: su
- name: install postgres cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755
when: postgres_ssl == 'on'
- name: install postgres certificate
copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem dest={{ postgres_ssl_cert_file }}
remote_src=true owner=postgres group=postgres mode=0400
......@@ -50,6 +37,19 @@
remote_src=true owner=postgres group=postgres mode=0400
when: postgres_ssl == 'on'
- name: start and enable postgres
service: name=postgresql enabled=yes state=started
- name: set postgres user password
postgresql_user: name=postgres password={{ vault_postgres_users.postgres }} encrypted=yes
become: yes
become_user: postgres
become_method: su
- name: install postgres cert renewal hook
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755
when: postgres_ssl == 'on'
- name: open firewall holes to known postgresql ipv4 clients
firewalld: permanent=true state=enabled immediate=yes
rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
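Review bot: The certificate and renewal-hook tasks are still gated on `when: postgres_ssl == 'on'`, a string comparison, so if `postgres_ssl` is ever defined as an unquoted `on` in vars, YAML 1.1 parses it as the boolean true, both tasks are silently skipped, and the `start and enable postgres` task that now follows them brings the service up without the certificate this reorder was meant to install first; the variable's definition is outside the hunk, so this is inferred rather than observed. Making the variable a real boolean and guarding with `when: postgres_ssl | bool` would close that trap. Separately, `become: yes` should be written `become: true`, and the `key=value` argument strings on `service:`, `postgresql_user:` and `template:` would be more robust as native YAML mappings with the file mode quoted (`mode: "0755"`). The task list continues outside the hunk on both sides.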
......