From 897e3c74b415900042b505cac6d21fc88edee245 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Fri, 18 Mar 2022 15:00:07 +0100 Subject: [PATCH] Update to 2022-03-18 15:00 --- roles/coturn/tasks/main.yml | 2 +- roles/includes/create_selfsigned_cert.yml | 2 +- roles/letsencrypt/templates/domains.txt.j2 | 3 +++ roles/nginx/tasks/ssl.yml | 2 +- roles/postgresql_server/defaults/main.yml | 7 ++++++- roles/postgresql_server/tasks/main.yml | 17 ++++++++++++++++ .../templates/dehydrated_hook.j2 | 20 +++++++++++++++++++ roles/rabbitmq_server/tasks/conf.yml | 2 +- 8 files changed, 50 insertions(+), 5 deletions(-) create mode 100644 roles/postgresql_server/templates/dehydrated_hook.j2 diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml index 3422aa5..b5b48ce 100644 --- a/roles/coturn/tasks/main.yml +++ b/roles/coturn/tasks/main.yml @@ -43,7 +43,7 @@ vars: - cert_path: /etc/coturn/ssl/cert.pem - cert_key_path: /etc/coturn/ssl/key.pem - - cert_user: coturn + - cert_key_user: coturn tags: turn - name: Deploy dehydrated hook diff --git a/roles/includes/create_selfsigned_cert.yml b/roles/includes/create_selfsigned_cert.yml index 8d49562..c932828 100644 --- a/roles/includes/create_selfsigned_cert.yml +++ b/roles/includes/create_selfsigned_cert.yml @@ -21,4 +21,4 @@ creates: "{{ cert_path }}" - name: Restrict permissions of the private key - file: path={{ cert_key_path }} owner={{ cert_user | default(omit) }} group={{ cert_group | default(omit) }} mode={{ cert_mode | default('600') }} + file: path={{ cert_key_path }} owner={{ cert_key_user | default(omit) }} group={{ cert_key_group | default(omit) }} mode={{ cert_key_mode | default('600') }} diff --git a/roles/letsencrypt/templates/domains.txt.j2 b/roles/letsencrypt/templates/domains.txt.j2 index a30e09d..dd5aadc 100644 --- a/roles/letsencrypt/templates/domains.txt.j2 +++ b/roles/letsencrypt/templates/domains.txt.j2 
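Review bot: Renaming `cert_user`/`cert_group`/`cert_mode` to `cert_key_*` while keeping `default(omit)` means any caller still passing the old names gets no error — the key is silently left owned by whoever Ansible connects as (root, presumably) with mode 600, unreadable by the service it was generated for. This commit updates the coturn, nginx and rabbitmq callers, but other includes of this file are not visible here. Consider keeping the old name as a fallback for one release, `owner={{ cert_key_user | default(cert_user) | default(omit) }}`, or putting an `assert` that `cert_user is not defined` ahead of this task so a stale caller fails loudly instead of shipping an unusable key.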
@@ -49,3 +49,6 @@ {% endif %} {% endfor %} {% endif %} +{% if pg_letsencrypt_cert is defined and pg_letsencrypt_cert is string and pg_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %} +{{ pg_letsencrypt_cert }} +{% endif %} diff --git a/roles/nginx/tasks/ssl.yml b/roles/nginx/tasks/ssl.yml index e7f192d..245b307 100644 --- a/roles/nginx/tasks/ssl.yml +++ b/roles/nginx/tasks/ssl.yml @@ -3,7 +3,7 @@ vars: - cert_path: /etc/nginx/ssl/cert.pem - cert_key_path: /etc/nginx/ssl/key.pem - - cert_user: nginx + - cert_key_user: nginx tags: web - name: Create DH param diff --git a/roles/postgresql_server/defaults/main.yml b/roles/postgresql_server/defaults/main.yml index 3720998..4bad3be 100644 --- a/roles/postgresql_server/defaults/main.yml +++ b/roles/postgresql_server/defaults/main.yml @@ -35,6 +35,9 @@ pg_base_conf: lc_monetary: fr_FR.UTF-8 lc_numeric: fr_FR.UTF-8 lc_time: fr_FR.UTF-8 + ssl_cert_file: /var/lib/pgsql/ssl/server.crt + ssl_key_file: /var/lib/pgsql/ssl/server.key + ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}" pg_extra_conf: {} pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}" @@ -74,4 +77,6 @@ pg_privs: [] # Databases and roles to remove pg_databases_to_remove: [] pg_roles_to_remove: [] -... + +# If defined, a Let's Encrypt cert will be obtained and used +# pg_letsencrypt_cert: postgres.example.org diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml index 43e830f..0b6aa57 100644 --- a/roles/postgresql_server/tasks/main.yml +++ b/roles/postgresql_server/tasks/main.yml 
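Review bot: The guard added here requires `pg_letsencrypt_cert is string`, but the postgresql_server defaults (`ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"`) and the dehydrated hook template in this same commit only test `is defined`. A non-string value (a list of names, say) would therefore turn `ssl` on and install a hook without the certificate ever being requested, leaving the server on the self-signed cert with no indication why. Use the same condition in all three places, or drop the `is string` test here and document that the variable must be a single hostname.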
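Review bot: `ssl: on` only makes TLS available to clients; it does not require it, so `sslmode=prefer`/`disable` connections still go in cleartext unless the `pg_hba.conf` entries (not in this hunk) use `hostssl` rather than `host`. Since this role now always creates a self-signed certificate at `ssl_cert_file`/`ssl_key_file`, TLS could also be left on unconditionally — `ssl: 'on'` — so the self-signed cert is actually served instead of being generated and ignored whenever `pg_letsencrypt_cert` is unset. If the targeted PostgreSQL versions are 12 or newer, `ssl_min_protocol_version: TLSv1.2` next to these keys would be worth adding; on releases before 10 the hook's `reload` does not re-read the key material either (a restart is needed), and the supported version range is not visible here.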
@@ -14,6 +14,23 @@ name: "{{ pg_packages }}" tags: pg +- name: Create ssl directory + file: path=/var/lib/pgsql/ssl state=directory owner=postgres group=postgres mode=700 + tags: pg + +- name: Create default self-signed cert + import_tasks: ../includes/create_selfsigned_cert.yml + vars: + - cert_path: /var/lib/pgsql/ssl/server.crt + - cert_key_path: /var/lib/pgsql/ssl/server.key + - cert_key_group: postgres + - cert_key_mode: 0640 + tags: pg + +- name: Install dehydrated hook + template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/postgresql mode=755 + tags: pg + - name: Check if PG_VERSION exists stat: path=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/PG_VERSION register: pg_version_file diff --git a/roles/postgresql_server/templates/dehydrated_hook.j2 b/roles/postgresql_server/templates/dehydrated_hook.j2 new file mode 100644 index 0000000..9fba754 --- /dev/null +++ b/roles/postgresql_server/templates/dehydrated_hook.j2 @@ -0,0 +1,20 @@ +#!/bin/sh + +{% if pg_letsencrypt_cert is defined %} + +if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then + cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/fullchain.pem /var/lib/pgsql/ssl/server.crt + cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/privkey.pem /var/lib/pgsql/ssl/server.key + chown root:postgres /var/lib/pgsql/ssl/server.key + chown root:root /var/lib/pgsql/ssl/server.crt + chmod 640 /var/lib/pgsql/ssl/server.key + chmod 644 /var/lib/pgsql/ssl/server.crt + systemctl reload postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }} +fi + +{% else %} + +# No Let's Encrypt cert configured, nothing to do +exit 0 + +{% endif %} diff --git a/roles/rabbitmq_server/tasks/conf.yml b/roles/rabbitmq_server/tasks/conf.yml index 2595396..4dd8fb6 100644 --- a/roles/rabbitmq_server/tasks/conf.yml +++ b/roles/rabbitmq_server/tasks/conf.yml 
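Review bot: `- cert_key_mode: 0640` is an unquoted YAML 1.1 octal, so Ansible loads it as the integer 416; create_selfsigned_cert.yml then renders it into the key=value string `mode={{ cert_key_mode | default('600') }}` as `mode=416`, and as I read the file module's mode handling a digit string is parsed as octal, giving 0416 — owner r, group x, others rw — which leaves the self-signed `server.key` world-readable and writable. Quote it: `- cert_key_mode: '0640'` (the same trap applies to any other caller of that include). The SSL directory is created `owner=postgres group=postgres mode=700`, so even though the key and cert end up owned by the Ansible user (presumably root), the postgres account can unlink and replace them; `owner=root group=postgres mode=0750` keeps the files under root control while the server can still read them. Whether `/etc/dehydrated/hooks_deploy_cert.d/` exists when this role runs before the letsencrypt role is not visible here, and `template` will fail if it does not.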
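Review bot: The hook is `#!/bin/sh` but tests with `[ $1 == "…" ]`: `==` is a bash extension, so under a POSIX sh such as dash the test aborts with `unexpected operator` and the certificate is never deployed, and the unquoted `$1` breaks the test in another way if the hook is ever invoked without an argument. Use `if [ "$1" = "{{ pg_letsencrypt_cert }}" ]; then`. There is also no `set -e`, so if either `cp` fails (for example the certificate has not been issued yet) the script still runs `chmod` on whatever is at `server.key` and reloads PostgreSQL; a `set -e` after the shebang stops at the first failure, and dehydrated then reports the hook error. Whether `systemctl reload` is sufficient to pick up the new key depends on the PostgreSQL version (re-read on SIGHUP from 10 onward; older releases need a restart), which cannot be determined from this hunk.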
@@ -12,7 +12,7 @@ vars: - cert_path: /etc/rabbitmq/ssl/cert.pem - cert_key_path: /etc/rabbitmq/ssl/key.pem - - cert_user: rabbitmq + - cert_key_user: rabbitmq tags: rabbitmq - name: Check if the cert chain exists