There's a bit of a dependency loop between the _postgresql-server_ role and other roles that supplement it, like _wal-g-pg_ and _postgresql-cert_. The latter roles need PostgreSQL installed, but when those roles are used, the server cannot be started until they have been applied. To resolve this situation, I've broken out the initial installation steps from the _postgresql-server_ role into _postgresql-server-base_. Roles that need PostgreSQL installed, but need to be applied before the server can start, can depend on this role.
- name: ensure required packages are installed
  # certbot is the ACME client used by the tasks below to obtain and
  # renew the PostgreSQL server certificate.
  package:
    name:
      - certbot
    state: present
  tags: [install]
- name: ensure http port is allowed in firewall (for acme challenge)
  # NOTE(review): this leaves port 80 open on the database host for good,
  # not just during the initial issuance. Presumably renewals reuse the
  # standalone authenticator and need it too — confirm; otherwise a renewal
  # pre/post hook that opens and closes the port would narrow the exposure.
  firewalld:
    service: http
    state: enabled
    permanent: true
    immediate: true
  # Hosts without firewalld opt out via this variable; default is "uses it".
  when: host_uses_firewalld|d(true)
  tags: [firewalld]
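- name: ensure postgresql server certificate exists
  # Initial issuance only: `creates` skips the task once the live
  # fullchain.pem exists; the certbot-renew timer enabled later in this
  # file is expected to handle renewals from then on.
  # argv passes each templated value as exactly one argument, so a
  # variable containing whitespace cannot be split into additional
  # certbot options the way a whitespace-split command string would be.
  command:
    argv:
      - certbot
      - certonly
      - -n
      - --standalone
      - -d
      - "{{ postgresql_cert_domain }}"
      - --server
      - "{{ postgresql_cert_acme_server }}"
      - --agree-tos
      - --email
      - "{{ postgresql_cert_acme_email }}"
    creates: /etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem
  tags: [cert]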
- name: ensure certbot deploy renewal hook script is installed
  # Installed into certbot's renewal-hooks/deploy directory; presumably it
  # publishes a renewed certificate and key to PostgreSQL (the template
  # deploy-hook.sh.j2 is not visible here — verify).
  template:
    src: deploy-hook.sh.j2
    dest: /etc/letsencrypt/renewal-hooks/deploy/postgresql.sh
    owner: root
    group: root
    mode: 'u=rwx,go=rx'  # root-owned executable, not writable by others
  tags: [deploy-hook]
- name: ensure certbot renewal period is configured for postgresql cert
  # NOTE(review): renewing only 8 hours before expiry assumes the configured
  # ACME server issues short-lived certificates; with long-lived ones it
  # leaves almost no room for a failed renewal attempt — confirm.
  lineinfile:
    path: /etc/letsencrypt/renewal/{{ postgresql_cert_domain }}.conf
    # `#?` lets the regexp also claim a commented-out renew_before_expiry
    # line, so the setting is replaced in place rather than appended twice.
    regexp: '^#?\s*renew_before_expiry\s*='
    line: renew_before_expiry = 8 hours
    state: present
  tags: [config]
- name: ensure certbot-renew timer unit drop-in directory exists
  # systemd drop-in directory for the packaged certbot-renew.timer: files
  # placed here override the unit without editing the unit itself.
  file:
    path: /etc/systemd/system/certbot-renew.timer.d
    state: directory
    owner: root
    group: root
    mode: 'u=rwx,go=rx'
  tags: [systemd]
- name: ensure certbot-renew timer schedule is configured
  template:
    src: certbot-renew.timer.j2
    dest: /etc/systemd/system/certbot-renew.timer.d/schedule.conf
    owner: root
    group: root
    mode: 'u=rw,go=r'
  # A changed drop-in is only read after a daemon reload, and the timer has
  # to be restarted for the new schedule to apply; both handlers are
  # flushed explicitly before the timer is started below.
  notify:
    - reload systemd
    - restart certbot-renew timer
  tags: [systemd]
- name: ensure certbot-renew timer is enabled
  systemd:
    name: certbot-renew.timer
    enabled: true
  tags: [service]

# Run any queued "reload systemd" / "restart certbot-renew timer" handlers
# now, so the timer is started with the drop-in schedule already loaded
# instead of at the end of the play.
- name: flush handlers
  meta: flush_handlers

- name: ensure certbot-renew timer is running
  systemd:
    name: certbot-renew.timer
    state: started
  tags: [service]
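- name: ensure postgresql config directory exists
  # Holds the server certificate and private key copied by the next two
  # tasks. Ownership and mode are set explicitly (matching the other file
  # tasks in this role) rather than inherited from the umask; the directory
  # stays searchable by others so the postgres user can reach server.key,
  # whose own mode restricts it to root and the postgres group.
  file:
    path: /etc/postgresql
    state: directory
    owner: root
    group: root
    mode: 'u=rwx,go=rx'
  # Tagged like the copy tasks that depend on it, so a run limited to
  # `--tags cert` cannot fail on a missing directory.
  tags: [cert]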
- name: ensure initial copy of postgresql certificate is in place
  # force: false makes this a one-shot bootstrap copy: it never overwrites
  # an existing server.cer. Later renewals are presumably propagated by the
  # deploy hook installed above — confirm.
  copy:
    src: /etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem
    dest: /etc/postgresql/server.cer
    remote_src: true
    force: false
    owner: root
    group: root
    mode: 'u=rw,go=r'  # public certificate chain; world-readable is fine
  tags: [cert]
- name: ensure initial copy of postgresql private key is in place
  # Same one-shot bootstrap as the certificate copy (force: false).
  # The key is readable by root and by the postgres group only; no other
  # access, so the server can load it without the file being world-readable.
  copy:
    src: /etc/letsencrypt/live/{{ postgresql_cert_domain }}/privkey.pem
    dest: /etc/postgresql/server.key
    remote_src: true
    force: false
    owner: root
    group: postgres
    mode: 'u=rw,g=r,o='
  tags: [cert]