Commit c32332a3 authored by drebs's avatar drebs

Move PostGIS TLS support to a new class: `profile::postgis::tls`

parent ce3ccd1d
# Install PostGIS and PostgreSQL and configure TLS and authentication.
# Install PostGIS and PostgreSQL
class profile::postgis (
Hash $databases = {},
Stdlib::IP::Address::V4::Nosubnet $listen_address = '127.0.0.1',
......@@ -8,85 +8,43 @@ class profile::postgis (
# Support for TLS encryption
case $tls {
if $tls {
true: {
$ssl_cert_file = '/var/lib/postgresql/tls/fullchain.pem'
$ssl_key_file = '/var/lib/postgresql/tls/privkey.pem'
include profile::nginx
include profile::letsencrypt
nginx::resource::server { $domain: }
$acme_webroot = '/var/www/acme'
firewall { '100 accept HTTP on port 80':
dport => [ 80 ],
proto => 'tcp',
action => 'accept',
destination => "${listen_address}/32",
}
-> nginx::resource::location { "acme-webroot-${domain}":
server => $domain,
location => '^~ /.well-known/acme-challenge/',
www_root => $acme_webroot,
try_files => [ '$uri =404' ],
index_files => [],
location_cfg_prepend => { 'default_type' => 'text/plain' },
}
-> file { '/var/lib/postgresql/tls':
ensure => directory,
owner => 'postgres',
group => 'postgres',
mode => '0750',
}
-> profile::letsencrypt::certonly { $domain: }
~> exec { "Copy TLS cert for ${domain} to a place available to PostgreSQL":
command => "/usr/bin/cp /etc/letsencrypt/live/${domain}/privkey.pem /etc/letsencrypt/live/${domain}/fullchain.pem /var/lib/postgresql/tls/",
refreshonly => true,
notify => Service['postgresql'],
}
-> file { '/var/lib/postgresql/tls/fullchain.pem':
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0644',
}
-> file { '/var/lib/postgresql/tls/privkey.pem':
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0600',
class { 'profile::postgis::tls':
domain => $domain,
listen_address => $listen_address,
ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file,
}
$config_entries = {
ssl => 'on',
ssl_cert_file => '/var/lib/postgresql/tls/fullchain.pem',
ssl_key_file => '/var/lib/postgresql/tls/privkey.pem',
ssl_cert_file => $ssl_cert_file,
ssl_key_file => $ssl_key_file,
}
}
$server_require = [
File[$ssl_key_file],
File[$ssl_cert_file],
]
default: {
$config_entries = {}
}
} else {
$config_entries = {}
$server_require = undef
}
# PostGIS dependencies
$postgresql_server_require = $tls ? { true => File['/var/lib/postgresql/tls/privkey.pem'], default => undef }
class { 'postgresql::server':
listen_addresses => $listen_address,
pg_hba_conf_defaults => false,
config_entries => $config_entries,
require => $postgresql_server_require,
require => $server_require,
}
firewall { '100 accept connections on PostgreSQL port':
......
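Review bot: The TLS file paths are now written out twice — hard-coded into `$ssl_cert_file`/`$ssl_key_file` inside the `if $tls` branch and again as the defaults of `profile::postgis::tls` — so the two copies can drift, and because they are passed explicitly in the resource-like class declaration they cannot be overridden from data for this class. Promoting them to parameters of `profile::postgis` with the same defaults, e.g. `Stdlib::Absolutepath $ssl_cert_file = '/var/lib/postgresql/tls/fullchain.pem',` and `Stdlib::Absolutepath $ssl_key_file = '/var/lib/postgresql/tls/privkey.pem',`, keeps a single source of truth that `config_entries` and `$server_require` both follow. The `$tls` and `$domain` parameters this branch relies on sit above the hunk, outside the visible lines. A short comment on `$server_require` such as `# PostgreSQL must not start before the key and cert exist and are owned by postgres` would also make the ordering intent explicit for the reader of the `else` branch, where it is set to `undef`.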
# TLS support for PostGIS
class profile::postgis::tls (
String $domain = $::fqdn,
Stdlib::IP::Address::V4::Nosubnet $listen_address = '127.0.0.1',
Stdlib::Absolutepath $ssl_cert_file = '/var/lib/postgresql/tls/fullchain.pem',
Stdlib::Absolutepath $ssl_key_file = '/var/lib/postgresql/tls/privkey.pem',
) {
include profile::nginx
include profile::letsencrypt
nginx::resource::server { $domain: }
$acme_webroot = '/var/www/acme'
firewall { '100 accept HTTP on port 80':
dport => [ 80 ],
proto => 'tcp',
action => 'accept',
destination => "${listen_address}/32",
}
-> nginx::resource::location { "acme-webroot-${domain}":
server => $domain,
location => '^~ /.well-known/acme-challenge/',
www_root => $acme_webroot,
try_files => [ '$uri =404' ],
index_files => [],
location_cfg_prepend => { 'default_type' => 'text/plain' },
}
-> file { '/var/lib/postgresql/tls':
ensure => directory,
owner => 'postgres',
group => 'postgres',
mode => '0750',
}
-> profile::letsencrypt::certonly { $domain: }
~> exec { "Copy TLS cert for ${domain} to a place available to PostgreSQL":
command => "/usr/bin/cp /etc/letsencrypt/live/${domain}/privkey.pem /etc/letsencrypt/live/${domain}/fullchain.pem /var/lib/postgresql/tls/",
refreshonly => true,
notify => Service['postgresql'],
}
-> file { $ssl_cert_file:
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0644',
}
-> file { $ssl_key_file:
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0600',
}
}
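Review bot: The `exec` that copies the Let's Encrypt files hard-codes the destination `/var/lib/postgresql/tls/` with fixed file names, while the two `file` resources after it use `$ssl_cert_file` and `$ssl_key_file`; with non-default parameter values the copy lands in the fixed directory and `ensure => file` then creates empty cert and key files at the parameter paths, which is what PostgreSQL is subsequently configured to load. The directory resource for `/var/lib/postgresql/tls` is hard-coded in the same way and should be derived from the parameters or the parameters dropped. Driving the copy from the parameters fixes this, and using `install(1)` instead of `cp` sets `postgres:postgres` and `0600` on the private key in the same step rather than leaving it root-owned until the later `file` resource runs. Whether a certbot renewal outside Puppet re-triggers `profile::letsencrypt::certonly`, and therefore this refresh-only copy, is not visible here and is worth confirming.
```puppet
  -> profile::letsencrypt::certonly { $domain: }
  ~> exec { "Copy TLS key for ${domain} to a place available to PostgreSQL":
    # install(1) sets owner and mode in the same step, so the key is never
    # root-owned between the copy and the file resource below.
    command     => "/usr/bin/install -o postgres -g postgres -m 0600 /etc/letsencrypt/live/${domain}/privkey.pem ${ssl_key_file}",
    refreshonly => true,
    notify      => Service['postgresql'],
  }
  -> exec { "Copy TLS cert for ${domain} to a place available to PostgreSQL":
    command     => "/usr/bin/install -o postgres -g postgres -m 0644 /etc/letsencrypt/live/${domain}/fullchain.pem ${ssl_cert_file}",
    refreshonly => true,
    subscribe   => Profile::Letsencrypt::Certonly[$domain],
    notify      => Service['postgresql'],
  }
  # … unchanged: file resources enforcing ownership and mode on $ssl_cert_file and $ssl_key_file …
```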