# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

# The aim of this test is to make sure that SSL options work in general
# and to prepare the environment for testing these options in
# the following PostgreSQL modules (ssl_db, ssl_user, certs).
# Configured according to https://www.postgresql.org/docs/current/ssl-tcp.html

####################
# Prepare for tests:

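# Database used by the SSL tests; its name comes from the ssl_db variable.
# Runs as the PostgreSQL OS user so the module can connect locally.
- name: postgresql SSL - create database
  become_user: "{{ pg_user }}"
  become: true
  postgresql_db:
    name: "{{ ssl_db }}"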

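# Login role used by the SSL tests. It is created with SUPERUSER, so it
# has full privileges on this test instance; the password is taken from
# the ssl_pass variable rather than being written here.
- name: postgresql SSL - create role
  become_user: "{{ pg_user }}"
  become: true
  postgresql_user:
    name: "{{ ssl_user }}"
    role_attr_flags: SUPERUSER
    password: "{{ ssl_pass }}"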

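# openssl is needed by the certificate tasks below. Module arguments are
# given as block YAML instead of a "key=value" string.
- name: postgresql SSL - install openssl
  become: true
  package:
    name: openssl
    state: present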

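# Throwaway test CA, step 1: private key and CSR for the root certificate,
# written into the PostgreSQL user's home. shell (not command) is required
# because "~user" expansion is done by the shell, which also means pg_user
# must stay a plain user name. The command is a folded block scalar so it
# reaches the shell as one line; the original single-quoted scalar kept its
# trailing "\" as a literal character after YAML folding.
- name: postgresql SSL - create certs 1
  become_user: root
  become: true
  shell: >-
    openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr
    -keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"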

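# Test CA, step 2: self-sign the root CSR with its own key (3650-day
# validity). Folded block scalar for the same reason as "create certs 1".
# NOTE(review): -extensions v3_ca is given without -extfile; confirm that
# the CA extensions are actually applied with the OpenSSL version in use.
- name: postgresql SSL - create certs 2
  become_user: root
  become: true
  shell: >-
    openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650
    -extensions v3_ca -signkey ~{{ pg_user }}/root.key
    -out ~{{ pg_user }}/root.crt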

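# Server certificate, step 1: private key and CSR for the server, with the
# same subject (CN=localhost.local) as the test CA. shell is needed for
# "~user" expansion; folded block scalar keeps the command on one line.
- name: postgresql SSL - create certs 3
  become_user: root
  become: true
  shell: >-
    openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr
    -keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"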

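# Server certificate, step 2: sign the server CSR with the test CA
# (365-day validity). -CAcreateserial also writes a serial-number file
# next to root.crt.
# NOTE(review): "-out server.crt" is relative to the task's working
# directory, not ~{{ pg_user }} like every other path here, and server.crt
# is not covered by the permission task that follows; confirm where the
# file is expected to end up before relying on it.
- name: postgresql SSL - create certs 4
  become_user: root
  become: true
  shell: >-
    openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365
    -CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key
    -CAcreateserial -out server.crt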

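# Hand the generated files to the PostgreSQL user and restrict them to
# owner read/write. PostgreSQL rejects a server key that is group- or
# world-readable; the CSR and CA certificate are restricted the same way.
# The mode is quoted so YAML does not parse 0600 as an integer.
- name: postgresql SSL - set right permissions to files
  become_user: root
  become: true
  file:
    path: '{{ item }}'
    mode: '0600'
    owner: '{{ pg_user }}'
    group: '{{ pg_user }}'
  with_items:
    - '~{{ pg_user }}/root.key'
    - '~{{ pg_user }}/server.key'
    - '~{{ pg_user }}/root.crt'
    - '~{{ pg_user }}/server.csr'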

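# Turn the server's "ssl" parameter on. The value is quoted: an unquoted
# "on" is read as boolean true by YAML 1.1 loaders such as PyYAML, so the
# module would receive a boolean instead of the string the parameter
# expects. The setting takes effect at the reload in the next task.
- name: postgresql SSL - enable SSL
  become_user: "{{ pg_user }}"
  become: true
  postgresql_set:
    login_user: "{{ pg_user }}"
    db: postgres
    name: ssl
    value: 'on'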

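# Reload (not restart) the service so the ssl setting from the previous
# task is picked up; this assumes a reload is sufficient for that
# parameter on the PostgreSQL version under test.
- name: postgresql SSL - reload PostgreSQL to enable ssl on
  become: true
  service:
    name: "{{ postgresql_service }}"
    state: reloaded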