OP#228 add tls file control
@@ -22,5 +22,47 @@ class confdroid_postgresql::main::files (
|
|||||||
content => template('confdroid_postgresql/postgresql.conf.erb'),
|
content => template('confdroid_postgresql/postgresql.conf.erb'),
|
||||||
notify => Service[$pl_service],
|
notify => Service[$pl_service],
|
||||||
}
|
}
|
||||||
|
if $pl_ssl_enabled == true {
|
||||||
|
# manage tls certs
|
||||||
|
## ca.crt
|
||||||
|
file { $pl_ca_crt_file:
|
||||||
|
ensure => file,
|
||||||
|
owner => 'postgres',
|
||||||
|
group => 'postgres',
|
||||||
|
mode => '0400',
|
||||||
|
selrange => s0,
|
||||||
|
selrole => object_r,
|
||||||
|
seltype => postgresql_db_t,
|
||||||
|
seluser => unconfined_u,
|
||||||
|
content => template($pl_ca_crt_erb),
|
||||||
|
notify => Service[$pl_service],
|
||||||
|
}
|
||||||
|
## server.crt
|
||||||
|
file { $pl_server_crt_file:
|
||||||
|
ensure => file,
|
||||||
|
owner => 'postgres',
|
||||||
|
group => 'postgres',
|
||||||
|
mode => '0400',
|
||||||
|
selrange => s0,
|
||||||
|
selrole => object_r,
|
||||||
|
seltype => postgresql_db_t,
|
||||||
|
seluser => unconfined_u,
|
||||||
|
content => template($pl_server_crt_erb),
|
||||||
|
notify => Service[$pl_service],
|
||||||
|
}
|
||||||
|
## server.key
|
||||||
|
file { $pl_server_key_file:
|
||||||
|
ensure => file,
|
||||||
|
owner => 'postgres',
|
||||||
|
group => 'postgres',
|
||||||
|
mode => '0400',
|
||||||
|
selrange => s0,
|
||||||
|
selrole => object_r,
|
||||||
|
seltype => postgresql_db_t,
|
||||||
|
seluser => unconfined_u,
|
||||||
|
content => template($pl_server_key_erb),
|
||||||
|
notify => Service[$pl_service],
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
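Review bot: The `$pl_server_key_file` resource delivers private-key material through `content =>`, and a Puppet `file` resource shows content changes as a diff in agent logs and reports by default, so both the old and the new key can end up there; add `show_diff => false` to that resource (the two certificate resources are public material, so it is optional for them). Puppet also copies the replaced file into the client filebucket unless told otherwise, so `backup => false` keeps a superseded key from lingering on disk outside the 0400 file. If `$pl_server_key` is a class parameter, typing it `Sensitive[String]` and passing `content => Sensitive(template($pl_server_key_erb))` keeps it redacted in the catalog as well; the parameter declaration is outside this hunk, so this is a suggestion to confirm. As a style point, `if $pl_ssl_enabled == true {` reads better as `if $pl_ssl_enabled {` when the parameter is typed `Boolean`.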
|
||||||
|
|||||||
@@ -97,6 +97,12 @@ class confdroid_postgresql::params (
|
|||||||
$pl_bouncer_auth_file = "${pl_bouncer_dir}/userlist.txt"
|
$pl_bouncer_auth_file = "${pl_bouncer_dir}/userlist.txt"
|
||||||
$pl_bouncer_auth_erb = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
|
$pl_bouncer_auth_erb = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
|
||||||
$pl_bouncer_rule_erb = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb'
|
$pl_bouncer_rule_erb = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb'
|
||||||
|
$pl_ca_crt_file = "${pl_data_dir}/ca.crt"
|
||||||
|
$pl_ca_crt_erb = 'confdroid_postgresql/server/ca.crt.erb'
|
||||||
|
$pl_server_crt_file = "${pl_data_dir}/server.crt"
|
||||||
|
$pl_server_crt_erb = 'confdroid_postgresql/server/server.crt.erb'
|
||||||
|
$pl_server_key_file = "${pl_data_dir}/server.key"
|
||||||
|
$pl_server_key_erb = 'confdroid_postgresql/server/server.key.erb'
|
||||||
|
|
||||||
# Service
|
# Service
|
||||||
$pl_service = 'postgresql'
|
$pl_service = 'postgresql'
|
||||||
|
|||||||
@@ -108,9 +108,9 @@ shared_preload_libraries = '<%= @reqpackages_extensions %>'
|
|||||||
|
|
||||||
<% if @pl_ssl_enabled == true -%>
|
<% if @pl_ssl_enabled == true -%>
|
||||||
ssl = on
|
ssl = on
|
||||||
ssl_ca_file = '<%= @pl_data_dir %><%= @pl_ca_crt -%>'
|
ssl_ca_file = '<%= @pl_data_dir %>ca.crt'
|
||||||
ssl_cert_file = '<%= @pl_data_dir %><%= @pl_server_crt -%>'
|
ssl_cert_file = '<%= @pl_data_dir %>server.crt'
|
||||||
ssl_key_file = '<%= @pl_data_dir %><%= @pl_server_key -%>'
|
ssl_key_file = '<%= @pl_data_dir %>server.key'
|
||||||
<% end -%>
|
<% end -%>
|
||||||
<% if @pl_ssl_enabled != true -%>
|
<% if @pl_ssl_enabled != true -%>
|
||||||
ssl = off
|
ssl = off
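Review bot: `ssl_ca_file = '<%= @pl_data_dir %>ca.crt'` (and the two lines below it) join the directory and file name with no `/`, while the new params.pp entries build the same paths as `"${pl_data_dir}/ca.crt"`; unless `$pl_data_dir` always carries a trailing slash, the file Puppet manages and the path PostgreSQL is told to open differ, and with `ssl = on` the server will not start. Reusing the params keeps the two from drifting: `ssl_ca_file = '<%= @pl_ca_crt_file %>'`, `ssl_cert_file = '<%= @pl_server_crt_file %>'`, `ssl_key_file = '<%= @pl_server_key_file %>'`. That assumes those variables are in scope where the template is rendered, which this hunk does not show; if they are not, at least insert the `/` so the template agrees with params.pp. The `ssl = off` branch's closing `end` lies outside the hunk.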
|
||||||
|
|||||||
1
templates/server/ca.crt.erb
Normal file
1
templates/server/ca.crt.erb
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<%= @pl_ca_crt %>
|
||||||
1
templates/server/server.crt.erb
Normal file
1
templates/server/server.crt.erb
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<%= @pl_server_crt %>
|
||||||
1
templates/server/server.key.erb
Normal file
1
templates/server/server.key.erb
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<%= @pl_server_key %>
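Review bot: `<%= @pl_server_key %>` renders an empty file when the variable is undef or empty, and the file resource in files.pp would then install an empty `server.key` and restart PostgreSQL, which fails to start with `ssl = on`. If the key can be missing from the data that feeds this class (not visible here), failing the catalog run is safer than producing an unstartable service: `<% raise ArgumentError, 'pl_server_key must be set when pl_ssl_enabled is true' if @pl_server_key.to_s.empty? -%>` ahead of the output line. The same guard applies to `server.crt.erb`.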
|
||||||